+/*
+ * ocspTool - simple OCSP request/response generator and parser
+ */
+#include <Security/Security.h>
+#include <Security/SecAsn1Coder.h>
+#include <Security/ocspTemplates.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <sys/types.h>
+#include <security_cdsa_utils/cuFileIo.h>
+#include <security_cdsa_utils/cuCdsaUtils.h>
+#include <security_cdsa_utils/cuOidParser.h>
+#include <security_cdsa_utils/cuPrintCert.h>
+#include <clAppUtils/CertParser.h>
+#include <clAppUtils/timeStr.h>
+#include <clAppUtils/identPicker.h>
+#include <CommonCrypto/CommonDigest.h>
+#include <security_ocspd/ocspExtensions.h>
+#include <security_ocspd/ocspdUtils.h>
+#include <utilLib/common.h>
+#include "ocspUtils.h"
+#include "ocspRequest.h"
+#include "ocspNetwork.h"
+#include "findOcspUrl.h"
+
+static void usage(char **argv)
+{
+ printf("Usage: %s cmd [option...]\n", argv[0]);
+ printf("cmds:\n");
+ printf(" g generate request\n");
+ printf(" G parse request\n");
+ printf(" r generate reply\n");
+ printf(" R parse reply\n");
+ printf(" p generate OCSP request, post, get reply (use -p and/or -o)\n");
+ printf("Options\n");
+ printf(" -c cert_file -- for generating request\n");
+ printf(" -C issuer_cert_file -- for generating request\n");
+ printf(" -i in_file -- for parsing\n");
+ printf(" -o out_file -- for generating\n");
+ printf(" -s status -- cert status: g(ood)|r(evoked)|u(nknown)\n");
+ printf(" -r crlReason -- integer 0..8\n");
+ printf(" -k keychain -- keychain containing signing cert\n");
+ printf(" -p -- parse reply from post op\n");
+ printf(" -u responderURI -- OCSP responder here, not from cert's AIA extension\n");
+ printf(" -v -- verbose; e.g., print certs\n");
+ exit(1);
+}
+
+void doIndent(int indent)
+{
+ for(int dex=0; dex<indent; dex++) {
+ printf(" ");
+ }
+}
+
+static void printString(
+ const CSSM_DATA *str)
+{
+ unsigned i;
+ char *cp = (char *)str->Data;
+ for(i=0; i<str->Length; i++) {
+ printf("%c", *cp++);
+ }
+ printf("\n");
+}
+
+static void printDataAsHex(
+ const CSSM_DATA *d,
+ unsigned maxToPrint = 0) // optional, 0 means print it all
+{
+ unsigned i;
+ bool more = false;
+ uint32 len = d->Length;
+ uint8 *cp = d->Data;
+
+ if((maxToPrint != 0) && (len > maxToPrint)) {
+ len = maxToPrint;
+ more = true;
+ }
+ for(i=0; i<len; i++) {
+ printf("%02X ", ((unsigned char *)cp)[i]);
+ }
+ if(more) {
+ printf("...\n");
+ }
+ else {
+ printf("\n");
+ }
+}
+
+static void printTaggedItem(
+ const NSS_TaggedItem &ti)
+{
+ switch(ti.tag) {
+ case BER_TAG_PRINTABLE_STRING:
+ case BER_TAG_T61_STRING:
+ case BER_TAG_IA5_STRING:
+ case BER_TAG_UTC_TIME:
+ case BER_TAG_GENERALIZED_TIME:
+ printString(&ti.item);
+ break;
+ default:
+ printDataAsHex(&ti.item, 0);
+ }
+}
+
+static void printName(
+ const NSS_Name &name,
+ int indent)
+{
+ OidParser parser;
+
+ unsigned numRdns = ocspdArraySize((const void **)name.rdns);
+ for(unsigned rdnDex=0; rdnDex<numRdns; rdnDex++) {
+ NSS_RDN *rdn = name.rdns[rdnDex];
+ unsigned numATVs = ocspdArraySize((const void **)rdn->atvs);
+ for(unsigned atvDex=0; atvDex<numATVs; atvDex++) {
+ NSS_ATV *atv = rdn->atvs[atvDex];
+ char buf[OID_PARSER_STRING_SIZE];
+ parser.oidParse(atv->type.Data, atv->type.Length, buf);
+ doIndent(indent);
+ printf("%s : ", buf);
+ printTaggedItem(atv->value);
+ }
+ }
+}
+
+static uint8 nullParam[2] = {5, 0};
+
+/*
+ * Given the following, create a ResponseData (to be signed by caller).
