+++ /dev/null
-/*
- * Examine and test a keychain's identity
- */
-#include <Security/Security.h>
-#include <stdlib.h>
-#include <stdio.h>
-#include <CoreServices/../Frameworks/CarbonCore.framework/Headers/MacErrors.h>
-#include <security_cdsa_utils/cuPrintCert.h>
-#include <utilLib/common.h>
-#include <utilLib/cspwrap.h>
-#include <clAppUtils/clutils.h>
-
-typedef enum {
- KC_Nop,
- KC_GetInfo,
- KC_LockKC,
- KC_UnlockKC,
- KC_SignVfy,
- KC_KeyCertInfo
-} KcOp;
-
-static void usage(char **argv)
-{
- printf("Usage: %s keychain|- cmd [options]\n", argv[0]);
- printf("Command:\n");
- printf(" i get KC info\n");
- printf(" k get key and cert info\n");
- printf(" l lock\n");
- printf(" u unlock\n");
- printf(" s sign and verify\n");
- printf("Options:\n");
- printf(" p=passphrase\n");
- printf("Specifying '-' for keychain means NULL, default\n");
- exit(1);
-}
-
-static void showError(
- OSStatus ortn,
- const char *msg)
-{
- const char *errStr = NULL;
- switch(ortn) {
- case errSecItemNotFound:
- errStr = "errSecItemNotFound"; break;
- case errSecNoSuchKeychain:
- errStr = "errSecNoSuchKeychain"; break;
- case errSecNotAvailable:
- errStr = "errSecNotAvailable"; break;
- /* more? */
- default:
- if(ortn < (CSSM_BASE_ERROR +
- (CSSM_ERRORCODE_MODULE_EXTENT * 8))) {
- /* assume CSSM error */
- errStr = cssmErrToStr(ortn);
- }
- break;
-
- }
- if(errStr) {
- printf("***Error on %s: %s\n", msg, errStr);
- }
- else {
- printf("***Error on %s: %d(d)\n", msg, (int)ortn);
- }
-}
-
-static void printDataAsHex(
- const CSSM_DATA *d,
- unsigned maxToPrint = 0) // optional, 0 means print it all
-{
- unsigned i;
- bool more = false;
- uint32 len = d->Length;
- uint8 *cp = d->Data;
-
- if((maxToPrint != 0) && (len > maxToPrint)) {
- len = maxToPrint;
- more = true;
- }
- for(i=0; i<len; i++) {
- printf("%02X ", ((unsigned char *)cp)[i]);
- }
- if(more) {
- printf("...\n");
- }
- else {
- printf("\n");
- }
-}
-
-static void printKeyHeader(
- const CSSM_KEYHEADER &hdr)
-{
- printf(" Algorithm : ");
- switch(hdr.AlgorithmId) {
- case CSSM_ALGID_RSA:
- printf("RSA\n");
- break;
- case CSSM_ALGID_DSA:
- printf("DSA\n");
- break;
- case CSSM_ALGID_FEE:
- printf("FEE\n");
- break;
- case CSSM_ALGID_DH:
- printf("Diffie-Hellman\n");
- break;
- default:
- printf("Unknown(%u(d), 0x%x)\n", (unsigned)hdr.AlgorithmId,
- (unsigned)hdr.AlgorithmId);
- }
- printf(" Key Size : %u bits\n",
- (unsigned)hdr.LogicalKeySizeInBits);
- printf(" Key Use : ");
- CSSM_KEYUSE usage = hdr.KeyUsage;
- if(usage & CSSM_KEYUSE_ANY) {
- printf("CSSM_KEYUSE_ANY ");
- }
- if(usage & CSSM_KEYUSE_ENCRYPT) {
- printf("CSSM_KEYUSE_ENCRYPT ");
- }
- if(usage & CSSM_KEYUSE_DECRYPT) {
- printf("CSSM_KEYUSE_DECRYPT ");
- }
- if(usage & CSSM_KEYUSE_SIGN) {
- printf("CSSM_KEYUSE_SIGN ");
- }
- if(usage & CSSM_KEYUSE_VERIFY) {
- printf("CSSM_KEYUSE_VERIFY ");
- }
- if(usage & CSSM_KEYUSE_SIGN_RECOVER) {
- printf("CSSM_KEYUSE_SIGN_RECOVER ");
- }
- if(usage & CSSM_KEYUSE_VERIFY_RECOVER) {
- printf("CSSM_KEYUSE_VERIFY_RECOVER ");
- }
- if(usage & CSSM_KEYUSE_WRAP) {
- printf("CSSM_KEYUSE_WRAP ");
- }
- if(usage & CSSM_KEYUSE_UNWRAP) {
- printf("CSSM_KEYUSE_UNWRAP ");
- }
- if(usage & CSSM_KEYUSE_DERIVE) {
- printf("CSSM_KEYUSE_DERIVE ");
- }
