+/*
+ * dotMacRequest.cpp - simple illustration of using SecCertificateRequestCreate() and
+ * SecCertificateRequestSubmit to post a request for a .mac cert.
+ */
+#include <Security/Security.h>
+#include <Security/SecCertificateRequest.h>
+#include <security_dotmac_tp/dotMacTp.h>
+#include <clAppUtils/keyPicker.h>
+#include <unistd.h>
+#include <CoreServices/../Frameworks/CarbonCore.framework/Headers/MacErrors.h>
+
+/*
+ * Defaults for the test setup du jour
+ */
+#define USER_DEFAULT "dmitch10"
+#define PWD_DEFAULT "password"
+#define HOST_DEFAULT "certmgmt.mac.com"
+
+/*
+ * Type of cert to request
+ */
+typedef enum {
+ CRT_Identity, /* actually, now "iChat encryption", not "identity" */
+ CRT_EmailSign,
+ CRT_EmailEncrypt
+} CertRequestType;
+
+static void usage(char **argv)
+{
+ printf("usage: %s op [options]\n", argv[0]);
+ printf("Op:\n");
+ printf(" i -- generate iChat encryption cert\n");
+ printf(" s -- generate email signing cert\n");
+ printf(" e -- generate email encrypting cert\n");
+ printf(" I -- search/retrieve request for iChat encryption cert\n");
+ printf(" S -- search/retrieve request for signing cert\n");
+ printf(" E -- search/retrieve request for encrypting cert\n");
+ printf(" p -- pending request poll (via -u)\n");
+ printf("Options:\n");
+ printf(" -u username -- Default is %s\n", USER_DEFAULT);
+ printf(" -Z password -- default is %s\n", PWD_DEFAULT);
+ printf(" -p -- pick key pair from existing (default is generate)\n");
+ printf(" -k keychain -- Source/destination of keys\n");
+ printf(" -r -- Renew (default is new)\n");
+ printf(" -a -- async (default is synchronous)\n");
+ printf(" -H hostname -- Alternate .mac server host name (default %s)\n",
+ HOST_DEFAULT);
+ printf(" -M -- Pause for MallocDebug\n");
+ printf(" -l -- loop\n");
+ exit(1);
+}
+
+/* print a string int he form of a CSSM_DATA */
+static void printString(
+ const CSSM_DATA *str)
+{
+ for(unsigned dex=0; dex<str->Length; dex++) {
+ printf("%c", str->Data[dex]);
+ }
+}
+
+/* basic "generate keypair" routine */
+static OSStatus genKeyPair(
+ SecKeychainRef kcRef, // optional, NULL means the default list
+ SecKeyRef *pubKey, // RETURNED
+ SecKeyRef *privKey) // RETURNED
+{
+ OSStatus ortn;
+
+ ortn = SecKeyCreatePair(kcRef,
+ DOT_MAC_KEY_ALG,
+ DOT_MAC_KEY_SIZE,
+ 0, // context handle
+ /* public key usage and attrs */
+ CSSM_KEYUSE_ANY,
+ CSSM_KEYATTR_RETURN_REF | CSSM_KEYATTR_PERMANENT | CSSM_KEYATTR_EXTRACTABLE,
+ /* private key usage and attrs */
+ CSSM_KEYUSE_ANY,
+ CSSM_KEYATTR_RETURN_REF | CSSM_KEYATTR_PERMANENT | CSSM_KEYATTR_EXTRACTABLE |
+ CSSM_KEYATTR_SENSITIVE,
+ NULL, // initial access
+ pubKey,
+ privKey);
+ if(ortn) {
+ cssmPerror("SecKeyCreatePair", ortn);
+ }
+ return ortn;
+}
+
+/* max number of oid/value pairs */
+#define MAX_ATTRS 5
+
+/*
+ * search for a pending .mac cert request, get current status.
