--- /dev/null
+/*
+ * cmstool.cpp - manipluate CMS messages, intended to be an alternate for the
+ * currently useless cms command in /usr/bin/security
+ */
+
+#include <Security/Security.h>
+#include <security_cdsa_utils/cuFileIo.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <utilLib/common.h>
+#include <security_cdsa_utils/cuFileIo.h>
+#include <security_cdsa_utils/cuPrintCert.h>
+#include <clAppUtils/identPicker.h>
+#include <clAppUtils/sslAppUtils.h>
+#include <security_cdsa_utils/cuOidParser.h>
+#include <CoreFoundation/CoreFoundation.h>
+#include <CoreServices/../Frameworks/CarbonCore.framework/Headers/MacErrors.h>
+#include <Security/SecCmsEncoder.h>
+#include <Security/SecCmsDecoder.h>
+#include <Security/SecCmsEncryptedData.h>
+#include <Security/SecCmsEnvelopedData.h>
+#include <Security/SecCmsMessage.h>
+#include <Security/SecCmsRecipientInfo.h>
+#include <Security/SecCmsSignedData.h>
+#include <Security/SecCmsSignerInfo.h>
+#include <Security/SecCmsContentInfo.h>
+#include <Security/SecCmsDigestContext.h>
+#include <Security/SecTrustPriv.h>
+#include <Security/SecKeychainItemPriv.h>
+#include <Security/SecCertificate.h>
+#include <Security/SecSMIME.h>
+#include <Security/oidsattr.h>
+#include <Security/SecAsn1Coder.h>
+#include <Security/secasn1t.h>
+#include <Security/SecAsn1Templates.h>
+
+static void usage(char **argv)
+{
+ printf("Usage: %s cmd [option ...]\n", argv[0]);
+ printf("cmd values:\n");
+ printf(" sign -- create signedData\n");
+ printf(" envel -- create envelopedData\n");
+ printf(" signEnv -- create nested EnvelopedData(signedData(data))\n");
+ printf(" parse -- parse a CMS message file\n");
+ printf("Options:\n");
+ printf(" -i infile\n");
+ printf(" -o outfile\n");
+ printf(" -k keychain -- Keychain to search for certs\n");
+ printf(" -p -- Use identity picker\n");
+ printf(" -r recipient -- specify recipient of enveloped data\n");
+ printf(" -c -- parse signer cert\n");
+ printf(" -v sign|encr -- verify message is signed/encrypted\n");
+ printf(" -e eContentType -- a(uthData)|r(keyData)\n");
+ printf(" -d detached -- infile contains detached content (sign only)\n");
+ printf(" -D detachedContent -- detached content (parse only)\n");
+ printf(" -q -- quiet\n");
+ exit(1);
+}
+
+/* high level op */
+typedef enum {
+ CTO_Sign,
+ CTO_Envelop,
+ CTO_SignEnvelop,
+ CTO_Parse
+} CT_Op;
+
+/* to verify */
+typedef enum {
+ CTV_None,
+ CTV_Sign,
+ CTV_Envelop,
+ CTV_SignEnvelop
+} CT_Vfy;
+
+/* additional OIDS to specify as eContentType */
+#define OID_PKINIT 0x2B, 6, 1, 5, 2, 3
+#define OID_PKINIT_LEN 6
+
+static const uint8 OID_PKINIT_AUTH_DATA[] = {OID_PKINIT, 1};
+static const uint8 OID_PKINIT_DH_KEY_DATA[] = {OID_PKINIT, 2};
+static const uint8 OID_PKINIT_RKEY_DATA[] = {OID_PKINIT, 3};
+static const uint8 OID_PKINIT_KP_CLIENTAUTH[] = {OID_PKINIT, 3};
+static const uint8 OID_PKINIT_KPKDC[] = {OID_PKINIT, 5};
+
+static const CSSM_OID CSSMOID_PKINIT_AUTH_DATA =
+ {OID_PKINIT_LEN+1, (uint8 *)OID_PKINIT_AUTH_DATA};
+static const CSSM_OID CSSMOID_PKINIT_DH_KEY_DATA =
+ {OID_PKINIT_LEN+1, (uint8 *)OID_PKINIT_DH_KEY_DATA};
+static const CSSM_OID CSSMOID_PKINIT_RKEY_DATA =
+ {OID_PKINIT_LEN+1, (uint8 *)OID_PKINIT_RKEY_DATA};
+static const CSSM_OID CSSMOID_PKINIT_KP_CLIENTAUTH =
+ {OID_PKINIT_LEN+1, (uint8 *)OID_PKINIT_KP_CLIENTAUTH};
+static const CSSM_OID CSSMOID_PKINIT_KPKDC =
+ {OID_PKINIT_LEN+1, (uint8 *)OID_PKINIT_KPKDC};
+
+typedef struct {
+ CSSM_OID contentType;
+ CSSM_DATA content;
+} SimpleContentInfo;
+
+const SecAsn1Template SimpleContentInfoTemplate[] = {
+ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SimpleContentInfo) },
+ { SEC_ASN1_OBJECT_ID, offsetof(SimpleContentInfo, contentType) },
+ { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+ offsetof(SimpleContentInfo, content),
+ kSecAsn1AnyTemplate },
+ { 0, }
+};
+
+/*
+ * Obtain the content of a contentInfo, This basically strips off the contentType OID
+ * and returns a mallocd copy of the ASN_ANY content.
