--- /dev/null
+/*
+ * tpUtils.cpp - TP and cert group test support
+ */
+
+#include <Security/cssmtype.h>
+#include <clAppUtils/tpUtils.h>
+#include <clAppUtils/clutils.h>
+#include <utilLib/common.h>
+#include <utilLib/cspwrap.h>
+#include <clAppUtils/CertBuilderApp.h>
+#include <Security/oidsattr.h>
+#include <Security/oidscert.h>
+#include <Security/SecTrustSettingsPriv.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <Security/SecKeychainItem.h>
+#include <Security/SecKeychain.h>
+#include <Security/SecCertificate.h>
+#include <security_cdsa_utils/cuFileIo.h>
+
+/*
+ * Currently, DBs created with SecKeychainCreateNew() do not contain
+ * the schema for CSSM_DL_DB_RECORD_X509_CERTIFICATE records. Keychain
+ * code (Certificate::add()) does this on the fly, I don't know why.
+ * To avoid dependencies on KC - other than SecKeychainCreateNew - we'll
+ * emulate that "add this schema on the fly" logic here.
+ *
+ * Turn this option off if and when Radar 2927378 is approved and
+ * integrated into Security TOT.
+ */
+#define FAKE_ADD_CERT_SCHEMA 1
+#if FAKE_ADD_CERT_SCHEMA
+
+/* defined in SecKeychainAPIPriv.h */
+// static const int kSecAlias = 'alis';
+
+/* Macro to declare a CSSM_DB_SCHEMA_ATTRIBUTE_INFO */
+#define SCHEMA_ATTR_INFO(id, name, type) \
+ { id, (char *)name, {0, NULL}, CSSM_DB_ATTRIBUTE_FORMAT_ ## type }
+
+/* Too bad we can't get this from inside of the Security framework. */
+static CSSM_DB_SCHEMA_ATTRIBUTE_INFO certSchemaAttrInfo[] =
+{
+ SCHEMA_ATTR_INFO(kSecCertTypeItemAttr, "CertType", UINT32),
+ SCHEMA_ATTR_INFO(kSecCertEncodingItemAttr, "CertEncoding", UINT32),
+ SCHEMA_ATTR_INFO(kSecLabelItemAttr, "PrintName", BLOB),
+ SCHEMA_ATTR_INFO(kSecAlias, "Alias", BLOB),
+ SCHEMA_ATTR_INFO(kSecSubjectItemAttr, "Subject", BLOB),
+ SCHEMA_ATTR_INFO(kSecIssuerItemAttr, "Issuer", BLOB),
+ SCHEMA_ATTR_INFO(kSecSerialNumberItemAttr, "SerialNumber", BLOB),
+ SCHEMA_ATTR_INFO(kSecSubjectKeyIdentifierItemAttr, "SubjectKeyIdentifier", BLOB),
+ SCHEMA_ATTR_INFO(kSecPublicKeyHashItemAttr, "PublicKeyHash", BLOB)
+};
+#define NUM_CERT_SCHEMA_ATTRS \
+ (sizeof(certSchemaAttrInfo) / sizeof(CSSM_DB_SCHEMA_ATTRIBUTE_INFO))
+
+/* Macro to declare a CSSM_DB_SCHEMA_INDEX_INFO */
+#define SCHEMA_INDEX_INFO(id, indexNum, indexType) \
+ { id, CSSM_DB_INDEX_ ## indexType, CSSM_DB_INDEX_ON_ATTRIBUTE }
+
+
+static CSSM_DB_SCHEMA_INDEX_INFO certSchemaIndices[] =
+{
+ SCHEMA_INDEX_INFO(kSecCertTypeItemAttr, 0, UNIQUE),
+ SCHEMA_INDEX_INFO(kSecIssuerItemAttr, 0, UNIQUE),
+ SCHEMA_INDEX_INFO(kSecSerialNumberItemAttr, 0, UNIQUE),
+ SCHEMA_INDEX_INFO(kSecCertTypeItemAttr, 1, NONUNIQUE),
+ SCHEMA_INDEX_INFO(kSecSubjectItemAttr, 2, NONUNIQUE),
+ SCHEMA_INDEX_INFO(kSecIssuerItemAttr, 3, NONUNIQUE),
+ SCHEMA_INDEX_INFO(kSecSerialNumberItemAttr, 4, NONUNIQUE),
+ SCHEMA_INDEX_INFO(kSecSubjectKeyIdentifierItemAttr, 5, NONUNIQUE),
+ SCHEMA_INDEX_INFO(kSecPublicKeyHashItemAttr, 6, NONUNIQUE)
+};
+#define NUM_CERT_INDICES \
+ (sizeof(certSchemaIndices) / sizeof(CSSM_DB_SCHEMA_INDEX_INFO))
+
+
+CSSM_RETURN tpAddCertSchema(
+ CSSM_DL_DB_HANDLE dlDbHand)
+{
+ return CSSM_DL_CreateRelation(dlDbHand,
+ CSSM_DL_DB_RECORD_X509_CERTIFICATE,
+ "CSSM_DL_DB_RECORD_X509_CERTIFICATE",
+ NUM_CERT_SCHEMA_ATTRS,
+ certSchemaAttrInfo,
+ NUM_CERT_INDICES,
+ certSchemaIndices);
+}
+#endif /* FAKE_ADD_CERT_SCHEMA */
+
+/*
+ * Given a raw cert, extract DER-encoded normalized subject and issuer names.
