+++ /dev/null
-/*
- * certTime - measure performacne of cert parse and build.
- */
-
-#include <security_cdsa_utils/cuFileIo.h>
-#include <clAppUtils/CertBuilderApp.h>
-#include <utilLib/common.h>
-#include <utilLib/cspwrap.h>
-#include <clAppUtils/clutils.h>
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <time.h>
-#include <Security/cssm.h>
-#include <Security/x509defs.h>
-#include <Security/oidsattr.h>
-#include <Security/oidscert.h>
-#include <Security/certextensions.h>
-#include <CoreFoundation/CoreFoundation.h>
-#include "extenCooker.h"
-
-#define KEYSIZE_DEF 1024
-#define CL_KEY_VIA_GET_KEY 0
-
-static void usage(char **argv)
-{
- printf("Usage: %s op loops [options]\n", argv[0]);
- printf("Op:\n");
- printf(" p parse\n");
- printf(" g parse & get all fields\n");
- #if CL_KEY_VIA_GET_KEY
- printf(" t parse & get some fields, emulating TPCertInfo, GetKeyInfo\n");
- #else
- printf(" t parse & get some fields, emulating TPCertInfo, fetchField(key)\n");
- #endif
- printf(" c create\n");
- printf(" s create & sign\n");
- printf(" v verify\n");
- printf("Options:\n");
- printf(" b RSA blinding on\n");
- printf(" k=keysize (default = %d)\n", KEYSIZE_DEF);
- exit(1);
-}
-
-/*
- * The certs we'll be parsing
- */
-static const char *certNames[] =
-{
- "anchor_0", // GTE CyberTrust Root, no extens
- "anchor_9", // VeriSign, no extens
- "anchor_34", // TrustCenter, 6 extens
- "anchor_44", // USERTRUST, 5 extens, incl. cRLDistributionPoints
- "anchor_76", // QuoVadis, 6 extens, incl. authorityInfoAccess
- "anchor_80", // KMD-CA Kvalificeret3 6 extens
-};
-
-#define NUM_PARSED_CERTS (sizeof(certNames) / sizeof(certNames[0]))
-
-/* dummy RDN - subject and issuer - we aren't testing this */
-CB_NameOid dummyRdn[] =
-{
- { "Apple Computer", &CSSMOID_OrganizationName },
- { "Doug Mitchell", &CSSMOID_CommonName }
-};
-#define NUM_DUMMY_NAMES (sizeof(dummyRdn) / sizeof(CB_NameOid))
-
-#define KEY_ALG CSSM_ALGID_RSA
-#define SIG_ALG CSSM_ALGID_SHA1WithRSA
-#define SUBJ_KEY_LABEL "subjectKey"
-
-
-/*
- * Set of extensions we'll be creating
- */
-/* empty freeFcn means no extension-specific resources to free */
-#define NO_FREE NULL
-
-static ExtenTest extenTests[] = {
- { kuCreate, kuCompare, NO_FREE,
- sizeof(CE_KeyUsage), CSSMOID_KeyUsage,
- "KeyUsage", 'k' },
- { ekuCreate, ekuCompare, NO_FREE,
- sizeof(CE_ExtendedKeyUsage), CSSMOID_ExtendedKeyUsage,
- "ExtendedKeyUsage", 'x' },
- { authKeyIdCreate, authKeyIdCompare, authKeyIdFree,
- sizeof(CE_AuthorityKeyID), CSSMOID_AuthorityKeyIdentifier,
- "AuthorityKeyID", 'a' },
- { genNamesCreate, genNamesCompare, genNamesFree,
- sizeof(CE_GeneralNames), CSSMOID_SubjectAltName,
- "SubjectAltName", 't' },
-};
-
-#define MAX_EXTENSIONS (sizeof(extenTests) / sizeof(ExtenTest))
-
-static int doParse(
- CSSM_CL_HANDLE clHand,
- const CSSM_DATA &cert,
- unsigned loops)
-{