+ */
+static OSStatus dotMacGetPendingRequest(
+ /* required fields */
+ const char *userName, // REQUIRED, C string
+ const char *password, // REQUIRED, C string
+ CertRequestType requestType,
+
+ /* optional fields */
+ const char *hostName, // C string
+ SecKeychainRef keychain) // destination of created cert (if !async)
+{
+ SecCertificateRequestAttribute attrs[MAX_ATTRS];
+ SecCertificateRequestAttribute *attrp = attrs;
+ SecCertificateRequestAttributeList attrList;
+
+ attrList.count = 0;
+ attrList.attr = attrs;
+
+ /* user name */
+ attrp->oid = CSSMOID_DOTMAC_CERT_REQ_VALUE_USERNAME;
+ attrp->value.Data = (uint8 *)userName;
+ attrp->value.Length = strlen(userName);
+ attrp++;
+ attrList.count++;
+
+ /* password */
+ attrp->oid = CSSMOID_DOTMAC_CERT_REQ_VALUE_PASSWORD;
+ attrp->value.Data = (uint8 *)password;
+ attrp->value.Length = strlen(password);
+ attrp++;
+ attrList.count++;
+
+ /* options */
+
+ if(hostName) {
+ attrp->oid = CSSMOID_DOTMAC_CERT_REQ_VALUE_HOSTNAME;
+ attrp->value.Data = (uint8 *)hostName;
+ attrp->value.Length = strlen(hostName);
+ attrp++;
+ attrList.count++;
+ }
+
+ /* map CertRequestType to a policy OID */
+ const CSSM_OID *policy;
+ switch(requestType) {
+ case CRT_Identity:
+ policy = &CSSMOID_DOTMAC_CERT_REQ_IDENTITY;
+ break;
+ case CRT_EmailSign:
+ policy = &CSSMOID_DOTMAC_CERT_REQ_EMAIL_SIGN;
+ break;
+ case CRT_EmailEncrypt:
+ policy = &CSSMOID_DOTMAC_CERT_REQ_EMAIL_ENCRYPT;
+ break;
+ default:
+ printf("GAK! Bad cert type.\n");
+ return -1;
+ }
+ OSStatus ortn;
+ SecCertificateRequestRef certReq = NULL;
+ SecCertificateRef certRef = NULL;
+ sint32 estTime;
+
+ printf("...calling SecCertificateFindRequest\n");
+ ortn = SecCertificateFindRequest(policy,
+ CSSM_CERT_X_509v3,
+ CSSM_TP_AUTHORITY_REQUEST_CERTISSUE,
+ NULL, NULL, // no keys needed
+ &attrList,
+ &certReq);
+ if(ortn) {
+ cssmPerror("SecCertificateFindRequest", ortn);
+ return ortn;
+ }
+
+ printf("...calling SecCertificateRequestGetResult\n");
+ ortn = SecCertificateRequestGetResult(certReq, keychain, &estTime, &certRef);
+ if(ortn) {
+ cssmPerror("SecCertificateRequestGetResult", ortn);
+ }
+ else {
+ printf("...SecCertificateRequestGetResult succeeded; estTime %d; cert %s\n",
+ (int)estTime, certRef ? "OBTAINED" : "NOT OBTAINED");
+ }
+ if(certRef) {
+ CFRelease(certRef);
+ }
+ if(certReq) {
+ CFRelease(certReq);
+ }
+ return ortn;
+}
+
+/*
+ * Do an "is there a pending request for this user?" poll.
+ * That function - via SecCertificateFindRequest() always returns an error;
+ * *we* only return an error if the result is something other than the
+ * expected two results:
+ * CSSMERR_APPLE_DOTMAC_REQ_IS_PENDING
+ * CSSMERR_APPLE_DOTMAC_NO_REQ_PENDING
+ */
+static OSStatus dotMacPostPendingReqPoll(
+ const char *userName,
+ const char *password,
+ const char *hostName)
+{
+ SecCertificateRequestAttribute attrs[MAX_ATTRS];
+ SecCertificateRequestAttribute *attrp = attrs;
+ SecCertificateRequestAttributeList attrList;
+ uint8 oneBit = 1;
+
+ attrList.count = 0;
+ attrList.attr = attrs;
+
+ /* user name, required */
+ attrp->oid = CSSMOID_DOTMAC_CERT_REQ_VALUE_USERNAME;
+ attrp->value.Data = (uint8 *)userName;
+ attrp->value.Length = strlen(userName);