+ *
+ * cert status (CS_{Good,Revoked,Unknown})
+ * cert being verified
+ * issuer cert
+ * this update time
+ * next update time (optional)
+ * nonce (optional)
+ */
+static int genTbsResp(
+ SecAsn1CoderRef coder, // result in this coder's address space
+ CSSM_CL_HANDLE clHand,
+ SecAsn1OCSPCertStatusTag status,
+ CE_CrlReason reason, // for CS_Revoked
+ const CSSM_DATA &subjectCert,
+ const CSSM_DATA &issuerCert,
+ unsigned thisUpdate, // required, seconds from now
+ unsigned nextUpdate, // optional, seconds from now, 0 ==> skip
+ const CSSM_DATA *nonce, // optional
+ CSSM_DATA &encodedTbs) // allocated in coder space and RETURNED
+{
+ char *nextUpdStr = NULL;
+ CSSM_DATA nextUpdateData;
+ char *thisUpdStr = NULL;
+ CSSM_DATA *thisUpdateData;
+ SecAsn1OCSPResponseData responseData;
+ OCSPNonce *nonceExt = NULL;
+ char *producedAt = NULL;
+ SecAsn1OCSPSingleResponse singleResp;
+ SecAsn1OCSPSingleResponse *respArray[2] = {&singleResp, NULL};
+ SecAsn1OCSPResponderID responderID;
+ NSS_CertExtension *extenArray[2] = {NULL, NULL};
+
+ /* SingleResponse */
+ memset(&singleResp, 0, sizeof(singleResp));
+
+ /* SingleResponse.CertID */
+ SecAsn1OCSPCertID &certId = singleResp.certID;
+ CertParser parser(clHand);
+ CertParser issuerParser(clHand);
+ CSSM_RETURN crtn = parser.initWithData(subjectCert);
+ if(crtn) {
+ cssmPerror("CertParser.initWithData for subject cert", crtn);
+ return -1;
+ }
+ crtn = issuerParser.initWithData(issuerCert);
+ if(crtn) {
+ cssmPerror("CertParser.initWithData for issuer", crtn);
+ return -1;
+ }
+
+ /* algId refers to the hash we'll perform in issuer name and key */
+ certId.algId.algorithm = CSSMOID_SHA1;
+ certId.algId.parameters.Data = nullParam;
+ certId.algId.parameters.Length = sizeof(nullParam);
+
+ /* SHA1(issuerName) */
+ CSSM_DATA issuerName = {0, NULL};
+ issuerName.Data = (uint8 *)parser.fieldForOid(CSSMOID_X509V1IssuerNameStd,
+ issuerName.Length);
+ if(issuerName.Data == NULL) {
+ printf("***Error fetching issuer name. Aborting.\n");
+ return 1;
+ }
+ uint8 issuerNameHash[CC_SHA1_DIGEST_LENGTH];
+ ocspdSha1(issuerName.Data, issuerName.Length, issuerNameHash);
+
+ /* SHA1(issuer public key) */
+ CSSM_KEY_PTR pubKey = NULL;
+ CSSM_SIZE pubKeyLen = sizeof(CSSM_KEY);
+ pubKey = (CSSM_KEY_PTR)issuerParser.fieldForOid(CSSMOID_CSSMKeyStruct, pubKeyLen);
+ if(pubKey == NULL) {
+ printf("***Error fetching public key from issuer cert. Aborting.\n");
+ return 1;
+ }
+ uint8 pubKeyHash[CC_SHA1_DIGEST_LENGTH];
+ ocspdSha1(pubKey->KeyData.Data, pubKey->KeyData.Length, pubKeyHash);
+
+ /* serial number */
+ CSSM_DATA serialNum = {0, NULL};
+ serialNum.Data = (uint8 *)parser.fieldForOid(CSSMOID_X509V1SerialNumber,
+ serialNum.Length);
+ if(serialNum.Data == NULL) {
+ printf("***Error fetching serial number. Aborting.\n");
+ return 1;
+ }
+
+ /* build the CertID from those components */
+ certId.issuerNameHash.Data = issuerNameHash;
+ certId.issuerNameHash.Length = CC_SHA1_DIGEST_LENGTH;
+ certId.issuerPubKeyHash.Data = pubKeyHash;
+ certId.issuerPubKeyHash.Length = CC_SHA1_DIGEST_LENGTH;
+ certId.serialNumber = serialNum;
+
+ /* SingleResponse.CertStatus - to be encoded on its own */
+ SecAsn1OCSPCertStatus certStatus;
+ memset(&certStatus, 0, sizeof(certStatus));
+ SecAsn1OCSPRevokedInfo revokedInfo;
+ char *revokedAt = NULL;
+ CSSM_DATA reasonData;
+ OSStatus ortn;
+
+ if(status == CS_Revoked) {
+ /* cook up SecAsn1OCSPRevokedInfo */
+ certStatus.revokedInfo = &revokedInfo;
+ revokedAt = appTimeAtNowPlus(-3600, TIME_GEN);
+ revokedInfo.revocationTime.Data = (uint8 *)revokedAt;
+ revokedInfo.revocationTime.Length = strlen(revokedAt);
+ uint8 theReason = reason;
+ reasonData.Data = &theReason;
+ reasonData.Length = 1;
+ revokedInfo.revocationReason = &reasonData;
+ ortn = SecAsn1EncodeItem(coder, &certStatus,
+ kSecAsn1OCSPCertStatusRevokedTemplate,
+ &singleResp.certStatus);
+ }
+ else {
+ ortn = SecAsn1EncodeItem(coder, &certStatus,
+ kSecAsn1OCSPCertStatusGoodTemplate,
+ &singleResp.certStatus);
+ }
+ if(ortn) {
+ printf("***Error encoding certStatus\n");
+ goto errOut;
+ }
+
+ /* SingleResponse.thisUpdate */
+ thisUpdStr = appTimeAtNowPlus(thisUpdate, TIME_GEN);
+ thisUpdateData = &singleResp.thisUpdate;
+ thisUpdateData->Data = (uint8 *)thisUpdStr;
+ thisUpdateData->Length = strlen(thisUpdStr);
+
+ /* SingleResponse.nextUpdate, optional */
+ if(nextUpdate) {
+ nextUpdStr = appTimeAtNowPlus(nextUpdate, TIME_GEN);
+ nextUpdateData.Data = (uint8 *)nextUpdStr;
+ nextUpdateData.Length = strlen(nextUpdStr);
+ singleResp.nextUpdate = &nextUpdateData;
+ }
+
+ /* Single Extensions - none for now */
+
+ /* Now up to ResponseData */
+ memset(&responseData, 0, sizeof(responseData));
+
+ /* skip version */
+
+ /*
+ * ResponseData.responderID: KeyHash (of signer); we already got this for CertID.
+ * WE have to encode this one separately and drop it in as an ASN_ANY.
