--- /dev/null
+/*
+ * extenTest - verify encoding and decoding of extensions.
+ */
+
+#include <security_cdsa_utils/cuFileIo.h>
+#include <clAppUtils/CertBuilderApp.h>
+#include <utilLib/common.h>
+#include <utilLib/cspwrap.h>
+#include <clAppUtils/clutils.h>
+#include <security_cdsa_utils/cuPrintCert.h>
+#include <security_cdsa_utils/cuOidParser.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <time.h>
+#include <Security/cssm.h>
+#include <Security/x509defs.h>
+#include <Security/oidsattr.h>
+#include <Security/oidscert.h>
+#include <Security/certextensions.h>
+
+#define KEY_ALG CSSM_ALGID_RSA
+#define SIG_ALG CSSM_ALGID_SHA1WithRSA
+#define KEY_SIZE_BITS CSP_RSA_KEY_SIZE_DEFAULT
+#define SUBJ_KEY_LABEL "subjectKey"
+
+#define LOOPS_DEF 10
+
+static void usage(char **argv)
+{
+ printf("Usage: %s [options]\n", argv[0]);
+ printf("Options:\n");
+ printf(" e=extenSpec (default = all)\n");
+ printf(" k keyUsage\n");
+ printf(" b basicConstraints\n");
+ printf(" x extendedKeyUsage\n");
+ printf(" s subjectKeyId\n");
+ printf(" a authorityKeyId\n");
+ printf(" t SubjectAltName\n");
+ printf(" i IssuerAltName\n");
+ printf(" c certPolicies\n");
+ printf(" n netscapeCertType\n");
+ printf(" p CRLDistributionPoints\n");
+ printf(" A AuthorityInfoAccess\n");
+ printf(" S SubjectInfoAccess\n");
+ printf(" q QualifiedCertStatements\n");
+ printf(" w(rite blobs)\n");
+ printf(" f=fileName (default is extension-specific file name)\n");
+ printf(" d(isplay certs)\n");
+ printf(" l=loops (default = %d)\n", LOOPS_DEF);
+ printf(" p(ause on each loop)\n");
+ printf(" P(ause on each cert)\n");
+ exit(1);
+}
+
+/* dummy RDN - subject and issuer - we aren't testing this */
+CB_NameOid dummyRdn[] =
+{
+ { "Apple Computer", &CSSMOID_OrganizationName },
+ { "Doug Mitchell", &CSSMOID_CommonName }
+};
+#define NUM_DUMMY_NAMES (sizeof(dummyRdn) / sizeof(CB_NameOid))
+
+/*
+ * Static components we reuse for each encode/decode.
+ */
+static CSSM_X509_NAME *dummyName;
+static CSSM_X509_TIME *notBefore; // UTC-style "not before" time
+static CSSM_X509_TIME *notAfter; // UTC-style "not after" time
+static CSSM_KEY subjPrivKey;
+static CSSM_KEY subjPubKey;
+
+static CSSM_BOOL randBool()
+{
+ unsigned r = genRand(1, 0x10000000);
+ return (r & 0x1) ? CSSM_TRUE : CSSM_FALSE;
+}
+
+/* Fill a CSSM_DATA with random data. Its referent is allocd with malloc. */
+static void randData(
+ CSSM_DATA_PTR data,
+ uint8 maxLen)
+{
+ data->Data = (uint8 *)malloc(maxLen);
+ simpleGenData(data, 1, maxLen);
+}
+
+/*
+ * Various compare tests
+ */
+int compBool(
+ CSSM_BOOL pre,
+ CSSM_BOOL post,
+ const char *desc)
+{
+ if(pre == post) {
+ return 0;
+ }
+ printf("***Boolean miscompare on %s\n", desc);
+ /* in case a CSSM_TRUE isn't exactly right... */
+ switch(post) {
+ case CSSM_FALSE:
+ case CSSM_TRUE:
+ break;
+ default:
+ printf("*** post value is %d expected %d\n",
+ (int)post, (int)pre);
+ break;
+ }
+ return 1;
+}
+
+static int compCssmData(
+ CSSM_DATA &d1,
+ CSSM_DATA &d2,
+ const char *desc)
+{
+ if(appCompareCssmData(&d1, &d2)) {
+ return 0;
+ }
+ printf("CSSM_DATA miscompare on %s\n", desc);
+ return 1;
+}
+
+#pragma mark ----- individual extension tests -----
+
+#pragma mark --- CE_KeyUsage ---
+static void kuCreate(void *arg)
+{
+ CE_KeyUsage *ku = (CE_KeyUsage *)arg;
+
+ /* set two random valid bits */
+ *ku = 0;
+ *ku |= 1 << genRand(7, 15);
+ *ku |= 1 << genRand(7, 15);
+}
+
+static unsigned kuCompare(const void *pre, const void *post)
+{
+ const CE_KeyUsage *kuPre = (CE_KeyUsage *)pre;
+ const CE_KeyUsage *kuPost = (CE_KeyUsage *)post;
+ if(*kuPre != *kuPost) {
+ printf("***Miscompare in CE_KeyUsage\n");
+ return 1;
+ }
+ return 0;
+}
+
+#pragma mark --- CE_BasicConstraints ---
+static void bcCreate(void *arg)
+{
+ CE_BasicConstraints *bc = (CE_BasicConstraints *)arg;
+ bc->cA = randBool();
+ bc->pathLenConstraintPresent = randBool();
+ if(bc->pathLenConstraintPresent) {
+ bc->pathLenConstraint = genRand(1,10);
+ }
+}
+
+static unsigned bcCompare(const void *pre, const void *post)
+{
+ const CE_BasicConstraints *bcpre = (CE_BasicConstraints *)pre;
+ const CE_BasicConstraints *bcpost = (CE_BasicConstraints *)post;
+ unsigned rtn = 0;
+
+ rtn += compBool(bcpre->cA, bcpost->cA, "BasicConstraints.cA");
+ rtn += compBool(bcpre->pathLenConstraintPresent,
+ bcpost->pathLenConstraintPresent,
+ "BasicConstraints.pathLenConstraintPresent");
+ if(bcpre->pathLenConstraint != bcpost->pathLenConstraint) {
+ printf("BasicConstraints.pathLenConstraint mismatch\n");
+ rtn++;
+ }
+ return rtn;
+}
+
+#pragma mark --- CE_SubjectKeyID ---
+static void skidCreate(void *arg)
+{
+ CSSM_DATA_PTR skid = (CSSM_DATA_PTR)arg;
+ randData(skid, 16);
+}
+
+static unsigned skidCompare(const void *pre, const void *post)
+{
+ CSSM_DATA_PTR spre = (CSSM_DATA_PTR)pre;
+ CSSM_DATA_PTR spost = (CSSM_DATA_PTR)post;
+ return compCssmData(*spre, *spost, "SubjectKeyID");
+}
+
+static void skidFree(void *arg)
+{
+ CSSM_DATA_PTR skid = (CSSM_DATA_PTR)arg;
+ free(skid->Data);
+}
+
+#pragma mark --- CE_NetscapeCertType ---
+static void nctCreate(void *arg)
+{
+ CE_NetscapeCertType *nct = (CE_NetscapeCertType *)arg;
