+++ /dev/null
-/*
- * certLabelTest.cpp - test SecCertificateInferLabel(), in particular, Radar
- * 3529689 (teletex strings) and 4746055 (add Description
- * in parentheses)
- */
-
-#include <stdlib.h>
-#include <strings.h>
-#include <stdio.h>
-#include <unistd.h>
-#include <Security/Security.h>
-#include <Security/SecCertificatePriv.h>
-#include <clAppUtils/clutils.h>
-#include <clAppUtils/CertBuilderApp.h>
-#include <utilLib/common.h>
-#include <utilLib/cspwrap.h>
-#include <security_cdsa_utils/cuFileIo.h>
-
-static void usage(char **argv)
-{
- printf("usage: %s [options]\n", argv[0]);
- printf("Options:\n");
- printf(" -p -- pause for leaks check\n");
- printf(" -q -- quiet\n");
- /* etc. */
- exit(1);
-}
-
-#define KEY_SIZE 1024
-#define KEY_ALG CSSM_ALGID_RSA
-#define SIG_ALG CSSM_ALGID_SHA1WithRSA
-#define CERT_FILE_OUT "/tmp/certLabelTest.cer"
-
-/*
- * Here's the definitive string for Radar 3529689.
- * BER tag = Teletex/T61, encoding = kCFStringEncodingISOLatin1.
- * I hope Herr Petersen does not mind.
- */
-static const unsigned char JurgenPetersen[] =
-{
- 0x4a, 0xf8, 0x72, 0x67, 0x65, 0x6e, 0x20, 0x4e,
- 0xf8, 0x72, 0x67, 0x61, 0x61, 0x72, 0x64, 0x20,
- 0x50, 0x65, 0x74, 0x65, 0x72, 0x73, 0x65, 0x6e
-};
-
-/*
- * Name/OID pair used in buildX509Name().
- * This logic is like the CB_BuildX509Name() code in clAppUtils/CertBuilderApp.cpp,
- * with the addition of the berTag specification, and data is specified as a void *
- * and size_t.
- */
-typedef struct {
- const void *nameVal;
- CSSM_SIZE nameLen;
- const CSSM_OID *oid;
- CSSM_BER_TAG berTag;
-} NameOid;
-
-/*
- * Build up a CSSM_X509_NAME from an arbitrary list of name/OID/tag triplets.
- * We do one a/v pair per RDN.
- */
-static CSSM_X509_NAME *buildX509Name(
- const NameOid *nameArray,
- unsigned numNames)
-{
- CSSM_X509_NAME *top = (CSSM_X509_NAME *)appMalloc(sizeof(CSSM_X509_NAME), 0);
- if(top == NULL) {
- return NULL;
- }
- top->numberOfRDNs = numNames;
- top->RelativeDistinguishedName =
- (CSSM_X509_RDN_PTR)appMalloc(sizeof(CSSM_X509_RDN) * numNames, 0);
- if(top->RelativeDistinguishedName == NULL) {
- return NULL;
- }
- CSSM_X509_RDN_PTR rdn;
- const NameOid *nameOid;
- unsigned nameDex;
- for(nameDex=0; nameDex<numNames; nameDex++) {
- rdn = &top->RelativeDistinguishedName[nameDex];
- nameOid = &nameArray[nameDex];
- rdn->numberOfPairs = 1;
- rdn->AttributeTypeAndValue = (CSSM_X509_TYPE_VALUE_PAIR_PTR)
- appMalloc(sizeof(CSSM_X509_TYPE_VALUE_PAIR), 0);
- CSSM_X509_TYPE_VALUE_PAIR_PTR atvp = rdn->AttributeTypeAndValue;
- if(atvp == NULL) {
- return NULL;
- }
- appCopyCssmData(nameOid->oid, &atvp->type);
- atvp->valueType = nameOid->berTag;
- atvp->value.Length = nameOid->nameLen;
- atvp->value.Data = (uint8 *)CSSM_MALLOC(nameOid->nameLen);
- memmove(atvp->value.Data, nameOid->nameVal, nameOid->nameLen);
- }
- return top;
-}
-
-/* just make these static and reuse them */
-static CSSM_X509_TIME *notBefore;
-static CSSM_X509_TIME *notAfter;
-
-/*
- * Core test routine.
