--- /dev/null
+/*
+ * extendAttrTest.cpp
+ */
+
+#include <stdlib.h>
+#include <strings.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <Security/SecKeychainItemExtendedAttributes.h>
+#include <Security/Security.h>
+#include <security_cdsa_utils/cuFileIo.h>
+#include <utilLib/common.h>
+
+#define DEFAULT_KC_NAME "extendAttr.keychain"
+
+static void usage(char **argv)
+{
+ printf("usage: %s [options]\n", argv[0]);
+ printf("Options:\n");
+ printf(" -k keychain -- default is %s\n", DEFAULT_KC_NAME);
+ printf(" -n -- don't delete attributes or keychain\n");
+ printf(" -q -- quiet\n");
+ exit(1);
+}
+
+/* RSA keys, both in OpenSSL format */
+#define PUB_KEY "rsakey_pub.der"
+#define PRIV_KEY "rsakey_priv.der"
+#define CERT_FILE "amazon_v3.100.cer"
+#define PWD_SERVICE "some service"
+#define PWD_ACCOUNT "some account"
+#define PWD_PWD "some password"
+
+/* set up unique extended attributes for each tested item */
+typedef struct {
+ CFStringRef attr1Name;
+ const char *attr1Value;
+ CFStringRef attr2Name;
+ const char *attr2Value;
+} ItemAttrs;
+
+static const ItemAttrs pubKeyAttrs = {
+ CFSTR("one pub key Attribute"),
+ "some pub key value",
+ CFSTR("another pub key Attribute"),
+ "another pub key value"
+};
+
+static const ItemAttrs privKeyAttrs = {
+ CFSTR("one priv key Attribute"),
+ "some priv key value",
+ CFSTR("another priv key Attribute"),
+ "another priv key value"
+};
+
+static const ItemAttrs certAttrs = {
+ CFSTR("one cert Attribute"),
+ "some cert value",
+ CFSTR("another cert Attribute"),
+ "another cert value"
+};
+
+static const ItemAttrs pwdAttrs = {
+ CFSTR("one pwd Attribute"),
+ "some pwd value",
+ CFSTR("another pwd Attribute"),
+ "another pwd value"
+};
+
+#define CFRELEASE(cf) if(cf) { CFRelease(cf); }
+
+/* import file as key into specified keychain */
+static int doImportKey(
+ const char *fileName,
+ SecExternalFormat format,
+ SecExternalItemType itemType,
+ SecKeychainRef kcRef,
+ SecKeyRef *keyRef) // RETURNED
+{
+ unsigned char *item = NULL;
+ unsigned itemLen = 0;
+
+ if(readFile(fileName, &item, &itemLen)) {
+ printf("***Error reading %s. \n", fileName);
+ }
+ CFDataRef cfd = CFDataCreate(NULL, (const UInt8 *)item, itemLen);
+ free(item);
+ SecKeyImportExportParameters params;
+ memset(¶ms, 0, sizeof(params));
+ params.version = SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION;
+ params.keyUsage = CSSM_KEYUSE_ANY;
+ params.keyAttributes = CSSM_KEYATTR_PERMANENT;
+ if(itemType == kSecItemTypePrivateKey) {
+ params.keyAttributes |= CSSM_KEYATTR_SENSITIVE;
+ }
+ CFArrayRef outArray = NULL;
+ OSStatus ortn;
+ ortn = SecKeychainItemImport(cfd, NULL, &format, &itemType, 0, ¶ms, kcRef, &outArray);
+ if(ortn) {
+ cssmPerror("SecKeychainItemImport", ortn);
+ }
+ CFRelease(cfd);
+ if(ortn) {
+ return -1;
+ }
+ if((outArray == NULL) || (CFArrayGetCount(outArray) == 0)) {
+ printf("SecKeychainItemImport succeeded, but no returned items\n");
+ return -1;
+ }
+ *keyRef = (SecKeyRef)CFArrayGetValueAtIndex(outArray, 0);
+ if(CFGetTypeID(*keyRef) != SecKeyGetTypeID()) {
+ printf("***Unknown type returned after import\n");
+ return -1;
+ }
+ CFRetain(*keyRef);
+ CFRelease(outArray);
+ return 0;
+}
+
+/* import file as cert into specified keychain */
+static int doImportCert(
+ const char *fileName,
+ SecKeychainRef kcRef,
+ SecCertificateRef *certRef) // RETURNED
+{
+ unsigned char *item = NULL;
