+++ /dev/null
-/*
- * makeCrl.cpp - create a CRL revoking a given cert
- */
-
-#include <stdlib.h>
-#include <strings.h>
-#include <stdio.h>
-#include <unistd.h>
-#include <Security/Security.h>
-#include <Security/SecAsn1Coder.h>
-#include <Security/SecAsn1Types.h>
-#include <Security/X509Templates.h>
-#include <Security/keyTemplates.h>
-#include <Security/SecKeyPriv.h>
-#include <Security/SecIdentityPriv.h>
-#include <utilLib/common.h>
-#include <security_cdsa_utils/cuFileIo.h>
-#include <clAppUtils/timeStr.h>
-
-#define THIS_UPDATE_DEF 0
-#define NEXT_UPDATE_DEF (60 * 60 * 24)
-#define REVOKE_TIME_DEF (60 * 60 * 12)
-
-static void usage(char **argv)
-{
- printf("usage: %s [requiredParams...] [options...]\n", argv[0]);
- printf("Required parameters:\n");
- printf(" -s subjectCert\n");
- printf(" -i issuerCert\n");
- printf(" -o outputFile\n");
- printf("Options:\n");
- printf(" -k keychain -- contains issuerCert identity; default is default KC list\n");
- printf(" -r revokeTime -- seconds after 'now' cert is revoked; default is %d\n",
- REVOKE_TIME_DEF);
- printf(" -t thisUpdate -- CRL thisUpdate, seconds after 'now'; default is %d\n",
- THIS_UPDATE_DEF);
- printf(" -n thisUpdate -- CRL nextUpdate, seconds after 'now'; default is %d\n",
- NEXT_UPDATE_DEF);
- /* etc. */
- exit(1);
-}
-
-/* seconds from now --> NSS_Time */
-/* caller must eventually free nssTime.item.Data */
-static void secondsToNssTime(
- int seconds,
- NSS_Time *nssTime)
-{
- char *revocationDate = genTimeAtNowPlus(seconds);
- nssTime->item.Data = (uint8 *)revocationDate;
- nssTime->item.Length = strlen(revocationDate);
- nssTime->tag = SEC_ASN1_GENERALIZED_TIME;
-}
-
-/* sign some data using a SecKeyRef */
-static OSStatus secSign(
- SecKeyRef signingKey,
- CSSM_ALGORITHMS sigAlg,
- const CSSM_DATA *ptext,
- CSSM_DATA *sig)
-{
- const CSSM_KEY *cssmKey;
- CSSM_CSP_HANDLE cspHand;
- const CSSM_ACCESS_CREDENTIALS *creds;
- CSSM_CC_HANDLE sigHand = 0;
- CSSM_RETURN crtn;
- OSStatus ortn;
-
- ortn = SecKeyGetCSSMKey(signingKey, &cssmKey);
- if(ortn) {
- cssmPerror("SecKeyGetCSSMKey", ortn);
- return ortn;
- }
- ortn = SecKeyGetCSPHandle(signingKey, &cspHand);
- if(ortn) {
- cssmPerror("SecKeyGetCSPHandle", ortn);
- return ortn;
- }
- ortn = SecKeyGetCredentials(signingKey,
- CSSM_ACL_AUTHORIZATION_SIGN,
- kSecCredentialTypeDefault,
- &creds);
- if(ortn) {
- cssmPerror("SecKeyGetCredentials", ortn);
- return ortn;
- }
- crtn = CSSM_CSP_CreateSignatureContext(cspHand,
- sigAlg,
- creds,
- cssmKey,
- &sigHand);
- if(crtn) {
- cssmPerror("CSSM_CSP_CreateSignatureContext", crtn);
- return crtn;
- }
- sig->Data = NULL;
- sig->Length = 0;
- crtn = CSSM_SignData(sigHand,
- ptext,
- 1,
- CSSM_ALGID_NONE, // digestAlg for raw sign
- sig);
- CSSM_DeleteContext(sigHand);
- return crtn;
-}
-
-/* basic "create and sign a CRL" routine - the CL is not capable of this */
-static int makeCrl(