+ */
+ responderID.byKey = certId.issuerPubKeyHash;
+ ortn = SecAsn1EncodeItem(coder, &responderID,
+ kSecAsn1OCSPResponderIDAsKeyTemplate,
+ &responseData.responderID);
+ if(ortn) {
+ printf("***Error encoding responderID\n");
+ goto errOut;
+ }
+
+ /* ResponseData.producedAt = now */
+ producedAt = appTimeAtNowPlus(0, TIME_GEN);
+ responseData.producedAt.Data = (uint8 *)producedAt;
+ responseData.producedAt.Length = strlen(producedAt);
+
+ /* ResponseData.responses - one of 'em */
+ responseData.responses = respArray;
+
+ /* ResponseData.responseExtensions - optionally one, nonce */
+ if(nonce) {
+ nonceExt = new OCSPNonce(coder, false, *nonce);
+ extenArray[0] = nonceExt->nssExt();
+ responseData.responseExtensions = extenArray;
+ }
+ else {
+ responseData.responseExtensions = NULL;
+ }
+
+ /* encode it */
+ encodedTbs.Data = NULL;
+ encodedTbs.Length = 0;
+ ortn = SecAsn1EncodeItem(coder, &responseData,
+ kSecAsn1OCSPResponseDataTemplate,
+ &encodedTbs);
+ if(ortn) {
+ printf("***Error encoding SecAsn1OCSPResponseData\n");
+ }
+errOut:
+ /* free resources */
+ if(revokedAt) {
+ CSSM_FREE(revokedAt);
+ }
+ if(thisUpdStr) {
+ CSSM_FREE(thisUpdStr);
+ }
+ if(nextUpdStr) {
+ CSSM_FREE(nextUpdStr);
+ }
+ if(nonceExt) {
+ delete nonceExt;
+ }
+ return ortn;
+}
+
+static int genOcspReq(
+ CSSM_CL_HANDLE clHand,
+ const unsigned char *certFile,
+ unsigned certFileLen,
+ const unsigned char *issuerCertFile,
+ unsigned issuerCertFileLen,
+ unsigned char **outFile, // RETURNED
+ unsigned *outFileLen) // RETURNED
+{
+ CertParser parser(clHand);
+ CertParser issuerParser(clHand);
+ CSSM_DATA certData = {certFileLen, (uint8 *)certFile};
+ CSSM_RETURN crtn;
+ crtn = parser.initWithData(certData);
+ if(crtn) {
+ cssmPerror("CertParser.initWithData for subject cert", crtn);
+ return -1;
+ }
+ certData.Data = (uint8 *)issuerCertFile;
+ certData.Length = issuerCertFileLen;
+ crtn = issuerParser.initWithData(certData);
+ if(crtn) {
+ cssmPerror("CertParser.initWithData for issuer", crtn);
+ return -1;
+ }
+
+ /*
+ * One single request, no extensions
+ */
+ SecAsn1OCSPRequest singleReq;
+ memset(&singleReq, 0, sizeof(singleReq));
+ SecAsn1OCSPCertID &certId = singleReq.reqCert;
+
+ /* algId refers to the hash we'll perform in issuer name and key */
+ certId.algId.algorithm = CSSMOID_SHA1;
+ certId.algId.parameters.Data = nullParam;
+ certId.algId.parameters.Length = sizeof(nullParam);
+
+ /* SHA1(issuerName) */
+ CSSM_DATA issuerName = {0, NULL};
+ issuerName.Data = (uint8 *)parser.fieldForOid(CSSMOID_X509V1IssuerNameStd,
+ issuerName.Length);
+ if(issuerName.Data == NULL) {
+ printf("***Error fetching issuer name. Aborting.\n");
+ return 1;
+ }
+ uint8 issuerNameHash[CC_SHA1_DIGEST_LENGTH];
+ ocspdSha1(issuerName.Data, issuerName.Length, issuerNameHash);
+
+ /* SHA1(issuer public key) */
+ CSSM_KEY_PTR pubKey = NULL;
+ CSSM_SIZE pubKeyLen = sizeof(CSSM_KEY);
+ pubKey = (CSSM_KEY_PTR)issuerParser.fieldForOid(CSSMOID_CSSMKeyStruct, pubKeyLen);
+ if(pubKey == NULL) {
+ printf("***Error fetching public key from issuer cert. Aborting.\n");
+ return 1;
+ }
+ uint8 pubKeyHash[CC_SHA1_DIGEST_LENGTH];
+ ocspdSha1(pubKey->KeyData.Data, pubKey->KeyData.Length, pubKeyHash);
+
+ /* serial number */
+ CSSM_DATA serialNum = {0, NULL};
+ serialNum.Data = (uint8 *)parser.fieldForOid(CSSMOID_X509V1SerialNumber,
+ serialNum.Length);
+ if(serialNum.Data == NULL) {
+ printf("***Error fetching serial number. Aborting.\n");
+ return 1;
+ }
+
+ /* build the CertID from those components */
+ certId.issuerNameHash.Data = issuerNameHash;
+ certId.issuerNameHash.Length = CC_SHA1_DIGEST_LENGTH;
+ certId.issuerPubKeyHash.Data = pubKeyHash;
+ certId.issuerPubKeyHash.Length = CC_SHA1_DIGEST_LENGTH;
+ certId.serialNumber = serialNum;
+
+ /*
+ * Build top level request with one entry in requestList, no signature,
+ * one extension (a nonce)
+ */
+ SecAsn1OCSPSignedRequest signedReq;
+ SecAsn1OCSPRequest *reqArray[2] = { &singleReq, NULL };
+ SecAsn1OCSPTbsRequest &tbs = signedReq.tbsRequest;
+ memset(&signedReq, 0, sizeof(signedReq));
+ uint8 version = 0;
+ CSSM_DATA vers = {1, &version};
+ tbs.version = &vers;
+ tbs.requestList = reqArray;
+
