--- /dev/null
+/*
+ * dotMacArchive.cpp - test and demonstrate use of dotmacp_tp.bundle to
+ * manipulate Identity archives ont he .mac server.
+ */
+#include <Security/Security.h>
+#include <Security/SecImportExport.h>
+#include <Security/SecCertificateRequest.h>
+//#include <security_dotmac_tp/dotMacTp.h>
+#include <dotMacTp.h>
+#include "identSearch.h"
+#include "dotMacTpAttach.h"
+#include <unistd.h>
+#include <security_cdsa_utils/cuCdsaUtils.h>
+#include <security_cdsa_utils/cuFileIo.h>
+#include <CoreServices/../Frameworks/CarbonCore.framework/Headers/MacErrors.h>
+
+/*
+ * Defaults for the test setup du jour
+ */
+#define USER_DEFAULT "dmitch_new"
+#define PWD_DEFAULT "password"
+#define ARCHIVE_NAME_DEFAULT "dmitch_new"
+#define HOST_DEFAULT "certmgmt.mac.com"
+
+/*
+ * Type of archive op
+ */
+typedef enum {
+ AO_List,
+ AO_Store,
+ AO_Fetch,
+ AO_Remove
+} ArchiveOp;
+
+static void usage(char **argv)
+{
+ printf("usage: %s op [options]\n", argv[0]);
+ printf("Op:\n");
+ printf(" l -- list archive contents\n");
+ printf(" s -- store archive\n");
+ printf(" f -- fetch archive\n");
+ printf(" r -- remove archive(s)\n");
+ printf("Options:\n");
+ printf(" -u username -- Default is %s\n", USER_DEFAULT);
+ printf(" -Z password -- default is %s\n", PWD_DEFAULT);
+ printf(" -n archiveName -- default is %s\n", ARCHIVE_NAME_DEFAULT);
+ printf(" -k keychain -- Source/destination of archive\n");
+ printf(" -H hostname -- Alternate .mac server host name (default %s)\n",
+ HOST_DEFAULT);
+ printf(" -o outFile -- write P12 blob to outFile\n");
+ printf(" -z p12Phrase -- PKCS12 passphrase (default is GUI prompt)\n");
+ printf(" -M -- Pause for MallocDebug\n");
+ printf(" -l -- loop\n");
+ exit(1);
+}
+
+/* print a string in the form of a CSSM_DATA */
+static void printString(
+ const CSSM_DATA *str)
+{
+ for(unsigned dex=0; dex<str->Length; dex++) {
+ printf("%c", str->Data[dex]);
+ }
+}
+
+
+/*
+ * Post a .mac archive request, with a small number of options.
+ */
+static CSSM_RETURN dotMacPostArchiveRequest(
+ ArchiveOp op,
+ CSSM_TP_HANDLE tpHand,
+ /* required fields for all ops */
+ const CSSM_DATA *userName, // REQUIRED, C string
+ const CSSM_DATA *password, // REQUIRED, C string
+
+ /* optional (per op, that is...) fields */
+ const CSSM_DATA *hostName, // optional alternate host
+ const CSSM_DATA *archiveName, // required for store, fetch, remove
+ const CSSM_DATA *timeString, // required for store
+ const CSSM_DATA *pfxIn, // required for store
+ CSSM_DATA *pfxOut, // required and RETURNED for fetch
+ unsigned *numArchives, // required and RETURNED for list
+ DotMacArchive **archives) // required and RETURNED for list
+{
+ CSSM_RETURN crtn;
+ CSSM_TP_AUTHORITY_ID tpAuthority;
+ CSSM_TP_AUTHORITY_ID *tpAuthPtr = NULL;
+ CSSM_NET_ADDRESS tpNetAddrs;
+ CSSM_APPLE_DOTMAC_TP_ARCHIVE_REQUEST archReq;
+ CSSM_TP_REQUEST_SET reqSet;
+ CSSM_TP_CALLERAUTH_CONTEXT callerAuth;
+ sint32 estTime;
+ CSSM_DATA refId = {0, NULL};
+ CSSM_FIELD policyField;
