--- /dev/null
+/*
+ * secTrustTime.cpp - measure performance of SecTrust and TP cert verify
+ */
+
+#include <stdlib.h>
+#include <strings.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <CoreFoundation/CoreFoundation.h>
+#include <Security/Security.h>
+#include <Security/TrustSettingsSchema.h>
+#include <security_cdsa_utils/cuFileIo.h>
+#include <utilLib/common.h>
+#include <clAppUtils/clutils.h>
+#include <clAppUtils/tpUtils.h>
+
+#define LOOPS_DEF 100
+
+const char *certFiles[] = {
+ "keybank_v3.100.cer", "keybank_v3.101.cer", "keybank_v3.102.cer"
+};
+
+#define NUM_CERTS (sizeof(certFiles) / sizeof(certFiles[0]))
+
+static void usage(char **argv)
+{
+ printf("usage: %s [options]\n", argv[0]);
+ printf("Options:\n");
+ printf(" -l loops -- loops; default %d; 0=forever\n", LOOPS_DEF);
+ printf(" -k -- open and hold keychains\n");
+ printf(" -t -- TP, not SecTrust\n");
+ printf(" -T -- TP, no Trust Settings\n");
+ printf(" -n -- don't include root in cert chain\n");
+ printf(" -K -- set empty KC list\n");
+ /* etc. */
+ exit(1);
+}
+
+static SecCertificateRef readCertFile(
+ const char *fileName)
+{
+ unsigned char *cp = NULL;
+ unsigned len = 0;
+ CSSM_DATA certData;
+ OSStatus ortn;
+
+ if(readFile(fileName, &cp, &len)) {
+ printf("***Error reading file %s\n", fileName);
+ return NULL;
+ }
+ certData.Length = len;
+ certData.Data = cp;
+ SecCertificateRef certRef;
+
+ ortn = SecCertificateCreateFromData(&certData,
+ CSSM_CERT_X_509v3, CSSM_CERT_ENCODING_DER, &certRef);
+ if(ortn) {
+ cssmPerror("SecCertificateCreateFromData", ortn);
+ return NULL;
+ }
+ free(cp);
+ return certRef;
+}
+
+/* perfrom one cert chain evaluation using SecTrust */
+static OSStatus doEval(
+ CFArrayRef certArray,
+ SecPolicyRef policyRef,
+ CFArrayRef kcList)
+{
+ OSStatus ortn;
+ SecTrustRef trustRef;
+
+ ortn = SecTrustCreateWithCertificates(certArray, policyRef, &trustRef);
+ if(ortn) {
+ cssmPerror("SecTrustCreateWithCertificates", ortn);
+ return ortn;
+ }
+ if(kcList) {
+ ortn = SecTrustSetKeychains(trustRef, kcList);
+ if(ortn) {
+ cssmPerror("SecTrustCreateWithCertificates", ortn);
+ return ortn;
+ }
+ }
+ SecTrustResultType secTrustResult;
+ ortn = SecTrustEvaluate(trustRef, &secTrustResult);
+ if(ortn) {
+ cssmPerror("SecTrustEvaluate", ortn);
+ return ortn;
+ }
+ switch(secTrustResult) {
+ case kSecTrustResultProceed:
+ case kSecTrustResultUnspecified:
+ break;
+ default:
+ printf("***Unexpected SecTrustResultType (%d)\n", (int)secTrustResult);
+ ortn = -1;
+ }
+ CFRelease(trustRef);
+ return ortn;
+}
+
+/* cached CSSM anchors - simulate old SecTrustGetCSSMAnchorCertificates() */
+static CFArrayRef cachedRootArray = NULL;
+static CSSM_DATA *cachedAnchors = NULL;
+static unsigned cachedNumAnchors = 0;
+
+static OSStatus getAnchors(
+ CSSM_DATA **anchors, /* RETURNED */
+ unsigned *numAnchors) /* RETURNED */
+{
+ if(cachedRootArray == NULL) {
+ /* fetch, once */
+ OSStatus ortn = getSystemAnchors(&cachedRootArray, &cachedAnchors,
+ &cachedNumAnchors);
+ if(ortn) {
+ return ortn;
+ }
+ }
+ *anchors = cachedAnchors;
+ *numAnchors = cachedNumAnchors;
+ return noErr;
+}
+