- printf("\n");
-
-}
-
-static OSStatus getIdentity(
- SecKeychainRef kcRef,
- CSSM_KEYUSE keyUse,
- SecIdentityRef &idRef)
-{
- SecIdentitySearchRef srchRef = nil;
- OSStatus ortn = SecIdentitySearchCreate(kcRef, keyUse, &srchRef);
- if(ortn) {
- showError(ortn, "SecIdentitySearchCreate");
- return ortn;
- }
- ortn = SecIdentitySearchCopyNext(srchRef, &idRef);
- if(ortn) {
- showError(ortn, "SecIdentitySearchCopyNext");
- return ortn;
- }
- if(CFGetTypeID(idRef) != SecIdentityGetTypeID()) {
- printf("SecIdentitySearchCopyNext CFTypeID failure!\n");
- return paramErr;
- }
- return noErr;
-}
-
-static OSStatus getKeyCertInfo(
- SecCertificateRef certRef,
- SecKeyRef keyRef,
- CSSM_KEY_PTR cssmKey,
- CSSM_CSP_HANDLE cspHand)
-{
- /* display the private key */
- if(cssmKey == NULL) {
- printf(" ***malformed CSSM_KEY\n");
- }
- else {
- printf("Private Key :\n");
- printKeyHeader(cssmKey->KeyHeader);
- printf(" Key Blob : ");
- printDataAsHex(&cssmKey->KeyData, 8);
- }
-
- /* and the cert */
- CSSM_DATA certData;
- OSStatus ortn = SecCertificateGetData(certRef, &certData);
- if(ortn) {
- showError(ortn, "SecCertificateGetData");
- return ortn;
- }
- printf("\nCertificate :\n");
- printCert((unsigned char *)certData.Data, (unsigned)certData.Length,
- CSSM_TRUE);
- return noErr;
-}
-
-#define SIG_ALG CSSM_ALGID_SHA1WithRSA
-
-static OSStatus signVfy(
- SecCertificateRef certRef,
- SecKeyRef keyRef,
- CSSM_KEY_PTR cssmKey,
- CSSM_CSP_HANDLE cspHand)
-{
- uint8 someData[] = {0,1,2,3,4,5,6,7,8};
- CSSM_DATA ptext = {sizeof(someData), someData};
- CSSM_DATA sig = {0, NULL};
- CSSM_RETURN crtn;
-
- /* sign with CSPDL */
- crtn = cspSign(cspHand, SIG_ALG, cssmKey, &ptext, &sig);
- if(crtn) {
- printf("Error signing with private key\n");
- return crtn;
- }
-
- /* attach to CL */
- CSSM_CL_HANDLE clHand = clStartup();
- if(clHand == 0) {
- printf("***Error attaching to CL\n");
- return ioErr;
- }
-
- /* get the public key from the cert */
- CSSM_DATA certData;
- OSStatus ortn = SecCertificateGetData(certRef, &certData);
- if(ortn) {
- showError(ortn, "SecCertificateGetData");
- return ortn;
- }
- CSSM_KEY_PTR pubKey = NULL;
- crtn = CSSM_CL_CertGetKeyInfo(clHand, &certData, &pubKey);
- if(crtn) {
- printError("CSSM_CL_CertGetKeyInfo", crtn);
- return crtn;
- }
-
- /* attach to raw CSP */
- CSSM_CSP_HANDLE rawCspHand = cspStartup();
- if(rawCspHand == 0) {
- printf("***Error attaching to raw CSP\n");
- return ioErr;
- }
-
- /* verify with raw CSP and raw public key */
- crtn = cspSigVerify(rawCspHand, SIG_ALG, pubKey, &ptext,
- &sig, CSSM_OK);
- if(crtn) {
- printf("Error verifying with public key\n");
- return crtn;
- }
-
- /* free everything */
- CSSM_ModuleDetach(rawCspHand);
- CSSM_ModuleDetach(clHand);
- printf("...sign with private key, vfy with cert OK\n");
- return noErr;
-}
-
-/* get cert and private key (in Sec and CSSM form) from identity */
-static OSStatus getKeyCert(
- SecIdentityRef idRef,
- SecCertificateRef &certRef, // RETURNED
- SecKeyRef &keyRef, // private key, RETURNED
- CSSM_KEY_PTR &cssmKey) // private key, RETURNED
-{
- OSStatus ortn = SecIdentityCopyCertificate(idRef, &certRef);
- if(ortn) {
- showError(ortn, "SecIdentityCopyCertificate");
- return ortn;
- }
