+++ /dev/null
-/*
- * p12Reencode - take a p12 PFX, decode and reencode
- */
-#include <Security/SecImportExport.h>\ 1
-#include <Security/Security.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <security_cdsa_utils/cuFileIo.h>
-#include <utilLib/common.h>
-
-static void usage(char **argv)
-{
- printf("Usage: %s pfx password keychain1 keychain2 [l=loops] [q(uiet)] "
- "[v(erbose)]\n", argv[0]);
- exit(1);
-}
-
-
-#define WRITE_BLOBS 0
-#if WRITE_BLOBS
-static void writeBlobs(CFDataRef pfx1, CFDataRef pfx2)
-{
- writeFile("pfx1.der", CFDataGetBytePtr(pfx1), CFDataGetLength(pfx1));
- writeFile("pfx2.der", CFDataGetBytePtr(pfx2), CFDataGetLength(pfx2));
- printf("...wrote %u bytes to pfx1.der, %u bytes to pfx2.der\n",
- CFDataGetLength(pfx1), CFDataGetLength(pfx2));
-}
-#else
-#define writeBlobs(p1, p2)
-#endif
-
-#if 0
-/* Not possible using import/export API */
-/* compare attrs, all of which are optional */
-static int compareAttrs(
- CFStringRef refFriendlyName,
- CFDataRef refLocalKeyId,
- CFStringRef testFriendlyName,
- CFDataRef testLocalKeyId,
- char *itemType,
- CSSM_BOOL quiet)
-{
- if(refFriendlyName == NULL) {
- if(testFriendlyName != NULL) {
- printf("****s refFriendlyName NULL, testFriendlyName "
- "non-NULL\n", itemType);
- return testError(quiet);
- }
- }
- else {
- CFComparisonResult res = CFStringCompare(refFriendlyName,
- testFriendlyName, 0);
- if(res != kCFCompareEqualTo) {
- printf("***%s friendlyName Miscompare\n", itemType);
- return testError(quiet);
- }
- }
-
- if(refLocalKeyId == NULL) {
- if(testLocalKeyId != NULL) {
- printf("****s refLocalKeyId NULL, testLocalKeyId "
- "non-NULL\n", itemType);
- return testError(quiet);
- }
- }
- else {
- if(compareCfData(refLocalKeyId, testLocalKeyId)) {
- printf("***%s localKeyId Miscompare\n", itemType);
- return testError(quiet);
- }
- }
-
- /* release the attrs */
- if(refFriendlyName) {
- CFRelease(refFriendlyName);
- }
- if(refLocalKeyId) {
- CFRelease(refLocalKeyId);
- }
- if(testFriendlyName) {
- CFRelease(testFriendlyName);
- }
- if(testLocalKeyId) {
- CFRelease(testLocalKeyId);
- }
- return 0;
-}
-#endif
-
-static void setUpKeyParams(
- SecKeyImportExportParameters &keyParams,
- CFStringRef pwd)
-{
- memset(&keyParams, 0, sizeof(keyParams));
- keyParams.version = SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION;
- keyParams.passphrase = pwd;
-}
-
-/*
- * Basic import/export: convert between CFArray of keychain items and a CFDataRef
- */
-static OSStatus p12Import(
- CFDataRef pfx,
- CFStringRef pwd,
- SecKeychainRef kcRef,
- CFArrayRef *outArray)
-{
- SecKeyImportExportParameters keyParams;
- setUpKeyParams(keyParams, pwd);
- OSStatus ortn;
- SecExternalFormat format = kSecFormatPKCS12;
-
- ortn = SecKeychainItemImport(pfx, NULL, &format, NULL, 0, &keyParams,
- kcRef, outArray);
- if(ortn) {
- cssmPerror("SecKeychainItemImport", ortn);
- }
- return ortn;
-}
-
-static OSStatus p12Export(
- CFArrayRef inArray,
- CFStringRef pwd,
- CFDataRef *pfx)
-{
- SecKeyImportExportParameters keyParams;
- setUpKeyParams(keyParams, pwd);
- OSStatus ortn;
-
- ortn = SecKeychainItemExport(inArray, kSecFormatPKCS12, 0, &keyParams, pfx);
- if(ortn) {
- cssmPerror("SecKeychainItemExport", ortn);
- }
- return ortn;
-}
-
-/*
- * Compare two CFArrayRefs containing various items, subsequent to decode. Returns
- * nonzero if they differ.