+/* perfrom one cert chain evaluation using CSSM_TP_CertGroupVerify */
+static CSSM_RETURN doTpEval(
+ CSSM_TP_HANDLE tpHand,
+ CSSM_CL_HANDLE clHand,
+ CSSM_CSP_HANDLE cspHand,
+ CSSM_DATA_PTR certs,
+ uint32 numCerts,
+ bool useTrustSettings)
+{
+ CSSM_FIELD policyId;
+
+ policyId.FieldOid = CSSMOID_APPLE_X509_BASIC;
+ policyId.FieldValue.Data = NULL;
+ policyId.FieldValue.Length = 0;
+
+ CSSM_TP_CALLERAUTH_CONTEXT authCtx;
+ memset(&authCtx, 0, sizeof(CSSM_TP_CALLERAUTH_CONTEXT));
+ authCtx.Policy.NumberOfPolicyIds = 1;
+ authCtx.Policy.PolicyIds = &policyId;
+ authCtx.VerificationAbortOn = CSSM_TP_STOP_ON_POLICY;
+ if(!useTrustSettings) {
+ OSStatus ortn = getAnchors(&authCtx.AnchorCerts,
+ &authCtx.NumberOfAnchorCerts);
+ if(ortn) {
+ return ortn;
+ }
+ }
+ CSSM_APPLE_TP_ACTION_DATA tpAction;
+ tpAction.Version = CSSM_APPLE_TP_ACTION_VERSION;
+ if(useTrustSettings) {
+ tpAction.ActionFlags = CSSM_TP_ACTION_TRUST_SETTINGS;
+ }
+ else {
+ tpAction.ActionFlags = 0;
+ }
+
+ CSSM_TP_VERIFY_CONTEXT vfyCtx;
+ memset(&vfyCtx, 0, sizeof(CSSM_TP_VERIFY_CONTEXT));
+ vfyCtx.ActionData.Data = (uint8 *)&tpAction;
+ vfyCtx.ActionData.Length = sizeof(tpAction);
+ vfyCtx.Action = CSSM_TP_ACTION_DEFAULT;
+ vfyCtx.Cred = &authCtx;
+
+ CSSM_CERTGROUP cssmCerts;
+ cssmCerts.CertType = CSSM_CERT_X_509v3;
+ cssmCerts.CertEncoding = CSSM_CERT_ENCODING_DER;
+ cssmCerts.NumCerts = numCerts;
+ cssmCerts.GroupList.CertList = certs;
+ cssmCerts.CertGroupType = CSSM_CERTGROUP_DATA;
+
+ CSSM_RETURN crtn = CSSM_TP_CertGroupVerify(tpHand, clHand, cspHand,
+ &cssmCerts,
+ &vfyCtx,
+ NULL); /* no results */
+ if(crtn) {
+ cssmPerror("CSSM_TP_CertGroupVerify", crtn);
+ }
+ return crtn;
+}
+
+int main(int argc, char **argv)
+{
+ unsigned dex;
+ CSSM_RETURN crtn;
+
+ /* common SecTrust args */
+ CFMutableArrayRef kcList = NULL;
+ CFMutableArrayRef certArray = NULL;
+ SecPolicyRef policyRef = NULL;
+ unsigned numCerts = NUM_CERTS;
+ CFArrayRef emptyKCList = NULL;
+
+ /* common TP args */
+ CSSM_TP_HANDLE tpHand;
+ CSSM_CL_HANDLE clHand;
+ CSSM_CSP_HANDLE cspHand;
+ CSSM_DATA cssmCerts[NUM_CERTS];
+
+ /* user-spec'd variables */
+ unsigned loops = LOOPS_DEF;
+ bool holdKeychains = false; /* hold references to KC list during operation */
+ bool useTp = false; /* TP, not SecTrust */
+ bool useTrustSettings = true; /* TP w/TrustSettings; false = old school TP way */
+ bool noRoot = false; /* don't include root in chain to be verified */
+ bool emptyList = false; /* SecTrust only: specify empty KC list */
+
+ extern char *optarg;
+ int arg;
+ while ((arg = getopt(argc, argv, "l:ktTnKh")) != -1) {
+ switch (arg) {
+ case 'l':
+ loops = atoi(optarg);
+ break;
+ case 'k':
+ holdKeychains = true;
+ break;
+ case 't':
+ useTp = true;
+ break;
+ case 'T':
+ useTp = true;
+ useTrustSettings = false;
+ break;
+ case 'n':
+ numCerts--;
+ noRoot = true;
+ break;
+ case 'K':
+ emptyList = true;
+ emptyKCList = CFArrayCreate(NULL, NULL, 0, &kCFTypeArrayCallBacks);
+ break;
+ case 'h':
+ usage(argv);
+ }
+ }
+ if(optind != argc) {
+ usage(argv);
+ }
+
+ /* gather certs to verify */
+ certArray = CFArrayCreateMutable(NULL, 3, &kCFTypeArrayCallBacks);