+ attrp++;
+ attrList.count++;
+
+ /* password, required */
+ attrp->oid = CSSMOID_DOTMAC_CERT_REQ_VALUE_PASSWORD;
+ attrp->value.Data = (uint8 *)password;
+ attrp->value.Length = strlen(password);
+ attrp++;
+ attrList.count++;
+
+ /* the "poll the server" indicator */
+ attrp->oid = CSSMOID_DOTMAC_CERT_REQ_VALUE_IS_PENDING;
+ /* true ::= any nonzero data */
+ attrp->value.Data = &oneBit;
+ attrp->value.Length = 1;
+ attrp++;
+ attrList.count++;
+
+ /* options */
+
+ if(hostName) {
+ attrp->oid = CSSMOID_DOTMAC_CERT_REQ_VALUE_HOSTNAME;
+ attrp->value.Data = (uint8 *)hostName;
+ attrp->value.Length = strlen(hostName);
+ attrp++;
+ attrList.count++;
+ }
+
+ /* policy, not technically needed; use this one by convention */
+ const CSSM_OID *policy = &CSSMOID_DOTMAC_CERT_REQ_IDENTITY;
+
+ OSStatus ortn;
+ SecCertificateRequestRef certReq = NULL;
+
+ printf("...calling SecCertificateFindRequest\n");
+ ortn = SecCertificateFindRequest(policy,
+ CSSM_CERT_X_509v3,
+ CSSM_TP_AUTHORITY_REQUEST_CERTISSUE,
+ NULL, NULL, // no keys needed
+ &attrList,
+ &certReq);
+
+ switch(ortn) {
+ case CSSMERR_APPLE_DOTMAC_REQ_IS_PENDING:
+ printf("...result: REQ_IS_PENDING\n");
+ ortn = noErr;
+ break;
+ case CSSMERR_APPLE_DOTMAC_NO_REQ_PENDING:
+ printf("...result: NO_REQ_PENDING\n");
+ ortn = noErr;
+ break;
+ case noErr:
+ /* should never happen */
+ printf("...UNEXPECTED SUCCESS on SecCertificateFindRequest\n");
+ ortn = internalComponentErr;
+ if(certReq != NULL) {
+ /* Somehow, it got created */
+ CFRelease(certReq);
+ }
+ break;
+ default:
+ cssmPerror("SecCertificateFindRequest", ortn);
+ break;
+ }
+ return ortn;
+}
+
+/*
+ * Post a .mac cert request, with a small number of options.
+ */
+static OSStatus dotMacPostCertRequest(
+ /* required fields */
+ const char *userName, // REQUIRED, C string
+ const char *password, // REQUIRED, C string
+ SecKeyRef privKey, // REQUIRED
+ SecKeyRef pubKey,
+ CertRequestType requestType,
+ bool renew, // false: new cert
+ // true : renew existing
+ bool async, // false: wait for result
+ // true : just post request and return
+ /* optional fields */
+ const char *hostName, // C string
+ SecKeychainRef keychain) // destination of created cert (if !async)
+{
+
+ /* the main job here is bundling up the arguments in an array of OID/value pairs */
+ SecCertificateRequestAttribute attrs[MAX_ATTRS];
+ SecCertificateRequestAttribute *attrp = attrs;
+ SecCertificateRequestAttributeList attrList;
+ uint8 oneBit = 1;
+
+ attrList.count = 0;
+ attrList.attr = attrs;
+
+ /* user name */
+ attrp->oid = CSSMOID_DOTMAC_CERT_REQ_VALUE_USERNAME;
+ attrp->value.Data = (uint8 *)userName;
+ attrp->value.Length = strlen(userName);
+ attrp++;
+ attrList.count++;
+
+ /* password */
+ attrp->oid = CSSMOID_DOTMAC_CERT_REQ_VALUE_PASSWORD;
+ attrp->value.Data = (uint8 *)password;
+ attrp->value.Length = strlen(password);
+ attrp++;
+ attrList.count++;
+
+ /* options */
+
+ if(hostName) {
+ attrp->oid = CSSMOID_DOTMAC_CERT_REQ_VALUE_HOSTNAME;
+ attrp->value.Data = (uint8 *)hostName;
+ attrp->value.Length = strlen(hostName);
+ attrp++;
+ attrList.count++;
+ }
+
+ if(renew) {
+ attrp->oid = CSSMOID_DOTMAC_CERT_REQ_VALUE_RENEW;
