+++ /dev/null
-/*
- * secTime.cpp - measure performance of Sec* ops
- */
-
-#include <Security/Security.h>
-#include <security_cdsa_utils/cuFileIo.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/param.h>
-#include <CoreFoundation/CoreFoundation.h>
-#include <security_utilities/devrandom.h>
-#include <clAppUtils/certVerify.h>
-#include <clAppUtils/clutils.h>
-#include <utilLib/common.h>
-
-/*
- * Hard coded test params
- */
-
-/*
- * The keychain we open and search for certs.
- * MUST exist in ~/Library/Keychains.
- * YOU can create it with
- * % certtool c k=secTimeKc c p=secTimeKc Z
- */
-#define ST_KC_NAME "secTimeKc"
-
-/*
- * Certs to verify with SecTrust. We have a variety because the timing on
- * this test is highly dependent on the position of the verifying anchor
- * within the system anchors list. (This does not apply to Trust Settings).
- */
-typedef struct {
- const char *certFileName;
- const char *hostName;
-} CertToVerify;
-
-static const CertToVerify certsToVerify[] =
-{
- {
- /* issuer: Secure Server Certification Authority */
- "amazon_v3.100.cer",
- "www.amazon.com"
- },
- {
- /* issuer: Equifax Secure Certificate Authority */
- "firstamlink.cer",
- "www.firstamlink.com"
- },
-};
-
-#define NUM_ST_CERTS (sizeof(certsToVerify) / sizeof(certsToVerify[0]))
-
-/* explicit anchor for certsToVerify[0] */
-#define ST_ANCHOR_NAME "SecureServer.509.cer" /* verifies ST_CERT_HOST */
-
-/*
- * Cert chain for cgv3*()
- */
-#define THAWTE_LEAF "dmitchThawte.cer"
-#define THAWTE_CA "ThawteCA.cer"
-#define THAWTE_ROOT "ThawteRoot.cer"
-
-static void usage(char **argv)
-{
- printf("Usage: %s [option ...]\n", argv[0]);
- printf("Options:\n");
- printf(" t=testspec; default=all\n");
- printf(" test specs: o keychainOpen\n");
- printf(" s keychainSearch\n");
- printf(" e secTrustEvaluate\n");
- printf(" k SecKeychainCopySearchList\n");
- printf(" v TP CertGroupVerify, system anchor\n");
- printf(" V TP CertGroupVerify, explicit anchor\n");
- printf(" 3 TP CertGroupVerify, 3 certs w/anchor\n");
- printf(" l=loops (only valid if testspec is given)\n");
- exit(1);
-}
-
-static void printSecErr(
- const char *op,
- OSStatus ortn)
-{
- printf("%s returned %ld\n", op, (unsigned long)ortn);
-}
-
-/*
- * Struct passed around to test-specific functions.
- */
-typedef struct {
- const char *testName;
- void *testPriv;
-} TestParams;
-
-/*
- * Each subtest has three functions - init, run, cleanup, called out
- * from main().
- *
- * Init's job is one-time setup - open files, setup buffers, etc.
- * PErsistent state can be saved in TestParams->testPriv.
- */
-typedef OSStatus (*testInitFcn)(TestParams *testParams);
-
-/*
- * Run's job is to perform 1 iteration with as
- * little overhead as possible. Return the time spect actually
- * doing the deed in *timeSpent.
- */
-typedef OSStatus (*testRunFcn)(TestParams *testParams,
- unsigned loopNum,
- CFAbsoluteTime *timeSpent);
-
-/*
- * CLeanu up any resources allocd in init.