- *
- * As of April 9 2004, we do NOT see CRLs so we don't compare them. I think
- * we need a SecCRLRef...
- */
-static int compareDecodedArrays(
- CFArrayRef refArray,
- CFArrayRef testArray,
- CSSM_BOOL quiet)
-{
- OSStatus ortn;
- int ourRtn = 0;
-
- CFIndex numRefItems = CFArrayGetCount(refArray);
- CFIndex numTestItems = CFArrayGetCount(testArray);
- if(numRefItems != numTestItems) {
- printf("***item count mismatch: ref %ld test %ld\n",
- numRefItems, numTestItems);
- return 1;
- }
- for(CFIndex dex=0; dex<numRefItems; dex++) {
- CFTypeRef refItem = CFArrayGetValueAtIndex(refArray, dex);
- CFTypeRef testItem = CFArrayGetValueAtIndex(testArray, dex);
- CFTypeID theType = CFGetTypeID(refItem);
- if(theType != CFGetTypeID(testItem)) {
- printf("***item type mismatch: ref %ld test %ld\n",
- theType, CFGetTypeID(testItem));
- return 1;
- }
- if(theType == SecCertificateGetTypeID()) {
- /* cert: compare raw data */
- CSSM_DATA refData;
- CSSM_DATA testData;
- ortn = SecCertificateGetData((SecCertificateRef)refItem, &refData);
- if(ortn) {
- cssmPerror("SecCertificateGetData", ortn);
- return ++ourRtn;
- }
- ortn = SecCertificateGetData((SecCertificateRef)testItem, &testData);
- if(ortn) {
- cssmPerror("SecCertificateGetData", ortn);
- return ++ourRtn;
- }
- if(!appCompareCssmData(&refData, &testData)) {
- printf("***Data miscompare on cert %ld\n", dex);
- ourRtn = testError(quiet);
- if(ourRtn) {
- return ourRtn;
- }
- }
- }
- else if(theType == SecKeyGetTypeID()) {
- /* Keys - an inexact science to be sure since we don't attempt
- * to access the raw key material */
-
- const CSSM_KEY *refKey;
- ortn = SecKeyGetCSSMKey((SecKeyRef)refItem, &refKey);
- if(ortn) {
- cssmPerror("SecKeyGetCSSMKey", ortn);
- return ++ourRtn;
- }
- const CSSM_KEY *testKey;
- ortn = SecKeyGetCSSMKey((SecKeyRef)testItem, &testKey);
- if(ortn) {
- cssmPerror("SecPkcs12GetCssmPrivateKey", ortn);
- return ++ourRtn;
- }
-
- /* compare key sizes and algorithm */
- if(refKey->KeyHeader.LogicalKeySizeInBits !=
- testKey->KeyHeader.LogicalKeySizeInBits) {
- printf("***Key size miscompare on Key %ld\n", dex);
- ourRtn = testError(quiet);
- if(ourRtn) {
- return ourRtn;
- }
- }
- if(refKey->KeyHeader.AlgorithmId !=
- testKey->KeyHeader.AlgorithmId) {
- printf("***AlgorithmId miscompare on Key %ld\n", dex);
- ourRtn = testError(quiet);
- if(ourRtn) {
- return ourRtn;
- }
- }
- }
- else {
- /* this program may need work here. e.g. for SecCRLRefs */
- printf("***Unknown type ID (%ld)\n", theType);
- ourRtn++;
- }
- }
-
- return ourRtn;
-}
-
-int main(int argc, char **argv)
-{
- unsigned char *pfx;
- unsigned pfxLen;
- SecKeychainRef kcRef1 = nil; // reference, 1st import destination
- SecKeychainRef kcRef2 = nil; // subsequent import destination
-
- CSSM_BOOL quiet = CSSM_FALSE;
- unsigned loops = 10;
- bool verbose = false;
- bool doPause = false;
- char *kcName = NULL;
-
- int i;
-
- if(argc < 5) {
- usage(argv);
- }
-
- if(readFile(argv[1], &pfx, &pfxLen)) {
- printf("***Error reading PFX from %s. Aborting.\n", argv[1]);
- exit(1);
- }
- CFStringRef pwd = CFStringCreateWithCString(NULL, argv[2],