+ /* one extension - the nonce */
+ SecAsn1CoderRef coder;
+ SecAsn1CoderCreate(&coder);
+ uint8 nonceBytes[8] = {0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0};
+ CSSM_DATA nonceData = {8, nonceBytes};
+ OCSPNonce *nonce = new OCSPNonce(coder, false, nonceData);
+ NSS_CertExtension *extenArray[2] = {nonce->nssExt(), NULL};
+ tbs.requestExtensions = extenArray;
+
+ /* Encode */
+ OSStatus ortn;
+ CSSM_DATA encoded = {0, NULL};
+ ortn = SecAsn1EncodeItem(coder, &signedReq, kSecAsn1OCSPSignedRequestTemplate,
+ &encoded);
+ if(ortn) {
+ printf("***Error encoding SecAsn1OCSPSignedRequest\n");
+ }
+ else {
+ *outFile = (unsigned char *)malloc(encoded.Length);
+ *outFileLen = encoded.Length;
+ memmove(*outFile, encoded.Data, encoded.Length);
+ }
+ SecAsn1CoderRelease(coder);
+ return (int)ortn;
+}
+
+static void dumpCertID(
+ SecAsn1OCSPCertID *certID,
+ int indent)
+{
+ doIndent(indent);
+ printf("algId : ");
+ printDataAsHex(&certID->algId.algorithm);
+
+ doIndent(indent);
+ printf("issuerNameHash : ");
+ printDataAsHex(&certID->issuerNameHash);
+
+ doIndent(indent);
+ printf("issuerPubKeyHash : ");
+ printDataAsHex(&certID->issuerPubKeyHash);
+
+ doIndent(indent);
+ printf("serialNumber : ");
+ printDataAsHex(&certID->serialNumber);
+}
+
+static void printCritical(
+ int indent,
+ OCSPExtension *ocspExt)
+{
+ doIndent(indent);
+ printf("Critical : %s\n", ocspExt->critical() ? "true" : "false");
+}
+
+static void printOcspExt(
+ SecAsn1CoderRef coder,
+ NSS_CertExtension *nssExt,
+ int indent)
+{
+ OCSPExtension *ocspExt = NULL;
+ try {
+ ocspExt = OCSPExtension::createFromNSS(coder, *nssExt);
+ }
+ catch(...) {
+ doIndent(indent);
+ printf("***Error thrown parsing extension\n");
+ return;
+ }
+ switch(ocspExt->tag()) {
+ case OET_Unknown:
+ doIndent(indent);
+ printf("Extension type: Unknown\n");
+ printCritical(indent, ocspExt);
+ return;
+ case OET_Nonce:
+ {
+ doIndent(indent);
+ printf("Extension type : Nonce\n");
+ printCritical(indent, ocspExt);
+ doIndent(indent);
+ OCSPNonce *nonce = dynamic_cast<OCSPNonce *>(ocspExt);
+ if(nonce == NULL) {
+ printf("***dynamic_cast failure in OCSPNonce!\n");
+ return;
+ }
+ printf("nonce value : ");
+ printDataAsHex(&nonce->nonce());
+ break;
+ }
+ case OET_CrlReference:
+ doIndent(indent);
+ printf("Extension type : CrlReference");
+ printCritical(indent, ocspExt);
+ /* TBD */
+ return;
+ case OET_AcceptResponse:
+ doIndent(indent);
+ printf("Extension type : AcceptResponse");
+ printCritical(indent, ocspExt);
+ /* TBD */
+ return;
+ case OET_ArchiveCutoff:
+ doIndent(indent);
+ printf("Extension type : ArchiveCutoff");
+ printCritical(indent, ocspExt);
+ /* TBD */
+ return;
+ case OET_ServiceLocator:
+ doIndent(indent);
+ printf("Extension type : ServiceLocator");
+ printCritical(indent, ocspExt);
+ /* TBD */
+ return;
+ default:
+ /* this code is out of sync with ocspExtensions.{h,cpp} */
+ doIndent(indent);
+ printf("Extension type : unrecognized - code sync error");
+ printCritical(indent, ocspExt);
+ return;
+
+ }
+}
+
+static int parseOcspReq(
+ CSSM_CL_HANDLE clHand,
+ unsigned char *inFile,
+ unsigned inFileLen,
+ bool verbose)
+{
+ SecAsn1CoderRef coder;
+ SecAsn1OCSPSignedRequest signedReq;
+ SecAsn1OCSPTbsRequest &tbs = signedReq.tbsRequest;
+ OSStatus ortn;
+ int indent;
+ unsigned numExts;
+ unsigned numReqs;
+
+ SecAsn1CoderCreate(&coder);
+ memset(&signedReq, 0, sizeof(signedReq));
+
+ ortn = SecAsn1Decode(coder, inFile, inFileLen, kSecAsn1OCSPSignedRequestTemplate,
+ &signedReq);
+ if(ortn) {
+ printf("***Error decoding SecAsn1OCSPSignedRequest\n");
+ goto errOut;
+ }
+ printf("SecAsn1OCSPSignedRequest:\n");
+
+ printf("SecAsn1OCSPTbsRequest:\n");
+ indent = 2;
+ if(tbs.version) {
+ doIndent(indent);
+ printf("Version : ");
+ printDataAsHex(tbs.version);
+ }
+ if(tbs.requestorName) {
+ doIndent(indent);
+ printf("NSS_GeneralName found; print it later maybe\n");
+ }
+ numReqs = ocspdArraySize((const void **)tbs.requestList);
+ for(unsigned dex=0; dex<numReqs; dex++) {
+ SecAsn1OCSPRequest *req = tbs.requestList[dex];
+ doIndent(indent);
+ printf("Request List Entry %u\n", dex);
+ indent += 2;
+ doIndent(indent);
+ printf("CertID:\n");
+ indent += 2;