- */
-typedef OSStatus (*testCleanupFcn)(TestParams *testParams);
-
-/*
- * Static declaration of a test
- */
-typedef struct {
- const char *testName;
- unsigned loops;
- testInitFcn init;
- testRunFcn run;
- testCleanupFcn cleanup;
- char testSpec; // for t=xxx cmd line opt
-} TestDefs;
-
-#pragma mark ---- Individual tests ----
-
-#ifdef use_these_as_a_template
-
-static OSStatus xxxInit(
- TestParams *testParams)
-{
- return noErr;
-}
-
-static OSStatus xxRun(
- TestParams *testParams,
- unsigned loopNum,
- CFAbsoluteTime *timeSpent)
-{
- CFAbsoluteTime startTime = CFAbsoluteTimeGetCurrent();
- /* do the op here */
- *timeSpent = CFAbsoluteTimeGetCurrent() - startTime;
- return noErr;
-}
-
-static OSStatus xxxCleanup(
- TestParams *testParams)
-{
- return noErr;
-}
-#endif /* template */
-
-#pragma mark -- keychain open --
-
-static OSStatus kcOpenInit(
- TestParams *testParams)
-{
- return noErr;
-}
-
-static OSStatus kcOpenRun(
- TestParams *testParams,
- unsigned loopNum,
- CFAbsoluteTime *timeSpent)
-{
- SecKeychainRef kcRef;
- SecKeychainStatus status;
-
- CFAbsoluteTime startTime = CFAbsoluteTimeGetCurrent();
- OSStatus ortn = SecKeychainOpen(ST_KC_NAME, &kcRef);
- if(ortn) {
- printSecErr("SecKeychainOpen", ortn);
- return ortn;
- }
- ortn = SecKeychainGetStatus(kcRef, &status);
- if(ortn) {
- printSecErr("SecKeychainGetStatus", ortn);
- CFRelease(kcRef);
- if(errSecNoSuchKeychain == ortn) {
- printf("The keychain %s does not exist. Please create it"
- " and populate it like so:\n", ST_KC_NAME);
- printf(" certtool c k=%s c p=%s Z\n",
- ST_KC_NAME, ST_KC_NAME);
- }
- return ortn;
- }
- CFAbsoluteTime endTime = CFAbsoluteTimeGetCurrent();
- *timeSpent = endTime - startTime;
- CFRelease(kcRef);
- return noErr;
-}
-
-static OSStatus kcOpenCleanup(
- TestParams *testParams)
-{
- return noErr;
-}
-
-#pragma mark -- keychain lookup --
-
-/*
- * Private *testPriv is a kcRef.
- */
-static OSStatus kcSearchInit(
- TestParams *testParams)
-{
- SecKeychainRef kcRef;
- OSStatus ortn = SecKeychainOpen(ST_KC_NAME, &kcRef);
- if(ortn) {
- printSecErr("SecKeychainOpen", ortn);
- return ortn;
- }
- testParams->testPriv = (void *)kcRef;
- return noErr;
-}
-
-static OSStatus kcSearchRun(
- TestParams *testParams,
- unsigned loopNum,
- CFAbsoluteTime *timeSpent)
-{
- SecKeychainRef kcRef = (SecKeychainRef)testParams->testPriv;
- SecKeychainSearchRef srchRef = NULL;
- SecKeychainItemRef certRef = NULL;
- CFAbsoluteTime endTime;
- CFAbsoluteTime startTime = CFAbsoluteTimeGetCurrent();
-
- /* search for any cert */
- OSStatus ortn = SecKeychainSearchCreateFromAttributes(kcRef,
- kSecCertificateItemClass,
- NULL, // no attrs
- &srchRef);
- if(ortn) {
- printSecErr("SecKeychainSearchCreateFromAttributes", ortn);
- return ortn;
- }
- ortn = SecKeychainSearchCopyNext(srchRef, &certRef);
- if(ortn) {
- printSecErr("SecKeychainSearchCopyNext", ortn);
- goto done;
- }
- endTime = CFAbsoluteTimeGetCurrent();
- *timeSpent = endTime - startTime;
-done:
- if(srchRef) {
- CFRelease(srchRef);
- }
- if(certRef) {
- CFRelease(certRef);
- }
- return ortn;
-}
-
-
-static OSStatus kcSearchCleanup(
- TestParams *testParams)
-{
- SecKeychainRef kcRef = (SecKeychainRef)testParams->testPriv;
- CFRelease(kcRef);
- return noErr;
-}
-
-#pragma mark -- SecTrustEvaluate --
-
-/*
- * Priv data is an array of SecCertificateRef containing certs to evaluate.