+
+ /* set two random valid bits */
+ *nct = 0;
+ *nct |= 1 << genRand(8, 15);
+ *nct |= 1 << genRand(8, 15);
+}
+
+static unsigned nctCompare(const void *pre, const void *post)
+{
+ const CE_NetscapeCertType *nPre = (CE_NetscapeCertType *)pre;
+ const CE_NetscapeCertType *nPost = (CE_NetscapeCertType *)post;
+ if(*nPre != *nPost) {
+ printf("***Miscompare in CE_NetscapeCertType\n");
+ return 1;
+ }
+ return 0;
+}
+
+#pragma mark --- CE_ExtendedKeyUsage ---
+
+/* a static array of meaningless OIDs, use 1.. NUM_SKU_OIDS */
+CSSM_OID ekuOids[] = {
+ CSSMOID_CrlNumber,
+ CSSMOID_CrlReason,
+ CSSMOID_HoldInstructionCode,
+ CSSMOID_InvalidityDate
+};
+#define NUM_SKU_OIDS 4
+
+static void ekuCreate(void *arg)
+{
+ CE_ExtendedKeyUsage *eku = (CE_ExtendedKeyUsage *)arg;
+ eku->numPurposes = genRand(1, NUM_SKU_OIDS);
+ eku->purposes = ekuOids;
+}
+
+static unsigned ekuCompare(const void *pre, const void *post)
+{
+ CE_ExtendedKeyUsage *ekupre = (CE_ExtendedKeyUsage *)pre;
+ CE_ExtendedKeyUsage *ekupost = (CE_ExtendedKeyUsage *)post;
+
+ if(ekupre->numPurposes != ekupost->numPurposes) {
+ printf("CE_ExtendedKeyUsage.numPurposes miscompare\n");
+ return 1;
+ }
+ unsigned rtn = 0;
+ for(unsigned dex=0; dex<ekupre->numPurposes; dex++) {
+ rtn += compCssmData(ekupre->purposes[dex],
+ ekupost->purposes[dex], "CE_ExtendedKeyUsage.purposes");
+ }
+ return rtn;
+}
+
+
+#pragma mark --- general purpose X509 name generator ---
+
+/* Attr/Value pairs, pick one of NUM_ATTR_STRINGS */
+static char *attrStrings[] = {
+ (char *)"thisName",
+ (char *)"anotherName",
+ (char *)"someOtherName"
+};
+#define NUM_ATTR_STRINGS 3
+
+/* A/V type, pick one of NUM_ATTR_TYPES */
+static CSSM_OID attrTypes[] = {
+ CSSMOID_Surname,
+ CSSMOID_CountryName,
+ CSSMOID_OrganizationName,
+ CSSMOID_Description
+};
+#define NUM_ATTR_TYPES 4
+
+/* A/V tag, pick one of NUM_ATTR_TAGS */
+static char attrTags[] = {
+ BER_TAG_PRINTABLE_STRING,
+ BER_TAG_IA5_STRING,
+ BER_TAG_T61_STRING
+};
+#define NUM_ATTR_TAGS 3
+
+static void rdnCreate(
+ CSSM_X509_RDN_PTR rdn)
+{
+ unsigned numPairs = genRand(1,4);
+ rdn->numberOfPairs = numPairs;
+ unsigned len = numPairs * sizeof(CSSM_X509_TYPE_VALUE_PAIR);
+ rdn->AttributeTypeAndValue =
+ (CSSM_X509_TYPE_VALUE_PAIR_PTR)malloc(len);
+ memset(rdn->AttributeTypeAndValue, 0, len);
+
+ for(unsigned atvDex=0; atvDex<numPairs; atvDex++) {
+ CSSM_X509_TYPE_VALUE_PAIR &pair =
+ rdn->AttributeTypeAndValue[atvDex];
+ unsigned die = genRand(1, NUM_ATTR_TYPES);
+ pair.type = attrTypes[die - 1];
+ die = genRand(1, NUM_ATTR_STRINGS);
+ char *str = attrStrings[die - 1];
+ pair.value.Data = (uint8 *)str;
+ pair.value.Length = strlen(str);
+ die = genRand(1, NUM_ATTR_TAGS);
+ pair.valueType = attrTags[die - 1];
+ }
+}
+
+static unsigned rdnCompare(
+ CSSM_X509_RDN_PTR rdn1,
+ CSSM_X509_RDN_PTR rdn2)
+{
+ if(rdn1->numberOfPairs != rdn2->numberOfPairs) {
+ printf("***Mismatch in numberOfPairs\n");
+ return 1;
+ }
+ unsigned rtn = 0;
+ for(unsigned atvDex=0; atvDex<rdn1->numberOfPairs; atvDex++) {
+ CSSM_X509_TYPE_VALUE_PAIR &p1 =
+ rdn1->AttributeTypeAndValue[atvDex];
+ CSSM_X509_TYPE_VALUE_PAIR &p2 =
+ rdn2->AttributeTypeAndValue[atvDex];
+ if(p1.valueType != p2.valueType) {
+ printf("***valueType miscompare\n");
+ rtn++;
+ }
+ if(compCssmData(p1.type, p2.type, "ATV.type")) {
+ rtn++;
+ }
+ if(compCssmData(p1.value, p2.value, "ATV.value")) {
+ rtn++;
+ }
+ }
+ return rtn;
+}
+
+static void rdnFree(
+ CSSM_X509_RDN_PTR rdn)
+{
+ free(rdn->AttributeTypeAndValue);
+}
+
+static void x509NameCreate(
+ CSSM_X509_NAME_PTR x509Name)
+{
+ memset(x509Name, 0, sizeof(*x509Name));
+ unsigned numRdns = genRand(1,4);
+ x509Name->numberOfRDNs = numRdns;
+ unsigned len = numRdns * sizeof(CSSM_X509_RDN);
+ x509Name->RelativeDistinguishedName = (CSSM_X509_RDN_PTR)malloc(len);
+ memset(x509Name->RelativeDistinguishedName, 0, len);
+
+ for(unsigned rdnDex=0; rdnDex<numRdns; rdnDex++) {
+ CSSM_X509_RDN &rdn = x509Name->RelativeDistinguishedName[rdnDex];
+ rdnCreate(&rdn);
+ }
+}
+
+static unsigned x509NameCompare(
+ const CSSM_X509_NAME_PTR n1,
+ const CSSM_X509_NAME_PTR n2)
+{
+ if(n1->numberOfRDNs != n2->numberOfRDNs) {
+ printf("***Mismatch in numberOfRDNs\n");
+ return 1;
+ }
+ unsigned rtn = 0;
+ for(unsigned rdnDex=0; rdnDex<n1->numberOfRDNs; rdnDex++) {
+ CSSM_X509_RDN &rdn1 = n1->RelativeDistinguishedName[rdnDex];
+ CSSM_X509_RDN &rdn2 = n2->RelativeDistinguishedName[rdnDex];
+ rtn += rdnCompare(&rdn1, &rdn2);
+ }
+ return rtn;
+}
+
+static void x509NameFree(
+ CSSM_X509_NAME_PTR n)
+{
+ for(unsigned rdnDex=0; rdnDex<n->numberOfRDNs; rdnDex++) {
+ CSSM_X509_RDN &rdn = n->RelativeDistinguishedName[rdnDex];
+ rdnFree(&rdn);
+ }
+ free(n->RelativeDistinguishedName);
+}
+
+#pragma mark --- general purpose GeneralNames generator ---
+
+#define SOME_URL_1 "http://foo.bar.com"
+#define SOME_URL_2 "http://bar.foo.com"
+#define SOME_DNS_1 "Some DNS"
+#define SOME_DNS_2 "Another DNS"
+unsigned char someIpAdr_1[] = {208, 161, 124, 209 };
+unsigned char someIpAdr_2[] = {10, 0, 61, 5};
+
+static void genNameCreate(CE_GeneralName *name)
+{