- ortn = SecIdentityCopyPrivateKey(idRef, &keyRef);
- if(ortn) {
- showError(ortn, "SecIdentityCopyPrivateKey");
- return ortn;
- }
- ortn = SecKeyGetCSSMKey(keyRef, (const CSSM_KEY **)&cssmKey);
- if(ortn) {
- showError(ortn, "SecKeyGetCSSMKey");
- }
- return ortn;
-}
-
-int main(int argc, char **argv)
-{
- SecKeychainRef kcRef = nil;
- OSStatus ortn;
- int arg;
- char *argp;
-
- /* user-spec'd variables */
- KcOp op = KC_Nop;
- char *pwd = NULL;
- char *kcName;
-
- if(argc < 3) {
- usage(argv);
- }
- kcName = argv[1];
- if(!strcmp("-", kcName)) {
- /* null - no open */
- kcName = NULL;
- }
- switch(argv[2][0]) {
- case 'i':
- op = KC_GetInfo; break;
- case 'l':
- op = KC_LockKC; break;
- case 'u':
- op = KC_UnlockKC; break;
- case 's':
- op = KC_SignVfy; break;
- case 'k':
- op = KC_KeyCertInfo; break;
- default:
- usage(argv);
- }
- for(arg=3; arg<argc; arg++) {
- argp = argv[arg];
- switch(argp[0]) {
- case 'p':
- pwd = &argp[2];
- break;
- default:
- usage(argv);
- }
- }
-
- if(kcName != NULL) {
- ortn = SecKeychainOpen(kcName, &kcRef);
- if(ortn) {
- showError(ortn, "SecKeychainOpen");
- printf("Cannot open keychain at %s. Aborting.\n", kcName);
- exit(1);
- }
- }
-
- /* handle trivial commands right now */
- switch(op) {
- case KC_LockKC:
- ortn = SecKeychainLock(kcRef);
- if(ortn) {
- showError(ortn, "SecKeychainLock");
- exit(1);
- }
- printf("...keychain %s locked.\n", argv[1]);
- exit(0);
-
- case KC_UnlockKC:
- if(pwd == NULL) {
- printf("***Warning: unlocking with no password\n");
- }
- ortn = SecKeychainUnlock(kcRef,
- pwd ? strlen(pwd) : 0,
- pwd,
- pwd ? true : false); // usePassword
- if(ortn) {
- showError(ortn, "SecKeychainUnlock");
- exit(1);
- }
- printf("...keychain %s unlocked.\n", argv[1]);
- exit(0);
-
- case KC_GetInfo:
- {
- SecKeychainStatus kcStat;
- ortn = SecKeychainGetStatus(kcRef, &kcStat);
- if(ortn) {
- showError(ortn, "SecKeychainGetStatus");
- exit(1);
- }
- printf("...SecKeychainStatus = %u ( ", (unsigned)kcStat);
- if(kcStat & kSecUnlockStateStatus) {
- printf("UnlockState ");
- }
- if(kcStat & kSecReadPermStatus) {
- printf("RdPerm ");
- }
- if(kcStat & kSecWritePermStatus) {
- printf("WrPerm ");
- }
- printf(")\n");
- exit(0);
- }
-
- default:
- /* more processing below */
- break;
- }
-
- /* remaining cmds need an identity */
- SecIdentityRef idRef;
- ortn = getIdentity(kcRef, CSSM_KEYUSE_SIGN, idRef);
- if(ortn) {
- printf("***No identity found in keychain %s. Aborting.\n", kcName);
- exit(1);
- }
-
- /* and a CSP */
- CSSM_CSP_HANDLE cspHand;
- ortn = SecKeychainGetCSPHandle(kcRef, &cspHand);
- if(ortn) {
- showError(ortn, "SecKeychainGetCSPHandle");
- exit(1);
- }
-
- /* and the cert and keys */
- SecCertificateRef certRef = nil;
- SecKeyRef keyRef = nil;
- CSSM_KEY_PTR privKey = NULL;
- ortn = getKeyCert(idRef, certRef, keyRef, privKey);
- if(ortn) {
- printf("***Incomplete identity\n");
- exit(1);
- }
-
- switch(op) {
- case KC_KeyCertInfo:
- ortn = getKeyCertInfo(certRef, keyRef, privKey, cspHand);
- break;
- case KC_SignVfy:
- ortn = signVfy(certRef, keyRef, privKey, cspHand);
- break;
- default:
- printf("BRRRZAP!\n");
- exit(1);
- }
- CFRelease(idRef);
- if(kcRef) {
- CFRelease(kcRef);
- }
- return (int)ortn;
-}
projects / apple / security.git / blobdiff