+ const CSSM_OID *opOid = NULL;
+
+ if((tpHand == 0) || (userName == NULL) || (password == NULL)) {
+ printf("dotMacPostArchiveRequest: illegal common args\n");
+ return paramErr;
+ }
+ switch(op) {
+ case AO_List:
+ if((numArchives == NULL) || (archives == NULL)) {
+ printf("dotMacPostArchiveRequest: illegal AO_List args\n");
+ return paramErr;
+ }
+ opOid = &CSSMOID_DOTMAC_CERT_REQ_ARCHIVE_LIST;
+ break;
+ case AO_Store:
+ if((archiveName == NULL) || (timeString == NULL) || (pfxIn == NULL)) {
+ printf("dotMacPostArchiveRequest: illegal AO_Store args\n");
+ return paramErr;
+ }
+ opOid = &CSSMOID_DOTMAC_CERT_REQ_ARCHIVE_STORE;
+ break;
+ case AO_Fetch:
+ if((archiveName == NULL) || (pfxOut == NULL)) {
+ printf("dotMacPostArchiveRequest: illegal AO_Fetch args\n");
+ return paramErr;
+ }
+ opOid = &CSSMOID_DOTMAC_CERT_REQ_ARCHIVE_FETCH;
+ break;
+ case AO_Remove:
+ if(archiveName == NULL) {
+ printf("dotMacPostArchiveRequest: illegal AO_Remove args\n");
+ return paramErr;
+ }
+ opOid = &CSSMOID_DOTMAC_CERT_REQ_ARCHIVE_REMOVE;
+ break;
+ }
+
+ /*
+ * The main job here is bundling up the arguments into a
+ * CSSM_APPLE_DOTMAC_TP_ARCHIVE_REQUEST
+ */
+ memset(&archReq, 0, sizeof(archReq));
+ archReq.version = CSSM_DOT_MAC_TP_ARCHIVE_REQ_VERSION;
+ archReq.userName = *userName;
+ archReq.password = *password;
+ if(archiveName) {
+ archReq.archiveName = *archiveName;
+ }
+ if(timeString) {
+ archReq.timeString = *timeString;
+ }
+ if(pfxIn) {
+ archReq.pfx = *pfxIn;
+ }
+
+ /* remaining arguments for TP call... */
+ if((hostName != NULL) && (hostName->Data != NULL)) {
+ tpAuthority.AuthorityCert = NULL;
+ tpAuthority.AuthorityLocation = &tpNetAddrs;
+ tpNetAddrs.AddressType = CSSM_ADDR_NAME;
+ tpNetAddrs.Address = *hostName;
+ tpAuthPtr = &tpAuthority;
+ }
+
+ reqSet.NumberOfRequests = 1;
+ reqSet.Requests = &archReq;
+
+ policyField.FieldOid = *opOid;
+ policyField.FieldValue.Data = NULL;
+ policyField.FieldValue.Length = 0;
+ memset(&callerAuth, 0, sizeof(callerAuth));
+ callerAuth.Policy.NumberOfPolicyIds = 1;
+ callerAuth.Policy.PolicyIds = &policyField;
+
+ crtn = CSSM_TP_SubmitCredRequest (tpHand,
+ tpAuthPtr,
+ CSSM_TP_AUTHORITY_REQUEST_CERTISSUE, // CSSM_TP_AUTHORITY_REQUEST_TYPE
+ &reqSet, // const CSSM_TP_REQUEST_SET *RequestInput,
+ &callerAuth,
+ &estTime, // sint32 *EstimatedTime,
+ &refId); // CSSM_DATA_PTR ReferenceIdentifier
+ if(crtn) {
+ cssmPerror("CSSM_TP_SubmitCredRequest", crtn);
+ }
+
+ /* success: post-process */
+ switch(op) {
+ case AO_List:
+ *numArchives = archReq.numArchives;
+ *archives = archReq.archives;
+ break;
+ case AO_Store:
+ break;
+ case AO_Fetch:
+ *pfxOut = archReq.pfx;
+ break;
+ case AO_Remove:
+ break;
+ }
+
+ return CSSM_OK;
+}
+
+static void cStringToCssmData(
+ const char *cstr,
+ CSSM_DATA *cdata)
+{
+ if(cstr) {
+ cdata->Data = (uint8 *)cstr;
+ cdata->Length = strlen(cstr);
+ }
+ else {
+ cdata->Data = NULL;
+ cdata->Length = 0;
+ }
+}
+
+int main(int argc, char **argv)
+{
+ SecKeychainRef kcRef = NULL;