- * Each run evaluates one of them.
- */
-static OSStatus secTrustInit(
- TestParams *testParams)
-{
- unsigned char *certData;
- unsigned certLen;
- CSSM_DATA cdata;
-
- SecCertificateRef *certRefs;
-
- certRefs = (SecCertificateRef *)malloc(
- sizeof(SecCertificateRef) * NUM_ST_CERTS);
-
- for(unsigned dex=0; dex<NUM_ST_CERTS; dex++) {
- if(readFile(certsToVerify[dex].certFileName, &certData, &certLen)) {
- printf("***Can not find cert file %s. Aborting.\n",
- certsToVerify[dex].certFileName);
- return -1;
- }
- cdata.Data = certData;
- cdata.Length = certLen;
- SecCertificateRef certRef;
- OSStatus ortn = SecCertificateCreateFromData(&cdata,
- CSSM_CERT_X_509v3,
- CSSM_CERT_ENCODING_DER,
- &certRef);
- if(ortn) {
- printSecErr("SecCertificateCreateFromData", ortn);
- return ortn;
- }
- free(certData); // mallocd by readFile()
- certRefs[dex] = certRef;
- }
- testParams->testPriv = certRefs;
- return noErr;
-}
-
-static OSStatus secTrustRun(
- TestParams *testParams,
- unsigned loopNum,
- CFAbsoluteTime *timeSpent)
-{
- unsigned whichDex = loopNum % NUM_ST_CERTS;
- SecCertificateRef *certRefs = (SecCertificateRef *)testParams->testPriv;
- SecCertificateRef certRef = certRefs[whichDex];
-
- /*
- * We measure the whole enchilada, that's what SecureTransport
- * has to do
- */
- CFAbsoluteTime startTime = CFAbsoluteTimeGetCurrent();
-
- CFMutableArrayRef certs;
- certs = CFArrayCreateMutable(NULL, 1, &kCFTypeArrayCallBacks);
- CFArrayInsertValueAtIndex(certs, 0, certRef);
-
- SecPolicyRef policy = NULL;
- SecPolicySearchRef policySearch = NULL;
-
- OSStatus ortn = SecPolicySearchCreate(CSSM_CERT_X_509v3,
- &CSSMOID_APPLE_TP_SSL,
- NULL, // policy opts
- &policySearch);
- if(ortn) {
- printSecErr("SecPolicySearchCreate", ortn);
- return ortn;
- }
-
- ortn = SecPolicySearchCopyNext(policySearch, &policy);
- if(ortn) {
- printSecErr("SecPolicySearchCopyNext", ortn);
- return ortn;
- }
- CFRelease(policySearch);
-
- SecTrustRef secTrust;
- ortn = SecTrustCreateWithCertificates(certs, policy, &secTrust);
- if(ortn) {
- printSecErr("SecTrustCreateWithCertificates", ortn);
- return ortn;
- }
- /* no action data for now */
-
- SecTrustResultType secTrustResult;
- ortn = SecTrustEvaluate(secTrust, &secTrustResult);
- if(ortn) {
- printSecErr("SecTrustEvaluate", ortn);
- return ortn;
- }
-
- CFRelease(certs);
- CFRelease(secTrust);
- CFRelease(policy);
-
- CFAbsoluteTime endTime = CFAbsoluteTimeGetCurrent();
- *timeSpent = endTime - startTime;
-
- return noErr;
-}
-
-static OSStatus secTrustCleanup(
- TestParams *testParams)
-{
- SecCertificateRef *certRefs = (SecCertificateRef*)testParams->testPriv;
- for(unsigned dex=0; dex<NUM_ST_CERTS; dex++) {
- CFRelease(certRefs[dex]);
- }
- free(certRefs);
- return noErr;
-}
-
-#pragma mark -- SecKeychainCopySearchList --
-
-static OSStatus kcCSLInit(