+ */
+static CSSM_DATA_PTR tpGetNormSubject(
+ CSSM_CL_HANDLE clHand,
+ const CSSM_DATA *rawCert)
+{
+ CSSM_RETURN crtn;
+ CSSM_HANDLE searchHand = CSSM_INVALID_HANDLE;
+ uint32 numFields;
+ CSSM_DATA_PTR fieldValue;
+
+ crtn = CSSM_CL_CertGetFirstFieldValue(clHand,
+ rawCert,
+ &CSSMOID_X509V1SubjectName,
+ &searchHand,
+ &numFields,
+ &fieldValue);
+ if(crtn) {
+ printError("CSSM_CL_CertGetFirstFieldValue", crtn);
+ return NULL;
+ }
+ CSSM_CL_CertAbortQuery(clHand, searchHand);
+ return fieldValue;
+}
+
+static CSSM_DATA_PTR tpGetNormIssuer(
+ CSSM_CL_HANDLE clHand,
+ const CSSM_DATA *rawCert)
+{
+ CSSM_RETURN crtn;
+ CSSM_HANDLE searchHand = CSSM_INVALID_HANDLE;
+ uint32 numFields;
+ CSSM_DATA_PTR fieldValue;
+
+ crtn = CSSM_CL_CertGetFirstFieldValue(clHand,
+ rawCert,
+ &CSSMOID_X509V1IssuerName,
+ &searchHand,
+ &numFields,
+ &fieldValue);
+ if(crtn) {
+ printError("CSSM_CL_CertGetFirstFieldValue", crtn);
+ return NULL;
+ }
+ CSSM_CL_CertAbortQuery(clHand, searchHand);
+ return fieldValue;
+}
+
+
+#define SERIAL_NUMBER_BASE 0x33445566
+
+/*
+ * Given an array of certs and an uninitialized CSSM_CERTGROUP, place the
+ * certs into the certgroup and optionally into one of a list of DBs in
+ * random order. Optionally the first cert in the array is placed in the
+ * first element of certgroup. Only error is memory error. It's legal to
+ * pass in an empty cert array.
+ */
+CSSM_RETURN tpMakeRandCertGroup(
+ CSSM_CL_HANDLE clHand,
+ CSSM_DL_DB_LIST_PTR dbList,
+ const CSSM_DATA_PTR certs,
+ unsigned numCerts,
+ CSSM_CERTGROUP_PTR certGroup,
+ CSSM_BOOL firstCertIsSubject, // true: certs[0] goes to head
+ // of certGroup
+ CSSM_BOOL verbose,
+ CSSM_BOOL allInDbs, // all certs go to DBs
+ CSSM_BOOL skipFirstDb) // no certs go to db[0]
+{
+ unsigned startDex = 0; // where to start processing
+ unsigned certDex; // into certs and certGroup
+ unsigned die;
+ CSSM_RETURN crtn;
+
+ #if TP_DB_ENABLE
+ if((dbList == NULL) && (allInDbs | skipFirstDb)) {
+ printf("need dbList for allInDbs or skipFirstDb\n");
+ return CSSM_ERRCODE_INTERNAL_ERROR;
+ }
+ if(skipFirstDb && (dbList->NumHandles == 1)) {
+ printf("Need more than one DB for skipFirstDb\n");
+ return CSSM_ERRCODE_INTERNAL_ERROR;
+ }
+ #else
+ if(dbList != NULL) {
+ printf("TP/DB not supported yet\n");
+ return CSSMERR_CSSM_INTERNAL_ERROR;
+ }
+ #endif
+
+ certGroup->NumCerts = 0;
+ certGroup->CertGroupType = CSSM_CERTGROUP_DATA;
+ certGroup->CertType = CSSM_CERT_X_509v3;
+ certGroup->CertEncoding = CSSM_CERT_ENCODING_DER;
+ if(numCerts == 0) {
+ /* legal */
+ certGroup->GroupList.CertList = NULL;
+ return CSSM_OK;
+ }
+
+ /* make CertList big enough for all certs */
+ certGroup->GroupList.CertList = (CSSM_DATA_PTR)CSSM_CALLOC(numCerts, sizeof(CSSM_DATA));
+ if(certGroup->GroupList.CertList == NULL) {
+ printf("Memory error!\n");
+ return CSSMERR_CSSM_MEMORY_ERROR;
+ }
+ if(firstCertIsSubject) {
+ certGroup->GroupList.CertList[0] = certs[0];
+ certGroup->NumCerts = 1;
+ startDex = 1;
+ }
+ for(certDex=startDex; certDex<numCerts; certDex++) {
+ /* flip a coin, half of the certs go into a DB */
+ die = genRand(1, 2); // one random bit
+ if( ( (dbList != NULL) && (dbList->NumHandles != 0) ) &&
+ ( (die == 1) || allInDbs) ) {
+ /* put this cert in one of the DBs */
+ if(skipFirstDb) {
+ die = genRand(1, dbList->NumHandles-1);
+ }
+ else {
+ die = genRand(0, dbList->NumHandles-1);
+ }
+ if(verbose) {
+ printf(" ...cert %d to DB[%d]\n", certDex, die);
+ }
+ crtn = tpStoreRawCert(dbList->DLDBHandle[die],
+ clHand,
+ &certs[certDex]);
+ if(crtn) {
+ return crtn;
+ }
+ }
+ else {
+ /* find a random unused place in certGroupFrag */
+ CSSM_DATA_PTR certData;
+
+ while(1) {
+ die = genRand(0, numCerts-1);
+ certData = &certGroup->GroupList.CertList[die];
+ if(certData->Data == NULL) {
+ *certData = certs[certDex];
+ certGroup->NumCerts++;
+ if(verbose) {
+ printf(" ...cert %d to frag[%d]\n",
+ certDex, die);
+ }
+ break;
+ }
+ /* else try again and hope we don't spin forever */
+ }
+ } /* random place in certGroup */
+ } /* main loop */
+
+ if(dbList != NULL) {
+ /*
+ * Since we put some of the certs in dlDb rather than in certGroup,
+ * compact the contents of certGroup. Its NumCerts is correct,
+ * but some of the entries in CertList are empty.
+ */
+ unsigned i;
+
+ for(certDex=0; certDex<numCerts; certDex++) {
+ if(certGroup->GroupList.CertList[certDex].Data == NULL) {
+ /* find next non-NULL cert */
+ for(i=certDex+1; i<numCerts; i++) {
+ if(certGroup->GroupList.CertList[i].Data != NULL) {
+ if(verbose) {
+ printf(" ...frag[%d] to frag[%d]\n",
+ i, certDex);
+ }
+ certGroup->GroupList.CertList[certDex] =
+ certGroup->GroupList.CertList[i];
+ certGroup->GroupList.CertList[i].Data = NULL;
+ break;
+ }
+ }
+ }
+ }
+ }
+ return CSSM_OK;
+}
+
+/*
+ * Store a cert in specified DL/DB. All attributes are optional except
+ * as noted (right?).
+ */
+CSSM_RETURN tpStoreCert(
+ CSSM_DL_DB_HANDLE dlDb,
+ const CSSM_DATA_PTR cert,
+ /* REQUIRED fields */
+ CSSM_CERT_TYPE certType, // e.g. CSSM_CERT_X_509v3
+ uint32 serialNum,
+ const CSSM_DATA *issuer, // (shouldn't this be subject?)