+ */
+static OSStatus ContentInfoContent(
+ const unsigned char *contentInfo,
+ unsigned contentInfoLen,
+ unsigned char **content, /* mallocd and RETURNED */
+ unsigned *contentLen) /* RETURNED */
+{
+ SecAsn1CoderRef coder = NULL;
+ OSStatus ortn;
+ SimpleContentInfo decodedInfo;
+
+ ortn = SecAsn1CoderCreate(&coder);
+ if(ortn) {
+ return ortn;
+ }
+ memset(&decodedInfo, 0, sizeof(decodedInfo));
+ ortn = SecAsn1Decode(coder, contentInfo, contentInfoLen,
+ SimpleContentInfoTemplate, &decodedInfo);
+ if(ortn) {
+ goto errOut;
+ }
+ if(decodedInfo.content.Data == NULL) {
+ printf("***Error decoding contentInfo: no content\n");
+ ortn = internalComponentErr;
+ goto errOut;
+ }
+ *content = (unsigned char *)malloc(decodedInfo.content.Length);
+ memmove(*content, decodedInfo.content.Data, decodedInfo.content.Length);
+ *contentLen = decodedInfo.content.Length;
+errOut:
+ SecAsn1CoderRelease(coder);
+ return ortn;
+}
+
+/*
+ * Find a cert in specified keychain or keychain list matching specified
+ * email address. We happen to knopw that the email address is stored with the
+ * kSecKeyAlias attribute.
+ */
+static OSStatus findCert(
+ const char *emailAddress,
+ CFTypeRef kcArArray, // kc, array, or even NULL
+ SecCertificateRef *cert)
+{
+ OSStatus ortn;
+ SecKeychainSearchRef srch;
+ SecKeychainAttributeList attrList;
+ SecKeychainAttribute attr;
+
+ attr.tag = kSecKeyAlias;
+ attr.length = strlen(emailAddress);
+ attr.data = (void *)emailAddress;
+ attrList.count = 1;
+ attrList.attr = &attr;
+
+ ortn = SecKeychainSearchCreateFromAttributes(kcArArray,
+ kSecCertificateItemClass,
+ &attrList,
+ &srch);
+ if(ortn) {
+ cssmPerror("SecKeychainSearchCreateFromAttributes", ortn);
+ return ortn;
+ }
+
+ ortn = SecKeychainSearchCopyNext(srch, (SecKeychainItemRef *)cert);
+ if(ortn) {
+ printf("***No certs founmd matching recipient %s. Aborting.\n",
+ emailAddress);
+ return ortn;
+ }
+ CFRelease(srch);
+ return noErr;
+}
+
+static void evalSecTrust(
+ SecTrustRef secTrust,
+ bool quiet)
+{
+ OSStatus ortn;
+ SecTrustResultType secTrustResult;
+
+ ortn = SecTrustEvaluate(secTrust, &secTrustResult);
+ if(ortn) {
+ /* should never happen */
+ cssmPerror("SecTrustEvaluate", ortn);
+ return;
+ }
+ switch(secTrustResult) {
+ case kSecTrustResultUnspecified:
+ /* cert chain valid, no special UserTrust assignments */
+ case kSecTrustResultProceed:
+ /* cert chain valid AND user explicitly trusts this */
+ if(!quiet) {
+ fprintf(stderr, "Successful\n");
+ }
+ return;
+ case kSecTrustResultDeny:
+ case kSecTrustResultConfirm:
+ /*
+ * Cert chain may well have verified OK, but user has flagged
+ * one of these certs as untrustable.
+ */
+ printf("Not trusted per user-specified Trust level\n");
+ return;
+ default:
+ {
+ /* get low-level TP error */
+ OSStatus tpStatus;
+ ortn = SecTrustGetCssmResultCode(secTrust, &tpStatus);
+ if(ortn) {
+ cssmPerror("SecTrustGetCssmResultCode", ortn);
+ return;
+ }
+ switch(tpStatus) {
+ case CSSMERR_TP_INVALID_ANCHOR_CERT:
+ fprintf(stderr, "Untrusted root\n");
+ return;
+ case CSSMERR_TP_NOT_TRUSTED:
+ /* no root, not even in implicit SSL roots */
+ fprintf(stderr, "No root cert found\n");
+ return;
+ case CSSMERR_TP_CERT_EXPIRED:
+ fprintf(stderr, "Expired cert\n");
+ return;
+ case CSSMERR_TP_CERT_NOT_VALID_YET:
+ fprintf(stderr, "Cert not valid yet\n");
+ break;
+ default:
+ printf("Other cert failure: ");
+ cssmPerror("", tpStatus);
+ return;
+ }
+ }
+ } /* SecTrustEvaluate error */
+
+}
+static OSStatus parseSignedData(
+ SecCmsSignedDataRef signedData,
+ SecArenaPoolRef arena, /* used for detached content only */
+ const unsigned char *detachedData,
+ unsigned detachedDataLen,
+ CT_Vfy vfyOp,
+ bool quiet,
+ bool parseSignerCert)
+{
+ Boolean b;
+ b = SecCmsSignedDataHasDigests(signedData);
+ if(!quiet) {
+ printf(" has digests : %s\n", b ? "true" : "false");
+ }
+
+ SecTrustRef secTrust = NULL;
+ OSStatus ortn;
+ SecPolicyRef policy = NULL;
+ SecPolicySearchRef policySearch = NULL;
+
+ ortn = SecPolicySearchCreate(CSSM_CERT_X_509v3,