+ SecAsn1OCSPCertID *certID = &req->reqCert;
+ dumpCertID(certID, indent);
+ indent -= 2;
+ numExts = ocspdArraySize((const void **)req->extensions);
+ for(unsigned extDex=0; extDex<numExts; extDex++) {
+ doIndent(indent);
+ printf("singleExtension[%u]\n", extDex);
+ printOcspExt(coder, req->extensions[dex], indent + 2);
+ }
+ indent -= 2;
+ }
+
+ numExts = ocspdArraySize((const void **)tbs.requestExtensions);
+ for(unsigned extDex=0; extDex<numExts; extDex++) {
+ doIndent(indent);
+ printf("requestExtension[%u]\n", extDex);
+ printOcspExt(coder, tbs.requestExtensions[extDex], indent + 2);
+ }
+
+ indent -= 2;
+
+ if(signedReq.signature) {
+ printf("SecAsn1OCSPSignature:\n");
+ indent += 2;
+ doIndent(indent);
+ printf("==unparsed for now ==\n");
+ /* ... */
+ indent -= 2;
+ }
+errOut:
+ SecAsn1CoderRelease(coder);
+ return ortn;
+}
+
+static int genOcspResp(
+ CSSM_CL_HANDLE clHand,
+ SecAsn1OCSPCertStatusTag status,
+ CE_CrlReason reason, // for CS_Revoked
+ const unsigned char *subjectCert,
+ unsigned subjectCertLen,
+ const unsigned char *issuerCert,
+ unsigned issuerCertLen,
+ SecIdentityRef signer,
+ unsigned char **outData,
+ unsigned *outDataLen)
+{
+ SecAsn1CoderRef coder;
+ SecAsn1CoderCreate(&coder);
+
+ CSSM_DATA subjectCertData = {subjectCertLen, (uint8 *)subjectCert};
+ CSSM_DATA issuerCertData = {issuerCertLen, (uint8 *)issuerCert};
+ uint8 nonceBytes[8] = {0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0};
+ CSSM_DATA nonceData = {8, nonceBytes};
+ CSSM_DATA tbs;
+ CSSM_DATA encoded = {0, NULL};
+ SecAsn1OCSPResponse topResponse;
+ SecAsn1OCSPResponseBytes responseBytes;
+ uint8 responseStatusByte;
+ CSSM_DATA resp = {0, NULL};
+ CSSM_DATA sig = {0, NULL};
+
+ int irtn = genTbsResp(coder, clHand, status, reason,
+ subjectCertData, issuerCertData,
+ 0, // thisUpdate
+ 2600 * 24, // next update
+ &nonceData,
+ tbs);
+ if(irtn) {
+ printf("***Error encoding tbsResp\n");
+ return irtn;
+ }
+
+ /*
+ * That's the TBSResponseData. Sign it.
+ */
+ OSStatus ortn;
+ SecAsn1OCSPBasicResponse basicResp;
+ memset(&basicResp, 0, sizeof(basicResp));
+ ortn = ocspSign(signer, tbs, CSSM_ALGID_SHA1WithRSA, sig);
+ if(ortn) {
+ printf("***Error signing basicResponse.\n");
+ goto errOut;
+ }
+ basicResp.algId.algorithm = CSSMOID_SHA1WithRSA;
+ basicResp.algId.parameters.Data = nullParam;
+ basicResp.algId.parameters.Length = sizeof(nullParam);
+ basicResp.tbsResponseData = tbs;
+ basicResp.sig = sig;
+ /* ASN1 encoder needs to know length in bits */
+ basicResp.sig.Length *= 8;
+ /* no certs for now */
+ /* encode SecAsn1OCSPBasicResponse */
+
+ ortn = SecAsn1EncodeItem(coder, &basicResp, kSecAsn1OCSPBasicResponseTemplate,
+ &encoded);
+ if(ortn) {
+ printf("***Error encoding SecAsn1OCSPBasicResponse\n");
+ }
+
+ /* put that into a SecAsn1OCSPResponse */
+ responseBytes.responseType = CSSMOID_PKIX_OCSP_BASIC;
+ responseBytes.response = encoded;
+ responseStatusByte = RS_Success;
+ topResponse.responseStatus.Data = &responseStatusByte;
+ topResponse.responseStatus.Length = 1;
+ topResponse.responseBytes = &responseBytes;
+ ortn = SecAsn1EncodeItem(coder, &topResponse, kSecAsn1OCSPResponseTemplate,
+ &resp);
+ if(ortn) {
+ printf("***Error encoding SecAsn1OCSPBasicResponse\n");
+ goto errOut;
+ }
+
+ /* TA DA */
+ *outData = (unsigned char *)malloc(resp.Length);
+ *outDataLen = resp.Length;
+ memmove(*outData, resp.Data, resp.Length);
+errOut:
+ SecAsn1CoderRelease(coder);
+ if(sig.Data) {
+ APP_FREE(sig.Data);
+ }
+ return ortn;
+}
+
+/* decode and parse tbsResponseData, sitting in SecAsn1OCSPBasicResponse as an
+ * ASN_ANY */
+static int parseResponseData(
+ SecAsn1CoderRef coder,
+ int indent,
+ const CSSM_DATA &tbsResponseData)
+{
+ SecAsn1OCSPResponseData respData;
+ SecAsn1OCSPResponderID responderID;
+ uint8 tag;
+ const SecAsn1Template *templ;
+ unsigned numExts;
+
+ memset(&respData, 0, sizeof(respData));
+ OSStatus ortn = SecAsn1DecodeData(coder, &tbsResponseData,
+ kSecAsn1OCSPResponseDataTemplate, &respData);
+ if(ortn) {
+ printf("***Error decoding ResponseData\n");
+ return 1;
+ }
+ if(respData.version && respData.version->Data) {
+ doIndent(indent);
+ printf("version: %u\n", respData.version->Data[0]);