+ unsigned itemLen = 0;
+
+ if(readFile(fileName, &item, &itemLen)) {
+ printf("***Error reading %s. \n", fileName);
+ return -1;
+ }
+ CSSM_DATA certData = {itemLen, (uint8 *)item};
+ OSStatus ortn = SecCertificateCreateFromData(&certData,
+ CSSM_CERT_X_509v3, CSSM_CERT_ENCODING_DER, certRef);
+ if(ortn) {
+ cssmPerror("SecCertificateCreateFromData", ortn);
+ return -1;
+ }
+ ortn = SecCertificateAddToKeychain(*certRef, kcRef);
+ if(ortn) {
+ cssmPerror("SecCertificateAddToKeychain", ortn);
+ return -1;
+ }
+ return 0;
+}
+
+/*
+ * Verify specified attr does not exist
+ * set it
+ * make sure we get it back
+ */
+int testOneAttr(
+ SecKeychainItemRef itemRef,
+ CFStringRef attrName,
+ CFDataRef attrVal,
+ bool quiet)
+{
+ OSStatus ortn;
+ CFDataRef fetchedVal = NULL;
+ int ourRtn = 0;
+
+ if(!quiet) {
+ printf(" ...verifying attribute doesn't exist\n");
+ }
+ ortn = SecKeychainItemCopyExtendedAttribute(itemRef, attrName, &fetchedVal);
+ if(ortn != errSecNoSuchAttr) {
+ printf("***First SecKeychainItemCopyExtendedAttribute returned %d, expected %d\n",
+ (int)ortn, (int)errSecNoSuchAttr);
+ ourRtn = -1;
+ goto errOut;
+ }
+ if(!quiet) {
+ printf(" ...setting attribute\n");
+ }
+ ortn = SecKeychainItemSetExtendedAttribute(itemRef, attrName, attrVal);
+ if(ortn) {
+ cssmPerror("SecKeychainItemSetExtendedAttribute", ortn);
+ ourRtn = -1;
+ goto errOut;
+ }
+ if(!quiet) {
+ printf(" ...verify attribute\n");
+ }
+ ortn = SecKeychainItemCopyExtendedAttribute(itemRef, attrName, &fetchedVal);
+ if(ortn) {
+ cssmPerror("SecKeychainItemCopyExtendedAttribute", ortn);
+ ourRtn = -1;
+ goto errOut;
+ }
+ if(!CFEqual(fetchedVal, attrVal)) {
+ printf("***Mismatch in set and fetched attribute\n");
+ ourRtn = -1;
+ }
+errOut:
+ CFRELEASE(fetchedVal);
+ return ourRtn;
+}
+
+/*
+ * Set two distinct extended attributes;
+ * Ensure that each comes back via SecKeychainItemCopyExtendedAttribute();
+ * Ensure that both come back via SecKeychainItemCopyAllExtendedAttributes();
+ */
+int doTest(SecKeychainItemRef itemRef,
+ const ItemAttrs &itemAttrs,
+ bool quiet)
+{
+ CFDataRef attrVal1 = CFDataCreate(NULL,
+ (const UInt8 *)itemAttrs.attr1Value, strlen(itemAttrs.attr1Value));
+ if(testOneAttr(itemRef, itemAttrs.attr1Name, attrVal1, quiet)) {
+ return -1;
+ }
+ CFDataRef attrVal2 = CFDataCreate(NULL,
+ (const UInt8 *)itemAttrs.attr2Value, strlen(itemAttrs.attr2Value));
+ if(testOneAttr(itemRef, itemAttrs.attr2Name, attrVal2, quiet)) {
+ return -1;
+ }
+
+ if(!quiet) {
+ printf(" ...verify both attributes via CopyAllExtendedAttributes()\n");
+ }
+ /* make sure they both come back in SecKeychainItemCopyAllExtendedAttributes */
+ CFArrayRef attrNames = NULL;
+ CFArrayRef attrValues = NULL;
+ OSStatus ortn = SecKeychainItemCopyAllExtendedAttributes(itemRef, &attrNames, &attrValues);
+ if(ortn) {
+ cssmPerror("SecKeychainItemCopyAllExtendedAttributes", ortn);
+ return -1;
+ }
+ CFIndex numNames = CFArrayGetCount(attrNames);
+ CFIndex numValues = CFArrayGetCount(attrValues);
+ if((numNames != 2) || (numValues != 2)) {
+ printf("***Bad array count after SecKeychainItemCopyAllExtendedAttributes\n");
+ printf(" numNames %ld numValues %ld; expected 2 for both\n",
+ (long)numNames, (long)numValues);
+ return -1;
+ }
+ bool found1 = false;
+ bool found2 = false;
+ for(CFIndex dex=0; dex<numNames; dex++) {
+ CFStringRef attrName = (CFStringRef)CFArrayGetValueAtIndex(attrNames, dex);