+ &CSSMOID_APPLE_X509_BASIC,
+ NULL,
+ &policySearch);
+ if(ortn) {
+ cssmPerror("SecPolicySearchCreate", ortn);
+ return ortn;
+ }
+ ortn = SecPolicySearchCopyNext(policySearch, &policy);
+ if(ortn) {
+ cssmPerror("SecPolicySearchCopyNext", ortn);
+ return ortn;
+ }
+
+ int numSigners = SecCmsSignedDataSignerInfoCount(signedData);
+ if(!quiet) {
+ printf(" num signers : %d\n", numSigners);
+ }
+ for(int dex=0; dex<numSigners; dex++) {
+ if(!quiet) {
+ fprintf(stderr, " signer %d :\n", dex);
+ fprintf(stderr, " vfy status : ");
+ }
+ Boolean b = SecCmsSignedDataHasDigests(signedData);
+ if(b) {
+ if(detachedData != NULL) {
+ fprintf(stderr, "<provided detachedContent, but msg has digests> ");
+ /* FIXME - does this make sense? Error? */
+ }
+ }
+ else if(detachedData != NULL) {
+ /* digest the detached content */
+ SECAlgorithmID **digestAlgorithms = SecCmsSignedDataGetDigestAlgs(signedData);
+ SecCmsDigestContextRef digcx = SecCmsDigestContextStartMultiple(digestAlgorithms);
+ CSSM_DATA **digests = NULL;
+
+ SecCmsDigestContextUpdate(digcx, detachedData, detachedDataLen);
+ ortn = SecCmsDigestContextFinishMultiple(digcx, arena, &digests);
+ if(ortn) {
+ fprintf(stderr, "SecCmsDigestContextFinishMultiple() returned %d\n", (int)ortn);
+ }
+ else {
+ SecCmsSignedDataSetDigests(signedData, digestAlgorithms, digests);
+ }
+ }
+ else {
+ fprintf(stderr, "<Msg has no digest: need detachedContent> ");
+ }
+ ortn = SecCmsSignedDataVerifySignerInfo(signedData, dex, NULL,
+ policy, &secTrust);
+ if(ortn) {
+ fprintf(stderr, "vfSignerInfo() returned %d\n", (int)ortn);
+ fprintf(stderr, " vfy status : ");
+ }
+ if(secTrust == NULL) {
+ fprintf(stderr, "***NO SecTrust available!\n");
+ }
+ else {
+ evalSecTrust(secTrust, quiet);
+ }
+
+ SecCmsSignerInfoRef signerInfo = SecCmsSignedDataGetSignerInfo(signedData, dex);
+ CFStringRef emailAddrs = SecCmsSignerInfoGetSignerCommonName(signerInfo);
+ char emailStr[1000];
+ if(!quiet) {
+ fprintf(stderr, " signer : ");
+ }
+ if(emailAddrs == NULL) {
+ fprintf(stderr, "<<SecCmsSignerInfoGetSignerCommonName returned NULL)>>\n");
+ }
+ else {
+ if(!CFStringGetCString(emailAddrs, emailStr, 1000, kCFStringEncodingASCII)) {
+ fprintf(stderr, "*** Error converting email address to C string\n");
+ }
+ else if(!quiet) {
+
+ fprintf(stderr, "%s\n", emailStr);
+ }
+ }
+ if(parseSignerCert) {
+ SecCertificateRef signer;
+ signer = SecCmsSignerInfoGetSigningCertificate(signerInfo, NULL);
+ if(signer) {
+ CSSM_DATA certData;
+ ortn = SecCertificateGetData(signer, &certData);
+ if(ortn) {
+ fprintf(stderr, "***Error getting signing cert data***\n");
+ cssmPerror("SecCertificateGetData", ortn);
+ }
+ else {
+ printf("========== Signer Cert==========\n\n");
+ printCert(certData.Data, certData.Length, CSSM_FALSE);
+ printf("========== End Signer Cert==========\n\n");
+ }
+ }
+ else {
+ fprintf(stderr, "***Error getting signing cert ***\n");
+ }
+ }
+ }
+ return ortn;
+}
+
+static OSStatus doParse(
+ const unsigned char *data,
+ unsigned dataLen,
+ const unsigned char *detachedData,
+ unsigned detachedDataLen,
+ CT_Vfy vfyOp,
+ bool parseSignerCert,
+ bool quiet,
+ unsigned char **outData, // mallocd and RETURNED
+ unsigned *outDataLen) // RETURNED
+{
+ if((data == NULL) || (dataLen == 0)) {
+ fprintf(stderr, "***Parse requires input file. Aborting.\n");
+ return paramErr;
+ }
+
+ SecArenaPoolRef arena = NULL;
+ SecArenaPoolCreate(1024, &arena);
+ SecCmsMessageRef cmsMsg = NULL;
+ SecCmsDecoderRef decoder;
+ OSStatus ortn;
+ OSStatus ourRtn = noErr;
+ bool foundOneSigned = false;
+ bool foundOneEnveloped = false;
+
+ ortn = SecCmsDecoderCreate(arena, NULL, NULL, NULL, NULL, NULL, NULL, &decoder);
+ if(ortn) {
+ cssmPerror("SecCmsDecoderCreate", ortn);
+ return ortn;
+ }
+ ortn = SecCmsDecoderUpdate(decoder, data, dataLen);
+ if(ortn) {
+ cssmPerror("SecCmsDecoderUpdate", ortn);
+ return ortn;
+ }
+ ortn = SecCmsDecoderFinish(decoder, &cmsMsg);
+ if(ortn) {
+ cssmPerror("SecCmsDecoderFinish", ortn);