+ CSSM_RETURN crtn;
+ CSSM_TP_HANDLE tpHand = 0;
+ OSStatus ortn;
+
+ /* user-spec'd variables */
+ ArchiveOp op = AO_List;
+ char *keychainName = NULL;
+ const char *userName = USER_DEFAULT;
+ const char *password = PWD_DEFAULT;
+ const char *archName = ARCHIVE_NAME_DEFAULT;
+ const char *hostName = HOST_DEFAULT;
+ char *outFile = NULL;
+ bool doPause = false;
+ bool loop = false;
+ char *p12Phrase = NULL;
+
+ if(argc < 2) {
+ usage(argv);
+ }
+ switch(argv[1][0]) {
+ case 'l':
+ op = AO_List;
+ break;
+ case 's':
+ op = AO_Store;
+ break;
+ case 'f':
+ op = AO_Fetch;
+ break;
+ case 'r':
+ op = AO_Remove;
+ break;
+ default:
+ usage(argv);
+ }
+
+ extern char *optarg;
+ extern int optind;
+ optind = 2;
+ int arg;
+ while ((arg = getopt(argc, argv, "u:Z:n:k:H:Nlo:z:")) != -1) {
+ switch (arg) {
+ case 'u':
+ userName = optarg;
+ break;
+ case 'Z':
+ password = optarg;
+ break;
+ case 'n':
+ archName = optarg;
+ break;
+ case 'k':
+ keychainName = optarg;
+ break;
+ case 'M':
+ doPause = true;
+ break;
+ case 'H':
+ hostName = optarg;
+ break;
+ case 'l':
+ loop = true;
+ break;
+ case 'o':
+ outFile = optarg;
+ break;
+ case 'z':
+ p12Phrase = optarg;
+ break;
+ case 'h':
+ usage(argv);
+ }
+ }
+ if(optind != argc) {
+ usage(argv);
+ }
+
+ if(doPause) {
+ fpurge(stdin);
+ printf("Pausing for MallocDebug attach; CR to continue: ");
+ getchar();
+ }
+
+ if(keychainName != NULL) {
+ /* pick a keychain (optional) */
+ ortn = SecKeychainOpen(keychainName, &kcRef);
+ if(ortn) {
+ cssmPerror("SecKeychainOpen", ortn);
+ exit(1);
+ }
+
+ /* make sure it's there since a successful SecKeychainOpen proves nothing */
+ SecKeychainStatus kcStat;
+ ortn = SecKeychainGetStatus(kcRef, &kcStat);
+ if(ortn) {
+ cssmPerror("SecKeychainGetStatus", ortn);
+ exit(1);
+ }
+ }
+
+ /* bundle up our crufty C string args into CSSM_DATAs needed at the TP SPI */
+ CSSM_DATA userNameData;
+ CSSM_DATA passwordData;
+ CSSM_DATA hostNameData;
+ CSSM_DATA archNameData;
+ CSSM_DATA timeStringData;
+
+ cStringToCssmData(userName, &userNameData);
+ cStringToCssmData(password, &passwordData);
+ cStringToCssmData(hostName, &hostNameData);
+ cStringToCssmData(archName, &archNameData);
+
+ /* time in seconds since the epoch, sprintf'd in base 10 */
+ char timeStr[20];
+ time_t nowTime = time(NULL);
+ printf("...nowTime = %lu\n", nowTime);
+ //nowTime += (60 * 60 * 24 * 26); // fails
+ nowTime += (60 * 60 * 24 * 25); // works
+ printf("...expirationTime = %lu\n", nowTime);
+ sprintf(timeStr, "%lu", nowTime);
+ timeStringData.Data = (uint8 *)timeStr;
+ timeStringData.Length = strlen(timeStr);
+
+ /* other data needed by dotMacPostArchiveRequest() */
+ CFDataRef p12 = NULL;
+ CSSM_DATA pfxInData = {0, NULL};
+ CSSM_DATA pfxOutData = {0, NULL};
+ unsigned numArchives = 0;
+ DotMacArchive *archives = NULL;
+
+ /* Store op: get identity in p12 form */
+ if(op == AO_Store) {
+ CFStringRef cfPhrase = NULL;
+
+ /* Cert attribute - email address - contains the "@mac.com" */
+ char emailAddr[500];