+ }
+ doIndent(indent);
+ printf("ResponderID:\n");
+ indent += 2;
+ memset(&responderID, 0, sizeof(responderID));
+ if(respData.responderID.Data == NULL) {
+ doIndent(indent);
+ printf("***Malformed(empty)***\n");
+ return 1;
+ }
+
+ /* lame-o choice processing */
+ tag = respData.responderID.Data[0] & SEC_ASN1_TAGNUM_MASK;
+ switch(tag) {
+ case RIT_Name:
+ templ = kSecAsn1OCSPResponderIDAsNameTemplate;
+ break;
+ case RIT_Key:
+ templ = kSecAsn1OCSPResponderIDAsKeyTemplate;
+ break;
+ default:
+ doIndent(indent);
+ printf("**Unknown tag for ResponderID (%u)\n", tag);
+ return 1;
+ }
+ ortn = SecAsn1DecodeData(coder, &respData.responderID, templ, &responderID);
+ if(ortn) {
+ doIndent(indent);
+ printf("***Error decoding ResponderID\n");
+ return 1;
+ }
+ doIndent(indent);
+ switch(tag) {
+ case RIT_Name:
+ printf("byName:\n");
+ printName((NSS_Name &)responderID.byName, indent + 2);
+ break;
+ case RIT_Key:
+ printf("byKey : ");
+ printDataAsHex(&responderID.byKey);
+ break;
+ }
+ indent -= 2; // end of ResponderID
+
+ doIndent(indent);
+ printf("producedAt: ");
+ printString(&respData.producedAt);
+ unsigned numResps = ocspdArraySize((const void **)respData.responses);
+ doIndent(indent);
+ printf("Num responses: %u\n", numResps);
+ for(unsigned dex=0; dex<numResps; dex++) {
+ SecAsn1OCSPSingleResponse *resp = respData.responses[dex];
+ doIndent(indent);
+ printf("Response %u:\n", dex);
+ indent += 2;
+ doIndent(indent);
+ printf("CertID:\n");
+ dumpCertID(&resp->certID, indent + 2);
+
+ doIndent(indent);
+ printf("certStatus: ");
+ /* lame-o choice processing */
+ tag = resp->certStatus.Data[0] & SEC_ASN1_TAGNUM_MASK;
+ switch(tag) {
+ case CS_Good:
+ printf("Good\n");
+ break;
+ case CS_Unknown:
+ printf("Unknown\n");
+ break;
+ default:
+ printf("**MALFORMED cert status tag (%u)\n", tag);
+ break;
+ case CS_Revoked:
+ {
+ printf("Revoked\n");
+ doIndent(indent);
+ SecAsn1OCSPCertStatus certStatus;
+ memset(&certStatus, 0, sizeof(certStatus));
+ ortn = SecAsn1DecodeData(coder, &resp->certStatus,
+ kSecAsn1OCSPCertStatusRevokedTemplate, &certStatus);
+ if(ortn) {
+ doIndent(indent);
+ printf("***error parsing RevokedInfo\n");
+ break;
+ }
+ if(certStatus.revokedInfo == NULL) {
+ doIndent(indent);
+ printf("***GAK! Malformed (empty) revokedInfo\n");break;
+ }
+ printf("RevokedIndfo:\n");
+ indent += 2;
+ doIndent(indent);
+ printf("revocationTime: ");
+ printString(&certStatus.revokedInfo->revocationTime);
+ if(certStatus.revokedInfo->revocationReason) {
+ doIndent(indent);
+ printf("reason: %u\n",
+ certStatus.revokedInfo->revocationReason->Data[0]);
+ }
+ indent -= 2; // end of RevokedInfo
+ break;
+ }
+ } /* switch cert status tag */
+
+ doIndent(indent);
+ printf("thisUpdate: ");
+ printString(&resp->thisUpdate);
+
+ if(resp->nextUpdate) {
+ doIndent(indent);
+ printf("nextUpdate: ");
+ printString(resp->nextUpdate);
+ }
+
+ numExts = ocspdArraySize((const void **)resp->singleExtensions);
+ for(unsigned extDex=0; extDex<numExts; extDex++) {
+ doIndent(indent);
+ printf("singleExtensions[%u]\n", extDex);
+ printOcspExt(coder, resp->singleExtensions[extDex], indent + 2);
+ }
+
+ indent -= 2; // end of resp[dex]
+ }
+
+ numExts = ocspdArraySize((const void **)respData.responseExtensions);
+ for(unsigned extDex=0; extDex<numExts; extDex++) {
+ doIndent(indent);
+ printf("responseExtensions[%u]\n", extDex);
+ printOcspExt(coder, respData.responseExtensions[extDex], indent + 2);
+ }
+ return 0;
+}
+
+static int parseOcspResp(
+ CSSM_CL_HANDLE clHand,
+ unsigned char *inFile,
+ unsigned inFileLen,
+ bool verbose)
+{
+ SecAsn1OCSPResponse topResp;
+ SecAsn1CoderRef coder;
+ OSStatus ortn;
+ int indent = 0;
+ const char *str;
+ SecAsn1OCSPBasicResponse basicResp;
+ unsigned numCerts = 0;
+
+ SecAsn1CoderCreate(&coder);
+ memset(&topResp, 0, sizeof(topResp));
+ ortn = SecAsn1Decode(coder, inFile, inFileLen, kSecAsn1OCSPResponseTemplate,
+ &topResp);
+ if(ortn) {
+ printf("***Error decoding SecAsn1OCSPResponse\n");
+ goto errOut;
+ }
+ printf("OCSPResponse:\n");
+ indent += 2;
+ doIndent(indent);
+ printf("responseStatus: ");
+ if(topResp.responseStatus.Length == 0) {
+ printf("**MALFORMED**\n");
+ }