+ // normalized & encoded
+ /* OPTIONAL fields */
+ CSSM_CERT_ENCODING certEncoding, // e.g. CSSM_CERT_ENCODING_DER
+ const CSSM_DATA *printName,
+ const CSSM_DATA *subject) // normalized & encoded
+{
+ CSSM_DB_ATTRIBUTE_DATA attrs[6];
+ CSSM_DB_RECORD_ATTRIBUTE_DATA recordAttrs;
+ CSSM_DB_ATTRIBUTE_DATA_PTR attr = &attrs[0];
+ CSSM_DB_UNIQUE_RECORD_PTR recordPtr = NULL;
+ CSSM_DATA certTypeData;
+ CSSM_DATA certEncData;
+ CSSM_DATA_PTR serialNumData;
+ uint32 numAttributes;
+
+ if(issuer == NULL) {
+ printf("***For now, must specify cert issuer when storing\n");
+ return CSSM_ERRCODE_INTERNAL_ERROR;
+ }
+
+ /* how many attributes are we storing? */
+ numAttributes = 4; // certType, serialNum, issuer, certEncoding
+ if(printName != NULL) {
+ numAttributes++;
+ }
+ if(subject != NULL) {
+ numAttributes++;
+ }
+
+ /* cook up CSSM_DB_RECORD_ATTRIBUTE_DATA */
+ recordAttrs.DataRecordType = CSSM_DL_DB_RECORD_X509_CERTIFICATE;
+ recordAttrs.SemanticInformation = 0;
+ recordAttrs.NumberOfAttributes = numAttributes;
+ recordAttrs.AttributeData = attrs;
+
+ /* grind thru the attributes - first the required ones plus certEncoding */
+ certTypeData.Data = (uint8 *)&certType;
+ certTypeData.Length = sizeof(CSSM_CERT_TYPE);
+ certEncData.Data = (uint8 *)&certEncoding;
+ certEncData.Length = sizeof(CSSM_CERT_ENCODING);
+ serialNumData = intToDER(serialNum);
+
+ attr->Info.AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
+ attr->Info.Label.AttributeName = (char *)"CertType";
+ attr->Info.AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_UINT32;
+ attr->NumberOfValues = 1;
+ attr->Value = &certTypeData;
+ attr++;
+
+ attr->Info.AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
+ attr->Info.Label.AttributeName = (char *)"CertEncoding";
+ attr->Info.AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_UINT32;
+ attr->NumberOfValues = 1;
+ attr->Value = &certEncData;
+ attr++;
+
+ attr->Info.AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
+ attr->Info.Label.AttributeName = (char *)"SerialNumber";
+ attr->Info.AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_BLOB;
+ attr->NumberOfValues = 1;
+ attr->Value = serialNumData;
+ attr++;
+
+ attr->Info.AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
+ attr->Info.Label.AttributeName = (char *)"Issuer";
+ attr->Info.AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_BLOB;
+ attr->NumberOfValues = 1;
+ attr->Value = (CSSM_DATA_PTR)issuer;
+ attr++;
+
+ /* now the options */
+ if(printName != NULL) {
+ attr->Info.AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
+ attr->Info.Label.AttributeName = (char *)"PrintName";
+ attr->Info.AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_BLOB;
+ attr->NumberOfValues = 1;
+ attr->Value = (CSSM_DATA_PTR)printName;
+ attr++;
+ }
+ if(subject != NULL) {
+ attr->Info.AttributeNameFormat = CSSM_DB_ATTRIBUTE_NAME_AS_STRING;
+ attr->Info.Label.AttributeName = (char *)"Subject";
+ attr->Info.AttributeFormat = CSSM_DB_ATTRIBUTE_FORMAT_BLOB;
+ attr->NumberOfValues = 1;
+ attr->Value = (CSSM_DATA_PTR)subject;
+ attr++;
+ }
+
+ /* Okay, here we go */
+ CSSM_RETURN crtn = CSSM_DL_DataInsert(dlDb,
+ CSSM_DL_DB_RECORD_X509_CERTIFICATE,
+ &recordAttrs,
+ cert,
+ &recordPtr);
+ #if FAKE_ADD_CERT_SCHEMA
+ if(crtn == CSSMERR_DL_INVALID_RECORDTYPE) {
+ /* gross hack of inserting this "new" schema that Keychain didn't specify */
+ crtn = tpAddCertSchema(dlDb);
+ if(crtn == CSSM_OK) {
+ /* Retry with a fully capable DLDB */
+ crtn = CSSM_DL_DataInsert(dlDb,
+ CSSM_DL_DB_RECORD_X509_CERTIFICATE,
+ &recordAttrs,
+ cert,
+ &recordPtr);
+ }
+ }
+ #endif /* FAKE_ADD_CERT_SCHEMA */
+
+ /* free resources allocated to get this far */
+ appFreeCssmData(serialNumData, CSSM_TRUE);
+ if(recordPtr != NULL) {
+ CSSM_DL_FreeUniqueRecord(dlDb, recordPtr);
+ }
+ if(crtn) {
+ printError("CSSM_DL_DataInsert", crtn);
+ }
+ return crtn;
+}
+
+/*
+ * Store a cert when we don't already know the required fields. We'll
+ * extract them or make them up.
+ */
+CSSM_RETURN tpStoreRawCert(
+ CSSM_DL_DB_HANDLE dlDb,
+ CSSM_CL_HANDLE clHand,
+ const CSSM_DATA_PTR cert)
+{
+ CSSM_DATA_PTR normSubj;
+ CSSM_DATA_PTR normIssuer;
+ CSSM_DATA printName;
+ CSSM_RETURN crtn;
+ static uint32 fakeSerialNum = 0;
+
+ normSubj = tpGetNormSubject(clHand, cert);
+ normIssuer = tpGetNormIssuer(clHand, cert);
+ if((normSubj == NULL) || (normIssuer == NULL)) {
+ return CSSM_ERRCODE_INTERNAL_ERROR;
+ }
+ printName.Data = (uint8 *)"Some Printable Name";
+ printName.Length = strlen((char *)printName.Data);
+ crtn = tpStoreCert(dlDb,
+ cert,
+ CSSM_CERT_X_509v3,
+ fakeSerialNum++,
+ normIssuer,
+ CSSM_CERT_ENCODING_DER,
+ &printName,
+ normSubj);
+ appFreeCssmData(normSubj, CSSM_TRUE);
+ appFreeCssmData(normIssuer, CSSM_TRUE);
+ return crtn;
+}
+
+/*
+ * Generate numKeyPairs key pairs of specified algorithm and size.