- * -- build a cert with issuer and subject as per specified name components
- * -- extract inferred label
- * -- compare inferred label to expected value
- * -- if labelIsCommonName true, verify that SecCertificateCopyCommonName() yields
- * the same string as inferred label
- */
-static int doTest(
- const char *testName,
- bool quiet,
- CSSM_CSP_HANDLE cspHand,
- CSSM_CL_HANDLE clHand,
- CSSM_KEY_PTR privKey,
- CSSM_KEY_PTR pubKey,
-
- /* input names - one or two */
- const void *name1Val,
- CSSM_SIZE name1Len,
- CSSM_BER_TAG berTag1,
- const CSSM_OID *name1Oid,
- const void *name2Val, // optional
- CSSM_SIZE name2Len,
- CSSM_BER_TAG berTag2,
- const CSSM_OID *name2Oid,
-
- /* expected label */
- CFStringRef expectedLabel,
- bool labelIsCommonName)
-{
- if(!quiet) {
- printf("...%s\n", testName);
- }
-
- /* build the subject/issuer name */
- NameOid nameArray[2] = { {name1Val, name1Len, name1Oid, berTag1 },
- {name2Val, name2Len, name2Oid, berTag2 } };
- unsigned numNames = name2Val ? 2 : 1;
-
- CSSM_X509_NAME *name = buildX509Name(nameArray, numNames);
- if(name == NULL) {
- printf("***buildX509Name screwup\n");
- return -1;
- }
-
- /* build the cert template */
- CSSM_DATA_PTR certTemp = CB_MakeCertTemplate(
- clHand, 0x123456,
- name, name,
- notBefore, notAfter,
- pubKey, SIG_ALG,
- NULL, NULL, // subject/issuer UniqueID
- NULL, 0); // extensions
- if(certTemp == NULL) {
- printf("***CB_MakeCertTemplate screwup\n");
- return -1;
- }
-
- /* sign the cert */
- CSSM_DATA signedCert = {0, NULL};
- CSSM_CC_HANDLE sigHand;
- CSSM_RETURN crtn = CSSM_CSP_CreateSignatureContext(cspHand,
- SIG_ALG,
- NULL, // no passphrase for now
- privKey,
- &sigHand);
- if(crtn) {
- /* should never happen */
- cssmPerror("CSSM_CSP_CreateSignatureContext", crtn);
- return 1;
- }
- crtn = CSSM_CL_CertSign(clHand,
- sigHand,
- certTemp, // CertToBeSigned
- NULL, // SignScope per spec
- 0, // ScopeSize per spec
- &signedCert);
- if(crtn) {
- cssmPerror("CSSM_CL_CertSign", crtn);
- return 1;
- }
- CSSM_DeleteContext(sigHand);
- CSSM_FREE(certTemp->Data);
- CSSM_FREE(certTemp);
-
- /*
- * OK, we have a signed cert.
- * Turn it into a SecCertificateRef and get the inferred label.
