--- /dev/null
+/*
+ * crlTool.cpp
+ */
+
+#include <stdlib.h>
+#include <strings.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <security_cdsa_utils/cuFileIo.h>
+#include <utilLib/common.h>
+#include <clAppUtils/clutils.h>
+#include <clAppUtils/CertParser.h>
+#include <Security/Security.h>
+#include "crlNetwork.h"
+#include <security_cdsa_utils/cuPrintCert.h>
+#define LOOPS_DEF 100
+
+static void usage(char **argv)
+{
+ printf("usage: %s [options]\n", argv[0]);
+ printf("Options:\n");
+ printf(" -c certFile -- obtain CRL via net from this cert\n");
+ printf(" -C crlFile -- CRL from this file\n");
+ printf(" -p -- parse the CRL\n");
+ printf(" -o outFile -- write the fetched CRL to this file\n");
+ printf(" -v -- verbose CRL dump\n");
+ /* etc. */
+ exit(1);
+}
+
+static int fetchCrlViaGeneralNames(
+ const CE_GeneralNames *names,
+ unsigned char **crl, // mallocd and RETURNED
+ size_t *crlLen) // RETURNED
+{
+ CSSM_DATA crlData = {0, NULL};
+ CSSM_RETURN crtn;
+
+ for(unsigned nameDex=0; nameDex<names->numNames; nameDex++) {
+ CE_GeneralName *name = &names->generalName[nameDex];
+ switch(name->nameType) {
+ case GNT_URI:
+ if(name->name.Length < 5) {
+ continue;
+ }
+ if(strncmp((char *)name->name.Data, "ldap:", 5) &&
+ strncmp((char *)name->name.Data, "http:", 5) &&
+ strncmp((char *)name->name.Data, "https:", 6)) {
+ /* eventually handle other schemes here */
+ continue;
+ }
+
+ /* OK, we can do this */
+ crtn = crlNetFetch(&name->name, LT_Crl, &crlData);
+ if(crtn) {
+ printf("...net fetch error\n");
+ return 1;
+ }
+ *crl = crlData.Data;
+ *crlLen = crlData.Length;
+ return 0;
+
+ default:
+ printf("fetchCrlViaGeneralNames: unknown"
+ "nameType (%u)", (unsigned)name->nameType);
+ break;
+ }
+ }
+ printf("...GNT_URI name not found in GeneralNames\n");
+ return 1;
+}
+
+static int fetchCrl(
+ CertParser &cert,
+ unsigned char **crl, // mallocd and RETURNED
+ size_t *crlLen) // RETURNED
+{
+ CE_CRLDistPointsSyntax *dps = (CE_CRLDistPointsSyntax *)
+ cert.extensionForOid(CSSMOID_CrlDistributionPoints);
+
+ *crl = NULL;
+ *crlLen = 0;
+ if(dps == NULL) {
+ /* not an error, just indicate NULL return */
+ printf("***No CrlDistributionPoints in this cert.\n");
+ return 0;
+ }
+ for(unsigned dex=0; dex<dps->numDistPoints; dex++) {
+
+ CE_CRLDistributionPoint *dp = &dps->distPoints[dex];
+ if(dp->distPointName == NULL) {
+ continue;
+ }
+ switch(dp->distPointName->nameType) {
+ case CE_CDNT_NameRelativeToCrlIssuer:
+ printf("...CE_CDNT_NameRelativeToCrlIssuer not implemented\n");
+ break;
+
+ case CE_CDNT_FullName:
+ {
+ CE_GeneralNames *names = dp->distPointName->dpn.fullName;
+ int rtn = fetchCrlViaGeneralNames(names, crl, crlLen);
+ if(rtn == 0) {
+ return 0;
+ }
+ /* else try again if there's another name */
+ break;
+ } /* CE_CDNT_FullName */
+
+ default:
+ /* not yet */
+ printf("unknown distPointName->nameType (%u)\n",
+ (unsigned)dp->distPointName->nameType);
+ break;
+ } /* switch distPointName->nameType */
+ } /* for each distPoints */
+ printf("...CrlDistributionPoints found, but nothing we can use.\n");
+ return 0;
+}
+
+int main(int argc, char **argv)
+{
+ char *certFile = NULL;
+ char *crlFile = NULL;
+ unsigned char *certData;
+ unsigned certDataLen;
+ bool doParse = false;
+ char *outFile = NULL;
+ CSSM_BOOL verbose = CSSM_FALSE;
+ unsigned char *crl = NULL;
+ size_t crlLen = 0;
+ int rtn = -1;
+
+ if(argc < 2) {
+ usage(argv);
+ }
+
+ extern char *optarg;
+ int arg;
+ while ((arg = getopt(argc, argv, "c:C:po:vh")) != -1) {
+ switch (arg) {
+ case 'c':
+ certFile = optarg;
+ break;
+ case 'C':
+ crlFile = optarg;
+ break;
+ case 'p':
+ doParse = true;
+ break;
+ case 'o':
+ outFile = optarg;
+ break;
+ case 'v':
+ verbose = CSSM_TRUE;
+ break;
+ case 'h':
+ usage(argv);
+ }
+ }
+ if(optind != argc) {
+ usage(argv);
+ }
+ if((certFile != NULL) && (crlFile != NULL)) {
+ printf("***crlFile and certFile are mutually exclusive.\n");
+ usage(argv);
+ }
+ if((certFile == NULL) && (crlFile == NULL)) {
+ printf("***Must specify either certFile or crlFile\n");
+ usage(argv);
+ }
+
+ CSSM_RETURN crtn;
+ CSSM_CL_HANDLE clHand = clStartup();
+ CertParser parser(clHand);
+
+ if(crlFile) {
+ unsigned len;
+ if(readFile(crlFile, &crl, &len)) {
+ printf("***Error reading %s. Aborting.\n", crlFile);
+ exit(1);
+ }
+ crlLen = len;
+ }
+ if(certFile) {
+ if(readFile(certFile, &certData, &certDataLen)) {
+ printf("***Error reading %s. Aborting.\n", certFile);
+ exit(1);
+ }
+ CSSM_DATA cdata = {certDataLen, certData};
+ crtn = parser.initWithData(cdata);
+ if(crtn) {
+ printf("Error parsing cert %s. Aborting.\n", certFile);
+ exit(1);
+ }
+ rtn = fetchCrl(parser, &crl, &crlLen);
+ if(rtn) {
+ printf("***aborting.\n");
+ exit(1);
+ }
+ }
+
+ if(doParse) {
+ if(crl == NULL) {
+ printf("...parse specified but no CRL found.\n");
+ }
+ else {
+ if(certFile != NULL) {
+ printf("============== CRL for cert %s ==============\n", certFile);
+ }
+ printCrl(crl, crlLen, verbose);
+ if(certFile != NULL) {
+ printf("============== end of CRL ==============\n");
+ }
+ }
+ }
+ if(outFile) {
+ if(crl == NULL) {
+ printf("...outFile specified but no CRL found.\n");
+ }
+ else {
+ if(writeFile(outFile, crl, crlLen)) {
+ printf("***Error writing CRL to %s.\n", outFile);
+ rtn = 1;
+ }
+ else {
+ printf("...wrote %u bytes to %s\n", (unsigned)crlLen, outFile);
+ }
+ }
+ }
+ return rtn;
+}
projects / apple / security.git / blobdiff