+++ /dev/null
-/* Copyright (c) 2002-2004,2006,2008 Apple Inc.
- *
- * smimePolicy.cpp
- *
- * Test CSSMOID_APPLE_TP_SMIME and CSSMOID_APPLE_TP_ICHAT TP policies.
- *
- */
-
-#include <utilLib/common.h>
-#include <utilLib/cspwrap.h>
-#include <clAppUtils/clutils.h>
-#include <clAppUtils/certVerify.h>
-#include <clAppUtils/BlobList.h>
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <Security/cssm.h>
-#include <Security/x509defs.h>
-#include <Security/oidsattr.h>
-#include <Security/oidscert.h>
-#include <Security/oidsalg.h>
-#include <Security/certextensions.h>
-#include <Security/cssmapple.h>
-#include <security_cdsa_utils/cuPrintCert.h>
-#include <string.h>
-
-/* key labels */
-#define SUBJ_KEY_LABEL "subjectKey"
-#define ROOT_KEY_LABEL "rootKey"
-
-/* key and signature algorithm - shouldn't matter for this test */
-#define SIG_ALG_DEFAULT CSSM_ALGID_SHA1WithRSA
-#define SIG_OID_DEFAULT CSSMOID_SHA1WithRSA
-#define KEY_ALG_DEFAULT CSSM_ALGID_RSA
-
-#define KEY_SIZE_DEFAULT 512
-
-static void usage(char **argv)
-{
- printf("Usage: %s [options]\n", argv[0]);
- printf("Options:\n");
- printf(" p(rint leaf certs)\n");
- printf(" P(ause for MallocDebug)\n");
- printf(" q(uiet)\n");
- printf(" v(erbose)\n");
- exit(1);
-}
-
-/*
- * RDN components for root
- */
-CSSM_APPLE_TP_NAME_OID rootRdn[] =
-{
- { "Apple Computer", &CSSMOID_OrganizationName },
- { "The Big Cheese", &CSSMOID_Title }
-};
-#define NUM_ROOT_NAMES (sizeof(rootRdn) / sizeof(CSSM_APPLE_TP_NAME_OID))
-
-/*
- * Test cases
- */
-typedef struct {
- /* test description */
- const char *testDesc;
-
- /* policy: CVP_SMIME or CVP_iChat */
- CertVerifyPolicy policy;
-
- /* email addrs for leaf cert - zero, one, or two of these */
- const char *subjNameEmail; // CSSMOID_EmailAddress
- const char *subjAltNameEmail; // RFC822Name
- CSSM_BOOL subjAltNameCritical;
-
- /* common name portion of Subject Name, optional */
- const char *subjNameCommon;
-
- /* email addrs for CertGroupVerify */
- const char *vfyEmailAddrs;
-
- /* Key Usage - if zero, no KU extension */
- CE_KeyUsage certKeyUse;
- CSSM_BOOL keyUseCritical;
-
- /* key usage specified in CertGroupVerify */
- CE_KeyUsage vfyKeyUse;
-
- /* ExtendedKeyUSage OID - NULL means no EKU */
- const CSSM_OID *ekuOid;
-
- /* expected error - NULL or e.g. "CSSMERR_TP_VERIFY_ACTION_FAILED" */
- const char *expectErrStr;
-
- /* one optional per-cert error string */
- /* e.g., "0:CSSMERR_APPLETP_SMIME_BAD_KEY_USE" */
- const char *certErrorStr;
-
- /* addenda - at end so we don't have to update every existing test case.
- * For iChat, orgUnit and org fields in SubjectName.