+ unsigned type = genRand(1, 5);
+ const char *src;
+ unsigned char *usrc;
+ switch(type) {
+ case 1:
+ name->nameType = GNT_URI;
+ name->berEncoded = CSSM_FALSE;
+ src = randBool() ? SOME_URL_1 : SOME_URL_2;
+ appCopyData(src, strlen(src), &name->name);
+ break;
+
+ case 2:
+ name->nameType = GNT_RegisteredID;
+ name->berEncoded = CSSM_FALSE;
+ appCopyData(CSSMOID_SubjectDirectoryAttributes.Data,
+ CSSMOID_SubjectDirectoryAttributes.Length,
+ &name->name);
+ break;
+
+ case 3:
+ name->nameType = GNT_DNSName;
+ name->berEncoded = CSSM_FALSE;
+ src = randBool() ? SOME_DNS_1 : SOME_DNS_2;
+ appCopyData(src, strlen(src), &name->name);
+ break;
+
+ case 4:
+ name->nameType = GNT_IPAddress;
+ name->berEncoded = CSSM_FALSE;
+ usrc = randBool() ? someIpAdr_1 : someIpAdr_2;
+ appCopyData(usrc, 4, &name->name);
+ break;
+
+ case 5:
+ {
+ /* X509_NAME, the hard one */
+ name->nameType = GNT_DirectoryName;
+ name->berEncoded = CSSM_FALSE;
+ appSetupCssmData(&name->name, sizeof(CSSM_X509_NAME));
+ x509NameCreate((CSSM_X509_NAME_PTR)name->name.Data);
+ }
+ }
+}
+
+static void genNamesCreate(void *arg)
+{
+ CE_GeneralNames *names = (CE_GeneralNames *)arg;
+ names->numNames = genRand(1, 3);
+ // one at a time
+ //names->numNames = 1;
+ names->generalName = (CE_GeneralName *)malloc(names->numNames *
+ sizeof(CE_GeneralName));
+ memset(names->generalName, 0, names->numNames * sizeof(CE_GeneralName));
+
+ for(unsigned i=0; i<names->numNames; i++) {
+ CE_GeneralName *name = &names->generalName[i];
+ genNameCreate(name);
+ }
+}
+
+static unsigned genNameCompare(
+ CE_GeneralName *npre,
+ CE_GeneralName *npost)
+{
+ unsigned rtn = 0;
+ if(npre->nameType != npost->nameType) {
+ printf("***CE_GeneralName.nameType miscompare\n");
+ rtn++;
+ }
+ if(compBool(npre->berEncoded, npost->berEncoded,
+ "CE_GeneralName.berEncoded")) {
+ rtn++;
+ }
+
+ /* nameType-specific compare */
+ switch(npre->nameType) {
+ case GNT_RFC822Name:
+ rtn += compCssmData(npre->name, npost->name,
+ "CE_GeneralName.RFC822Name");
+ break;
+ case GNT_DNSName:
+ rtn += compCssmData(npre->name, npost->name,
+ "CE_GeneralName.DNSName");
+ break;
+ case GNT_URI:
+ rtn += compCssmData(npre->name, npost->name,
+ "CE_GeneralName.URI");
+ break;
+ case GNT_IPAddress:
+ rtn += compCssmData(npre->name, npost->name,
+ "CE_GeneralName.RFIPAddressC822Name");
+ break;
+ case GNT_RegisteredID:
+ rtn += compCssmData(npre->name, npost->name,
+ "CE_GeneralName.RegisteredID");
+ break;
+ case GNT_DirectoryName:
+ rtn += x509NameCompare((CSSM_X509_NAME_PTR)npre->name.Data,
+ (CSSM_X509_NAME_PTR)npost->name.Data);
+ break;
+ default:
+ printf("****BRRZAP! genNamesCompare needs work\n");
+ rtn++;
+ }
+ return rtn;
+}
+
+static unsigned genNamesCompare(const void *pre, const void *post)
+{
+ const CE_GeneralNames *gnPre = (CE_GeneralNames *)pre;
+ const CE_GeneralNames *gnPost = (CE_GeneralNames *)post;
+ unsigned rtn = 0;
+
+ if((gnPre == NULL) || (gnPost == NULL)) {
+ printf("***Bad GenNames pointer\n");
+ return 1;
+ }
+ if(gnPre->numNames != gnPost->numNames) {
+ printf("***CE_GeneralNames.numNames miscompare\n");
+ return 1;
+ }
+ for(unsigned dex=0; dex<gnPre->numNames; dex++) {
+ CE_GeneralName *npre = &gnPre->generalName[dex];
+ CE_GeneralName *npost = &gnPost->generalName[dex];
+ rtn += genNameCompare(npre, npost);
+ }
+ return rtn;
+}
+
+
+static void genNameFree(CE_GeneralName *n)
+{
+ switch(n->nameType) {
+ case GNT_DirectoryName:
+ x509NameFree((CSSM_X509_NAME_PTR)n->name.Data);
+ CSSM_FREE(n->name.Data);
+ break;
+ default:
+ CSSM_FREE(n->name.Data);
+ break;
+ }
+}
+
+
+static void genNamesFree(void *arg)
+{
+ const CE_GeneralNames *gn = (CE_GeneralNames *)arg;
+ for(unsigned dex=0; dex<gn->numNames; dex++) {
+ CE_GeneralName *n = (CE_GeneralName *)&gn->generalName[dex];
+ genNameFree(n);
+ }
+ free(gn->generalName);
+}
+
+#pragma mark --- CE_CRLDistPointsSyntax ---
+static void cdpCreate(void *arg)
+{
+ CE_CRLDistPointsSyntax *cdp = (CE_CRLDistPointsSyntax *)arg;
+ //cdp->numDistPoints = genRand(1,3);
+ // one at a time
+ cdp->numDistPoints = 1;
+ unsigned len = sizeof(CE_CRLDistributionPoint) * cdp->numDistPoints;
+ cdp->distPoints = (CE_CRLDistributionPoint *)malloc(len);
+ memset(cdp->distPoints, 0, len);
+
+ for(unsigned dex=0; dex<cdp->numDistPoints; dex++) {
+ CE_CRLDistributionPoint *pt = &cdp->distPoints[dex];
+
+ /* all fields optional */
+ if(randBool()) {
+ CE_DistributionPointName *dpn = pt->distPointName =
+ (CE_DistributionPointName *)malloc(
+ sizeof(CE_DistributionPointName));
+ memset(dpn, 0, sizeof(CE_DistributionPointName));
+
+ /* CE_DistributionPointName has two flavors */
+ if(randBool()) {
+ dpn->nameType = CE_CDNT_FullName;
+ dpn->dpn.fullName = (CE_GeneralNames *)malloc(
+ sizeof(CE_GeneralNames));
+ memset(dpn->dpn.fullName, 0, sizeof(CE_GeneralNames));
+ genNamesCreate(dpn->dpn.fullName);
+ }
+ else {
+ dpn->nameType = CE_CDNT_NameRelativeToCrlIssuer;
+ dpn->dpn.rdn = (CSSM_X509_RDN_PTR)malloc(
+ sizeof(CSSM_X509_RDN));
+ memset(dpn->dpn.rdn, 0, sizeof(CSSM_X509_RDN));
+ rdnCreate(dpn->dpn.rdn);
+ }
+ } /* creating CE_DistributionPointName */
+
+ pt->reasonsPresent = randBool();