- */
- OSStatus ortn;
- SecCertificateRef certRef;
- ortn = SecCertificateCreateFromData(&signedCert,
- CSSM_CERT_X_509v3, CSSM_CERT_ENCODING_DER,
- &certRef);
- if(ortn) {
- cssmPerror("SecCertificateCreateFromData", ortn);
- return -1;
- }
- CFStringRef inferredLabel;
- ortn = SecCertificateInferLabel(certRef, &inferredLabel);
- if(ortn) {
- cssmPerror("SecCertificateCreateFromData", ortn);
- return -1;
- }
- CFComparisonResult res = CFStringCompare(inferredLabel, expectedLabel, 0);
- if(res != kCFCompareEqualTo) {
- fprintf(stderr, "*** label miscompare in test '%s' ***\n", testName);
- fprintf(stderr, "expected label : ");
- CFShow(expectedLabel);
- fprintf(stderr, "inferred label : ");
- CFShow(inferredLabel);
- if(writeFile(CERT_FILE_OUT, signedCert.Data, signedCert.Length)) {
- fprintf(stderr, "***Error writing cert to %s\n", CERT_FILE_OUT);
- }
- else {
- fprintf(stderr, "...write %lu bytes to %s\n", (unsigned long)signedCert.Length,
- CERT_FILE_OUT);
- }
- return -1;
- }
-
- if(labelIsCommonName) {
- CFStringRef commonName = NULL;
- ortn = SecCertificateCopyCommonName(certRef, &commonName);
- if(ortn) {
- cssmPerror("SecCertificateCopyCommonName", ortn);
- return -1;
- }
- res = CFStringCompare(inferredLabel, commonName, 0);
- if(res != kCFCompareEqualTo) {
- printf("*** CommonName miscompare in test '%s' ***\n", testName);
- printf("Common Name : '");
- CFShow(commonName);
- printf("'\n");
- printf("inferred label : '");
- CFShow(inferredLabel);
- printf("'\n");
- if(writeFile(CERT_FILE_OUT, signedCert.Data, signedCert.Length)) {
- printf("***Error writing cert to %s\n", CERT_FILE_OUT);
- }
- else {
- printf("...write %lu bytes to %s\n", (unsigned long)signedCert.Length,
- CERT_FILE_OUT);
- }
- return -1;
- }
- CFRelease(commonName);
- }
- CFRelease(certRef);
- CSSM_FREE(signedCert.Data);
- CB_FreeX509Name(name);
- CFRelease(inferredLabel);
- return 0;
-}
-
-int main(int argc, char **argv)
-{
- bool quiet = false;
- bool doPause = false;
-
- int arg;
- while ((arg = getopt(argc, argv, "pqh")) != -1) {
- switch (arg) {
- case 'q':
- quiet = true;
- break;
- case 'p':
- doPause = true;
- break;
- case 'h':
- usage(argv);
- }
- }
- if(optind != argc) {
- usage(argv);
- }
-
- testStartBanner("certLabelTest", argc, argv);
-
- CSSM_CL_HANDLE clHand = clStartup();
- CSSM_CSP_HANDLE cspHand = cspStartup();
-
- /* create a key pair */
- CSSM_RETURN crtn;
- CSSM_KEY pubKey;
- CSSM_KEY privKey;
-
- crtn = cspGenKeyPair(cspHand, KEY_ALG,
- "someLabel", 8,
- KEY_SIZE,
- &pubKey, CSSM_FALSE, CSSM_KEYUSE_ANY, CSSM_KEYBLOB_RAW_FORMAT_NONE,
- &privKey, CSSM_FALSE, CSSM_KEYUSE_ANY, CSSM_KEYBLOB_RAW_FORMAT_NONE,
- CSSM_FALSE);
- if(crtn) {
- printf("***Error generating RSA key pair. Aborting.\n");
- exit(1);
- }
-
- /* common params, reused for each test */
- notBefore = CB_BuildX509Time(0);
- notAfter = CB_BuildX509Time(100000);
-
- /*
- * Grind thru test cases.
- */
- int ourRtn;
-
- /* very basic */
- ourRtn = doTest("simple ASCII common name", quiet,
- cspHand, clHand, &privKey, &pubKey,
- "Simple Name", strlen("Simple Name"), BER_TAG_PRINTABLE_STRING, &CSSMOID_CommonName,
- NULL, 0, BER_TAG_UNKNOWN, NULL,
- CFSTR("Simple Name"), true);
- if(ourRtn) {
- exit(1);
- }
-
- /* test concatentation of description */
- ourRtn = doTest("ASCII common name plus ASCII description", quiet,
- cspHand, clHand, &privKey, &pubKey,
- "Simple Name", strlen("Simple Name"), BER_TAG_PRINTABLE_STRING, &CSSMOID_CommonName,
- "Description", strlen("Description"), BER_TAG_PRINTABLE_STRING, &CSSMOID_Description,