- CSSM_HANDLE cacheHand;
- CSSM_RETURN crtn;
-
- for(unsigned loop=0; loop<loops; loop++) {
- crtn = CSSM_CL_CertCache(clHand, &cert, &cacheHand);
- if(crtn) {
- printError("CSSM_CL_CertCache", crtn);
- return 1;
- }
- crtn = CSSM_CL_CertAbortCache(clHand, cacheHand);
- if(crtn) {
- printError("CSSM_CL_CrlAbortCache", crtn);
- return 1;
- }
- }
- return 0;
-}
-
-/* Emulate TPCertInfo constructor */
-
-static CSSM_RETURN fetchCertField(
- CSSM_CL_HANDLE clHand,
- CSSM_HANDLE certHand,
- const CSSM_OID *fieldOid,
- CSSM_DATA_PTR *fieldData) // mallocd by CL and RETURNED
-{
- CSSM_RETURN crtn;
-
- uint32 NumberOfFields = 0;
- CSSM_HANDLE resultHand = 0;
- *fieldData = NULL;
- crtn = CSSM_CL_CertGetFirstCachedFieldValue(
- clHand,
- certHand,
- fieldOid,
- &resultHand,
- &NumberOfFields,
- fieldData);
- if(crtn) {
- printError("fetchCertField", crtn);
- return crtn;
- }
- if(NumberOfFields != 1) {
- printf("***fetchCertField: numFields %d, expected 1\n",
- (int)NumberOfFields);
- }
- CSSM_CL_CertAbortQuery(clHand, resultHand);
- return CSSM_OK;
-}
-
-
-static int doGetSomeFields(
- CSSM_CL_HANDLE clHand,
- const CSSM_DATA &cert,
- unsigned loops)
-{
- CSSM_HANDLE cacheHand;
- CSSM_RETURN crtn;
-
- /* fetched by TPClItemInfo constructor */
- CSSM_DATA_PTR issuerName;
- CSSM_DATA_PTR sigAlg;
- CSSM_DATA_PTR notBefore;
- CSSM_DATA_PTR notAfter;
- /* fetched by TPCertInfo */
- CSSM_DATA_PTR subjectName;
- #if CL_KEY_VIA_GET_KEY
- CSSM_KEY_PTR subjPubKey;
- #else
- CSSM_DATA_PTR subjPubKeyData;
- #endif
-
- for(unsigned loop=0; loop<loops; loop++) {
- /* parse and cache */
- crtn = CSSM_CL_CertCache(clHand, &cert, &cacheHand);
- if(crtn) {
- printError("CSSM_CL_CertCache", crtn);
- return 1;
- }
- /* fetch the fields */
- fetchCertField(clHand, cacheHand, &CSSMOID_X509V1IssuerName, &issuerName);
- fetchCertField(clHand, cacheHand, &CSSMOID_X509V1SignatureAlgorithmTBS,
- &sigAlg);
- fetchCertField(clHand, cacheHand, &CSSMOID_X509V1ValidityNotBefore,
- ¬Before);
- fetchCertField(clHand, cacheHand, &CSSMOID_X509V1ValidityNotAfter, ¬After);
- fetchCertField(clHand, cacheHand, &CSSMOID_X509V1SubjectName, &subjectName);
- #if CL_KEY_VIA_GET_KEY
- CSSM_CL_CertGetKeyInfo(clHand, &cert, &subjPubKey);
- #else
- fetchCertField(clHand, cacheHand, &CSSMOID_CSSMKeyStruct, &subjPubKeyData);
- #endif
-
- /* free the fields */
- CSSM_CL_FreeFieldValue(clHand, &CSSMOID_X509V1IssuerName, issuerName);
- CSSM_CL_FreeFieldValue(clHand, &CSSMOID_X509V1SignatureAlgorithmTBS, sigAlg);
- CSSM_CL_FreeFieldValue(clHand, &CSSMOID_X509V1ValidityNotBefore, notBefore);
- CSSM_CL_FreeFieldValue(clHand, &CSSMOID_X509V1ValidityNotAfter, notAfter);
- CSSM_CL_FreeFieldValue(clHand, &CSSMOID_X509V1SubjectName, subjectName);
- #if CL_KEY_VIA_GET_KEY
- appFree(subjPubKey->KeyData.Data, 0);
- appFree(subjPubKey, 0);
- #else