+ CFDataRef valToCompare = NULL;
+ if(CFEqual(attrName, itemAttrs.attr1Name)) {
+ found1 = true;
+ valToCompare = attrVal1;
+ }
+ else if(CFEqual(attrName, itemAttrs.attr2Name)) {
+ found2 = true;
+ valToCompare = attrVal2;
+ }
+ else {
+ printf("***Found unknown attribute name\n");
+ return -1;
+ }
+ CFDataRef foundVal = (CFDataRef)CFArrayGetValueAtIndex(attrValues, dex);
+ if(!CFEqual(foundVal, valToCompare)) {
+ printf("***Attribute Value miscompare\n");
+ return -1;
+ }
+ }
+ CFRelease(attrNames);
+ CFRelease(attrValues);
+ CFRelease(attrVal1);
+ CFRelease(attrVal2);
+
+ if(!found1 || !found2) {
+ printf("***wrote two attribute; found1 %s, found2 %s\n",
+ found1 ? "true" : "false", found2 ? "true" : "false");
+ return 1;
+ }
+
+ return 0;
+}
+
+/* delete two attrs, verify that none are left */
+static int doDeleteTest(
+ SecKeychainItemRef itemRef,
+ const ItemAttrs &itemAttrs,
+ bool quiet)
+{
+ if(!quiet) {
+ printf(" ...deleting both attributes, verifying none are left\n");
+ }
+
+ OSStatus ortn = SecKeychainItemSetExtendedAttribute(itemRef, itemAttrs.attr1Name, NULL);
+ if(ortn) {
+ cssmPerror("SecKeychainItemSetExtendedAttribute (NULL)", ortn);
+ return -1;
+ }
+ ortn = SecKeychainItemSetExtendedAttribute(itemRef, itemAttrs.attr2Name, NULL);
+ if(ortn) {
+ cssmPerror("SecKeychainItemSetExtendedAttribute (NULL)", ortn);
+ return -1;
+ }
+ CFArrayRef attrNames = NULL;
+ CFArrayRef attrValues = NULL;
+ ortn = SecKeychainItemCopyAllExtendedAttributes(itemRef, &attrNames, &attrValues);
+ if(ortn != errSecNoSuchAttr) {
+ printf("***Last SecKeychainItemCopyExtendedAttribute returned %d, expected %d\n",
+ (int)ortn, (int)errSecNoSuchAttr);
+ return -1;
+ }
+ return 0;
+}
+
+/*
+ * Verify that SecKeychainItemDelete() also deletes extended attributes.
+ *
+ * Assuming empty keychain:
+ * Import a cert;
+ * Set two extended attributes, make sure they're there;
+ * Delete the cert;
+ * Import the cert again;
+ * Verify that the new item has *no* extended attributes;
+ */
+static int doDeleteItemTest(
+ SecKeychainRef kcRef,
+ bool quiet)
+{
+ SecCertificateRef certRef = NULL;
+
+ if(doImportCert(CERT_FILE, kcRef, &certRef)) {
+ return 1;
+ }
+ if(!quiet) {
+ printf("...testing cert\n");
+ }
+ if(doTest((SecKeychainItemRef)certRef, certAttrs, quiet)) {
+ return -1;
+ }
+
+ /* doTest() verified that there are two extended attrs */
+ if(!quiet) {
+ printf("...deleting cert\n");
+ }
+ OSStatus ortn = SecKeychainItemDelete((SecKeychainItemRef)certRef);
+ if(ortn) {
+ cssmPerror("SecKeychainItemDelete", ortn);
+ return -1;
+ }
+ CFRelease(certRef);
+
+ if(!quiet) {
+ printf("...reimporting cert, verifying it has no extended attributes\n");
+ }
+ if(doImportCert(CERT_FILE, kcRef, &certRef)) {
+ return 1;
+ }
+ CFArrayRef attrNames = NULL;
+ ortn = SecKeychainItemCopyAllExtendedAttributes((SecKeychainItemRef)certRef, &attrNames,
+ NULL);
+ if(ortn != errSecNoSuchAttr) {
+ printf("***Deleted cert, re-imported it, and the new cert has extended attributes!\n");
+ return -1;
+ }
+ CFRelease(certRef);
+ return 0;
+}
+
+int main(int argc, char **argv)
+{
+ const char *kcName = DEFAULT_KC_NAME;
+ extern char *optarg;
+ int arg;
+ bool quiet = false;
+ bool noDelete = false;
+
+ while ((arg = getopt(argc, argv, "k:qnh")) != -1) {
+ switch (arg) {
+ case 'k':
+ kcName = optarg;
+ break;
+ case 'n':
+ noDelete = true;
+ break;
+ case 'q':
+ quiet = true;