- CFSTR("Simple Name (Description)"), false);
- if(ourRtn) {
- exit(1);
- }
-
- /* basic, specifying UTF8 (should be same as PRINTABLE) */
- ourRtn = doTest("simple UTF8 common name", quiet,
- cspHand, clHand, &privKey, &pubKey,
- "Simple Name", strlen("Simple Name"), BER_TAG_PKIX_UTF8_STRING, &CSSMOID_CommonName,
- NULL, 0, BER_TAG_UNKNOWN, NULL,
- CFSTR("Simple Name"), true);
- if(ourRtn) {
- exit(1);
- }
-
- /* label from org name instead of common name */
- ourRtn = doTest("label from OrgName", quiet,
- cspHand, clHand, &privKey, &pubKey,
- "Simple Name", strlen("Simple Name"), BER_TAG_PRINTABLE_STRING, &CSSMOID_OrganizationName,
- NULL, 0, BER_TAG_UNKNOWN, NULL,
- CFSTR("Simple Name"), false);
- if(ourRtn) {
- exit(1);
- }
-
- /* label from orgUnit name instead of common name */
- ourRtn = doTest("label from OrgUnit", quiet,
- cspHand, clHand, &privKey, &pubKey,
- "Simple Name", strlen("Simple Name"), BER_TAG_PRINTABLE_STRING, &CSSMOID_OrganizationalUnitName,
- NULL, 0, BER_TAG_UNKNOWN, NULL,
- CFSTR("Simple Name"), false);
- if(ourRtn) {
- exit(1);
- }
-
- /* label from orgUnit name, description is ignored (it's only used if the
- * label comes from CommonName) */
- ourRtn = doTest("label from OrgUnit, description is ignored", quiet,
- cspHand, clHand, &privKey, &pubKey,
- "Simple Name", strlen("Simple Name"), BER_TAG_PRINTABLE_STRING, &CSSMOID_OrganizationalUnitName,
- "Description", strlen("Description"), BER_TAG_PRINTABLE_STRING, &CSSMOID_Description,
- CFSTR("Simple Name"), false);
- if(ourRtn) {
- exit(1);
- }
-
- /* Radar 3529689: T61/Teletex, ISOLatin encoding, commonName only */
- CFStringRef t61Str = CFStringCreateWithBytes(NULL, JurgenPetersen, sizeof(JurgenPetersen),
- kCFStringEncodingISOLatin1, true);
- ourRtn = doTest("T61/Teletex name from Radar 3529689", quiet,
- cspHand, clHand, &privKey, &pubKey,
- JurgenPetersen, sizeof(JurgenPetersen), BER_TAG_TELETEX_STRING, &CSSMOID_CommonName,
- NULL, 0, BER_TAG_UNKNOWN, NULL,
- t61Str, true);
- if(ourRtn) {
- exit(1);
- }
-
- /* Now convert that ISOLatin into Unicode and try with that */
- CFDataRef unicodeStr = CFStringCreateExternalRepresentation(NULL, t61Str,
- kCFStringEncodingUnicode, 0);
- if(unicodeStr == NULL) {
- printf("***Error converting to Unicode\n");
- exit(1);
- }
- ourRtn = doTest("Unicode CommonName", quiet,
- cspHand, clHand, &privKey, &pubKey,
- CFDataGetBytePtr(unicodeStr), CFDataGetLength(unicodeStr),
- BER_TAG_PKIX_BMP_STRING, &CSSMOID_CommonName,
- NULL, 0, BER_TAG_UNKNOWN, NULL,
- t61Str, true);
- if(ourRtn) {
- exit(1);
- }
- CFRelease(unicodeStr);
-
- /* Mix up ISOLatin Common Name and ASCII Description to ensure that the encodings
- * of the two components are handled separately */
- CFMutableStringRef combo = CFStringCreateMutable(NULL, 0);
- CFStringAppend(combo, t61Str);
- CFStringAppendCString(combo, " (Description)", kCFStringEncodingASCII);
- ourRtn = doTest("ISOLatin Common Name and ASCII Description", quiet,
- cspHand, clHand, &privKey, &pubKey,
- JurgenPetersen, sizeof(JurgenPetersen), BER_TAG_TELETEX_STRING, &CSSMOID_CommonName,
- "Description", strlen("Description"), BER_TAG_PRINTABLE_STRING, &CSSMOID_Description,
- combo, false);
- if(ourRtn) {
- exit(1);
- }
- CFRelease(combo);
- CFRelease(t61Str);
-
- if(doPause) {
- fpurge(stdin);
- printf("Pausing for leaks testing; CR to continue: ");
- getchar();
- }
- if(!quiet) {
- printf("...success\n");
- }
- return 0;
-}
projects / apple / security.git / blobdiff