+ if(pt->reasonsPresent) {
+ CE_CrlDistReasonFlags *cdr = &pt->reasons;
+ /* set two random valid bits */
+ *cdr = 0;
+ *cdr |= 1 << genRand(0,7);
+ *cdr |= 1 << genRand(0,7);
+ }
+
+ /* make sure at least one present */
+ if((!pt->distPointName && !pt->reasonsPresent) || randBool()) {
+ pt->crlIssuer = (CE_GeneralNames *)malloc(sizeof(CE_GeneralNames));
+ memset(pt->crlIssuer, 0, sizeof(CE_GeneralNames));
+ genNamesCreate(pt->crlIssuer);
+ }
+ }
+}
+
+static unsigned cdpCompare(const void *pre, const void *post)
+{
+ CE_CRLDistPointsSyntax *cpre = (CE_CRLDistPointsSyntax *)pre;
+ CE_CRLDistPointsSyntax *cpost = (CE_CRLDistPointsSyntax *)post;
+
+ if(cpre->numDistPoints != cpost->numDistPoints) {
+ printf("***CE_CRLDistPointsSyntax.numDistPoints miscompare\n");
+ return 1;
+ }
+ unsigned rtn = 0;
+ for(unsigned dex=0; dex<cpre->numDistPoints; dex++) {
+ CE_CRLDistributionPoint *ptpre = &cpre->distPoints[dex];
+ CE_CRLDistributionPoint *ptpost = &cpost->distPoints[dex];
+
+ if(ptpre->distPointName) {
+ if(ptpost->distPointName == NULL) {
+ printf("***NULL distPointName post decode\n");
+ rtn++;
+ goto checkReason;
+ }
+ CE_DistributionPointName *dpnpre = ptpre->distPointName;
+ CE_DistributionPointName *dpnpost = ptpost->distPointName;
+ if(dpnpre->nameType != dpnpost->nameType) {
+ printf("***CE_DistributionPointName.nameType miscompare\n");
+ rtn++;
+ goto checkReason;
+ }
+ if(dpnpre->nameType == CE_CDNT_FullName) {
+ rtn += genNamesCompare(dpnpre->dpn.fullName, dpnpost->dpn.fullName);
+ }
+ else {
+ rtn += rdnCompare(dpnpre->dpn.rdn, dpnpost->dpn.rdn);
+ }
+
+ }
+ else if(ptpost->distPointName != NULL) {
+ printf("***NON NULL distPointName post decode\n");
+ rtn++;
+ }
+
+ checkReason:
+ if(ptpre->reasons != ptpost->reasons) {
+ printf("***CE_CRLDistributionPoint.reasons miscompare\n");
+ rtn++;
+ }
+
+ if(ptpre->crlIssuer) {
+ if(ptpost->crlIssuer == NULL) {
+ printf("***NULL crlIssuer post decode\n");
+ rtn++;
+ continue;
+ }
+ CE_GeneralNames *gnpre = ptpre->crlIssuer;
+ CE_GeneralNames *gnpost = ptpost->crlIssuer;
+ rtn += genNamesCompare(gnpre, gnpost);
+ }
+ else if(ptpost->crlIssuer != NULL) {
+ printf("***NON NULL crlIssuer post decode\n");
+ rtn++;
+ }
+ }
+ return rtn;
+}
+
+static void cdpFree(void *arg)
+{
+ CE_CRLDistPointsSyntax *cdp = (CE_CRLDistPointsSyntax *)arg;
+ for(unsigned dex=0; dex<cdp->numDistPoints; dex++) {
+ CE_CRLDistributionPoint *pt = &cdp->distPoints[dex];
+ if(pt->distPointName) {
+ CE_DistributionPointName *dpn = pt->distPointName;
+ if(dpn->nameType == CE_CDNT_FullName) {
+ genNamesFree(dpn->dpn.fullName);
+ free(dpn->dpn.fullName);
+ }
+ else {
+ rdnFree(dpn->dpn.rdn);
+ free(dpn->dpn.rdn);
+ }
+ free(dpn);
+ }
+
+ if(pt->crlIssuer) {
+ genNamesFree(pt->crlIssuer);
+ free(pt->crlIssuer);
+ }
+ }
+ free(cdp->distPoints);
+}
+
+#pragma mark --- CE_AuthorityKeyID ---
+static void authKeyIdCreate(void *arg)
+{
+ CE_AuthorityKeyID *akid = (CE_AuthorityKeyID *)arg;
+
+ /* all three fields optional */
+
+ akid->keyIdentifierPresent = randBool();
+ if(akid->keyIdentifierPresent) {
+ randData(&akid->keyIdentifier, 16);
+ }
+
+ akid->generalNamesPresent = randBool();
+ if(akid->generalNamesPresent) {
+ akid->generalNames =
+ (CE_GeneralNames *)malloc(sizeof(CE_GeneralNames));
+ memset(akid->generalNames, 0, sizeof(CE_GeneralNames));
+ genNamesCreate(akid->generalNames);
+ }
+
+ if(!akid->keyIdentifierPresent & !akid->generalNamesPresent) {
+ /* force at least one to be present */
+ akid->serialNumberPresent = CSSM_TRUE;
+ }
+ else {
+ akid->serialNumberPresent = randBool();
+ }
+ if(akid->serialNumberPresent) {
+ randData(&akid->serialNumber, 16);
+ }
+
+}
+
+static unsigned authKeyIdCompare(const void *pre, const void *post)
+{
+ CE_AuthorityKeyID *akpre = (CE_AuthorityKeyID *)pre;
+ CE_AuthorityKeyID *akpost = (CE_AuthorityKeyID *)post;
+ unsigned rtn = 0;
+
+ if(compBool(akpre->keyIdentifierPresent, akpost->keyIdentifierPresent,
+ "CE_AuthorityKeyID.keyIdentifierPresent")) {
+ rtn++;
+ }
+ else if(akpre->keyIdentifierPresent) {
+ rtn += compCssmData(akpre->keyIdentifier,
+ akpost->keyIdentifier, "CE_AuthorityKeyID.keyIdentifier");
+ }
+
+ if(compBool(akpre->generalNamesPresent, akpost->generalNamesPresent,
+ "CE_AuthorityKeyID.generalNamesPresent")) {
+ rtn++;
+ }
+ else if(akpre->generalNamesPresent) {
+ rtn += genNamesCompare(akpre->generalNames,
+ akpost->generalNames);
+ }
+
+ if(compBool(akpre->serialNumberPresent, akpost->serialNumberPresent,
+ "CE_AuthorityKeyID.serialNumberPresent")) {
+ rtn++;
+ }
+ else if(akpre->serialNumberPresent) {
+ rtn += compCssmData(akpre->serialNumber,
+ akpost->serialNumber, "CE_AuthorityKeyID.serialNumber");
+ }
+ return rtn;
+}
+
+static void authKeyIdFree(void *arg)
+{
+ CE_AuthorityKeyID *akid = (CE_AuthorityKeyID *)arg;
+
+ if(akid->keyIdentifier.Data) {
+ free(akid->keyIdentifier.Data);
+ }
+ if(akid->generalNames) {
+ genNamesFree(akid->generalNames); // genNamesCreate mallocd
+ free(akid->generalNames); // we mallocd
+ }
+ if(akid->serialNumber.Data) {
+ free(akid->serialNumber.Data);
+ }
+}
+
+#pragma mark --- CE_CertPolicies ---