+ * Key labels will be 'keyLabelBase' concatenated with a 4-digit
+ * decimal number.
+ */
+CSSM_RETURN tpGenKeys(
+ CSSM_CSP_HANDLE cspHand,
+ CSSM_DL_DB_HANDLE dbHand, /* keys go here */
+ unsigned numKeyPairs,
+ uint32 keyGenAlg, /* CSSM_ALGID_RSA, etc. */
+ uint32 keySizeInBits,
+ const char *keyLabelBase, /* C string */
+ CSSM_KEY_PTR pubKeys, /* array of keys RETURNED here */
+ CSSM_KEY_PTR privKeys, /* array of keys RETURNED here */
+ CSSM_DATA_PTR paramData) /* optional DSA params */
+{
+ CSSM_RETURN crtn;
+ unsigned i;
+ char label[80];
+ unsigned labelLen = strlen(keyLabelBase);
+
+ memset(pubKeys, 0, numKeyPairs * sizeof(CSSM_KEY));
+ memset(privKeys, 0, numKeyPairs * sizeof(CSSM_KEY));
+ memmove(label, keyLabelBase, labelLen);
+
+ for(i=0; i<numKeyPairs; i++) {
+ /* unique label */
+ sprintf(label+labelLen, "%04d", i);
+ if(keyGenAlg == CSSM_ALGID_DSA) {
+ crtn = cspGenDSAKeyPair(cspHand,
+ label,
+ labelLen + 4,
+ keySizeInBits,
+ &pubKeys[i],
+ CSSM_FALSE, // pubIsRef
+ CSSM_KEYUSE_VERIFY, // pubKeyUsage
+ CSSM_KEYBLOB_RAW_FORMAT_NONE,
+ &privKeys[i],
+ CSSM_TRUE, // privIsRef
+ CSSM_KEYUSE_SIGN,
+ CSSM_KEYBLOB_RAW_FORMAT_NONE,
+ CSSM_FALSE, // genParams
+ paramData);
+ }
+ else {
+ crtn = cspGenKeyPair(cspHand,
+ keyGenAlg,
+ // not used in X, yet dbHand,
+ label,
+ labelLen + 4,
+ keySizeInBits,
+ &pubKeys[i],
+ CSSM_FALSE, // pubIsRef
+ CSSM_KEYUSE_VERIFY, // pubKeyUsage
+ CSSM_KEYBLOB_RAW_FORMAT_NONE,
+ &privKeys[i],
+ CSSM_TRUE, /// privIsRef
+ CSSM_KEYUSE_SIGN,
+ CSSM_KEYBLOB_RAW_FORMAT_NONE,
+ CSSM_FALSE);
+ }
+ if(crtn) {
+ return crtn;
+ }
+ }
+
+ /* verify they are all different keys */
+ for(i=0; i<numKeyPairs; i++) {
+ CSSM_DATA_PTR k1 = &pubKeys[i].KeyData;
+ for(unsigned j=i+1; j<numKeyPairs; j++) {
+ CSSM_DATA_PTR k2 = &pubKeys[j].KeyData;
+ if(appCompareCssmData(k1, k2)) {
+ printf("***HEY! public keys %d and %d are indentical!\n", i, j);
+ }
+ }
+ }
+ return crtn;
+}
+
+/*
+ * Generate a cert chain using specified key pairs. The last cert in the
+ * chain (certs[numCerts-1]) is a root cert, self-signed.
+ */
+CSSM_RETURN tpGenCerts(
+ CSSM_CSP_HANDLE cspHand,
+ CSSM_CL_HANDLE clHand,
+ unsigned numCerts,
+ uint32 sigAlg, /* CSSM_ALGID_SHA1WithRSA, etc. */
+ const char *nameBase, /* C string */
+ CSSM_KEY_PTR pubKeys, /* array of public keys */
+ CSSM_KEY_PTR privKeys, /* array of private keys */
+ CSSM_DATA_PTR certs, /* array of certs RETURNED here */
+ const char *notBeforeStr, /* from genTimeAtNowPlus() */
+ const char *notAfterStr) /* from genTimeAtNowPlus() */
+{
+ return tpGenCertsStore(cspHand,
+ clHand,
+ numCerts,
+ sigAlg,
+ nameBase,
+ pubKeys,
+ privKeys,
+ NULL, // storeArray
+ certs,
+ notBeforeStr,
+ notAfterStr);
+}
+
+/*
+ * Generate a cert chain using specified key pairs. The last cert in the
+ * chain (certs[numCerts-1]) is a root cert, self-signed. Store
+ * the certs indicated by corresponding element on storeArray. If
+ * storeArray[n].DLHandle == 0, the cert is not stored.