- CSSM_CL_FreeFieldValue(clHand, &CSSMOID_CSSMKeyStruct, subjPubKeyData);
- #endif
-
- crtn = CSSM_CL_CertAbortCache(clHand, cacheHand);
- if(crtn) {
- printError("CSSM_CL_CrlAbortCache", crtn);
- return 1;
- }
- }
- return 0;
-}
-
-static int doGetFields(
- CSSM_CL_HANDLE clHand,
- const CSSM_DATA &cert,
- unsigned loops)
-{
- uint32 numFields;
- CSSM_FIELD_PTR certFields;
- CSSM_RETURN crtn;
-
- for(unsigned loop=0; loop<loops; loop++) {
- crtn = CSSM_CL_CertGetAllFields(clHand, &cert, &numFields,
- &certFields);
- if(crtn) {
- printError("CSSM_CL_CertGetAllFields", crtn);
- return 1;
- }
- crtn = CSSM_CL_FreeFields(clHand, numFields, &certFields);
- if(crtn) {
- printError("CSSM_CL_FreeFields", crtn);
- return 1;
- }
- }
- return 0;
-}
-
-static int doVerify(
- CSSM_CL_HANDLE clHand,
- const CSSM_DATA &cert,
- unsigned loops)
-{
- CSSM_RETURN crtn;
-
- for(unsigned loop=0; loop<loops; loop++) {
- crtn = CSSM_CL_CertVerify(clHand,
- CSSM_INVALID_HANDLE,
- &cert,
- &cert,
- NULL, // VerifyScope
- 0); // ScopeSize
- if(crtn) {
- printError("CSSM_CL_CertVerify", crtn);
- return 1;
- }
- }
- return 0;
-}
-
-/*
- * Stuff to be created before entering the timed cert create routine.
- */
-typedef struct {
- CSSM_KEY privKey;
- CSSM_KEY pubKey;
- CSSM_X509_NAME *dummyName;
- CSSM_X509_TIME *notBefore;
- CSSM_X509_TIME *notAfter;
- CSSM_X509_EXTENSION extens[MAX_EXTENSIONS];
-} PresetParams;
-
-/*
- * One-time only setup of cert creation params.
- */
- static int createSetup(
- CSSM_CL_HANDLE clHand,
- CSSM_CSP_HANDLE cspHand,
- unsigned keySize,
- PresetParams ¶ms)
-{
- CSSM_RETURN crtn;
-
- crtn = cspGenKeyPair(cspHand,
- KEY_ALG,
- SUBJ_KEY_LABEL,
- strlen(SUBJ_KEY_LABEL),
- keySize,
- ¶ms.pubKey,
- CSSM_FALSE, // pubIsRef
- CSSM_KEYUSE_VERIFY,
- CSSM_KEYBLOB_RAW_FORMAT_NONE,
- ¶ms.privKey,
- CSSM_TRUE, // privIsRef - doesn't matter
- CSSM_KEYUSE_SIGN,
- CSSM_KEYBLOB_RAW_FORMAT_NONE,
- CSSM_FALSE);
- if(crtn) {
- return 1;
- }
- params.dummyName = CB_BuildX509Name(dummyRdn, NUM_DUMMY_NAMES);
- if(params.dummyName == NULL) {
- printf("CB_BuildX509Name failure");
- return 1;
- }
- params.notBefore = CB_BuildX509Time(0);
- params.notAfter = CB_BuildX509Time(10000);
-
- /* now some extensions */
- for(unsigned dex=0; dex<MAX_EXTENSIONS; dex++) {
- CSSM_X509_EXTENSION &extn = params.extens[dex];
- ExtenTest &etest = extenTests[dex];
-
- void *extVal = CSSM_MALLOC(etest.extenSize);
- memset(extVal, 0, etest.extenSize);
- etest.createFcn(extVal);
-
- extn.extnId = etest.extenOid;
- extn.critical = randBool();
- extn.format = CSSM_X509_DATAFORMAT_PARSED;
- extn.value.parsedValue = extVal;
- extn.BERvalue.Data = NULL;
- extn.BERvalue.Length = 0;
- }
- return 0;
-}
-
-static int doCreate(
- CSSM_CL_HANDLE clHand,
- CSSM_CSP_HANDLE cspHand,
- unsigned loops,
- PresetParams ¶ms,
- bool doSign,
- bool rsaBlind)
-{
- for(unsigned loop=0; loop<loops; loop++) {