- kCFStringEncodingASCII);
- if(pwd == NULL) {
- printf("Bad password (%s)\n", argv[2]);
- exit(1);
- }
- kcName = argv[3];
- OSStatus ortn = SecKeychainOpen(kcName, &kcRef1);
- if(ortn) {
- cssmPerror("SecKeychainOpen", ortn);
- exit(1);
- }
- kcName = argv[4];
- ortn = SecKeychainOpen(kcName, &kcRef2);
- if(ortn) {
- cssmPerror("SecKeychainOpen", ortn);
- exit(1);
- }
-
- for(i=5; i<argc; i++) {
- char *arg = argv[i];
- switch(arg[0]) {
- case 'l':
- loops = atoi(&arg[2]);
- break;
- case 'q':
- quiet = CSSM_TRUE;
- break;
- case 'p':
- doPause = true;
- break;
- case 'v':
- verbose = true;
- break;
- default:
- usage(argv);
- }
- }
-
- /* do first decode to get the PFX into "our" form */
- CFArrayRef refArray;
- CFDataRef cfdPfx = CFDataCreate(NULL, pfx, pfxLen);
-
- if(verbose) {
- printf(" ...initial decode\n");
- }
- ortn = p12Import(cfdPfx, pwd, kcRef1, &refArray);
- if(ortn) {
- printf("Error on initial p12Import; aborting.\n");
- exit(1);
- }
-
- /* reencode. At this point the PFXs will not be identical since
- * everyone packages these up a little differently. */
- CFDataRef refPfx = NULL;
- if(verbose) {
- printf(" ...first reencode\n");
- }
- ortn = p12Export(refArray, pwd, &refPfx);
- if(ortn) {
- printf("Error on initial p12Export; aborting.\n");
- exit(1);
- }
- CFDataRef pfxToDecode = refPfx;
- CFRetain(pfxToDecode);
-
- for(unsigned loop=0; loop<loops; loop++) {
- if(!quiet) {
- printf("..loop %u\n", loop);
- }
- CFArrayRef testArray;
- if(verbose) {
- printf(" ...decode\n");
- }
- ortn = p12Import(pfxToDecode, pwd, kcRef2, &testArray);
- if(ortn) {
- return ortn;
- }
-
- /*
- * Compare that decode to our original
- */
- if(compareDecodedArrays(refArray, testArray, quiet)) {
- exit(1);
- }
-
- /* now reencode, should get blob with same length but different
- * data (because salt is random each time) */
- CFDataRef newPfx = NULL;
- if(verbose) {
- printf(" ...reencode\n");
- }
- ortn = p12Export(testArray, pwd, &newPfx);
- if(ortn) {
- exit(1);
- }
-
- if(CFDataGetLength(refPfx) != CFDataGetLength(newPfx)) {
- printf("***PFX length miscompare after reencode\n");
- writeBlobs(refPfx, newPfx);
- return 1;
- }
- if(!memcmp(CFDataGetBytePtr(refPfx), CFDataGetBytePtr(newPfx),
- CFDataGetLength(refPfx))) {
- printf("***Unexpected PFX data compare after reencode\n");
- writeBlobs(refPfx, newPfx);
- return 1;
- }
- CFRelease(pfxToDecode);
- pfxToDecode = newPfx;
- if(doPause) {
- fpurge(stdin);
- printf("Hit CR to continue: ");
- getchar();
- }
-
- /* delete everything we imported into kcRef2 */
- CFIndex numItems = CFArrayGetCount(testArray);
- for(CFIndex dex=0; dex<numItems; dex++) {
- SecKeychainItemRef itemRef =
- (SecKeychainItemRef)CFArrayGetValueAtIndex(refArray, dex);
- ortn = SecKeychainItemDelete(itemRef);
- if(ortn) {
- cssmPerror("SecKeychainItemDelete", ortn);
- /*
- * keep going, but if we're looping this will result in a dup
- * item error on the next import
- */
- }
- }
- CFRelease(testArray);
- }
- if(!quiet) {
- printf("...p12Reencode complete\n");
- }
- return ortn;
-}
-
projects / apple / security.git / blobdiff