+ strcpy(emailAddr, userName);
+ // nope strcat(emailAddr, "@mac.com");
+
+ /* find an identity for that email address */
+ SecIdentityRef idRef = NULL;
+ OSStatus ortn = findIdentity(emailAddr, strlen(emailAddr), kcRef, &idRef);
+ if(ortn) {
+ printf("***Could not find an identity to store. Aborting.\n");
+ goto errOut;
+ }
+
+ /* convert that identity to p12 */
+ SecKeyImportExportParameters keyParams;
+ memset(&keyParams, 0, sizeof(keyParams));
+ keyParams.version = SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION;
+ if(p12Phrase) {
+ cfPhrase = CFStringCreateWithCString(NULL, p12Phrase,
+ kCFStringEncodingUTF8);
+ keyParams.passphrase = cfPhrase;
+ }
+ else {
+ keyParams.flags = kSecKeySecurePassphrase;
+ }
+ keyParams.alertTitle = CFSTR(".mac Identity Backup");
+ keyParams.alertPrompt =
+ CFSTR("Enter passphrase for encrypting your .mac private key");
+ ortn = SecKeychainItemExport(idRef, kSecFormatPKCS12, kSecItemPemArmour,
+ &keyParams, &p12);
+ if(ortn) {
+ cssmPerror("SecKeychainItemExport", crtn);
+ printf("***Error obtaining .mac identity in PKCS12 format. Aborting.\n");
+ goto errOut;
+ }
+
+ pfxInData.Data = (uint8 *)CFDataGetBytePtr(p12);
+ pfxInData.Length = CFDataGetLength(p12);
+ printf("...preparing to store archive of %lu bytes\n", pfxInData.Length);
+
+ if(outFile) {
+ if(writeFile(outFile, pfxInData.Data, pfxInData.Length)) {
+ printf("***Error writing P12 to %s\n", outFile);
+ }
+ else {
+ printf("...wrote %lu bytes to %s\n", pfxInData.Length, outFile);
+ }
+ }
+ if(cfPhrase) {
+ CFRelease(cfPhrase);
+ }
+ }
+
+ /* attach to the TP */
+ tpHand = dotMacTpAttach();
+ if(tpHand == 0) {
+ printf("***Error attaching to .mac TP; aborting.\n");
+ ortn = -1;
+ goto errOut;
+ }
+
+ /* go */
+ crtn = dotMacPostArchiveRequest(op, tpHand, &userNameData, &passwordData,
+ hostName ? &hostNameData : NULL,
+ &archNameData,
+ &timeStringData,
+ &pfxInData,
+ &pfxOutData,
+ &numArchives,
+ &archives);
+ if(crtn) {
+ printf("***Error performing archive request; aborting.\n");
+ goto errOut;
+ }
+
+ /* post-request processing */
+
+ switch(op) {
+ case AO_List:
+ {
+ printf("=== List request complete; numArchives = %u ===\n", numArchives);
+ for(unsigned dex=0; dex<numArchives; dex++) {
+ DotMacArchive *dmarch = &archives[dex];
+ printf("Archive %u:\n", dex);
+ printf(" name : ");
+ printString(&dmarch->archiveName);
+ printf("\n");
+
+ printf(" time : ");
+ printString(&dmarch->timeString);
+ printf("\n");
+
+ /* now free what the TP allocated on our behalf */
+ APP_FREE(dmarch->archiveName.Data);
+ APP_FREE(dmarch->timeString.Data);
+ }
+ APP_FREE(archives);
+ break;
+ }
+
+ case AO_Store:
+ printf("=== archive \'%s\' backup complete ===\n", archName);
+ break;
+ case AO_Fetch:
+ {
+ bool didSomething = false;
+ if(pfxOutData.Length == 0) {
+ printf("***Archive fetch claimed to succeed, but no data seen\n");
+ ortn = -1;
+ goto errOut;
+ }
+
+ /*
+ * OK, we have a blob of PKCS12 data. Import to keychain and/or write it
+ * to a file.