+ /* true ::= any nonzero data */
+ attrp->value.Data = &oneBit;
+ attrp->value.Length = 1;
+ attrp++;
+ attrList.count++;
+ }
+
+ if(async) {
+ attrp->oid = CSSMOID_DOTMAC_CERT_REQ_VALUE_ASYNC;
+ /* true ::= any nonzero data */
+ attrp->value.Data = &oneBit;
+ attrp->value.Length = 1;
+ attrp++;
+ attrList.count++;
+ }
+
+ /* map CertRequestType to a policy OID */
+ const CSSM_OID *policy;
+ switch(requestType) {
+ case CRT_Identity:
+ policy = &CSSMOID_DOTMAC_CERT_REQ_IDENTITY;
+ break;
+ case CRT_EmailSign:
+ policy = &CSSMOID_DOTMAC_CERT_REQ_EMAIL_SIGN;
+ break;
+ case CRT_EmailEncrypt:
+ policy = &CSSMOID_DOTMAC_CERT_REQ_EMAIL_ENCRYPT;
+ break;
+ default:
+ printf("GAK! Bad cert type.\n");
+ return -1;
+ }
+ OSStatus ortn;
+ SecCertificateRequestRef certReq = NULL;
+
+ ortn = SecCertificateRequestCreate(policy,
+ CSSM_CERT_X_509v3,
+ CSSM_TP_AUTHORITY_REQUEST_CERTISSUE,
+ privKey,
+ pubKey,
+ &attrList,
+ &certReq);
+ if(ortn) {
+ cssmPerror("SecCertificateRequestCreate", ortn);
+ return ortn;
+ }
+
+ printf("...submitting request to .mac server\n");
+ sint32 estTime = 0;
+ ortn = SecCertificateRequestSubmit(certReq, &estTime);
+ switch(ortn) {
+ case CSSMERR_APPLE_DOTMAC_REQ_REDIRECT:
+ {
+ /*
+ * A special case; the server is redirecting the calling app to
+ * a URL which we fetch and report like so:
+ */
+ CSSM_DATA url = {0, NULL};
+ ortn = SecCertificateRequestGetData(certReq, &url);
+ if(ortn) {
+ cssmPerror("SecCertificateRequestGetData", ortn);
+ printf("***APPLE_DOTMAC_REQ_REDIRECT obtained but no URL availalble.\n");
+ }
+ else {
+ printf("***APPLE_DOTMAC_REQ_REDIRECT obtained; redirect URL is: ");
+ printString(&url);
+ printf("\n");
+ }
+ break;
+ }
+
+ case CSSM_OK:
+ printf("...cert request submitted; estimatedTime %d.\n", (int)estTime);
+ break;
+ default:
+ cssmPerror("SecCertificateRequestSubmit", ortn);
+ break;
+ }
+ if(ortn || async) {
+ /* we're done */
+ CFRelease(certReq);
+ return ortn;
+ }
+
+ /*
+ * Running synchronously, and the submit succeeded. Try to get a result.
+ * In the real world this would be polled, every so often....
+ */
+ SecCertificateRef certRef = NULL;
+ printf("...attempting to get result of cert request...\n");
+ ortn = SecCertificateRequestGetResult(certReq, keychain, &estTime, &certRef);
+ if(ortn) {
+ cssmPerror("SecCertificateRequestGetResult", ortn);
+ }
+ else {
+ printf("...SecCertificateRequestGetResult succeeded; estTime %d; cert %s\n",
+ (int)estTime, certRef ? "OBTAINED" : "NOT OBTAINED");
+ }
+ if(certRef) {
+ CFRelease(certRef);
+ CFRelease(certReq);
+ }
+ return ortn;
+}
+
+#define ALWAYS_DO_SUBMIT 0
+
+
+int main(int argc, char **argv)
+{
+ SecKeyRef pubKeyRef = NULL;
+ SecKeyRef privKeyRef = NULL;
+ SecKeychainRef kcRef = NULL;
+ OSStatus ortn;
+
+ /* user-spec'd variables */
+ bool genKeys = true; /* true: generate; false: pick 'em */
+ char *keychainName = NULL;
+ char *userName = USER_DEFAULT;
+ char *password = PWD_DEFAULT;
+ char *hostName = NULL; /* leave as the default! = HOST_DEFAULT; */
+ /*
+ * WARNING: doing a renew operation requires that you delete your *current*
+ * .mac cert from the destination keychain. The DB attrs of the old and new certs
+ * are the same!