+
+/* random OIDs, pick 1..NUM_CP_OIDS */
+static CSSM_OID cpOids[] =
+{
+ CSSMOID_EmailAddress,
+ CSSMOID_UnstructuredName,
+ CSSMOID_ContentType,
+ CSSMOID_MessageDigest
+};
+#define NUM_CP_OIDS 4
+
+/* CPS strings, pick one of NUM_CPS_STR */
+static char *someCPSs[] =
+{
+ (char *)"http://www.apple.com",
+ (char *)"https://cdnow.com",
+ (char *)"ftp:backwards.com"
+};
+#define NUM_CPS_STR 3
+
+/* make these looks like real sequences */
+static uint8 someUnotice[] = {0x30, 0x03, BER_TAG_BOOLEAN, 1, 0xff};
+static uint8 someOtherData[] = {0x30, 0x02, BER_TAG_NULL, 0};
+
+static void cpCreate(void *arg)
+{
+ CE_CertPolicies *cp = (CE_CertPolicies *)arg;
+ cp->numPolicies = genRand(1,3);
+ //cp->numPolicies = 1;
+ unsigned len = sizeof(CE_PolicyInformation) * cp->numPolicies;
+ cp->policies = (CE_PolicyInformation *)malloc(len);
+ memset(cp->policies, 0, len);
+
+ for(unsigned polDex=0; polDex<cp->numPolicies; polDex++) {
+ CE_PolicyInformation *pi = &cp->policies[polDex];
+ unsigned die = genRand(1, NUM_CP_OIDS);
+ pi->certPolicyId = cpOids[die - 1];
+ unsigned numQual = genRand(1,3);
+ pi->numPolicyQualifiers = numQual;
+ len = sizeof(CE_PolicyQualifierInfo) * numQual;
+ pi->policyQualifiers = (CE_PolicyQualifierInfo *)
+ malloc(len);
+ memset(pi->policyQualifiers, 0, len);
+ for(unsigned cpiDex=0; cpiDex<numQual; cpiDex++) {
+ CE_PolicyQualifierInfo *qi =
+ &pi->policyQualifiers[cpiDex];
+ if(randBool()) {
+ qi->policyQualifierId = CSSMOID_QT_CPS;
+ die = genRand(1, NUM_CPS_STR);
+ qi->qualifier.Data = (uint8 *)someCPSs[die - 1];
+ qi->qualifier.Length = strlen((char *)qi->qualifier.Data);
+ }
+ else {
+ qi->policyQualifierId = CSSMOID_QT_UNOTICE;
+ if(randBool()) {
+ qi->qualifier.Data = someUnotice;
+ qi->qualifier.Length = 5;
+ }
+ else {
+ qi->qualifier.Data = someOtherData;
+ qi->qualifier.Length = 4;
+ }
+ }
+ }
+ }
+}
+
+static unsigned cpCompare(const void *pre, const void *post)
+{
+ CE_CertPolicies *cppre = (CE_CertPolicies *)pre;
+ CE_CertPolicies *cppost = (CE_CertPolicies *)post;
+
+ if(cppre->numPolicies != cppost->numPolicies) {
+ printf("CE_CertPolicies.numPolicies mismatch\n");
+ return 1;
+ }
+ unsigned rtn = 0;
+ for(unsigned polDex=0; polDex<cppre->numPolicies; polDex++) {
+ CE_PolicyInformation *pipre = &cppre->policies[polDex];
+ CE_PolicyInformation *pipost = &cppost->policies[polDex];
+ rtn += compCssmData(pipre->certPolicyId, pipost->certPolicyId,
+ "CE_PolicyInformation.certPolicyId");
+ if(pipre->numPolicyQualifiers != pipost->numPolicyQualifiers) {
+ printf("CE_PolicyInformation.CE_PolicyInformation mismatch\n");
+ rtn++;
+ continue;
+ }
+
+ for(unsigned qiDex=0; qiDex<pipre->numPolicyQualifiers; qiDex++) {
+ CE_PolicyQualifierInfo *qipre = &pipre->policyQualifiers[qiDex];
+ CE_PolicyQualifierInfo *qipost = &pipost->policyQualifiers[qiDex];
+ rtn += compCssmData(qipre->policyQualifierId,
+ qipost->policyQualifierId,
+ "CE_PolicyQualifierInfo.policyQualifierId");
+ rtn += compCssmData(qipre->qualifier,
+ qipost->qualifier,
+ "CE_PolicyQualifierInfo.qualifier");
+ }
+ }
+ return rtn;
+}
+
+static void cpFree(void *arg)
+{
+ CE_CertPolicies *cp = (CE_CertPolicies *)arg;
+ for(unsigned polDex=0; polDex<cp->numPolicies; polDex++) {
+ CE_PolicyInformation *pi = &cp->policies[polDex];
+ free(pi->policyQualifiers);
+ }
+ free(cp->policies);
+}
+
+#pragma mark --- CE_AuthorityInfoAccess ---
+
+/* random OIDs, pick 1..NUM_AI_OIDS */
+static CSSM_OID aiOids[] =
+{
+ CSSMOID_AD_OCSP,
+ CSSMOID_AD_CA_ISSUERS,
+ CSSMOID_AD_TIME_STAMPING,
+ CSSMOID_AD_CA_REPOSITORY
+};
+#define NUM_AI_OIDS 4
+
+static void aiaCreate(void *arg)
+{
+ CE_AuthorityInfoAccess *aia = (CE_AuthorityInfoAccess *)arg;
+ aia->numAccessDescriptions = genRand(1,3);
+ unsigned len = aia->numAccessDescriptions * sizeof(CE_AccessDescription);
+ aia->accessDescriptions = (CE_AccessDescription *)malloc(len);
+ memset(aia->accessDescriptions, 0, len);
+
+ for(unsigned dex=0; dex<aia->numAccessDescriptions; dex++) {
+ CE_AccessDescription *ad = &aia->accessDescriptions[dex];
+ int die = genRand(1, NUM_AI_OIDS);
+ ad->accessMethod = aiOids[die - 1];
+ genNameCreate(&ad->accessLocation);
+ }
+}
+
+static unsigned aiaCompare(const void *pre, const void *post)
+{
+ CE_AuthorityInfoAccess *apre = (CE_AuthorityInfoAccess *)pre;
+ CE_AuthorityInfoAccess *apost = (CE_AuthorityInfoAccess *)post;
+ unsigned rtn = 0;
+
+ if(apre->numAccessDescriptions != apost->numAccessDescriptions) {
+ printf("***CE_AuthorityInfoAccess.numAccessDescriptions miscompare\n");
+ return 1;
+ }
+ for(unsigned dex=0; dex<apre->numAccessDescriptions; dex++) {
+ CE_AccessDescription *adPre = &apre->accessDescriptions[dex];
+ CE_AccessDescription *adPost = &apost->accessDescriptions[dex];
+ if(compCssmData(adPre->accessMethod, adPost->accessMethod,
+ "CE_AccessDescription.accessMethod")) {
+ rtn++;
+ }
+ rtn += genNameCompare(&adPre->accessLocation, &adPost->accessLocation);
+ }
+ return rtn;
+}
+
+static void aiaFree(void *arg)
+{
+ CE_AuthorityInfoAccess *aia = (CE_AuthorityInfoAccess *)arg;
+ for(unsigned dex=0; dex<aia->numAccessDescriptions; dex++) {