- const unsigned char *subjectCert,
- unsigned subjectCertLen,
- SecKeyRef signingKey,
- int revokeTime, // revocation time, seconds from now (+/-)
- int crlThisUpdate, // CRL thisUpdate, seconds from now (+/-)
- int crlNextUpdate, // CRL nextUpdate, seconds from now (+/-)
- unsigned char **crlOut, // mallocd and returned
- unsigned *crlOutLen) // returned
-{
- SecAsn1CoderRef coder = NULL;
- OSStatus ortn;
- int ourRtn = -1;
- NSS_Certificate subject;
- NSS_RevokedCert revokedCert;
- NSS_TBSCrl tbsCrl;
- NSS_SignedCertOrCRL crl;
- CSSM_DATA encodedCrl = {0, NULL};
- uint8 nullEnc[2] = {5, 0};
- CSSM_DATA nullEncData = {2, nullEnc};
-
- ortn = SecAsn1CoderCreate(&coder);
- if(ortn) {
- cssmPerror("SecAsn1CoderCreate", ortn);
- goto errOut;
- }
-
- /* decode subject to get serial number and issuer */
- memset(&subject, 0, sizeof(subject));
- ortn = SecAsn1Decode(coder, subjectCert, subjectCertLen, kSecAsn1SignedCertTemplate,
- &subject);
- if(ortn) {
- cssmPerror("SecAsn1Decode(subjectCert)", ortn);
- goto errOut;
- }
-
- /* revoked cert entry - no extensions */
- revokedCert.userCertificate = subject.tbs.serialNumber;
- secondsToNssTime(revokeTime, &revokedCert.revocationDate);
- revokedCert.extensions = NULL;
-
- /* TBS CRL - assume RSA signing key for now */
- memset(&tbsCrl, 0, sizeof(tbsCrl));
- tbsCrl.signature.algorithm = CSSMOID_SHA1WithRSA;
- tbsCrl.signature.parameters = nullEncData;
- tbsCrl.issuer = subject.tbs.issuer;
- secondsToNssTime(crlThisUpdate, &tbsCrl.thisUpdate);
- secondsToNssTime(crlNextUpdate, &tbsCrl.nextUpdate);
- tbsCrl.revokedCerts = (NSS_RevokedCert **)(SecAsn1Malloc(coder, sizeof(void *) * 2));
- tbsCrl.revokedCerts[0] = &revokedCert;
- tbsCrl.revokedCerts[1] = NULL;
- tbsCrl.extensions = NULL;
-
- /* encode TBS */
- memset(&crl, 0, sizeof(crl));
- ortn = SecAsn1EncodeItem(coder, &tbsCrl, kSecAsn1TBSCrlTemplate, &crl.tbsBlob);
- if(ortn) {
- cssmPerror("SecAsn1EncodeItem(tbsCrl)", ortn);
- goto errOut;
- }
-
- /* encode top-level algid */
- ortn = SecAsn1EncodeItem(coder, &tbsCrl.signature,
- kSecAsn1AlgorithmIDTemplate, &crl.signatureAlgorithm);
- if(ortn) {
- cssmPerror("SecAsn1EncodeItem(signatureAlgorithm)", ortn);
- goto errOut;
- }
-
- /* sign TBS */
- ortn = secSign(signingKey, CSSM_ALGID_SHA1WithRSA, &crl.tbsBlob,
- &crl.signature);
- if(ortn) {
- goto errOut;
- }
-
- /* Encode result. Signature is bit string... */
- crl.signature.Length *= 8;
- ortn = SecAsn1EncodeItem(coder, &crl,
- kSecAsn1SignedCertOrCRLTemplate, &encodedCrl);
- if(ortn) {
- cssmPerror("SecAsn1EncodeItem(encodedCrl)", ortn);
- goto errOut;
- }
- *crlOut = (unsigned char *)malloc(encodedCrl.Length);
- *crlOut = (unsigned char *)encodedCrl.Data;
- *crlOutLen = encodedCrl.Length;
- ourRtn = 0;
-
-errOut:
- if(coder) {
- SecAsn1CoderRelease(coder);
- }
- if(revokedCert.revocationDate.item.Data) {
- CSSM_FREE(revokedCert.revocationDate.item.Data);