+ for(dex=0; dex<numCerts; dex++) {
+ SecCertificateRef certRef = readCertFile(certFiles[dex]);
+ if(certRef == NULL) {
+ exit(1);
+ }
+ CFArrayInsertValueAtIndex(certArray, dex, certRef);
+ CFRelease(certRef);
+ }
+
+ /* prepare for one method or another */
+ if(useTp) {
+ for(dex=0; dex<numCerts; dex++) {
+ crtn = SecCertificateGetData(
+ (SecCertificateRef)CFArrayGetValueAtIndex(certArray, dex),
+ &cssmCerts[dex]);
+ if(crtn) {
+ cssmPerror("SecCertificateGetData", crtn);
+ exit(1);
+ }
+ }
+ tpHand = tpStartup();
+ clHand = clStartup();
+ cspHand = cspStartup();
+ }
+ else {
+ /* cook up reusable policy object */
+ SecPolicySearchRef policySearch = NULL;
+ OSStatus ortn = SecPolicySearchCreate(CSSM_CERT_X_509v3,
+ &CSSMOID_APPLE_X509_BASIC,
+ NULL, // policy opts
+ &policySearch);
+ if(ortn) {
+ cssmPerror("SecPolicySearchCreate", ortn);
+ exit(1);
+ }
+ ortn = SecPolicySearchCopyNext(policySearch, &policyRef);
+ if(ortn) {
+ cssmPerror("SecPolicySearchCopyNext", ortn);
+ exit(1);
+ }
+ CFRelease(policySearch);
+
+ if(holdKeychains) {
+ /* the standard keychains */
+ ortn = SecKeychainCopySearchList((CFArrayRef *)&kcList);
+ if(ortn) {
+ cssmPerror("SecKeychainCopySearchList", ortn);
+ exit(1);
+ }
+
+ /* plus the ones TrustSettings needs */
+ SecKeychainRef rootKc;
+ ortn = SecKeychainOpen(SYSTEM_ROOT_STORE_PATH, &rootKc);
+ if(ortn) {
+ cssmPerror("SecKeychainOpen", ortn);
+ exit(1);
+ }
+ CFArrayAppendValue(kcList, rootKc);
+ CFRelease(rootKc);
+ }
+ }
+
+ CFAbsoluteTime startTimeFirst;
+ CFAbsoluteTime endTimeFirst;
+ CFAbsoluteTime startTimeMulti;
+ CFAbsoluteTime endTimeMulti;
+
+ /* print a banner describing current test parameters */
+ printf("Starting test: mode = ");
+ if(useTp) {
+ if(useTrustSettings) {
+ printf("TP w/TrustSettings");
+ }
+ else {
+ printf("TP w/o TrustSettings");
+ }
+ }
+ else {
+ printf("SecTrust");
+ if(holdKeychains) {
+ printf("; hold KC refs");
+ }
+ if(emptyList) {
+ printf("; empty KC list");
+ }
+ }
+ if(noRoot) {
+ printf("; no root in input certs\n");
+ }
+ else {
+ printf("\n");
+ }
+
+ /* GO */
+ startTimeFirst = CFAbsoluteTimeGetCurrent();
+ if(useTp) {
+ if(doTpEval(tpHand, clHand, cspHand, cssmCerts, numCerts,
+ useTrustSettings)) {
+ exit(1);
+ }
+ endTimeFirst = CFAbsoluteTimeGetCurrent();
+
+ startTimeMulti = CFAbsoluteTimeGetCurrent();
+ for(dex=0; dex<loops; dex++) {
+ if(doTpEval(tpHand, clHand, cspHand, cssmCerts, numCerts,
+ useTrustSettings)) {
+ exit(1);
+ }
+ }
+ }
+ else {
+ if(doEval(certArray, policyRef, emptyKCList)) {
+ exit(1);
+ }
+ endTimeFirst = CFAbsoluteTimeGetCurrent();
+
+ startTimeMulti = CFAbsoluteTimeGetCurrent();
+ for(dex=0; dex<loops; dex++) {
+ if(doEval(certArray, policyRef, emptyKCList)) {
+ exit(1);
+ }
+ }
+ }
+ endTimeMulti = CFAbsoluteTimeGetCurrent();
+ CFTimeInterval elapsed = endTimeMulti - startTimeMulti;
+
+ printf("First eval = %4.1f ms\n", (endTimeFirst - startTimeFirst) * 1000.0);
+ printf("Next evals = %4.2f ms/op (%f s total for %u loops)\n",
+ elapsed * 1000.0 / loops, elapsed, loops);
+
+ return 0;
+}
projects / apple / security.git / blobdiff