- TestParams *testParams)
-{
- return noErr;
-}
-
-static OSStatus kcCSLRun(
- TestParams *testParams,
- unsigned loopNum,
- CFAbsoluteTime *timeSpent)
-{
- CFArrayRef sl;
- CFAbsoluteTime startTime = CFAbsoluteTimeGetCurrent();
- OSStatus ortn = SecKeychainCopySearchList(&sl);
- if(ortn) {
- printSecErr("SecKeychainCopySearchList", ortn);
- return ortn;
- }
- CFRelease(sl);
- *timeSpent = CFAbsoluteTimeGetCurrent() - startTime;
- return noErr;
-}
-
-static OSStatus kcCSLCleanup(
- TestParams *testParams)
-{
- return noErr;
-}
-
-#pragma mark -- CSSM_TP_CertGroupVerify, system anchors --
-
-/* private data allocated in cgvInit */
-typedef struct {
- CSSM_TP_HANDLE tpHand;
- CSSM_CL_HANDLE clHand;
- CSSM_CSP_HANDLE cspHand;
- BlobList *certs[NUM_ST_CERTS];
- BlobList *anchors; /* cgvAnchor* only */
-} CgvParams;
-
-static OSStatus cgvInit(
- TestParams *testParams)
-{
- CgvParams *cgvParams = (CgvParams *)malloc(sizeof(CgvParams));
- memset(cgvParams, 0, sizeof(CgvParams));
- cgvParams->tpHand = tpStartup();
- cgvParams->clHand = clStartup();
- cgvParams->cspHand = cspStartup();
- for(unsigned dex=0; dex<NUM_ST_CERTS; dex++) {
- cgvParams->certs[dex] = new BlobList();
- cgvParams->certs[dex]->addFile(certsToVerify[dex].certFileName);
- }
- cgvParams->anchors = NULL;
- testParams->testPriv = cgvParams;
- return noErr;
-}
-
-static OSStatus cgvRun(
- TestParams *testParams,
- unsigned loopNum,
- CFAbsoluteTime *timeSpent)
-{
- CgvParams *cgvParams = (CgvParams *)testParams->testPriv;
- BlobList nullList;
- unsigned whichDex = loopNum % NUM_ST_CERTS;
- BlobList *certBlob = cgvParams->certs[whichDex];
-
- CFAbsoluteTime startTime = CFAbsoluteTimeGetCurrent();
- int rtn = certVerifySimple(
- cgvParams->tpHand,
- cgvParams->clHand,
- cgvParams->cspHand,
- *certBlob, // contains one cert, the subject
- nullList, // roots
- CSSM_TRUE, // useSystemAnchors
- CSSM_FALSE, // leafCertIsCa
- CSSM_FALSE, // allow expired root
- CVP_SSL,
- certsToVerify[whichDex].hostName,
- CSSM_FALSE, // sslClient
- NULL, // senderEmail
- 0, // key use
- NULL, // expected error str
- 0, // numCertErrors
- NULL,
- 0, // numCertStatus
- NULL,
- CSSM_FALSE, // trustSettings
- CSSM_TRUE, // quiet
- CSSM_FALSE); // verbose
- *timeSpent = CFAbsoluteTimeGetCurrent() - startTime;
- if(rtn) {
- printf("***certVerify error\n");
- return (OSStatus)rtn;
- }
- return noErr;
-}
-
-static OSStatus cgvCleanup(
- TestParams *testParams)
-{
- CgvParams *cgvParams = (CgvParams *)testParams->testPriv;
- CSSM_ModuleDetach(cgvParams->cspHand);
- CSSM_ModuleDetach(cgvParams->tpHand);
- CSSM_ModuleDetach(cgvParams->clHand);
- for(unsigned dex=0; dex<NUM_ST_CERTS; dex++) {
- delete cgvParams->certs[dex];
- }
- if(cgvParams->anchors) {
- delete(cgvParams->anchors);
- }
- free(cgvParams);
- return noErr;
-}
-