- */
- const char *orgUnit;
- const char *orgName; /* nominally either Apple Computer, Inc. */
-
-} SP_TestCase;
-
-/*
- * upper case char in each component to make sure both ends get
- * normalized as appropriate
- */
-#define GOOD_EMAIL "Alice@Apple.com"
-#define BAD_EMAIL "bob@apple.com" /* always bad */
-#define CASE_EMAIL_GOOD "Alice@APPLE.com" /* always good */
-/*
- * iChat: good
- * SMIME, emailAddrs in subjAltName: bad
- * SMIME, emailAddrs in SUbjectName RDN: good
- */
-#define CASE_EMAIL_BAD "ALice@Apple.com"
-#define COMMON_NAME "Alice"
-
-/* for Apple-custom iChat name encoding */
-/* first the constant org field, case sensitive */
-#define ICHAT_ORG "Apple Computer, Inc." /* reference */
-#define ICHAT_ORG_CASE "APPLE Computer, Inc." /* should fail */
-#define ICHAT_ORG_BAD "Apple Computer, Inc"
-
-/* commonName = name, orgUnit = domain, case insensitive */
-#define ICHAT_NAME "Alice" /* commonName */
-#define ICHAT_DOMAIN "mac.com" /* orgUnit */
-#define ICHAT_HANDLE "Alice@mac.com" /* what we pass in */
-
-#define ICHAT_HANDLE_CASE1 "ALice@mac.com"
-#define ICHAT_HANDLE_CASE2 "Alice@mAc.com"
-#define ICHAT_NAME_CASE "ALice"
-#define ICHAT_DOMAIN_CASE "maC.com"
-#define ICHAT_NAME_BAD "Alice_"
-#define ICHAT_DOMAIN_BAD "mac.co"
-#define ICHAT_HANDLE_BAD1 "Alice@mac.co"
-#define ICHAT_HANDLE_BAD2 "Alicg@mac.com"
-#define ICHAT_HANDLE_BAD3 "Alicemac.com"
-#define ICHAT_HANDLE_BAD4 "Alice@mac@com"
-
-#define KEYUSE_NONE 0
-
-SP_TestCase testCases[] =
-{
- /* move these to end after we debug 'em */
- /* custom iChat name encoding */
- {
- "iChat custom",
- CVP_iChat,
- NULL, NULL, CSSM_FALSE, // no email address
- ICHAT_NAME, ICHAT_HANDLE,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- &CSSMOID_APPLE_EKU_ICHAT_SIGNING,
- NULL, NULL,
- ICHAT_DOMAIN, ICHAT_ORG
- },
- {
- "iChat custom",
- CVP_iChat,
- NULL, NULL, CSSM_FALSE, // no email address
- ICHAT_NAME, ICHAT_HANDLE,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- /* verify this EKU */
- &CSSMOID_APPLE_EKU_ICHAT_ENCRYPTION,
- NULL, NULL,
- ICHAT_DOMAIN, ICHAT_ORG
- },
- {
- "iChat custom",
- CVP_iChat,
- NULL, NULL, CSSM_FALSE, // no email address
- ICHAT_NAME, ICHAT_HANDLE,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- /* verify this EKU */
- &CSSMOID_ExtendedKeyUsageAny,
- NULL, NULL,
- ICHAT_DOMAIN, ICHAT_ORG
- },
- {
- "iChat custom, alt case in name",
- CVP_iChat,
- NULL, NULL, CSSM_FALSE, // no email address
- ICHAT_NAME_CASE, ICHAT_HANDLE,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- &CSSMOID_APPLE_EKU_ICHAT_ENCRYPTION,
- NULL, NULL,
- ICHAT_DOMAIN, ICHAT_ORG
- },
- {
- "iChat custom, alt case in domain",
- CVP_iChat,
- NULL, NULL, CSSM_FALSE, // no email address
- ICHAT_NAME, ICHAT_HANDLE,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- &CSSMOID_APPLE_EKU_ICHAT_SIGNING,
- NULL, NULL,
- ICHAT_DOMAIN_CASE, ICHAT_ORG
- },
- {
- "iChat custom, alt case in org, expect fail",
- CVP_iChat,
- NULL, NULL, CSSM_FALSE, // no email address
- ICHAT_NAME, ICHAT_HANDLE,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- &CSSMOID_APPLE_EKU_ICHAT_ENCRYPTION,
- "CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS",
- "0:CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS",
- ICHAT_DOMAIN, ICHAT_ORG_CASE
- },
- {
- "iChat custom, bad name",