+ CE_AccessDescription *ad = &aia->accessDescriptions[dex];
+ genNameFree(&ad->accessLocation);
+ }
+ free(aia->accessDescriptions);
+}
+
+#pragma mark --- CE_QC_Statements ---
+
+/* a static array of CE_QC_Statement.statementId */
+static const CSSM_OID qcsOids[] = {
+ CSSMOID_OID_QCS_SYNTAX_V1,
+ CSSMOID_OID_QCS_SYNTAX_V2,
+ CSSMOID_ETSI_QCS_QC_COMPLIANCE,
+};
+#define NUM_QCS_OIDS 3
+#define WHICH_QCS_V2 1
+
+static void qcsCreate(void *arg)
+{
+ CE_QC_Statements *qcss = (CE_QC_Statements *)arg;
+ //unsigned numQcs = genRand(1,3);
+ unsigned numQcs = 1;
+ qcss->numQCStatements = numQcs;
+ qcss->qcStatements = (CE_QC_Statement *)malloc(numQcs * sizeof(CE_QC_Statement));
+ memset(qcss->qcStatements, 0, numQcs * sizeof(CE_QC_Statement));
+
+ for(unsigned dex=0; dex<numQcs; dex++) {
+ CE_QC_Statement *qcs = &qcss->qcStatements[dex];
+ unsigned whichOid = genRand(0, NUM_QCS_OIDS-1);
+ qcs->statementId = qcsOids[whichOid];
+
+ /* three legal combos of (semanticsInfo, otherInfo), constrained by whichOid */
+ unsigned coin = genRand(1, 2);
+ switch(coin) {
+ case 1:
+ /* nothing */
+ break;
+ case 2:
+ {
+ /*
+ * CSSMOID_OID_QCS_SYNTAX_V2 --> semanticsInfo
+ * other --> otherInfo
+ */
+ if(whichOid == WHICH_QCS_V2) {
+ CE_SemanticsInformation *si = (CE_SemanticsInformation *)malloc(
+ sizeof(CE_SemanticsInformation));
+ qcs->semanticsInfo = si;
+ memset(si, 0, sizeof(CE_SemanticsInformation));
+
+ /* flip a coin; heads --> semanticsIdentifier */
+ coin = genRand(1, 2);
+ if(coin == 2) {
+ si->semanticsIdentifier = (CSSM_OID *)malloc(sizeof(CSSM_OID));
+ *si->semanticsIdentifier = qcsOids[0];
+ }
+
+ /* flip a coin; heads --> nameRegistrationAuthorities */
+ /* also gen this one if semanticsInfo is empty */
+ coin = genRand(1, 2);
+ if((coin == 2) || (si->semanticsIdentifier == NULL)) {
+ si->nameRegistrationAuthorities = (CE_NameRegistrationAuthorities *)
+ malloc(sizeof(CE_NameRegistrationAuthorities));
+ genNamesCreate(si->nameRegistrationAuthorities);
+ }
+ }
+ else {
+ /* ASN_ANY - just take an encoded NULL */
+ CSSM_DATA *otherInfo = (CSSM_DATA *)malloc(sizeof(CSSM_DATA));
+ otherInfo->Data = (uint8 *)malloc(2);
+ otherInfo->Data[0] = 5;
+ otherInfo->Data[1] = 0;
+ otherInfo->Length = 2;
+ qcs->otherInfo = otherInfo;
+ }
+ break;
+ }
+ }
+ }
+}
+
+static unsigned qcsCompare(const void *pre, const void *post)
+{
+ CE_QC_Statements *qpre = (CE_QC_Statements *)pre;
+ CE_QC_Statements *qpost = (CE_QC_Statements *)post;
+ uint32 numQcs = qpre->numQCStatements;
+ if(numQcs != qpost->numQCStatements) {
+ printf("***numQCStatements miscompare\n");
+ return 1;
+ }
+
+ unsigned rtn = 0;
+ for(unsigned dex=0; dex<numQcs; dex++) {
+ CE_QC_Statement *qcsPre = &qpre->qcStatements[dex];
+ CE_QC_Statement *qcsPost = &qpost->qcStatements[dex];
+ if(compCssmData(qcsPre->statementId, qcsPost->statementId,
+ "CE_QC_Statement.statementId")) {
+ rtn++;
+ }
+ if(qcsPre->semanticsInfo) {
+ if(qcsPost->semanticsInfo == NULL) {
+ printf("***semanticsInfo in pre but not in post\n");
+ rtn++;
+ }
+ else {
+ CE_SemanticsInformation *siPre = qcsPre->semanticsInfo;
+ CE_SemanticsInformation *siPost = qcsPost->semanticsInfo;
+ if((siPre->semanticsIdentifier == NULL) != (siPost->semanticsIdentifier == NULL)) {
+ printf("***mismatch in presence of semanticsIdentifier\n");
+ rtn++;
+ }
+ else if(siPre->semanticsIdentifier) {
+ if(compCssmData(*siPre->semanticsIdentifier, *siPost->semanticsIdentifier,
+ "CE_SemanticsInformation.semanticsIdentifier")) {
+ rtn++;
+ }
+ }
+ if((siPre->nameRegistrationAuthorities == NULL) !=
+ (siPost->nameRegistrationAuthorities == NULL)) {
+ printf("***mismatch in presence of nameRegistrationAuthorities\n");
+ rtn++;
+ }
+ else if(siPre->nameRegistrationAuthorities) {
+ rtn += genNamesCompare(siPre->nameRegistrationAuthorities,
+ siPost->nameRegistrationAuthorities);
+ }
+ }
+ }
+ else if(qcsPost->semanticsInfo != NULL) {
+ printf("***semanticsInfo in post but not in pre\n");
+ rtn++;
+ }
+ if(qcsPre->otherInfo) {
+ if(qcsPost->otherInfo == NULL) {
+ printf("***otherInfo in pre but not in post\n");
+ rtn++;
+ }
+ else {
+ if(compCssmData(*qcsPre->otherInfo, *qcsPre->otherInfo,
+ "CE_QC_Statement.otherInfo")) {
+ rtn++;
+ }
+ }
+ }
+ else if(qcsPost->otherInfo != NULL) {
+ printf("***otherInfo in post but not in pre\n");
+ rtn++;
+ }
+ }
+ return rtn;
+}
+
+static void qcsFree(void *arg)
+{
+ CE_QC_Statements *qcss = (CE_QC_Statements *)arg;
+ uint32 numQcs = qcss->numQCStatements;
+ for(unsigned dex=0; dex<numQcs; dex++) {
+ CE_QC_Statement *qcs = &qcss->qcStatements[dex];
+ if(qcs->semanticsInfo) {
+ CE_SemanticsInformation *si = qcs->semanticsInfo;
+ if(si->semanticsIdentifier) {
+ free(si->semanticsIdentifier);
+ }
+ if(si->nameRegistrationAuthorities) {
+ genNamesFree(si->nameRegistrationAuthorities);
+ free(si->nameRegistrationAuthorities);
+ }
+ free(qcs->semanticsInfo);
+ }
+ if(qcs->otherInfo) {
+ free(qcs->otherInfo->Data);
+ free(qcs->otherInfo);
+ }
+ }
+ free(qcss->qcStatements);
+}
+
+#pragma mark --- test definitions ---
+
+/*
+ * Define one extension test.
+ */
+
+/*
+ * Cook up this extension with random, reasonable values.