+ */
+CSSM_RETURN tpGenCertsStore(
+ CSSM_CSP_HANDLE cspHand,
+ CSSM_CL_HANDLE clHand,
+ unsigned numCerts,
+ uint32 sigAlg, /* CSSM_ALGID_SHA1WithRSA, etc. */
+ const char *nameBase, /* C string */
+ CSSM_KEY_PTR pubKeys, /* array of public keys */
+ CSSM_KEY_PTR privKeys, /* array of private keys */
+ CSSM_DL_DB_HANDLE *storeArray, /* array of certs stored here */
+ CSSM_DATA_PTR certs, /* array of certs RETURNED here */
+ const char *notBeforeStr, /* from genTimeAtNowPlus() */
+ const char *notAfterStr) /* from genTimeAtNowPlus() */
+
+{
+ int dex;
+ CSSM_RETURN crtn;
+ CSSM_X509_NAME *issuerName = NULL;
+ CSSM_X509_NAME *subjectName = NULL;
+ CSSM_X509_TIME *notBefore; // UTC-style "not before" time
+ CSSM_X509_TIME *notAfter; // UTC-style "not after" time
+ CSSM_DATA_PTR rawCert = NULL; // from CSSM_CL_CertCreateTemplate
+ CSSM_DATA signedCert; // from CSSM_CL_CertSign
+ uint32 rtn;
+ CSSM_KEY_PTR signerKey; // signs the cert
+ CSSM_CC_HANDLE signContext;
+ char nameStr[100];
+ CSSM_DATA_PTR thisCert; // ptr into certs[]
+ CB_NameOid nameOid;
+ CE_BasicConstraints bc;
+ CSSM_X509_EXTENSION exten;
+
+ nameOid.oid = &CSSMOID_OrganizationName; // const
+ nameOid.string = nameStr;
+
+ /* one extension for nonleaf indicating cA */
+ exten.extnId = CSSMOID_BasicConstraints;
+ exten.critical = CSSM_TRUE;
+ exten.format = CSSM_X509_DATAFORMAT_PARSED;
+ exten.value.parsedValue = &bc;
+ exten.BERvalue.Data = NULL;
+ exten.BERvalue.Length = 0;
+ bc.cA = CSSM_TRUE;
+ bc.pathLenConstraintPresent = CSSM_FALSE;
+ bc.pathLenConstraint = 0;
+
+ /* main loop - once per keypair/cert - starting at end/root */
+ for(dex=numCerts-1; dex>=0; dex--) {
+ thisCert = &certs[dex];
+
+ thisCert->Data = NULL;
+ thisCert->Length = 0;
+
+ sprintf(nameStr, "%s%04d", nameBase, dex);
+ if(issuerName == NULL) {
+ /* last (root) cert - subject same as issuer */
+ issuerName = CB_BuildX509Name(&nameOid, 1);
+ /* self-signed */
+ signerKey = &privKeys[dex];
+ }
+ else {
+ /* previous subject becomes current issuer */
+ CB_FreeX509Name(issuerName);
+ issuerName = subjectName;
+ signerKey = &privKeys[dex+1];
+ }
+ subjectName = CB_BuildX509Name(&nameOid, 1);
+ if((subjectName == NULL) || (issuerName == NULL)) {
+ printf("Error creating X509Names\n");
+ crtn = CSSMERR_CSSM_MEMORY_ERROR;
+ break;
+ }
+
+ /*
+ * not before/after in Y2k-compliant generalized time format.
+ * These come preformatted from our caller.
+ */
+ notBefore = CB_BuildX509Time(0, notBeforeStr);
+ notAfter = CB_BuildX509Time(0, notAfterStr);
+
+ /*
+ * Cook up cert template
+ * Note serial number would be app-specified in real world
+ */
+ rawCert = CB_MakeCertTemplate(clHand,
+ SERIAL_NUMBER_BASE + dex, // serial number
+ issuerName,
+ subjectName,
+ notBefore,
+ notAfter,
+ &pubKeys[dex],
+ sigAlg,
+ NULL, // subj unique ID
+ NULL, // issuer unique ID
+ &exten, // extensions
+ (dex == 0) ? 0 : 1);// numExtensions
+
+ if(rawCert == NULL) {
+ crtn = CSSM_ERRCODE_INTERNAL_ERROR;
+ break;
+ }
+
+ /* Free the stuff we allocd to get here */
+ CB_FreeX509Time(notBefore);
+ CB_FreeX509Time(notAfter);
+
+ /**** sign the cert ****/
+ /* 1. get a signing context */
+ crtn = CSSM_CSP_CreateSignatureContext(cspHand,
+ sigAlg,
+ NULL, // no passphrase for now
+ signerKey,
+ &signContext);
+ if(crtn) {
+ printError("CreateSignatureContext", crtn);
+ break;
+ }
+
+ /* 2. use CL to sign the cert */
+ signedCert.Data = NULL;
+ signedCert.Length = 0;
+ crtn = CSSM_CL_CertSign(clHand,
+ signContext,
+ rawCert, // CertToBeSigned
+ NULL, // SignScope per spec
+ 0, // ScopeSize per spec
+ &signedCert);
+ if(crtn) {
+ printError("CSSM_CL_CertSign", crtn);
+ break;
+ }
+
+ /* 3. Optionally store the cert in DL */
+ if((storeArray != NULL) && storeArray[dex].DBHandle != 0) {
+ crtn = tpStoreRawCert(storeArray[dex],
+ clHand,
+ &signedCert);
+ if(crtn) {
+ break;
+ }
+ }
+
+ /* 4. delete signing context */
+ crtn = CSSM_DeleteContext(signContext);
+ if(crtn) {
+ printError("CSSM_DeleteContext", crtn);
+ break;
+ }
+
+ /*
+ * CSSM_CL_CertSign() returned us a mallocd CSSM_DATA. Copy
+ * its fields to caller's cert.
+ */
+ certs[dex] = signedCert;
+
+ /* and the raw unsigned cert as well */
+ appFreeCssmData(rawCert, CSSM_TRUE);
+ rtn = 0;
+ }
+
+ /* free resources */
+ if(issuerName != NULL) {
+ CB_FreeX509Name(issuerName);
+ }
+ if(subjectName != NULL) {
+ CB_FreeX509Name(subjectName);
+ }
+ return crtn;
+}
+
+/* compare two CSSM_CERTGROUPs, returns CSSM_TRUE on success */
+CSSM_BOOL tpCompareCertGroups(
+ const CSSM_CERTGROUP *grp1,
+ const CSSM_CERTGROUP *grp2)
+{
+ unsigned i;
+ CSSM_DATA_PTR d1;
+ CSSM_DATA_PTR d2;
+
+ if(grp1->NumCerts != grp2->NumCerts) {
+ return CSSM_FALSE;
+ }
+ for(i=0; i<grp1->NumCerts; i++) {
+ d1 = &grp1->GroupList.CertList[i];
+ d2 = &grp2->GroupList.CertList[i];
+
+ /* these are all errors */
+ if((d1->Data == NULL) ||
+ (d1->Length == 0) ||
+ (d2->Data == NULL) ||
+ (d2->Length == 0)) {
+ printf("compareCertGroups: bad cert group!\n");
+ return CSSM_FALSE;
+ }
+ if(d1->Length != d2->Length) {
+ return CSSM_FALSE;
+ }
+ if(memcmp(d1->Data, d2->Data, d1->Length)) {
+ return CSSM_FALSE;
+ }
+ }
+ return CSSM_TRUE;
+}
+
+/* free a CSSM_CERT_GROUP */
+void tpFreeCertGroup(
+ CSSM_CERTGROUP_PTR certGroup,
+ CSSM_BOOL freeCertData, // free individual CertList.Data
+ CSSM_BOOL freeStruct) // free the overall CSSM_CERTGROUP
+{
+ unsigned dex;
+
+ if(certGroup == NULL) {
+ return;
+ }
+
+ if(freeCertData) {
+ /* free the individual cert Data fields */
+ for(dex=0; dex<certGroup->NumCerts; dex++) {
+ appFreeCssmData(&certGroup->GroupList.CertList[dex], CSSM_FALSE);
+ }
+ }
+
+ /* and the array of CSSM_DATAs */
+ if(certGroup->GroupList.CertList) {
+ CSSM_FREE(certGroup->GroupList.CertList);
+ }
+
+ if(freeStruct) {
+ CSSM_FREE(certGroup);
+ }
+}
+
+CSSM_RETURN clDeleteAllCerts(CSSM_DL_DB_HANDLE dlDb)
+{
+ CSSM_QUERY query;
+ CSSM_DB_UNIQUE_RECORD_PTR record = NULL;
+ CSSM_RETURN crtn;
+ CSSM_HANDLE resultHand;
+ CSSM_DB_RECORD_ATTRIBUTE_DATA recordAttrs;
+
+ recordAttrs.DataRecordType = CSSM_DL_DB_RECORD_X509_CERTIFICATE;
+ recordAttrs.NumberOfAttributes = 0;
+ recordAttrs.AttributeData = NULL;
+
+ /* just search by recordType, no predicates */
+ query.RecordType = CSSM_DL_DB_RECORD_X509_CERTIFICATE;
+ query.Conjunctive = CSSM_DB_NONE;
+ query.NumSelectionPredicates = 0;
+ query.SelectionPredicate = NULL;
+ query.QueryLimits.TimeLimit = 0; // FIXME - meaningful?