- CVP_iChat,
- NULL, NULL, CSSM_FALSE, // no email address
- ICHAT_NAME_BAD, ICHAT_HANDLE,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- &CSSMOID_APPLE_EKU_ICHAT_SIGNING,
- "CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS",
- "0:CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS",
- ICHAT_DOMAIN, ICHAT_ORG
- },
- {
- "iChat custom, bad name",
- CVP_iChat,
- NULL, NULL, CSSM_FALSE, // no email address
- ICHAT_NAME_BAD, ICHAT_HANDLE,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- &CSSMOID_APPLE_EKU_ICHAT_ENCRYPTION,
- "CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS",
- "0:CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS",
- ICHAT_DOMAIN, ICHAT_ORG
- },
- {
- "iChat custom, bad domain",
- CVP_iChat,
- NULL, NULL, CSSM_FALSE, // no email address
- ICHAT_NAME, ICHAT_HANDLE,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- &CSSMOID_ExtendedKeyUsageAny,
- "CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS",
- "0:CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS",
- ICHAT_DOMAIN_BAD, ICHAT_ORG
- },
- {
- "iChat custom, bad org",
- CVP_iChat,
- NULL, NULL, CSSM_FALSE, // no email address
- ICHAT_NAME, ICHAT_HANDLE,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- &CSSMOID_APPLE_EKU_ICHAT_ENCRYPTION,
- "CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS",
- "0:CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS",
- ICHAT_DOMAIN, ICHAT_ORG_BAD
- },
- {
- "iChat custom, bad handle (short)",
- CVP_iChat,
- NULL, NULL, CSSM_FALSE, // no email address
- ICHAT_NAME, ICHAT_HANDLE_BAD1,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- &CSSMOID_APPLE_EKU_ICHAT_ENCRYPTION,
- "CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS",
- "0:CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS",
- ICHAT_DOMAIN, ICHAT_ORG
- },
- {
- "iChat custom, bad handle (bad name component)",
- CVP_iChat,
- NULL, NULL, CSSM_FALSE, // no email address
- ICHAT_NAME, ICHAT_HANDLE_BAD2,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- &CSSMOID_APPLE_EKU_ICHAT_ENCRYPTION,
- "CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS",
- "0:CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS",
- ICHAT_DOMAIN, ICHAT_ORG
- },
- {
- "iChat custom, bad handle (no @)",
- CVP_iChat,
- NULL, NULL, CSSM_FALSE, // no email address
- ICHAT_NAME, ICHAT_HANDLE_BAD3,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- &CSSMOID_APPLE_EKU_ICHAT_ENCRYPTION,
- "CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS",
- "0:CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS",
- ICHAT_DOMAIN, ICHAT_ORG
- },
- {
- "iChat custom, bad handle (two @s)",
- CVP_iChat,
- NULL, NULL, CSSM_FALSE, // no email address
- ICHAT_NAME, ICHAT_HANDLE_BAD4,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- &CSSMOID_APPLE_EKU_ICHAT_ENCRYPTION,
- "CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS",
- "0:CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS",
- ICHAT_DOMAIN, ICHAT_ORG
- },
- {
- "iChat custom, no EKU",
- CVP_iChat,
- NULL, NULL, CSSM_FALSE, // no email address
- ICHAT_NAME, ICHAT_HANDLE,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- NULL,
- "CSSMERR_APPLETP_SMIME_BAD_EXT_KEY_USE",
- "0:CSSMERR_APPLETP_SMIME_BAD_EXT_KEY_USE",
- ICHAT_DOMAIN, ICHAT_ORG
- },
- {