+ * Incoming pointer refers to extension-specific C struct, mallocd
+ * and zeroed by main test routine.
+ */
+typedef void (*extenCreateFcn)(void *arg);
+
+/*
+ * Compare two instances of this extension. Return number of
+ * compare errors.
+ */
+typedef unsigned (*extenCompareFcn)(
+ const void *preEncode,
+ const void *postEncode);
+
+/*
+ * Free struct components mallocd in extenCreateFcn. Do not free
+ * the outer struct.
+ */
+typedef void (*extenFreeFcn)(void *arg);
+
+typedef struct {
+ /* three extension-specific functions */
+ extenCreateFcn createFcn;
+ extenCompareFcn compareFcn;
+ extenFreeFcn freeFcn;
+
+ /* size of C struct passed to all three functions */
+ unsigned extenSize;
+
+ /* the OID for this extension */
+ CSSM_OID extenOid;
+
+ /* description for error logging and blob writing */
+ const char *extenDescr;
+
+ /* command-line letter for this one */
+ char extenLetter;
+
+} ExtenTest;
+
+/* empty freeFcn means no extension-specific resources to free */
+#define NO_FREE NULL
+
+static ExtenTest extenTests[] = {
+ { kuCreate, kuCompare, NO_FREE,
+ sizeof(CE_KeyUsage), CSSMOID_KeyUsage,
+ "KeyUsage", 'k' },
+ { bcCreate, bcCompare, NO_FREE,
+ sizeof(CE_BasicConstraints), CSSMOID_BasicConstraints,
+ "BasicConstraints", 'b' },
+ { ekuCreate, ekuCompare, NO_FREE,
+ sizeof(CE_ExtendedKeyUsage), CSSMOID_ExtendedKeyUsage,
+ "ExtendedKeyUsage", 'x' },
+ { skidCreate, skidCompare, skidFree,
+ sizeof(CSSM_DATA), CSSMOID_SubjectKeyIdentifier,
+ "SubjectKeyID", 's' },
+ { authKeyIdCreate, authKeyIdCompare, authKeyIdFree,
+ sizeof(CE_AuthorityKeyID), CSSMOID_AuthorityKeyIdentifier,
+ "AuthorityKeyID", 'a' },
+ { genNamesCreate, genNamesCompare, genNamesFree,
+ sizeof(CE_GeneralNames), CSSMOID_SubjectAltName,
+ "SubjectAltName", 't' },
+ { genNamesCreate, genNamesCompare, genNamesFree,
+ sizeof(CE_GeneralNames), CSSMOID_IssuerAltName,
+ "IssuerAltName", 'i' },
+ { nctCreate, nctCompare, NO_FREE,
+ sizeof(CE_NetscapeCertType), CSSMOID_NetscapeCertType,
+ "NetscapeCertType", 'n' },
+ { cdpCreate, cdpCompare, cdpFree,
+ sizeof(CE_CRLDistPointsSyntax), CSSMOID_CrlDistributionPoints,
+ "CRLDistPoints", 'p' },
+ { cpCreate, cpCompare, cpFree,
+ sizeof(CE_CertPolicies), CSSMOID_CertificatePolicies,
+ "CertPolicies", 'c' },
+ { aiaCreate, aiaCompare, aiaFree,
+ sizeof(CE_AuthorityInfoAccess), CSSMOID_AuthorityInfoAccess,
+ "AuthorityInfoAccess", 'A' },
+ { aiaCreate, aiaCompare, aiaFree,
+ sizeof(CE_AuthorityInfoAccess), CSSMOID_SubjectInfoAccess,
+ "SubjectInfoAccess", 'S' },
+ { qcsCreate, qcsCompare, qcsFree,
+ sizeof(CE_QC_Statements), CSSMOID_QC_Statements,
+ "QualifiedCertStatements", 'q' },
+};
+
+#define NUM_EXTEN_TESTS (sizeof(extenTests) / sizeof(ExtenTest))
+
+static void printExten(
+ CSSM_X509_EXTENSION &extn,
+ bool preEncode,
+ OidParser &parser)
+{
+ CSSM_FIELD field;
+ field.FieldOid = extn.extnId;
+ field.FieldValue.Data = (uint8 *)&extn;
+ field.FieldValue.Length = sizeof(CSSM_X509_EXTENSION);
+ printf("=== %s:\n", preEncode ? "PRE-ENCODE" : "POST-DECODE" );
+ printCertField(field, parser, CSSM_TRUE);
+}
+
+static int doTest(
+ CSSM_CL_HANDLE clHand,
+ CSSM_CSP_HANDLE cspHand,
+ ExtenTest &extenTest,
+ bool writeBlobs,
+ const char *constFileName, // all blobs to this file if non-NULL
+ bool displayExtens,
+ OidParser &parser)
+{
+ /*
+ * 1. Cook up a random and reasonable instance of the C struct
+ * associated with this extension.
+ */
+ void *preEncode = CSSM_MALLOC(extenTest.extenSize);
+ memset(preEncode, 0, extenTest.extenSize);
+ extenTest.createFcn(preEncode);
+
+ /*
+ * Cook up the associated CSSM_X509_EXTENSION.
+ */
+ CSSM_X509_EXTENSION extnPre;
+
+ extnPre.extnId = extenTest.extenOid;
+ extnPre.critical = randBool();
+ extnPre.format = CSSM_X509_DATAFORMAT_PARSED;
+ extnPre.value.parsedValue = preEncode;
+ extnPre.BERvalue.Data = NULL;
+ extnPre.BERvalue.Length = 0;
+
+ /* encode the extension in a TBSCert */
+ CSSM_DATA_PTR rawCert = CB_MakeCertTemplate(clHand,
+ 0x12345678, // serial number
+ dummyName,
+ dummyName,
+ notBefore,
+ notAfter,
+ &subjPubKey,
+ SIG_ALG,
+ NULL, // subjUniqueId
+ NULL, // issuerUniqueId
+ &extnPre, // extensions
+ 1); // numExtensions
+ if(rawCert == NULL) {
+ printf("Error generating template; aborting.\n");
+ /* show what we tried to encode */
+ printExten(extnPre, true, parser);
+ return 1;
+ }
+
+ /* sign the cert */
+ CSSM_DATA signedCert = {0, NULL};
+ CSSM_CC_HANDLE sigHand;
+ CSSM_RETURN crtn = CSSM_CSP_CreateSignatureContext(cspHand,
+ SIG_ALG,
+ NULL, // no passphrase for now
+ &subjPrivKey,
+ &sigHand);
+ if(crtn) {
+ printError("CreateSignatureContext", crtn);
+ return 1;
+ }
+
+ crtn = CSSM_CL_CertSign(clHand,
+ sigHand,
+ rawCert, // CertToBeSigned
+ NULL, // SignScope per spec
+ 0, // ScopeSize per spec
+ &signedCert);
+ if(crtn) {
+ printError("CSSM_CL_CertSign", crtn);
+ /* show what we tried to encode */
+ printExten(extnPre, true, parser);
+ return 1;
+ }
+ CSSM_DeleteContext(sigHand);
+
+ if(writeBlobs) {
+ char fileName[200];
+ if(constFileName) {
+ strcpy(fileName, constFileName);
+ }
+ else {
+ sprintf(fileName, "%scert.der", extenTest.extenDescr);
+ }
+ writeFile(fileName, signedCert.Data, signedCert.Length);