+ return ortn;
+ }
+
+ Boolean b = SecCmsMessageIsSigned(cmsMsg);
+ switch(vfyOp) {
+ case CTV_None:
+ break;
+ case CTV_Sign:
+ if(!b) {
+ fprintf(stderr, "***Expected SignedData, but !SecCmsMessageIsSigned()\n");
+ ourRtn = -1;
+ }
+ break;
+ case CTV_SignEnvelop:
+ if(!b) {
+ fprintf(stderr, "***Expected Signed&Enveloped, but !SecCmsMessageIsSigned()\n");
+ ourRtn = -1;
+ }
+ break;
+ case CTV_Envelop:
+ if(b) {
+ fprintf(stderr, "***Expected EnvelopedData, but SecCmsMessageIsSigned() "
+ "TRUE\n");
+ ourRtn = -1;
+ }
+ break;
+ }
+ int numContentInfos = SecCmsMessageContentLevelCount(cmsMsg);
+ if(!quiet) {
+ fprintf(stderr, "=== CMS message info ===\n");
+ fprintf(stderr, " Signed : %s\n", b ? "true" : "false");
+ b = SecCmsMessageIsEncrypted(cmsMsg);
+ fprintf(stderr, " Encrypted : %s\n", b ? "true" : "false");
+ b = SecCmsMessageContainsCertsOrCrls(cmsMsg);
+ fprintf(stderr, " certs/crls : %s\n", b ? "present" : "not present");
+ fprintf(stderr, " Num ContentInfos : %d\n", numContentInfos);
+ }
+
+ /* FIXME needs work for CTV_SignEnvelop */
+ OidParser oidParser;
+ for(int dex=0; dex<numContentInfos; dex++) {
+ SecCmsContentInfoRef ci = SecCmsMessageContentLevel(cmsMsg, dex);
+ if(!quiet) {
+ /* can't use stderr - oidparser is fixed w/stdout */
+ printf(" Content Info %d :\n", dex);
+ CSSM_OID *typeOid = SecCmsContentInfoGetContentTypeOID(ci);
+ printf(" OID Tag : ");
+ if(typeOid == NULL) {
+ printf("***NONE FOUND***]n");
+ }
+ else if(typeOid->Length == 0) {
+ printf("***EMPTY***\n");
+ }
+ else {
+ char str[OID_PARSER_STRING_SIZE];
+ oidParser.oidParse(typeOid->Data, typeOid->Length, str);
+ printf("%s\n", str);
+ }
+ }
+ SECOidTag tag = SecCmsContentInfoGetContentTypeTag(ci);
+ switch(tag) {
+ case SEC_OID_PKCS7_SIGNED_DATA:
+ {
+ switch(vfyOp) {
+ case CTV_None: // caller doesn't care
+ case CTV_Sign: // got what we wanted
+ break;
+ case CTV_Envelop:
+ fprintf(stderr, "***Expected EnvelopedData, got SignedData\n");
+ ourRtn = -1;
+ break;
+ case CTV_SignEnvelop:
+ printf("CTV_SignEnvelop code on demand\n");
+ break;
+ }
+ foundOneSigned = true;
+ SecCmsSignedDataRef sd =
+ (SecCmsSignedDataRef) SecCmsContentInfoGetContent(ci);
+ parseSignedData(sd, arena,
+ detachedData, detachedDataLen,
+ vfyOp, quiet, parseSignerCert);
+ break;
+ }
+ case SEC_OID_PKCS7_DATA:
+ case SEC_OID_OTHER:
+ break;
+ case SEC_OID_PKCS7_ENVELOPED_DATA:
+ foundOneEnveloped = true;
+ if(vfyOp == CTV_Sign) {
+ fprintf(stderr, "***Expected SignedData, EnvelopedData\n");
+ ourRtn = -1;
+ break;
+ }
+ case SEC_OID_PKCS7_ENCRYPTED_DATA:
+ switch(vfyOp) {
+ case CTV_None:
+ break;
+ case CTV_Sign:
+ fprintf(stderr, "***Expected SignedData, got EncryptedData\n");
+ ourRtn = -1;
+ break;
+ case CTV_Envelop:
+ fprintf(stderr, "***Expected EnvelopedData, got EncryptedData\n");
+ ourRtn = -1;
+ break;
+ case CTV_SignEnvelop:
+ printf("CTV_SignEnvelop code on demand\n");
+ break;
+ }
+ break;
+ default:
+ fprintf(stderr, " other content type TBD\n");
+ }
+ }
+ if(outData) {
+ CSSM_DATA_PTR odata = SecCmsMessageGetContent(cmsMsg);
+ if(odata == NULL) {
+ fprintf(stderr, "***No inner content available\n");
+ }
+ else {
+ *outData = (unsigned char *)malloc(odata->Length);
+ memmove(*outData, odata->Data, odata->Length);
+ *outDataLen = odata->Length;
+ }
+ }
+ if(arena) {
+ SecArenaPoolFree(arena, false);
+ }
+ switch(vfyOp) {
+ case CTV_None:
+ break;
+ case CTV_Sign:
+ if(!foundOneSigned) {
+ fprintf(stderr, "Expected signed, never saw a SignedData\n");
+ ourRtn = -1;
+ }
+ break;
+ case CTV_Envelop:
+ if(!foundOneEnveloped) {
+ fprintf(stderr, "Expected enveloped, never saw an EnvelopedData\n");
+ ourRtn = -1;
+ }
+ break;
+ case CTV_SignEnvelop:
+ if(!foundOneSigned) {
+ fprintf(stderr, "Expected signed, never saw a SignedData\n");
+ ourRtn = -1;
+ }
+ if(!foundOneEnveloped) {
+ fprintf(stderr, "Expected enveloped, never saw an EnvelopedData\n");
+ ourRtn = -1;
+ }
+ break;
+ }
+ /* free decoder? cmsMsg? */
+ return ourRtn;
+}
+
+/*
+ * Common encode routine.