- "iChat custom, bad EKU",
- CVP_iChat,
- NULL, NULL, CSSM_FALSE, // no email address
- ICHAT_NAME, ICHAT_HANDLE,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- &CSSMOID_TimeStamping,
- "CSSMERR_APPLETP_SMIME_BAD_EXT_KEY_USE",
- "0:CSSMERR_APPLETP_SMIME_BAD_EXT_KEY_USE",
- ICHAT_DOMAIN, ICHAT_ORG
- },
-
- /* end of move to end */
- {
- "Email addrs in subjAltName, S/MIME",
- CVP_SMIME,
- NULL, GOOD_EMAIL, CSSM_FALSE,
- COMMON_NAME, GOOD_EMAIL,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- NULL, // ekuOid
- NULL, NULL
- },
- {
- "Email addrs in subjAltName, iChat",
- CVP_iChat,
- NULL, GOOD_EMAIL, CSSM_FALSE,
- COMMON_NAME, GOOD_EMAIL,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- &CSSMOID_EmailProtection,
- NULL, NULL
- },
- {
- "Email addrs in subject name, S/MIME",
- CVP_SMIME,
- GOOD_EMAIL, NULL, CSSM_FALSE,
- COMMON_NAME, GOOD_EMAIL,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- NULL,
- NULL, NULL
- },
- {
- "Email addrs in subject name, iChat",
- CVP_iChat,
- GOOD_EMAIL, NULL, CSSM_FALSE,
- COMMON_NAME, GOOD_EMAIL,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- &CSSMOID_EmailProtection,
- NULL, NULL
- },
- {
- /*
- * The spec (RFC 2632) says that if there is no email address
- * in the cert at all, then the TP doesn't have to
- * enforce a match. So this one works, since we're not
- * putting any email addresses in the cert.
- */
- "No Email addrs, S/MIME",
- CVP_SMIME,
- NULL, NULL, CSSM_FALSE,
- COMMON_NAME, GOOD_EMAIL,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- NULL,
- NULL, NULL
- },
- {
- /*
- * For iChat the same scenario fails; it requires an email address in
- * the cert if we pass one in.
- */
- "No Email addrs, iChat",
- CVP_iChat,
- NULL, NULL, CSSM_FALSE,
- COMMON_NAME, GOOD_EMAIL,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- &CSSMOID_EmailProtection,
- "CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS",
- "0:CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS"
- },
- {
- "Wrong email addrs in SubjectName, S/MIME",
- CVP_SMIME,
- BAD_EMAIL, NULL, CSSM_FALSE,
- COMMON_NAME, GOOD_EMAIL,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- NULL,
- "CSSMERR_APPLETP_SMIME_EMAIL_ADDRS_NOT_FOUND",
- "0:CSSMERR_APPLETP_SMIME_EMAIL_ADDRS_NOT_FOUND"
- },
- {
- "Wrong email addrs in SubjectName, iChat",
- CVP_iChat,
- BAD_EMAIL, NULL, CSSM_FALSE,
- COMMON_NAME, GOOD_EMAIL,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- &CSSMOID_EmailProtection,
- "CSSMERR_APPLETP_SMIME_EMAIL_ADDRS_NOT_FOUND",
- "0:CSSMERR_APPLETP_SMIME_EMAIL_ADDRS_NOT_FOUND"
- },
- {
- "Wrong email addrs in SubjectAltName, S/MIME",
- CVP_SMIME,
- NULL, BAD_EMAIL, CSSM_FALSE,
- COMMON_NAME, GOOD_EMAIL,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- NULL,
- "CSSMERR_APPLETP_SMIME_EMAIL_ADDRS_NOT_FOUND",
- "0:CSSMERR_APPLETP_SMIME_EMAIL_ADDRS_NOT_FOUND"
- },
- {
- "Wrong email addrs in SubjectAltName, iChat",
- CVP_iChat,
- NULL, BAD_EMAIL, CSSM_FALSE,
- COMMON_NAME, GOOD_EMAIL,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- &CSSMOID_EmailProtection,
- "CSSMERR_APPLETP_SMIME_EMAIL_ADDRS_NOT_FOUND",
- "0:CSSMERR_APPLETP_SMIME_EMAIL_ADDRS_NOT_FOUND"
- },
-
- /*
- * The presence of an incorrect email address is not supposed
- * be an error as long as the right one is in there somewhere.