+ else {
+ switch(topResp.responseStatus.Data[0]) {
+ case RS_Success: str = "RS_Success"; break;
+ case RS_MalformedRequest: str = "RS_MalformedRequest"; break;
+ case RS_InternalError: str = "RS_InternalError"; break;
+ case RS_TryLater: str = "RS_TryLater"; break;
+ case RS_Unused: str = "RS_Unused"; break;
+ case RS_SigRequired: str = "RS_SigRequired"; break;
+ case RS_Unauthorized: str = "RS_Unauthorized"; break;
+ default: str = "MALFORMED (unknown enum)\n"; break;
+ }
+ printf("%s (%u(d))\n", str, topResp.responseStatus.Data[0]);
+ }
+ doIndent(indent);
+ printf("ResponseBytes: ");
+ if(topResp.responseBytes == NULL) {
+ printf("empty\n");
+ goto errOut;
+ }
+ printf("\n");
+ indent += 2;
+ doIndent(indent);
+ printf("responseType: ");
+ if(appCompareCssmData(&topResp.responseBytes->responseType,
+ &CSSMOID_PKIX_OCSP_BASIC)) {
+ str = "ocsp-basic";
+ }
+ else {
+ str = "Unknown type\n";
+ }
+ printf("%s\n", str);
+
+ /* decode the BasicOCSPResponse */
+ memset(&basicResp, 0, sizeof(basicResp));
+ ortn = SecAsn1DecodeData(coder, &topResp.responseBytes->response,
+ kSecAsn1OCSPBasicResponseTemplate, &basicResp);
+ if(ortn) {
+ printf("***Error decoding BasicOCSPResponse\n");
+ goto errOut;
+ }
+
+ doIndent(indent);
+ printf("BasicOCSPResponse:\n");
+ indent += 2;
+ doIndent(indent);
+ printf("ResponseData:\n");
+ parseResponseData(coder, indent + 2, basicResp.tbsResponseData);
+ doIndent(indent);
+ printf("sig: ");
+ printDataAsHex(&basicResp.sig, 8);
+ numCerts = ocspdArraySize((const void **)basicResp.certs);
+ doIndent(indent);
+ printf("Num Certs: %u\n", numCerts);
+
+ if(verbose) {
+ for(unsigned dex=0; dex<numCerts; dex++) {
+ printf("+++++++++++++++++++++++++ Cert %u +++++++++++++++++++++++++\n", dex);
+ printCert(basicResp.certs[dex]->Data, basicResp.certs[dex]->Length,
+ CSSM_FALSE);
+ printf("+++++++++++++++++++++++ End Cert %u +++++++++++++++++++++++\n", dex);
+ }
+ }
+ indent -= 2; // end of BasicOCSPResponse
+ indent -= 2; // end of ResponseBytes
+ indent -= 2; // end of OCSPResponse
+errOut:
+ SecAsn1CoderRelease(coder);
+ return ortn;
+}
+
+static int postOcspReq(
+ CSSM_CL_HANDLE clHand,
+ const unsigned char *certFile,
+ unsigned certFileLen,
+ const unsigned char *issuerCertFile,
+ unsigned issuerCertFileLen,
+ const char *responderURI,
+ bool doParse,
+ bool verbose,
+ unsigned char **outFile, // RETURNED
+ unsigned *outFileLen) // RETURNED
+{
+ auto_ptr<CertParser> subject;
+ auto_ptr<CertParser> issuer;
+ CSSM_DATA uriData = {0, NULL};
+ CSSM_DATA *url = NULL;
+
+ try {
+ CSSM_DATA cdata = {certFileLen, (uint8 *)certFile};
+ subject.reset(new CertParser(clHand, cdata));
+ }
+ catch(...) {
+ printf("***Error parsing subject cert. Aborting.\n");
+ return -1;
+ }
+ try {
+ CSSM_DATA cdata = {issuerCertFileLen, (uint8 *)issuerCertFile};
+ issuer.reset(new CertParser(clHand, cdata));
+ }
+ catch(...) {
+ printf("***Error parsing issuer cert. Aborting.\n");
+ return -1;
+ }
+
+ SecAsn1CoderRef coder;
+ SecAsn1CoderCreate(&coder);
+ /* subsequent errors to errOut: */
+ int ourRtn = 0;
+ const CSSM_DATA *derReq = NULL;
+ auto_ptr<OCSPRequest> ocspReq;
+
+ if(responderURI != NULL) {
+ uriData.Data = (uint8 *)responderURI;
+ uriData.Length = strlen(responderURI);
+ url = &uriData;
+ }
+ else {
+ /* get OCSP URL from subject cert */
+ url = ocspUrlFromCert(*subject, coder);
+ if(url == NULL) {
+ printf("Sorry, no can do.\n");
+ ourRtn = -1;
+ goto errOut;
+ }
+ }
+
+ /* create DER-encoded OCSP request for subject */
+ try {
+ ocspReq.reset(new OCSPRequest(*subject, *issuer, false));
+ derReq = ocspReq->encode();
+ }
+ catch(...) {
+ printf("***Error creating OCSP request. Aborting.\n");
+ ourRtn = -1;
+ goto errOut;
+ }
+
+ /* do it */
+ CSSM_DATA ocspResp;
+ CSSM_RETURN crtn;
+ crtn = ocspdHttpPost(coder, *url, *derReq, ocspResp);
+ if(crtn) {
+ printf("***Error fetching OCSP response***\n");
+ cssmPerror("ocspdHttpPost", crtn);
+ ourRtn = -1;
+ goto errOut;
+ }
+ *outFile = ocspResp.Data;
+ *outFileLen = ocspResp.Length;
+ if(doParse) {
+ parseOcspResp(clHand, ocspResp.Data, ocspResp.Length, verbose);
+ }
+ /* copy out */
+ *outFile = (unsigned char *)malloc(ocspResp.Length);
+ *outFileLen = ocspResp.Length;