+ */
+#if 1
+/* the simple way, when 3655861 is fixed */
+static OSStatus encodeCms(
+ SecCmsMessageRef cmsMsg,
+ const unsigned char *inData, // add in this
+ unsigned inDataLen,
+ unsigned char **outData, // mallocd and RETURNED
+ unsigned *outDataLen) // RETURNED
+{
+ SecArenaPoolRef arena = NULL;
+ SecArenaPoolCreate(1024, &arena);
+ CSSM_DATA cdataIn = {inDataLen, (uint8 *)inData};
+ CSSM_DATA cdataOut = {0, NULL};
+
+ OSStatus ortn = SecCmsMessageEncode(cmsMsg, &cdataIn, arena, &cdataOut);
+ if((ortn == noErr) && (cdataOut.Length != 0)) {
+ *outData = (unsigned char *)malloc(cdataOut.Length);
+ memmove(*outData, cdataOut.Data, cdataOut.Length);
+ *outDataLen = cdataOut.Length;
+ }
+ else {
+ cssmPerror("SecCmsMessageEncode", ortn);
+ *outData = NULL;
+ *outDataLen = 0;
+ }
+ SecArenaPoolFree(arena, false);
+ return ortn;
+}
+
+#else
+
+/* the hard way back when SecCmsMessageEncode() didn't work */
+static OSStatus encodeCms(
+ SecCmsMessageRef cmsMsg,
+ const unsigned char *inData, // add in this
+ unsigned inDataLen,
+ unsigned char **outData, // mallocd and RETURNED
+ unsigned *outDataLen) // RETURNED
+{
+ SecArenaPoolRef arena = NULL;
+ SecArenaPoolCreate(1024, &arena);
+ SecCmsEncoderRef cmsEnc = NULL;
+ CSSM_DATA output = { 0, NULL };
+ OSStatus ortn;
+
+ ortn = SecCmsEncoderCreate(cmsMsg,
+ NULL, NULL, // no callback
+ &output, arena, // data goes here
+ NULL, NULL, // no password callback (right?)
+ NULL, NULL, // decrypt key callback
+ NULL, NULL, // detached digests
+ &cmsEnc);
+ if(ortn) {
+ cssmPerror("SecKeychainItemCopyKeychain", ortn);
+ goto errOut;
+ }
+ ortn = SecCmsEncoderUpdate(cmsEnc, (char *)inData, inDataLen);
+ if(ortn) {
+ cssmPerror("SecCmsEncoderUpdate", ortn);
+ goto errOut;
+ }
+ ortn = SecCmsEncoderFinish(cmsEnc);
+ if(ortn) {
+ cssmPerror("SecCMsEncoderFinish", ortn);
+ goto errOut;
+ }
+
+ /* Did we get any data? */
+ if(output.Length) {
+ *outData = (unsigned char *)malloc(output.Length);
+ memmove(*outData, output.Data, output.Length);
+ *outDataLen = output.Length;
+ }
+ else {
+ *outData = NULL;
+ *outDataLen = 0;
+ }
+errOut:
+ if(arena) {
+ SecArenaPoolFree(arena, false);
+ }
+ return ortn;
+}
+
+#endif
+
+static OSStatus doSign(
+ SecIdentityRef signerId,
+ const unsigned char *inData,
+ unsigned inDataLen,
+ bool detachedContent,
+ const CSSM_OID *eContentType, // OPTIONAL
+ unsigned char **outData, // mallocd and RETURNED
+ unsigned *outDataLen) // RETURNED
+{
+ if((inData == NULL) || (inDataLen == 0) || (outData == NULL)) {
+ fprintf(stderr, "***Sign requires input file. Aborting.\n");
+ return paramErr;
+ }
+ if(signerId == NULL) {
+ fprintf(stderr, "***Sign requires a signing identity. Aborting.\n");
+ return paramErr;
+ }
+
+ SecCmsMessageRef cmsMsg = NULL;
+ SecCmsContentInfoRef contentInfo = NULL;
+ SecCmsSignedDataRef signedData = NULL;
+ SecCertificateRef ourCert = NULL;
+ SecCmsSignerInfoRef signerInfo;
+ OSStatus ortn;
+ SecKeychainRef ourKc = NULL;
+
+ ortn = SecIdentityCopyCertificate(signerId, &ourCert);
+ if(ortn) {
+ cssmPerror("SecIdentityCopyCertificate", ortn);
+ return ortn;
+ }
+ ortn = SecKeychainItemCopyKeychain((SecKeychainItemRef)ourCert, &ourKc);
+ if(ortn) {
+ cssmPerror("SecKeychainItemCopyKeychain", ortn);
+ goto errOut;
+ }
+
+ // build chain of objects: message->signedData->data
+ cmsMsg = SecCmsMessageCreate(NULL);
+ if(cmsMsg == NULL) {
+ fprintf(stderr, "***Error creating SecCmsMessageRef\n");
+ ortn = -1;
+ goto errOut;
+ }
+ signedData = SecCmsSignedDataCreate(cmsMsg);
+ if(signedData == NULL) {
+ printf("***Error creating SecCmsSignedDataRef\n");
+ ortn = -1;
+ goto errOut;
+ }
+ contentInfo = SecCmsMessageGetContentInfo(cmsMsg);
+ ortn = SecCmsContentInfoSetContentSignedData(cmsMsg, contentInfo, signedData);
+ if(ortn) {
+ cssmPerror("SecCmsContentInfoSetContentSignedData", ortn);
+ goto errOut;
+ }
+ contentInfo = SecCmsSignedDataGetContentInfo(signedData);
+ if(eContentType != NULL) {
+ ortn = SecCmsContentInfoSetContentOther(cmsMsg, contentInfo,
+ NULL /* data */,
+ detachedContent,
+ eContentType);
+ if(ortn) {
+ cssmPerror("SecCmsContentInfoSetContentData", ortn);
+ goto errOut;
+ }
+ }
+ else {