+ */
+ printf("=== %lu bytes of archive fetched ===\n", pfxOutData.Length);
+ if(outFile) {
+ if(writeFile(outFile, pfxOutData.Data, pfxOutData.Length)) {
+ printf("***Error writing P12 to %s\n", outFile);
+ }
+ else {
+ printf("...wrote %lu bytes to %s\n", pfxOutData.Length, outFile);
+ didSomething = true;
+ }
+ }
+ if(kcRef) {
+ /* Note we avoid importing to default keychain - user must really want
+ * to perform this step */
+ CFDataRef p12Data = CFDataCreate(NULL, pfxOutData.Data, pfxOutData.Length);
+ SecExternalFormat extForm = kSecFormatPKCS12;
+ SecKeyImportExportParameters keyParams;
+ memset(&keyParams, 0, sizeof(keyParams));
+ keyParams.version = SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION;
+ CFStringRef cfPhrase = NULL;
+ if(p12Phrase) {
+ cfPhrase = CFStringCreateWithCString(NULL, p12Phrase,
+ kCFStringEncodingUTF8);
+ keyParams.passphrase = cfPhrase;
+ }
+ else {
+ keyParams.flags = kSecKeySecurePassphrase;
+ }
+ keyParams.alertTitle = CFSTR(".mac Identity Restore");
+ keyParams.alertPrompt =
+ CFSTR("Enter passphrase for decrypting your .mac private key");
+
+ /* go... */
+ ortn = SecKeychainItemImport(p12Data,
+ NULL, // filename - passing kSecFormatPKCS12 is definitely enough
+ &extForm,
+ NULL, // itemType - import'll figure it out
+ 0, // SecItemImportExportFlags
+ &keyParams,
+ kcRef,
+ NULL); // we don't want any items returned
+ if(ortn) {
+ cssmPerror("SecKeychainItemImport", ortn);
+ printf("***Error importing p12 into keychain %s\n", keychainName);
+ }
+ else {
+ printf("...archive successfully imported into keychain %s\n",
+ keychainName);
+ didSomething = true;
+ }
+ if(cfPhrase) {
+ CFRelease(cfPhrase);
+ }
+ }
+ if(!didSomething) {
+ printf("...note we got an archive from the server but didn't have a "
+ "place to put it.\n");
+ }
+ break;
+ }
+ case AO_Remove:
+ printf("=== Archive %s removed ===\n", archName);
+ break;
+ }
+
+ if(doPause) {
+ fpurge(stdin);
+ printf("Pausing at end of test for MallocDebug attach; CR to continue: ");
+ getchar();
+ }
+
+errOut:
+ if(kcRef) {
+ CFRelease(kcRef);
+ }
+
+ if(tpHand) {
+ dotMacTpDetach(tpHand);
+ }
+ return ortn;
+}
+
projects / apple / security.git / blobdiff