- CSSM_DATA_PTR rawCert = CB_MakeCertTemplate(clHand,
- 0x12345678, // serial number
- params.dummyName,
- params.dummyName,
- params.notBefore,
- params.notAfter,
- ¶ms.pubKey,
- SIG_ALG,
- NULL, // subjUniqueId
- NULL, // issuerUniqueId
- params.extens, // extensions
- /* vary numExtensions per loop */
- loop % MAX_EXTENSIONS);
- if(rawCert == NULL) {
- printf("Error creating cert template.\n");
- return 1;
- }
- if(doSign) {
- CSSM_DATA signedCert = {0, NULL};
- CSSM_CC_HANDLE sigHand;
- CSSM_RETURN crtn = CSSM_CSP_CreateSignatureContext(cspHand,
- SIG_ALG,
- NULL, // no passphrase for now
- ¶ms.privKey,
- &sigHand);
- if(crtn) {
- printError("CreateSignatureContext", crtn);
- return 1;
- }
-
- if(rsaBlind) {
- CSSM_CONTEXT_ATTRIBUTE newAttr;
- newAttr.AttributeType = CSSM_ATTRIBUTE_RSA_BLINDING;
- newAttr.AttributeLength = sizeof(uint32);
- newAttr.Attribute.Uint32 = 1;
- crtn = CSSM_UpdateContextAttributes(sigHand, 1, &newAttr);
- if(crtn) {
- printError("CSSM_UpdateContextAttributes", crtn);
- return crtn;
- }
- }
-
- crtn = CSSM_CL_CertSign(clHand,
- sigHand,
- rawCert, // CertToBeSigned
- NULL, // SignScope per spec
- 0, // ScopeSize per spec
- &signedCert);
- if(crtn) {
- printError("CSSM_CL_CertSign", crtn);
- return 1;
- }
- CSSM_DeleteContext(sigHand);
- CSSM_FREE(signedCert.Data);
- }
- CSSM_FREE(rawCert->Data);
- CSSM_FREE(rawCert);
- }
- return 0;
-}
-
-typedef enum {
- CTO_Parse,
- CTO_GetFields,
- CTO_GetSomeFields,
- CTO_Create, // sign is an option for this one
- CTO_Verify
-} CT_Op;
-
-int main(int argc, char **argv)
-{
- CSSM_CL_HANDLE clHand;
- CSSM_CSP_HANDLE cspHand;
- int arg;
- int rtn;
- char *argp;
- unsigned i;
- PresetParams params;
- CSSM_DATA certData[NUM_PARSED_CERTS];
-
- /* user-specificied params */
- CT_Op op;
- unsigned loops = 0;
- bool doSign = false;
- const char *opStr = NULL;
- bool rsaBlinding = false;
- unsigned keySize = KEYSIZE_DEF;
-
- if(argc < 3) {
- usage(argv);
- }
- switch(argv[1][0]) {
- case 'p':
- op = CTO_Parse;
- opStr = "Parsed";
- break;
- case 'g':
- op = CTO_GetFields;
- opStr = "Parsed with GetAllFields";
- break;
- case 't':
- op = CTO_GetSomeFields;
- #if CL_KEY_VIA_GET_KEY
- opStr = "Parsed with some GetFields and GetKeyInfo";
- #else
- opStr = "Parsed with some GetFields";
- #endif
- break;
- case 'c':
- op = CTO_Create;
- opStr = "Created";
- break;
- case 's':
- op = CTO_Create;
- opStr = "Created and Signed";
- doSign = true;
- break;
- case 'v':
- op = CTO_Verify;
- opStr = "Verified";
- break;
- default:
- usage(argv);
- }
-
- loops = atoi(argv[2]);
- for(arg=3; arg<argc; arg++) {
- argp = argv[arg];
- switch(argp[0]) {
- case 'b':
- rsaBlinding = true;
- break;
- case 'k':
- keySize = atoi(&argp[2]);
- break;
- default:
- usage(argv);
- }
- }
-
- /* common setup */
- clHand = clStartup();
- if(clHand == 0) {
- return 0;
- }