+ ortn = SecCmsContentInfoSetContentData(cmsMsg, contentInfo, NULL /* data */,
+ detachedContent);
+ if(ortn) {
+ cssmPerror("SecCmsContentInfoSetContentData", ortn);
+ goto errOut;
+ }
+ }
+
+ /*
+ * create & attach signer information
+ */
+ signerInfo = SecCmsSignerInfoCreate(cmsMsg, signerId, SEC_OID_SHA1);
+ if (signerInfo == NULL) {
+ fprintf(stderr, "***Error on SecCmsSignerInfoCreate\n");
+ ortn = -1;
+ goto errOut;
+ }
+ /* we want the cert chain included for this one */
+ /* FIXME - what's the significance of the usage? */
+ ortn = SecCmsSignerInfoIncludeCerts(signerInfo, SecCmsCMCertChain, certUsageEmailSigner);
+ if(ortn) {
+ cssmPerror("SecCmsSignerInfoIncludeCerts", ortn);
+ goto errOut;
+ }
+
+ /* other options go here - signing time, etc. */
+
+ ortn = SecCmsSignerInfoAddSMIMEEncKeyPrefs(signerInfo, ourCert, ourKc);
+ if(ortn) {
+ cssmPerror("SecCmsSignerInfoAddSMIMEEncKeyPrefs", ortn);
+ goto errOut;
+ }
+ ortn = SecCmsSignedDataAddCertificate(signedData, ourCert);
+ if(ortn) {
+ cssmPerror("SecCmsSignedDataAddCertificate", ortn);
+ goto errOut;
+ }
+
+ ortn = SecCmsSignedDataAddSignerInfo(signedData, signerInfo);
+ if(ortn) {
+ cssmPerror("SecCmsSignedDataAddSignerInfo", ortn);
+ goto errOut;
+ }
+
+ /* go */
+ ortn = encodeCms(cmsMsg, inData, inDataLen, outData, outDataLen);
+errOut:
+ /* free resources */
+ if(cmsMsg) {
+ SecCmsMessageDestroy(cmsMsg);
+ }
+ if(ourCert) {
+ CFRelease(ourCert);
+ }
+ if(ourKc) {
+ CFRelease(ourKc);
+ }
+ return ortn;
+}
+
+static OSStatus doEncrypt(
+ SecCertificateRef recipCert, // eventually more than one
+ const unsigned char *inData,
+ unsigned inDataLen,
+ unsigned char **outData, // mallocd and RETURNED
+ unsigned *outDataLen) // RETURNED
+{
+ if((inData == NULL) || (inDataLen == 0) || (outData == NULL)) {
+ fprintf(stderr, "***Encrypt requires input file. Aborting.\n");
+ return paramErr;
+ }
+ if(recipCert == NULL) {
+ fprintf(stderr, "***Encrypt requires a recipient certificate. Aborting.\n");
+ return paramErr;
+ }
+
+ SecCmsMessageRef cmsMsg = NULL;
+ SecCmsContentInfoRef contentInfo = NULL;
+ SecCmsEnvelopedDataRef envelopedData = NULL;
+ SecCmsRecipientInfoRef recipientInfo = NULL;
+ OSStatus ortn;
+ SecCertificateRef allCerts[2] = { recipCert, NULL};
+
+ SECOidTag algorithmTag;
+ int keySize;
+
+ ortn = SecSMIMEFindBulkAlgForRecipients(allCerts, &algorithmTag, &keySize);
+ if(ortn) {
+ cssmPerror("SecSMIMEFindBulkAlgForRecipients", ortn);
+ return ortn;
+ }
+
+ // build chain of objects: message->envelopedData->data
+ cmsMsg = SecCmsMessageCreate(NULL);
+ if(cmsMsg == NULL) {
+ fprintf(stderr, "***Error creating SecCmsMessageRef\n");
+ ortn = -1;
+ goto errOut;
+ }
+ envelopedData = SecCmsEnvelopedDataCreate(cmsMsg, algorithmTag, keySize);
+ if(envelopedData == NULL) {
+ fprintf(stderr, "***Error creating SecCmsEnvelopedDataRef\n");
+ ortn = -1;
+ goto errOut;
+ }
+ contentInfo = SecCmsMessageGetContentInfo(cmsMsg);
+ ortn = SecCmsContentInfoSetContentEnvelopedData(cmsMsg, contentInfo, envelopedData);
+ if(ortn) {
+ cssmPerror("SecCmsContentInfoSetContentEnvelopedData", ortn);
+ goto errOut;
+ }
+ contentInfo = SecCmsEnvelopedDataGetContentInfo(envelopedData);
+ ortn = SecCmsContentInfoSetContentData(cmsMsg, contentInfo, NULL /* data */, false);
+ if(ortn) {
+ cssmPerror("SecCmsContentInfoSetContentData", ortn);
+ goto errOut;
+ }
+
+ /*
+ * create & attach recipient information
+ */
+ recipientInfo = SecCmsRecipientInfoCreate(cmsMsg, recipCert);
+ ortn = SecCmsEnvelopedDataAddRecipient(envelopedData, recipientInfo);
+ if(ortn) {
+ cssmPerror("SecCmsEnvelopedDataAddRecipient", ortn);
+ goto errOut;
+ }
+
+
+ /* go */
+ ortn = encodeCms(cmsMsg, inData, inDataLen, outData, outDataLen);
+errOut:
+ /* free resources */
+ if(cmsMsg) {
+ SecCmsMessageDestroy(cmsMsg);
+ }
+ return ortn;
+}
+
+/* create nested message: msg = EnvelopedData(SignedData(inData)) */
+static OSStatus doSignEncrypt(
+ SecCertificateRef recipCert, // encryption recipient
+ SecIdentityRef signerId, // signer
+ const CSSM_OID *eContentType, // OPTIONAL - for signedData
+ const unsigned char *inData,
+ unsigned inDataLen,
+ unsigned char **outData, // mallocd and RETURNED
+ unsigned *outDataLen) // RETURNED