- }
- if(tbsCrl.thisUpdate.item.Data) {
- CSSM_FREE(tbsCrl.thisUpdate.item.Data);
- }
- if(revokedCert.revocationDate.item.Data) {
- CSSM_FREE(tbsCrl.nextUpdate.item.Data);
- }
- return ourRtn;
-}
-
-int main(int argc, char **argv)
-{
- char *subjectName = NULL;
- char *issuerName = NULL;
- char *outFileName = NULL;
- char *kcName = NULL;
- int revokeTime = REVOKE_TIME_DEF;
- int thisUpdate = THIS_UPDATE_DEF;
- int nextUpdate = NEXT_UPDATE_DEF;
-
- extern char *optarg;
- int arg;
- while ((arg = getopt(argc, argv, "s:i:o:k:r:t:n:h")) != -1) {
- switch (arg) {
- case 's':
- subjectName = optarg;
- break;
- case 'i':
- issuerName = optarg;
- break;
- case 'o':
- outFileName = optarg;
- break;
- case 'k':
- kcName = optarg;
- break;
- case 'r':
- revokeTime = atoi(optarg);
- break;
- case 't':
- thisUpdate = atoi(optarg);
- break;
- case 'n':
- nextUpdate = atoi(optarg);
- break;
- default:
- case 'h':
- usage(argv);
- }
- }
- if(optind != argc) {
- usage(argv);
- }
- if((subjectName == NULL) || (issuerName == NULL) || (outFileName == NULL)) {
- usage(argv);
- }
-
- /* get input files */
- unsigned char *subjectCert;
- unsigned subjectCertLen;
- unsigned char *issuerCert;
- unsigned issuerCertLen;
- if(readFile(subjectName, &subjectCert, &subjectCertLen)) {
- printf("***Error reading %s. \n", subjectName);
- exit(1);
- }
- if(readFile(issuerName, &issuerCert, &issuerCertLen)) {
- printf("***Error reading %s. \n", issuerName);
- exit(1);
- }
-
- /* get issuer identity and signing key */
- SecKeychainRef kcRef = NULL;
- OSStatus ortn;
- if(kcName) {
- ortn = SecKeychainOpen(kcName, &kcRef);
- if(ortn) {
- cssmPerror("SecKeychainOpen", ortn);
- exit(1);
- }
- }
- SecCertificateRef certRef = NULL;
- SecIdentityRef idRef = NULL;
- SecKeyRef signingKey = NULL;
- CSSM_DATA issuerCData = {issuerCertLen, (uint8 *)issuerCert};
- ortn = SecCertificateCreateFromData(&issuerCData,
- CSSM_CERT_X_509v3,
- CSSM_CERT_ENCODING_DER,
- &certRef);
- if(ortn) {
- cssmPerror("SecCertificateCreateFromData", ortn);
- exit(1);
- }
- ortn = SecIdentityCreateWithCertificate(kcRef, certRef, &idRef);
- if(ortn) {
- cssmPerror("SecIdentityCreateWithCertificate", ortn);
- exit(1);
- }
- ortn = SecIdentityCopyPrivateKey(idRef, &signingKey);
- if(ortn) {
- cssmPerror("SecIdentityCopyPrivateKey", ortn);
- exit(1);
- }
-
- /* create and sign the CRL */
- unsigned char *crlOut = NULL;
- unsigned crlOutLen = 0;
- if(makeCrl(subjectCert, subjectCertLen,
- signingKey,
- revokeTime, thisUpdate, nextUpdate,
- &crlOut, &crlOutLen)) {
- printf("***Error creating CRL. Aborting.\n");
- exit(1);
- }
-
- /* ==> outFile */
- if(writeFile(outFileName, crlOut, crlOutLen)) {
- printf("***Error writing CRL to %s\n", outFileName);
- }
- else {
- printf("...wrote %u bytes to %s.\n", crlOutLen, outFileName);
- }
- /* cleanup if you must */
-
- return 0;
-}
projects / apple / security.git / blobdiff