+ printf("...wrote %lu bytes to %s\n", signedCert.Length, fileName);
+ }
+
+ /* snag the same extension from the encoded cert */
+ CSSM_DATA_PTR postField;
+ CSSM_HANDLE resultHand;
+ uint32 numFields;
+
+ crtn = CSSM_CL_CertGetFirstFieldValue(clHand,
+ &signedCert,
+ &extenTest.extenOid,
+ &resultHand,
+ &numFields,
+ &postField);
+ if(crtn) {
+ printf("****Extension field not found on decode for %s\n",
+ extenTest.extenDescr);
+ printError("CSSM_CL_CertGetFirstFieldValue", crtn);
+
+ /* show what we tried to encode and decode */
+ printExten(extnPre, true, parser);
+ return 1;
+ }
+
+ if(numFields != 1) {
+ printf("****GetFirstFieldValue: expect 1 value, got %u\n",
+ (unsigned)numFields);
+ return 1;
+ }
+ CSSM_CL_CertAbortQuery(clHand, resultHand);
+
+ /* verify the fields we generated */
+ CSSM_X509_EXTENSION *extnPost = (CSSM_X509_EXTENSION *)postField->Data;
+ if((extnPost == NULL) ||
+ (postField->Length != sizeof(CSSM_X509_EXTENSION))) {
+ printf("***Malformed CSSM_X509_EXTENSION (1) after decode\n");
+ return 1;
+ }
+ int rtn = 0;
+ rtn += compBool(extnPre.critical, extnPost->critical,
+ "CSSM_X509_EXTENSION.critical");
+ rtn += compCssmData(extnPre.extnId, extnPost->extnId,
+ "CSSM_X509_EXTENSION.extnId");
+
+ if(extnPost->format != CSSM_X509_DATAFORMAT_PARSED) {
+ printf("***Expected CSSM_X509_DATAFORMAT_PARSED (%x(x), got %x(x)\n",
+ CSSM_X509_DATAFORMAT_PARSED, extnPost->format);
+ }
+ if(extnPost->value.parsedValue == NULL) {
+ printf("***no parsedValue pointer!\n");
+ return 1;
+ }
+
+ /* down to extension-specific compare */
+ rtn += extenTest.compareFcn(preEncode, extnPost->value.parsedValue);
+
+ if(rtn) {
+ /* print preencode only on error */
+ printExten(extnPre, true, parser);
+ }
+ if(displayExtens || rtn) {
+ printExten(*extnPost, false, parser);
+ }
+
+ /* free the allocated data */
+ if(extenTest.freeFcn) {
+ extenTest.freeFcn(preEncode);
+ }
+ CSSM_CL_FreeFieldValue(clHand, &extenTest.extenOid, postField);
+ CSSM_FREE(rawCert->Data);
+ CSSM_FREE(rawCert);
+ CSSM_FREE(signedCert.Data);
+ CSSM_FREE(preEncode);
+ return rtn;
+}
+
+static void doPause(bool pause)
+{
+ if(!pause) {
+ return;
+ }
+ fpurge(stdin);
+ printf("CR to continue ");
+ getchar();
+}
+
+int main(int argc, char **argv)
+{
+ CSSM_CL_HANDLE clHand;
+ CSSM_CSP_HANDLE cspHand;
+ CSSM_RETURN crtn;
+ int arg;
+ int rtn;
+ OidParser parser;
+ char *argp;
+ unsigned i;
+
+ /* user-specificied params */
+ unsigned minExtenNum = 0;
+ unsigned maxExtenNum = NUM_EXTEN_TESTS-1;
+ bool writeBlobs = false;
+ bool displayExtens = false;
+ bool quiet = false;
+ unsigned loops = LOOPS_DEF;
+ bool pauseLoop = false;
+ bool pauseCert = false;
+ const char *constFileName = NULL;
+
+ for(arg=1; arg<argc; arg++) {
+ argp = argv[arg];
+ switch(argp[0]) {
+ case 'w':
+ writeBlobs = true;
+ break;
+ case 'd':
+ displayExtens = true;
+ break;
+ case 'q':
+ quiet = true;
+ break;
+ case 'p':
+ pauseLoop = true;
+ break;
+ case 'P':
+ pauseCert = true;
+ break;
+ case 'l':
+ loops = atoi(&argp[2]);
+ break;
+ case 'f':
+ constFileName = &argp[2];
+ break;
+ case 'e':
+ if(argp[1] != '=') {
+ usage(argv);
+ }
+ /* scan thru test array looking for epecified extension */
+ for(i=0; i<NUM_EXTEN_TESTS; i++) {
+ if(extenTests[i].extenLetter == argp[2]) {
+ minExtenNum = maxExtenNum = i;
+ break;
+ }
+ }
+ if(i == NUM_EXTEN_TESTS) {
+ usage(argv);
+ }
+ break;
+ default:
+ usage(argv);
+ }
+ }
+
+
+ /* common setup */
+ clHand = clStartup();
+ if(clHand == 0) {
+ return 0;
+ }
+ cspHand = cspStartup();
+ if(cspHand == 0) {
+ return 0;
+ }
+
+ printf("Starting extenTest; args: ");
+ for(i=1; i<(unsigned)argc; i++) {
+ printf("%s ", argv[i]);
+ }
+ printf("\n");
+
+ /* one common key pair - we're definitely not testing this */
+ crtn = cspGenKeyPair(cspHand,
+ KEY_ALG,
+ SUBJ_KEY_LABEL,
+ strlen(SUBJ_KEY_LABEL),
+ KEY_SIZE_BITS,
+ &subjPubKey,
+ CSSM_FALSE, // pubIsRef - should work both ways, but not yet
+ CSSM_KEYUSE_VERIFY,
+ CSSM_KEYBLOB_RAW_FORMAT_NONE,
+ &subjPrivKey,
+ CSSM_TRUE, // privIsRef - doesn't matter
+ CSSM_KEYUSE_SIGN,
+ CSSM_KEYBLOB_RAW_FORMAT_NONE,
+ CSSM_FALSE);
+ if(crtn) {
+ exit(1);
+ }
+
+ /* common issuer/subject - not testing this */
+ dummyName = CB_BuildX509Name(dummyRdn, NUM_DUMMY_NAMES);
+ if(dummyName == NULL) {
+ printf("CB_BuildX509Name failure");
+ exit(1);
+ }
+
+ /* not before/after in generalized time format */
+ notBefore = CB_BuildX509Time(0);
+ notAfter = CB_BuildX509Time(10000);
+
+ for(unsigned loop=0; loop<loops; loop++) {
+ if(!quiet) {
+ printf("...loop %u\n", loop);
+ }
+ for(unsigned extenDex=minExtenNum; extenDex<=maxExtenNum; extenDex++) {
+ rtn = doTest(clHand, cspHand, extenTests[extenDex],
+ writeBlobs, constFileName, displayExtens, parser);
+ if(rtn) {
+ break;
+ }
+ doPause(pauseCert);
+ }
+ if(rtn) {
+ break;
+ }
+ doPause(pauseLoop);
+ }
+
+ if(rtn) {
+ printf("***%s FAILED\n", argv[0]);
+ }
+ else if(!quiet) {
+ printf("...%s passed\n", argv[0]);
+ }
+
+
+ /* cleanup */
+ CB_FreeX509Name(dummyName);
+ CB_FreeX509Time(notBefore);
+ CB_FreeX509Time(notAfter);
+ CSSM_ModuleDetach(cspHand);
+ CSSM_ModuleDetach(clHand);
+ return 0;
+}
+
projects / apple / security.git / blobdiff