+ */
+ bool doRenew = false;
+ CertRequestType reqType = CRT_Identity;
+ bool doPause = false;
+ bool async = false;
+ bool doSearch = false; /* false: post cert request
+ * true : search for existing request, get
+ * status for it */
+ bool loop = false;
+ bool doPendingReqPoll = false;
+
+ if(argc < 2) {
+ usage(argv);
+ }
+ switch(argv[1][0]) {
+ case 'i':
+ reqType = CRT_Identity;
+ break;
+ case 's':
+ reqType = CRT_EmailSign;
+ break;
+ case 'e':
+ reqType = CRT_EmailEncrypt;
+ break;
+ case 'I':
+ doSearch = true;
+ reqType = CRT_Identity;
+ break;
+ case 'S':
+ doSearch = true;
+ reqType = CRT_EmailSign;
+ break;
+ case 'E':
+ doSearch = true;
+ reqType = CRT_EmailEncrypt;
+ break;
+ case 'p':
+ doPendingReqPoll = true;
+ break;
+ default:
+ usage(argv);
+ }
+
+ extern char *optarg;
+ extern int optind;
+ optind = 2;
+ int arg;
+ while ((arg = getopt(argc, argv, "u:Z:pk:rMH:al")) != -1) {
+ switch (arg) {
+ case 'u':
+ userName = optarg;
+ break;
+ case 'Z':
+ password = optarg;
+ break;
+ case 'p':
+ genKeys = false;
+ break;
+ case 'k':
+ keychainName = optarg;
+ break;
+ case 'r':
+ doRenew = true;
+ break;
+ case 'M':
+ doPause = true;
+ break;
+ case 'H':
+ hostName = optarg;
+ break;
+ case 'a':
+ async = true;
+ break;
+ case 'l':
+ loop = true;
+ break;
+ case 'h':
+ default:
+ usage(argv);
+ }
+ }
+ if(optind != argc) {
+ usage(argv);
+ }
+
+ if(doPause) {
+ fpurge(stdin);
+ printf("Pausing for MallocDebug attach; CR to continue: ");
+ getchar();
+ }
+
+ if(keychainName != NULL) {
+ /* pick a keychain (optional) */
+ ortn = SecKeychainOpen(keychainName, &kcRef);
+ if(ortn) {
+ cssmPerror("SecKeychainOpen", ortn);
+ exit(1);
+ }
+
+ /* make sure it's there since a successful SecKeychainOpen proves nothing */
+ SecKeychainStatus kcStat;
+ ortn = SecKeychainGetStatus(kcRef, &kcStat);
+ if(ortn) {
+ cssmPerror("SecKeychainGetStatus", ortn);
+ exit(1);
+ }
+ }
+
+ if((!doSearch || ALWAYS_DO_SUBMIT) && !doPendingReqPoll) {
+ /* get a key pair, somehow */
+ if(genKeys) {
+ ortn = genKeyPair(kcRef, &pubKeyRef, &privKeyRef);
+ }
+ else {
+ ortn = keyPicker(kcRef, &pubKeyRef, &privKeyRef);
+ }
+ if(ortn) {
+ printf("Can't proceed without a keypair. Aborting.\n");
+ exit(1);
+ }
+ }
+
+ /* go */
+ do {
+ if(doSearch) {
+ #if ALWAYS_DO_SUBMIT
+ /* debug only */
+ dotMacPostCertRequest(userName, password, privKeyRef, pubKeyRef,
+ reqType, doRenew, async, hostName, kcRef);
+ #endif
+
+ /* end */
+ ortn = dotMacGetPendingRequest(userName, password, reqType, hostName, kcRef);
+ }
+ else if(doPendingReqPoll) {
+ ortn = dotMacPostPendingReqPoll(userName, password, hostName);
+ }
+ else {
+ ortn = dotMacPostCertRequest(userName, password, privKeyRef, pubKeyRef,
+ reqType, doRenew, async, hostName, kcRef);
+ }
+ if(doPause) {
+ fpurge(stdin);
+ printf("Pausing for MallocDebug attach; CR to continue: ");
+ getchar();
+ }
+ } while(loop);
+ if(privKeyRef) {
+ CFRelease(privKeyRef);
+ }
+ if(pubKeyRef) {
+ CFRelease(pubKeyRef);
+ }
+ if(kcRef) {
+ CFRelease(kcRef);
+ }
+
+ if(doPause) {
+ fpurge(stdin);
+ printf("Pausing at end of test for MallocDebug attach; CR to continue: ");
+ getchar();
+ }
+
+ return ortn;
+}
+
projects / apple / security.git / blobdiff