-#pragma mark -- CSSM_TP_CertGroupVerify, explicit anchors --
-
-static OSStatus cgvAnchorInit(
- TestParams *testParams)
-{
- CgvParams *cgvParams = (CgvParams *)malloc(sizeof(CgvParams));
- memset(cgvParams, 0, sizeof(CgvParams));
- cgvParams->tpHand = tpStartup();
- cgvParams->clHand = clStartup();
- cgvParams->cspHand = cspStartup();
- cgvParams->certs[0] = new BlobList();
- cgvParams->certs[0]->addFile(certsToVerify[0].certFileName);
- cgvParams->anchors = new BlobList();
- cgvParams->anchors->addFile(ST_ANCHOR_NAME);
- testParams->testPriv = cgvParams;
- return noErr;
-}
-
-static OSStatus cgvAnchorRun(
- TestParams *testParams,
- unsigned loopNum,
- CFAbsoluteTime *timeSpent)
-{
- CgvParams *cgvParams = (CgvParams *)testParams->testPriv;
- BlobList nullList;
-
- CertVerifyArgs vfyArgs;
- memset(&vfyArgs, 0, sizeof(vfyArgs));
- vfyArgs.version = CERT_VFY_ARGS_VERS;
-
- vfyArgs.tpHand = cgvParams->tpHand;
- vfyArgs.clHand = cgvParams->clHand;
- vfyArgs.cspHand = cgvParams->cspHand;
- vfyArgs.certs = cgvParams->certs[0];
- vfyArgs.roots = cgvParams->anchors;
- vfyArgs.allowUnverified = CSSM_TRUE;
- vfyArgs.vfyPolicy = CVP_SSL;
- vfyArgs.revokePolicy = CRP_None;
- vfyArgs.sslHost = certsToVerify[0].hostName;
- vfyArgs.revokePolicy = CRP_None;
- vfyArgs.quiet = CSSM_TRUE;
-
- CFAbsoluteTime startTime = CFAbsoluteTimeGetCurrent();
- int rtn = certVerify(&vfyArgs);
- *timeSpent = CFAbsoluteTimeGetCurrent() - startTime;
- if(rtn) {
- printf("***certVerify error\n");
- return (OSStatus)rtn;
- }
- return noErr;
-}
-
-/* cleanup - use cgvCleanup() */
-
-#pragma mark -- CSSM_TP_CertGroupVerify, 3 certs with anchor --
-
-static OSStatus cgv3Init(
- TestParams *testParams)
-{
- CgvParams *cgvParams = (CgvParams *)malloc(sizeof(CgvParams));
- memset(cgvParams, 0, sizeof(CgvParams));
- cgvParams->tpHand = tpStartup();
- cgvParams->clHand = clStartup();
- cgvParams->cspHand = cspStartup();
- cgvParams->certs[0] = new BlobList();
- cgvParams->certs[0]->addFile(THAWTE_LEAF);
- cgvParams->certs[0]->addFile(THAWTE_CA);
- cgvParams->certs[0]->addFile(THAWTE_ROOT);
- cgvParams->anchors = new BlobList();
- cgvParams->anchors->addFile(THAWTE_ROOT);
- testParams->testPriv = cgvParams;
- return noErr;
-}
-
-static OSStatus cgv3Run(
- TestParams *testParams,
- unsigned loopNum,
- CFAbsoluteTime *timeSpent)
-{
- CgvParams *cgvParams = (CgvParams *)testParams->testPriv;
- BlobList nullList;
-
- CertVerifyArgs vfyArgs;
- memset(&vfyArgs, 0, sizeof(vfyArgs));
- vfyArgs.version = CERT_VFY_ARGS_VERS;
-
- vfyArgs.tpHand = cgvParams->tpHand;
- vfyArgs.clHand = cgvParams->clHand;
- vfyArgs.cspHand = cgvParams->cspHand;
- vfyArgs.certs = cgvParams->certs[0]; /* that's three certs */
- vfyArgs.roots = cgvParams->anchors;
- vfyArgs.allowUnverified = CSSM_TRUE;
- vfyArgs.vfyPolicy = CVP_Basic;
- vfyArgs.revokePolicy = CRP_None;