+ memmove(*outFile, ocspResp.Data, ocspResp.Length);
+
+errOut:
+ SecAsn1CoderRelease(coder);
+ return ourRtn;
+}
+
+typedef enum {
+ op_genReq,
+ op_parseReq,
+ op_genReply,
+ op_parseResp,
+ op_post
+} ocspOp;
+
+int main(int argc, char **argv)
+{
+ if(argc < 2) {
+ usage(argv);
+ }
+ ocspOp op;
+ switch(argv[1][0]) {
+ case 'g': op = op_genReq; break;
+ case 'G': op = op_parseReq; break;
+ case 'r': op = op_genReply; break;
+ case 'R': op = op_parseResp; break;
+ case 'p': op = op_post; break;
+ default: usage(argv);
+ }
+
+ /* user defined vars */
+ char *inFile = NULL;
+ char *outFile = NULL;
+ char *inCertName = NULL;
+ char *issuerCertName = NULL;
+ SecAsn1OCSPCertStatusTag certStatus = CS_Good;
+ CE_CrlReason crlReason = CE_CR_Unspecified;
+ char *kcName = NULL;
+ bool verbose = false;
+ bool doParse = false;
+ const char *responderURI = NULL;
+
+ extern int optind;
+ optind = 2;
+ extern char *optarg;
+ int arg;
+ while ((arg = getopt(argc, argv, "c:C:i:o:s:r:k:phvu:")) != -1) {
+ switch (arg) {
+ case 'c':
+ inCertName = optarg;
+ break;
+ case 'C':
+ issuerCertName = optarg;
+ break;
+ case 'i':
+ inFile = optarg;
+ break;
+ case 'o':
+ outFile = optarg;
+ break;
+ case 's':
+ switch(optarg[0]) {
+ case 'g':
+ certStatus = CS_Good;
+ break;
+ case 'r':
+ certStatus = CS_Revoked;
+ break;
+ case 'u':
+ certStatus = CS_Unknown;
+ break;
+ default:
+ printf("***Unrecognized certStatus***\n");
+ usage(argv);
+ }
+ break;
+ case 'r':
+ crlReason = atoi(optarg);
+ break;
+ case 'k':
+ kcName = optarg;
+ break;
+ case 'v':
+ verbose = 1;
+ break;
+ case 'p':
+ doParse = true;
+ break;
+ case 'u':
+ responderURI = optarg;
+ break;
+ default:
+ case '?':
+ usage(argv);
+ }
+ }
+ if(optind != argc) {
+ /* this happens if you give getopt() an arg which doesn't start with '-' */
+ usage(argv);
+ }
+
+ unsigned char *certData = NULL;
+ unsigned certDataLen = 0;
+ unsigned char *issuerCertData = NULL;
+ unsigned issuerCertDataLen = 0;
+ unsigned char *inData = NULL;
+ unsigned inDataLen = 0;
+ unsigned char *outData = NULL;
+ unsigned outDataLen = 0;
+ SecKeychainRef kcRef = NULL;
+ OSStatus ortn;
+
+ if(inCertName) {
+ if(readFile(inCertName, &certData, &certDataLen)) {
+ printf("***Error reading cert file %s. Aborting.\n", inCertName);
+ exit(1);
+ }
+ }
+ if(issuerCertName) {
+ if(readFile(issuerCertName, &issuerCertData, &issuerCertDataLen)) {
+ printf("***Error reading cert file %s. Aborting.\n", issuerCertName);
+ exit(1);
+ }
+ }
+ if(inFile) {
+ if(readFile(inFile, &inData, &inDataLen)) {
+ printf("***Error reading input file %s. Aborting.\n", inFile);
+ exit(1);
+ }
+ }
+ if(kcName) {
+ ortn = SecKeychainOpen(kcName, &kcRef);
+ if(ortn) {
+ cssmPerror("SecKeychainOpen", ortn);
+ return ortn;
+ }
+ }
+ CSSM_CL_HANDLE clHand = cuClStartup();
+
+ switch(op) {
+ case op_genReq:
+ ortn = genOcspReq(clHand, certData, certDataLen,
+ issuerCertData, issuerCertDataLen,
+ &outData, &outDataLen);
+ break;
+ case op_parseReq:
+ ortn = parseOcspReq(clHand, inData, inDataLen, verbose);
+ break;
+ case op_genReply:
+ {
+ SecIdentityRef idRef = NULL;
+ ortn = sslSimpleIdentPicker(kcRef, &idRef);
+ if(ortn) {
+ printf("***Error choosing identity. Aborting.\n");
+ exit(1);
+ }
+ ortn = genOcspResp(clHand, certStatus, crlReason,
+ certData, certDataLen, issuerCertData, issuerCertDataLen,
+ idRef, &outData, &outDataLen);
+ CFRelease(idRef);
+ break;
+ }
+ case op_parseResp:
+ ortn = parseOcspResp(clHand, inData, inDataLen, verbose);
+ break;
+ case op_post:
+ ortn = postOcspReq(clHand, certData, certDataLen,
+ issuerCertData, issuerCertDataLen, responderURI,
+ doParse, verbose,
+ &outData, &outDataLen);
+ break;
+ default:
+ printf("Op %s is not yet implemented.\n", argv[1]);
+ exit(1);
+ }
+
+ if(ortn == 0) {
+ if(outData != NULL) {
+ if(outFile== NULL) {
+ printf("...generated %u bytes but no place to write it.\n", outDataLen);
+ }
+ else {
+ ortn = writeFile(outFile, outData, outDataLen);
+ if(ortn) {
+ printf("***Error writing output to %s.\n", outFile);
+ }
+ else {
+ printf("...wrote %u bytes to %s\n", outDataLen, outFile);
+ }
+ }
+ }
+ }
+ return ortn;
+}
projects / apple / security.git / blobdiff