+ query.QueryLimits.SizeLimit = 1; // FIXME - meaningful?
+ query.QueryFlags = 0; // CSSM_QUERY_RETURN_DATA...FIXME - used?
+
+ crtn = CSSM_DL_DataGetFirst(dlDb,
+ &query,
+ &resultHand,
+ &recordAttrs,
+ NULL, // No data
+ &record);
+ switch(crtn) {
+ case CSSM_OK:
+ break; // proceed
+ case CSSMERR_DL_ENDOFDATA:
+ /* OK, no certs */
+ return CSSM_OK;
+ default:
+ printError("DataGetFirst", crtn);
+ return crtn;
+ }
+
+ crtn = CSSM_DL_DataDelete(dlDb, record);
+ if(crtn) {
+ printError("CSSM_DL_DataDelete", crtn);
+ return crtn;
+ }
+ CSSM_DL_FreeUniqueRecord(dlDb, record);
+
+ /* now the rest of them */
+ for(;;) {
+ crtn = CSSM_DL_DataGetNext(dlDb,
+ resultHand,
+ &recordAttrs,
+ NULL,
+ &record);
+ switch(crtn) {
+ case CSSM_OK:
+ crtn = CSSM_DL_DataDelete(dlDb, record);
+ if(crtn) {
+ printError("CSSM_DL_DataDelete", crtn);
+ return crtn;
+ }
+ CSSM_DL_FreeUniqueRecord(dlDb, record);
+ break; // and go again
+ case CSSMERR_DL_ENDOFDATA:
+ /* normal termination */
+ break;
+ default:
+ printError("DataGetNext", crtn);
+ return crtn;
+ }
+ if(crtn != CSSM_OK) {
+ break;
+ }
+ }
+ CSSM_DL_DataAbortQuery(dlDb, resultHand);
+ return CSSM_OK;
+}
+
+/*
+ * Wrapper for CSSM_TP_CertGroupVerify. What an ugly API.
+ */
+CSSM_RETURN tpCertGroupVerify(
+ CSSM_TP_HANDLE tpHand,
+ CSSM_CL_HANDLE clHand,
+ CSSM_CSP_HANDLE cspHand,
+ CSSM_DL_DB_LIST_PTR dbListPtr,
+ const CSSM_OID *policy, // optional
+ const CSSM_DATA *fieldOpts, // optional
+ const CSSM_DATA *actionData, // optional
+ void *policyOpts,
+ const CSSM_CERTGROUP *certGroup,
+ CSSM_DATA_PTR anchorCerts,
+ unsigned numAnchorCerts,
+ CSSM_TP_STOP_ON stopOn, // CSSM_TP_STOP_ON_POLICY, etc.
+ CSSM_TIMESTRING cssmTimeStr,// optional
+ CSSM_TP_VERIFY_CONTEXT_RESULT_PTR result) // optional, RETURNED
+{
+ /* main job is building a CSSM_TP_VERIFY_CONTEXT and its components */
+ CSSM_TP_VERIFY_CONTEXT vfyCtx;
+ CSSM_TP_CALLERAUTH_CONTEXT authCtx;
+
+ memset(&vfyCtx, 0, sizeof(CSSM_TP_VERIFY_CONTEXT));
+ vfyCtx.Action = CSSM_TP_ACTION_DEFAULT;
+ if(actionData) {
+ vfyCtx.ActionData = *actionData;
+ }
+ else {
+ vfyCtx.ActionData.Data = NULL;
+ vfyCtx.ActionData.Length = 0;
+ }
+ vfyCtx.Cred = &authCtx;
+
+ /* CSSM_TP_CALLERAUTH_CONTEXT components */
+ /*
+ typedef struct cssm_tp_callerauth_context {
+ CSSM_TP_POLICYINFO Policy;
+ CSSM_TIMESTRING VerifyTime;
+ CSSM_TP_STOP_ON VerificationAbortOn;
+ CSSM_TP_VERIFICATION_RESULTS_CALLBACK CallbackWithVerifiedCert;
+ uint32 NumberOfAnchorCerts;
+ CSSM_DATA_PTR AnchorCerts;
+ CSSM_DL_DB_LIST_PTR DBList;
+ CSSM_ACCESS_CREDENTIALS_PTR CallerCredentials;
+ } CSSM_TP_CALLERAUTH_CONTEXT, *CSSM_TP_CALLERAUTH_CONTEXT_PTR;
+ */
+ /* zero or one policy here */
+ CSSM_FIELD policyId;
+ if(policy != NULL) {
+ policyId.FieldOid = (CSSM_OID)*policy;
+ authCtx.Policy.NumberOfPolicyIds = 1;
+ authCtx.Policy.PolicyIds = &policyId;
+ if(fieldOpts != NULL) {
+ policyId.FieldValue = *fieldOpts;
+ }
+ else {
+ policyId.FieldValue.Data = NULL;
+ policyId.FieldValue.Length = 0;
+ }
+ }
+ else {
+ authCtx.Policy.NumberOfPolicyIds = 0;
+ authCtx.Policy.PolicyIds = NULL;
+ }
+ authCtx.Policy.PolicyControl = policyOpts;
+ authCtx.VerifyTime = cssmTimeStr; // may be NULL
+ authCtx.VerificationAbortOn = stopOn;
+ authCtx.CallbackWithVerifiedCert = NULL;
+ authCtx.NumberOfAnchorCerts = numAnchorCerts;
+ authCtx.AnchorCerts = anchorCerts;
+ authCtx.DBList = dbListPtr;
+ authCtx.CallerCredentials = NULL;
+
+ return CSSM_TP_CertGroupVerify(tpHand,
+ clHand,
+ cspHand,
+ certGroup,
+ &vfyCtx,
+ result);
+}
+
+/*
+ * Open, optionally create, KC-style DLDB.