- vfyArgs.sslHost = certsToVerify[0].hostName;
- vfyArgs.revokePolicy = CRP_None;
- vfyArgs.quiet = CSSM_TRUE;
-
- CFAbsoluteTime startTime = CFAbsoluteTimeGetCurrent();
- int rtn = certVerify(&vfyArgs);
- *timeSpent = CFAbsoluteTimeGetCurrent() - startTime;
- if(rtn) {
- printf("***certVerify error\n");
- return (OSStatus)rtn;
- }
- return noErr;
-}
-
-static OSStatus cgv3Cleanup(
- TestParams *testParams)
-{
- CgvParams *cgvParams = (CgvParams *)testParams->testPriv;
- CSSM_ModuleDetach(cgvParams->cspHand);
- CSSM_ModuleDetach(cgvParams->tpHand);
- CSSM_ModuleDetach(cgvParams->clHand);
- delete cgvParams->certs[0];
- delete(cgvParams->anchors);
- free(cgvParams);
- return noErr;
-}
-
-#pragma mark ---- Static array of all tests ----
-
-static TestDefs testDefs[] =
-{
- { "Keychain open",
- 100,
- kcOpenInit,
- kcOpenRun,
- kcOpenCleanup,
- 'o',
- },
- { "Keychain cert search",
- 100,
- kcSearchInit,
- kcSearchRun,
- kcSearchCleanup,
- 's',
- },
- { "SecTrustEvaluate",
- 100,
- secTrustInit,
- secTrustRun,
- secTrustCleanup,
- 'e',
- },
- { "TP CertGroupVerify, system anchors",
- 100,
- cgvInit,
- cgvRun,
- cgvCleanup,
- 'v',
- },
- { "TP CertGroupVerify, explicit anchor",
- 100,
- cgvAnchorInit,
- cgvAnchorRun,
- cgvCleanup,
- 'V',
- },
- { "TP CertGroupVerify, 3 certs with anchor",
- 100,
- cgv3Init,
- cgv3Run,
- cgv3Cleanup,
- '3',
- },
- { "SecKeychainCopySearchList",
- 100,
- kcCSLInit,
- kcCSLRun,
- kcCSLCleanup,
- 'k',
- },
-};
-
-#define NUM_TESTS (sizeof(testDefs) / sizeof(testDefs[0]))
-
-int main(int argc, char **argv)
-{
- TestParams testParams;
- TestDefs *testDef;
- OSStatus ortn;
- int arg;
- char *argp;
- unsigned cmdLoops = 0; // can be specified in cmd line
- // if not, use TestDefs.loops
- char testSpec = '\0'; // allows specification of one test
- // otherwise run all
-
- for(arg=1; arg<argc; arg++) {
- argp = argv[arg];
- switch(argp[0]) {
- case 't':
- testSpec = argp[2];
- break;
- case 'l':
- cmdLoops = atoi(&argp[2]);
- break;
- default:
- usage(argv);
- }
- }
-
- for(unsigned testNum=0; testNum<NUM_TESTS; testNum++) {
- testDef = &testDefs[testNum];
- unsigned loopCount;
-
- if(testSpec && (testDef->testSpec != testSpec)) {
- continue;
- }
- printf("%s:\n", testDef->testName);
- ortn = testDef->init(&testParams);
- if(ortn) {
- exit(1);
- }
- if(cmdLoops) {
- /* user specified */
- loopCount = cmdLoops;
- }
- else {
- /* default */
- loopCount = testDef->loops;
- }
- CFAbsoluteTime totalTime = 0;
- CFAbsoluteTime thisTime;
- for(unsigned loop=0; loop<loopCount; loop++) {
- ortn = testDef->run(&testParams, loop, &thisTime);
- if(ortn) {
- exit(1);
- }
- totalTime += thisTime;
- }
- testDef->cleanup(&testParams);
- printf(" %3.2f ms per op\n", (totalTime / loopCount) * 1000.0);
- }
- return 0;
-}
projects / apple / security.git / blobdiff