- cspHand = cspStartup();
- if(cspHand == 0) {
- return 0;
- }
-
- /* per-test setup */
- switch(op) {
- unsigned dex;
- unsigned len;
-
- case CTO_Parse:
- case CTO_GetFields:
- case CTO_GetSomeFields:
- case CTO_Verify:
- /* read in the certs */
- for(dex=0; dex<NUM_PARSED_CERTS; dex++) {
- CSSM_DATA &cdata = certData[dex];
- if(readFile(certNames[dex],
- (unsigned char **)&cdata.Data,
- &len)) {
- printf("Error reading cert %s. Aborting.\n",
- certNames[dex]);
- exit(1);
- }
- cdata.Length = len;
- }
- break;
- case CTO_Create:
- /* set up keys, names */
- if(createSetup(clHand, cspHand, keySize, params)) {
- exit(1);
- }
- break;
- }
-
- /* one loop outside of timer to heat up test bed */
- switch(op) {
- case CTO_Parse:
- rtn = doParse(clHand, certData[0], 1);
- break;
- case CTO_GetFields:
- rtn = doGetFields(clHand, certData[0], 1);
- break;
- case CTO_GetSomeFields:
- rtn = doGetSomeFields(clHand, certData[0], 1);
- break;
- case CTO_Verify:
- rtn = doVerify(clHand, certData[0], 1);
- break;
- case CTO_Create:
- rtn = doCreate(clHand, cspHand, 1, params, true, rsaBlinding);
- break;
- }
- if(rtn) {
- printf("This program needs work. Try again.\n");
- return 1;
- }
-
- CFAbsoluteTime startTime, endTime;
- startTime = CFAbsoluteTimeGetCurrent();
-
- /* begin timed loop */
- switch(op) {
- case CTO_Parse:
- for(i=0; i<NUM_PARSED_CERTS; i++) {
- rtn = doParse(clHand, certData[i], loops);
- if(rtn) {
- break;
- }
- }
- break;
- case CTO_GetFields:
- for(i=0; i<NUM_PARSED_CERTS; i++) {
- rtn = doGetFields(clHand, certData[i], loops);
- if(rtn) {
- break;
- }
- }
- break;
- case CTO_GetSomeFields:
- for(i=0; i<NUM_PARSED_CERTS; i++) {
- rtn = doGetSomeFields(clHand, certData[i], loops);
- if(rtn) {
- break;
- }
- }
- break;
- case CTO_Verify:
- for(i=0; i<NUM_PARSED_CERTS; i++) {
- rtn = doVerify(clHand, certData[i], loops);
- if(rtn) {
- break;
- }
- }
- break;
- case CTO_Create:
- rtn = doCreate(clHand, cspHand, loops, params, doSign,
- rsaBlinding);
- break;
- }
- endTime = CFAbsoluteTimeGetCurrent();
- CFAbsoluteTime deltaTime = endTime - startTime;
-
- if(rtn) {
- printf("Error in main loop. Try again.\n");
- return 1;
- }
-
- unsigned numCerts = loops;
- if(op != CTO_Create) {
- numCerts *= NUM_PARSED_CERTS;
- }
-
- printf("=== %u certs %s ===\n", numCerts, opStr);
- printf("Total time %g s\n", deltaTime);
- printf("%g ms per cert\n", (deltaTime / (double)numCerts) * 1000.0);
-
- /* cleanup */
- if(op == CTO_Create) {
- CB_FreeX509Name(params.dummyName);
- CB_FreeX509Time(params.notBefore);
- CB_FreeX509Time(params.notAfter);
- cspFreeKey(cspHand, ¶ms.pubKey);
- cspFreeKey(cspHand, ¶ms.privKey);
- }
- else {
- for(i=0; i<NUM_PARSED_CERTS; i++) {
- free(certData[i].Data);
- }
- }
- CSSM_ModuleDetach(cspHand);
- CSSM_ModuleDetach(clHand);
- return 0;
-}
-
projects / apple / security.git / blobdiff