+{
+ if((inData == NULL) || (inDataLen == 0) || (outData == NULL)) {
+ fprintf(stderr, "***Sign/Encrypt requires input file. Aborting.\n");
+ return paramErr;
+ }
+ if(recipCert == NULL) {
+ fprintf(stderr, "***Sign/Encrypt requires a recipient certificate. Aborting.\n");
+ return paramErr;
+ }
+ if(signerId == NULL) {
+ fprintf(stderr, "***Sign/Encrypt requires a signer Identity. Aborting.\n");
+ return paramErr;
+ }
+
+ OSStatus ortn;
+ unsigned char *signedData = NULL;
+ unsigned signedDataLen = 0;
+ SecCmsMessageRef cmsMsg = NULL;
+ SecCmsContentInfoRef contentInfo = NULL;
+ SecCmsEnvelopedDataRef envelopedData = NULL;
+ SecCmsRecipientInfoRef recipientInfo = NULL;
+ SecCertificateRef allCerts[2] = { recipCert, NULL};
+ SECOidTag algorithmTag;
+ int keySize;
+
+ /* first get a SignedData */
+ ortn = doSign(signerId, inData, inDataLen,
+ false, /* can't do detached content here */
+ eContentType,
+ &signedData, &signedDataLen);
+ if(ortn) {
+ printf("***Error generating inner signedData. Aborting.\n");
+ return ortn;
+ }
+
+ /* extract just the content - don't need the whole ContentINfo */
+ unsigned char *signedDataContent = NULL;
+ unsigned signedDataContentLen = 0;
+ ortn = ContentInfoContent(signedData, signedDataLen, &signedDataContent, &signedDataContentLen);
+ if(ortn) {
+ goto errOut;
+ }
+
+ /* now wrap that in an EnvelopedData */
+ ortn = SecSMIMEFindBulkAlgForRecipients(allCerts, &algorithmTag, &keySize);
+ if(ortn) {
+ cssmPerror("SecSMIMEFindBulkAlgForRecipients", ortn);
+ return ortn;
+ }
+
+ // build chain of objects: message->envelopedData->data
+ cmsMsg = SecCmsMessageCreate(NULL);
+ if(cmsMsg == NULL) {
+ fprintf(stderr, "***Error creating SecCmsMessageRef\n");
+ ortn = -1;
+ goto errOut;
+ }
+ envelopedData = SecCmsEnvelopedDataCreate(cmsMsg, algorithmTag, keySize);
+ if(envelopedData == NULL) {
+ fprintf(stderr, "***Error creating SecCmsEnvelopedDataRef\n");
+ ortn = -1;
+ goto errOut;
+ }
+ contentInfo = SecCmsMessageGetContentInfo(cmsMsg);
+ ortn = SecCmsContentInfoSetContentEnvelopedData(cmsMsg, contentInfo, envelopedData);
+ if(ortn) {
+ cssmPerror("SecCmsContentInfoSetContentEnvelopedData", ortn);
+ goto errOut;
+ }
+ contentInfo = SecCmsEnvelopedDataGetContentInfo(envelopedData);
+
+ /* here's the difference: we override the 'data' content with a SignedData type,
+ * but we fool the smime lib into thinking it's a plain old data so it doesn't try
+ * to encode the SignedData */
+ ortn = SecCmsContentInfoSetContentOther(cmsMsg, contentInfo,
+ NULL /* data */,
+ false,
+ &CSSMOID_PKCS7_SignedData);
+ if(ortn) {
+ cssmPerror("SecCmsContentInfoSetContentData", ortn);
+ goto errOut;
+ }
+
+ /*
+ * create & attach recipient information
+ */
+ recipientInfo = SecCmsRecipientInfoCreate(cmsMsg, recipCert);
+ ortn = SecCmsEnvelopedDataAddRecipient(envelopedData, recipientInfo);
+ if(ortn) {
+ cssmPerror("SecCmsEnvelopedDataAddRecipient", ortn);
+ goto errOut;
+ }
+
+
+ /* go */
+ ortn = encodeCms(cmsMsg, signedDataContent, signedDataContentLen, outData, outDataLen);
+errOut:
+ /* free resources */
+ if(cmsMsg) {
+ SecCmsMessageDestroy(cmsMsg);
+ }
+ if(signedData) {
+ free(signedData);
+ }
+ if(signedDataContent) {
+ free(signedDataContent);
+ }
+ return ortn;
+}
+
+int main(int argc, char **argv)
+{
+ if(argc < 2) {
+ usage(argv);
+ }
+
+ CT_Op op;
+ bool needId = false;
+ if(!strcmp(argv[1], "sign")) {
+ op = CTO_Sign;
+ needId = true;
+ }
+ else if(!strcmp(argv[1], "envel")) {
+ op = CTO_Envelop;
+ }
+ else if(!strcmp(argv[1], "signEnv")) {
+ op = CTO_SignEnvelop;
+ needId = true;
+ }
+ else if(!strcmp(argv[1], "parse")) {
+ op = CTO_Parse;
+ }
+ else {
+ fprintf(stderr, "***Unrecognized cmd.\n");
+ usage(argv);
+ }
+
+ extern int optind;
+ extern char *optarg;
+ int arg;
+
+ /* optional args */
+ const char *keychainName = NULL;
+ char *inFileName = NULL;
+ char *outFileName = NULL;
+ bool detachedContent = false;
+ char *detachedFile = NULL;
+ bool useIdPicker = false;
+ char *recipient = NULL;
+ bool quiet = false;
+ bool parseSignerCert = false;
+ CT_Vfy vfyOp = CTV_None;
+ const CSSM_OID *eContentType = NULL;
+
+ optind = 2;
+ while ((arg = getopt(argc, argv, "i:o:k:pr:e:dD:qcv:")) != -1) {