+ */
+#define KC_DB_PATH "Library/Keychains" /* relative to home */
+
+CSSM_RETURN tpKcOpen(
+ CSSM_DL_HANDLE dlHand,
+ const char *kcName,
+ const char *pwd, // optional to avoid UI
+ CSSM_BOOL doCreate,
+ CSSM_DB_HANDLE *dbHand) // RETURNED
+{
+ char kcPath[300];
+ const char *kcFileName = kcName;
+ char *userHome = getenv("HOME");
+
+ if(userHome == NULL) {
+ /* well, this is probably not going to work */
+ userHome = (char *)"";
+ }
+ sprintf(kcPath, "%s/%s/%s", userHome, KC_DB_PATH, kcFileName);
+ return dbCreateOpen(dlHand, kcPath,
+ doCreate, CSSM_FALSE, pwd, dbHand);
+}
+
+/*
+ * Free the contents of a CSSM_TP_VERIFY_CONTEXT_RESULT returned from
+ * CSSM_TP_CertGroupVerify().
+ */
+CSSM_RETURN freeVfyResult(
+ CSSM_TP_VERIFY_CONTEXT_RESULT *ctx)
+{
+ int numCerts = -1;
+ CSSM_RETURN crtn = CSSM_OK;
+
+ for(unsigned i=0; i<ctx->NumberOfEvidences; i++) {
+ CSSM_EVIDENCE_PTR evp = &ctx->Evidence[i];
+ switch(evp->EvidenceForm) {
+ case CSSM_EVIDENCE_FORM_APPLE_HEADER:
+ /* Evidence = (CSSM_TP_APPLE_EVIDENCE_HEADER *) */
+ appFree(evp->Evidence, NULL);
+ evp->Evidence = NULL;
+ break;
+ case CSSM_EVIDENCE_FORM_APPLE_CERTGROUP:
+ {
+ /* Evidence = CSSM_CERTGROUP_PTR */
+ CSSM_CERTGROUP_PTR cgp = (CSSM_CERTGROUP_PTR)evp->Evidence;
+ numCerts = cgp->NumCerts;
+ tpFreeCertGroup(cgp, CSSM_TRUE, CSSM_TRUE);
+ evp->Evidence = NULL;
+ break;
+ }
+ case CSSM_EVIDENCE_FORM_APPLE_CERT_INFO:
+ {
+ /* Evidence = array of CSSM_TP_APPLE_EVIDENCE_INFO */
+ if(numCerts < 0) {
+ /* Haven't gotten a CSSM_CERTGROUP_PTR! */
+ printf("***Malformed VerifyContextResult (2)\n");
+ crtn = CSSMERR_TP_INTERNAL_ERROR;
+ break;
+ }
+ CSSM_TP_APPLE_EVIDENCE_INFO *evInfo =
+ (CSSM_TP_APPLE_EVIDENCE_INFO *)evp->Evidence;
+ for(unsigned k=0; k<(unsigned)numCerts; k++) {
+ /* Dispose of StatusCodes, UniqueRecord */
+ CSSM_TP_APPLE_EVIDENCE_INFO *thisEvInfo =
+ &evInfo[k];
+ if(thisEvInfo->StatusCodes) {
+ appFree(thisEvInfo->StatusCodes, NULL);
+ }
+ if(thisEvInfo->UniqueRecord) {
+ CSSM_RETURN crtn =
+ CSSM_DL_FreeUniqueRecord(thisEvInfo->DlDbHandle,
+ thisEvInfo->UniqueRecord);
+ if(crtn) {
+ printError("CSSM_DL_FreeUniqueRecord", crtn);
+ printf(" Record %p\n", thisEvInfo->UniqueRecord);
+ break;
+ }
+ thisEvInfo->UniqueRecord = NULL;
+ }
+ } /* for each cert info */
+ appFree(evp->Evidence, NULL);
+ evp->Evidence = NULL;
+ break;
+ } /* CSSM_EVIDENCE_FORM_APPLE_CERT_INFO */
+ } /* switch(evp->EvidenceForm) */
+ } /* for each evidence */
+ if(ctx->Evidence) {
+ appFree(ctx->Evidence, NULL);
+ ctx->Evidence = NULL;
+ }
+ return crtn;
+}
+
+/* Display verify results */
+static void statusBitTest(
+ CSSM_TP_APPLE_CERT_STATUS certStatus,
+ uint32 bit,
+ const char *str)
+{
+ if(certStatus & bit) {
+ printf("%s ", str);
+ }
+}
+
+void printCertInfo(
+ unsigned numCerts, // from CertGroup
+ const CSSM_TP_APPLE_EVIDENCE_INFO *info)
+{
+ CSSM_TP_APPLE_CERT_STATUS cs;
+
+ for(unsigned i=0; i<numCerts; i++) {
+ const CSSM_TP_APPLE_EVIDENCE_INFO *thisInfo = &info[i];
+ cs = thisInfo->StatusBits;
+ printf(" cert %u:\n", i);
+ printf(" StatusBits : 0x%x", (unsigned)cs);
+ if(cs) {
+ printf(" ( ");
+ statusBitTest(cs, CSSM_CERT_STATUS_EXPIRED, "EXPIRED");
+ statusBitTest(cs, CSSM_CERT_STATUS_NOT_VALID_YET,
+ "NOT_VALID_YET");
+ statusBitTest(cs, CSSM_CERT_STATUS_IS_IN_INPUT_CERTS,
+ "IS_IN_INPUT_CERTS");
+ statusBitTest(cs, CSSM_CERT_STATUS_IS_IN_ANCHORS,
+ "IS_IN_ANCHORS");
+ statusBitTest(cs, CSSM_CERT_STATUS_IS_ROOT, "IS_ROOT");
+ statusBitTest(cs, CSSM_CERT_STATUS_IS_FROM_NET, "IS_FROM_NET");
+ statusBitTest(cs, CSSM_CERT_STATUS_TRUST_SETTINGS_FOUND_USER,
+ "TRUST_SETTINGS_FOUND_USER");
+ statusBitTest(cs, CSSM_CERT_STATUS_TRUST_SETTINGS_FOUND_ADMIN,
+ "TRUST_SETTINGS_FOUND_ADMIN");
+ statusBitTest(cs, CSSM_CERT_STATUS_TRUST_SETTINGS_FOUND_SYSTEM,