+ break;
+ case 'h':
+ usage(argv);
+ }
+ }
+ if(optind != argc) {
+ usage(argv);
+ }
+
+ testStartBanner("extendAttrTest", argc, argv);
+
+ SecKeychainRef kcRef = NULL;
+ OSStatus ortn;
+
+ if(!quiet) {
+ printf("Deleting possible existing keychain and creating %s...\n", kcName);
+
+ }
+ /* delete possible existing keychain, then create it */
+ if (SecKeychainOpen(kcName, &kcRef) == noErr)
+ {
+ SecKeychainDelete(kcRef);
+ CFRelease(kcRef);
+ }
+
+ kcRef = NULL;
+ ortn = SecKeychainCreate(kcName,
+ strlen(DEFAULT_KC_NAME), DEFAULT_KC_NAME,
+ false, NULL, &kcRef);
+ if(ortn) {
+ cssmPerror("SecKeychainCreate", ortn);
+ exit(1);
+ }
+
+ /* import keys */
+ SecKeyRef pubKey = NULL;
+ SecKeyRef privKey = NULL;
+ if(!quiet) {
+ printf("Importing %s to keychain...\n", PUB_KEY);
+ }
+ if(doImportKey(PUB_KEY, kSecFormatOpenSSL, kSecItemTypePublicKey, kcRef, &pubKey)) {
+ exit(1);
+ }
+ if(!quiet) {
+ printf("Importing %s to keychain...\n", PRIV_KEY);
+ }
+ if(doImportKey(PRIV_KEY, kSecFormatOpenSSL, kSecItemTypePrivateKey, kcRef, &privKey)) {
+ exit(1);
+ }
+
+ if(!quiet) {
+ printf("...testing public key\n");
+ }
+ if(doTest((SecKeychainItemRef)pubKey, pubKeyAttrs, quiet)) {
+ return -1;
+ }
+ if(!quiet) {
+ printf("...testing private key\n");
+ }
+ if(doTest((SecKeychainItemRef)privKey, privKeyAttrs, quiet)) {
+ return -1;
+ }
+
+ /*
+ * Those keys and their extended attrs are still in the keychain. Test a cert.
+ */
+ SecCertificateRef certRef = NULL;
+ if(doImportCert(CERT_FILE, kcRef, &certRef)) {
+ exit(1);
+ }
+ if(!quiet) {
+ printf("...testing cert\n");
+ }
+ if(doTest((SecKeychainItemRef)certRef, certAttrs, quiet)) {
+ return -1;
+ }
+
+ /* leaving everything in place, test a generic password. */
+ SecKeychainItemRef pwdRef = NULL;
+ ortn = SecKeychainAddGenericPassword(kcRef,
+ strlen(PWD_SERVICE), PWD_SERVICE,
+ strlen(PWD_ACCOUNT), PWD_ACCOUNT,
+ strlen(PWD_PWD), PWD_PWD,
+ &pwdRef);
+ if(ortn) {
+ cssmPerror("SecKeychainAddGenericPassword", ortn);
+ exit(1);
+ }
+ if(!quiet) {
+ printf("...testing generic password\n");
+ }
+ if(doTest(pwdRef, pwdAttrs, quiet)) {
+ return -1;
+ }
+
+ if(noDelete) {
+ goto done;
+ }
+
+ /* delete extended attrs; make sure they really get deleted */
+ if(!quiet) {
+ printf("...removing extended attributes from public key\n");
+ }
+ if(doDeleteTest((SecKeychainItemRef)pubKey, pubKeyAttrs, quiet)) {
+ exit(1);
+ }
+ if(!quiet) {
+ printf("...removing extended attributes from private key\n");
+ }
+ if(doDeleteTest((SecKeychainItemRef)privKey, privKeyAttrs, quiet)) {
+ exit(1);
+ }
+ if(!quiet) {
+ printf("...removing extended attributes from certificate\n");
+ }
+ if(doDeleteTest((SecKeychainItemRef)certRef, certAttrs, quiet)) {
+ exit(1);
+ }
+ if(!quiet) {
+ printf("...removing extended attributes from generic password\n");
+ }
+ if(doDeleteTest(pwdRef, pwdAttrs, quiet)) {
+ exit(1);
+ }
+
+ CFRelease(pubKey);
+ CFRelease(privKey);
+ CFRelease(pwdRef);
+
+ /* Verify that SecKeychainItemDelete() also deletes extended attributes */
+ ortn = SecKeychainItemDelete((SecKeychainItemRef)certRef);
+ if(ortn) {
+ cssmPerror("SecKeychainItemDelete", ortn);
+ exit(1);
+ }
+ CFRelease(certRef);
+ if(doDeleteItemTest(kcRef, quiet)) {
+ exit(1);
+ }
+
+ SecKeychainDelete(kcRef);
+ CFRelease(kcRef);
+done:
+ if(!quiet) {
+ printf("...Success\n");
+ }
+ return 0;
+}
projects / apple / security.git / blobdiff