+ switch (arg) {
+ case 'i':
+ inFileName = optarg;
+ break;
+ case 'o':
+ outFileName = optarg;
+ break;
+ case 'k':
+ keychainName = optarg;
+ break;
+ case 'p':
+ useIdPicker = true;
+ break;
+ case 'r':
+ recipient = optarg;
+ break;
+ case 'c':
+ parseSignerCert = true;
+ break;
+ case 'v':
+ if(!strcmp(optarg, "sign")) {
+ vfyOp = CTV_Sign;
+ }
+ else if(!strcmp(optarg, "encr")) {
+ vfyOp = CTV_Envelop;
+ }
+ else if(!strcmp(optarg, "signEnv")) {
+ vfyOp = CTV_SignEnvelop;
+ }
+ else {
+ usage(argv);
+ }
+ break;
+ case 'e':
+ switch(optarg[0]) {
+ case 'a':
+ eContentType = &CSSMOID_PKINIT_AUTH_DATA;
+ break;
+ case 'r':
+ eContentType = &CSSMOID_PKINIT_RKEY_DATA;
+ break;
+ default:
+ usage(argv);
+ }
+ break;
+ case 'd':
+ if(op != CTO_Sign) {
+ printf("-d only valid for op sign\n");
+ exit(1);
+ }
+ detachedContent = true;
+ break;
+ case 'D':
+ if(op != CTO_Parse) {
+ printf("-D only valid for op sign\n");
+ exit(1);
+ }
+ detachedFile = optarg;
+ break;
+ case 'q':
+ quiet = true;
+ break;
+ default:
+ case '?':
+ usage(argv);
+ }
+ }
+ if(optind != argc) {
+ /* getopt does not return '?' */
+ usage(argv);
+ }
+
+ SecIdentityRef idRef = NULL;
+ SecKeychainRef kcRef = NULL;
+ SecCertificateRef recipientCert = NULL;
+ unsigned char *inData = NULL;
+ unsigned inDataLen = 0;
+ unsigned char *outData = NULL;
+ unsigned outDataLen = 0;
+ unsigned char *detachedData = NULL;
+ unsigned detachedDataLen = 0;
+ OSStatus ortn;
+
+ if(inFileName) {
+ if(readFile(inFileName, &inData, &inDataLen)) {
+ fprintf(stderr, "***Error reading infile %s. Aborting.\n", inFileName);
+ exit(1);
+ }
+ }
+ if(detachedFile) {
+ if(readFile(detachedFile, &detachedData, &detachedDataLen)) {
+ fprintf(stderr, "***Error reading detachedFile %s. Aborting.\n", detachedFile);
+ exit(1);
+ }
+ }
+ if(keychainName) {
+ ortn = SecKeychainOpen(keychainName, &kcRef);
+ if(ortn) {
+ cssmPerror("SecKeychainOpen", ortn);
+ exit(1);
+ }
+ }
+ if(useIdPicker) {
+ ortn = sslSimpleIdentPicker(kcRef, &idRef);
+ if(ortn) {
+ fprintf(stderr, "***Error obtaining identity via picker. Aborting.\n");
+ exit(1);
+ }
+ }
+ else if(needId) {
+ /* use first identity in specified keychain */
+ CFArrayRef array = sslKcRefToCertArray(kcRef, CSSM_FALSE, CSSM_FALSE,
+ NULL, // no verify policy
+ NULL);
+ if(array == NULL) {
+ fprintf(stderr, "***Error finding a signing cert. Aborting.\n");
+ exit(1);
+ }
+ idRef = (SecIdentityRef)CFArrayGetValueAtIndex(array, 0);
+ if(idRef == NULL) {
+ fprintf(stderr, "***No identities found. Aborting.\n");
+ exit(1);
+ }
+ CFRetain(idRef);
+ CFRelease(array);
+ }
+ if(recipient) {
+ ortn = findCert(recipient, kcRef, &recipientCert);
+ if(ortn) {
+ exit(1);
+ }
+ }
+
+ switch(op) {
+ case CTO_Sign:
+ ortn = doSign(idRef, inData, inDataLen,
+ detachedContent, eContentType,
+ &outData, &outDataLen);
+ break;
+ case CTO_Envelop:
+ if(recipientCert == NULL) {
+ if(idRef == NULL) {
+ printf("***Need a recipient or an identity to encrypt\n");
+ exit(1);
+ }
+ ortn = SecIdentityCopyCertificate(idRef, &recipientCert);
+ if(ortn) {
+ cssmPerror("SecIdentityCopyCertificate", ortn);
+ exit(1);
+ }
+ }
+ ortn = doEncrypt(recipientCert, inData, inDataLen, &outData, &outDataLen);
+ break;
+ case CTO_SignEnvelop:
+ ortn = doSignEncrypt(recipientCert, idRef, eContentType,
+ inData, inDataLen, &outData, &outDataLen);
+ break;
+ case CTO_Parse:
+ ortn = doParse(inData, inDataLen,
+ detachedData, detachedDataLen,
+ vfyOp, parseSignerCert, quiet,
+ &outData, &outDataLen);
+ break;
+ }
+ if(ortn) {
+ goto errOut;
+ }
+ if(outData && outFileName) {
+ if(writeFile(outFileName, outData, outDataLen)) {
+ fprintf(stderr, "***Error writing to %s.\n", outFileName);
+ ortn = -1;
+ }
+ else {
+ if(!quiet) {
+ fprintf(stderr, "...wrote %u bytes to %s.\n", outDataLen, outFileName);
+ }
+ }
+ }
+ else if(outData) {
+ fprintf(stderr, "...generated %u bytes but no place to write it.\n", outDataLen);
+ }
+ else if(outFileName) {
+ fprintf(stderr, "...nothing to write to file %s.\n", outFileName);
+ /* assume this is an error, caller wanted something */
+ ortn = -1;
+ }
+errOut:
+ return ortn;
+}
projects / apple / security.git / blobdiff