+ "TRUST_SETTINGS_FOUND_SYSTEM");
+ statusBitTest(cs, CSSM_CERT_STATUS_TRUST_SETTINGS_TRUST,
+ "TRUST_SETTINGS_TRUST");
+ statusBitTest(cs, CSSM_CERT_STATUS_TRUST_SETTINGS_DENY,
+ "TRUST_SETTINGS_DENY");
+ statusBitTest(cs, CSSM_CERT_STATUS_TRUST_SETTINGS_IGNORED_ERROR,
+ "TRUST_SETTINGS_IGNORED_ERROR");
+ printf(")\n");
+ }
+ else {
+ printf("\n");
+ }
+ printf(" NumStatusCodes : %u ",
+ (unsigned)thisInfo->NumStatusCodes);
+ for(unsigned j=0; j<thisInfo->NumStatusCodes; j++) {
+ printf("%s ",
+ cssmErrToStr(thisInfo->StatusCodes[j]));
+ }
+ printf("\n");
+ printf(" Index: %u\n", (unsigned)thisInfo->Index);
+ }
+ return;
+}
+
+/* we really only need CSSM_EVIDENCE_FORM_APPLE_CERT_INFO */
+#define SHOW_ALL_VFY_RESULTS 0
+
+void dumpVfyResult(
+ const CSSM_TP_VERIFY_CONTEXT_RESULT *vfyResult)
+{
+ unsigned numEvidences = vfyResult->NumberOfEvidences;
+ unsigned numCerts = 0;
+ printf("Returned evidence:\n");
+ for(unsigned dex=0; dex<numEvidences; dex++) {
+ CSSM_EVIDENCE_PTR ev = &vfyResult->Evidence[dex];
+ #if SHOW_ALL_VFY_RESULTS
+ printf(" Evidence %u:\n", dex);
+ #endif
+ switch(ev->EvidenceForm) {
+ case CSSM_EVIDENCE_FORM_APPLE_HEADER:
+ {
+ #if SHOW_ALL_VFY_RESULTS
+ const CSSM_TP_APPLE_EVIDENCE_HEADER *hdr =
+ (const CSSM_TP_APPLE_EVIDENCE_HEADER *)(ev->Evidence);
+ printf(" Form = HEADER; Version = %u\n", hdr->Version);
+ #endif
+ break;
+ }
+ case CSSM_EVIDENCE_FORM_APPLE_CERTGROUP:
+ {
+ const CSSM_CERTGROUP *grp =
+ (const CSSM_CERTGROUP *)ev->Evidence;
+ numCerts = grp->NumCerts;
+ #if SHOW_ALL_VFY_RESULTS
+ /* parse the rest of this eventually */
+ /* Note we depend on this coming before the CERT_INFO */
+ printf(" Form = CERTGROUP; numCerts = %u\n", numCerts);
+ #endif
+ break;
+ }
+ case CSSM_EVIDENCE_FORM_APPLE_CERT_INFO:
+ {
+ const CSSM_TP_APPLE_EVIDENCE_INFO *info =
+ (const CSSM_TP_APPLE_EVIDENCE_INFO *)ev->Evidence;
+ printCertInfo(numCerts, info);
+ break;
+ }
+ default:
+ printf("***UNKNOWN Evidence form (%u)\n",
+ (unsigned)ev->EvidenceForm);
+ break;
+ }
+ }
+}
+
+/*
+ * Obtain system anchors in CF and in CSSM_DATA form.
+ * Caller must CFRelease the returned rootArray and
+ * free() the returned CSSM_DATA array, but not its
+ * contents - SecCertificates themselves own that.
+ */
+OSStatus getSystemAnchors(
+ CFArrayRef *rootArray, /* RETURNED */
+ CSSM_DATA **anchors, /* RETURNED */
+ unsigned *numAnchors) /* RETURNED */
+{
+ OSStatus ortn;
+ CFArrayRef cfAnchors;
+ CSSM_DATA *cssmAnchors;
+
+ ortn = SecTrustSettingsCopyUnrestrictedRoots(false, false, true,
+ &cfAnchors);
+ if(ortn) {
+ cssmPerror("SecTrustSettingsCopyUnrestrictedRoots", ortn);
+ return ortn;
+ }
+ unsigned _numAnchors = CFArrayGetCount(cfAnchors);
+ cssmAnchors = (CSSM_DATA *)malloc(sizeof(CSSM_DATA) * _numAnchors);
+ unsigned dex;
+ for(dex=0; dex<_numAnchors; dex++) {
+ SecCertificateRef root = (SecCertificateRef)CFArrayGetValueAtIndex(
+ cfAnchors, dex);
+ ortn = SecCertificateGetData(root, &cssmAnchors[dex]);
+ if(ortn) {
+ cssmPerror("SecCertificateGetData", ortn);
+ return ortn;
+ }
+ }
+ *rootArray = cfAnchors;
+ *anchors = cssmAnchors;
+ *numAnchors = _numAnchors;
+ return noErr;
+}
+
+/* get a SecCertificateRef from a file */
+SecCertificateRef certFromFile(
+ const char *fileName)
+{
+ unsigned char *cp = NULL;
+ unsigned len = 0;
+ if(readFile(fileName, &cp, &len)) {
+ printf("***Error reading file %s\n", fileName);
+ return NULL;
+ }
+ SecCertificateRef certRef;
+ CSSM_DATA certData = {len, cp};
+ OSStatus ortn = SecCertificateCreateFromData(&certData,
+ CSSM_CERT_X_509v3, CSSM_CERT_ENCODING_DER, &certRef);
+ if(ortn) {
+ cssmPerror("SecCertificateCreateFromData", ortn);
+ return NULL;
+ }
+ free(cp);
+ return certRef;
+}
+
projects / apple / security.git / blobdiff