- */
- {
- "Wrong addrs in subj name, correct in subjAltName, S/MIME",
- CVP_SMIME,
- BAD_EMAIL, GOOD_EMAIL, CSSM_FALSE,
- COMMON_NAME, GOOD_EMAIL,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- NULL,
- NULL, NULL
- },
- {
- "Wrong addrs in subj name, correct in subjAltName, iChat",
- CVP_iChat,
- BAD_EMAIL, GOOD_EMAIL, CSSM_FALSE,
- COMMON_NAME, GOOD_EMAIL,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- &CSSMOID_EmailProtection,
- NULL, NULL
- },
- {
- "Wrong addrs in subjAltname, correct in subjName, S/MIME",
- CVP_SMIME,
- GOOD_EMAIL, BAD_EMAIL, CSSM_FALSE,
- COMMON_NAME, GOOD_EMAIL,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- NULL,
- NULL, NULL
- },
- {
- "Wrong addrs in subjAltname, correct in subjName, iChat",
- CVP_iChat,
- GOOD_EMAIL, BAD_EMAIL, CSSM_FALSE,
- COMMON_NAME, GOOD_EMAIL,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- &CSSMOID_EmailProtection,
- NULL, NULL
- },
- /* empty subject name processing - S/MIME only*/
- {
- "Empty subj name, correct subjAltName, no search",
- CVP_SMIME,
- NULL, GOOD_EMAIL, CSSM_TRUE,
- NULL, NULL,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- NULL,
- NULL, NULL
- },
- {
- "Empty subj name, correct subjAltName, good search",
- CVP_SMIME,
- NULL, GOOD_EMAIL, CSSM_TRUE,
- NULL, GOOD_EMAIL,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- NULL,
- NULL, NULL
- },
- {
- "Empty subj name, correct subjAltName, not critical, no search",
- CVP_SMIME,
- NULL, GOOD_EMAIL, CSSM_FALSE,
- NULL, NULL,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- NULL,
- "CSSMERR_TP_VERIFY_ACTION_FAILED",
- "0:CSSMERR_APPLETP_SMIME_SUBJ_ALT_NAME_NOT_CRIT"
- },
- {
- "Empty subj name, correct subjAltName, not critical, good search",
- CVP_SMIME,
- NULL, GOOD_EMAIL, CSSM_FALSE,
- NULL, GOOD_EMAIL,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- NULL,
- "CSSMERR_TP_VERIFY_ACTION_FAILED",
- "0:CSSMERR_APPLETP_SMIME_SUBJ_ALT_NAME_NOT_CRIT"
- },
- {
- "Empty subj name, empty subjAltName, no search",
- CVP_SMIME,
- NULL, NULL, CSSM_FALSE,
- NULL, NULL,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- NULL,
- "CSSMERR_TP_VERIFY_ACTION_FAILED",
- "0:CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS"
- },
-
- /* case sensitivity handling */
- {
- "Different case domain in subjAltName, S/MIME",
- CVP_SMIME,
- NULL, CASE_EMAIL_GOOD, CSSM_FALSE,
- COMMON_NAME, GOOD_EMAIL,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- NULL, // ekuOid
- NULL, NULL
- },
- {
- "Different case domain in subjAltName, iChat",
- CVP_iChat,
- NULL, CASE_EMAIL_GOOD, CSSM_FALSE,
- COMMON_NAME, GOOD_EMAIL,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- &CSSMOID_EmailProtection,
- NULL, NULL
- },
- {
- "Different case domain in subjectName, S/MIME",
- CVP_SMIME,
- CASE_EMAIL_GOOD, NULL, CSSM_FALSE,
- COMMON_NAME, GOOD_EMAIL,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- NULL,
- NULL, NULL
- },
- {
- "Different case domain in subjectName, iChat",
- CVP_iChat,
- CASE_EMAIL_GOOD, NULL, CSSM_FALSE,
- COMMON_NAME, GOOD_EMAIL,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- &CSSMOID_EmailProtection,
- NULL, NULL
- },
- /*
- * local-part:
- * SMIME, emailAddrs in SubjectName - case insensitive
- * SMIME, emailAddrs in SubjectAltName - case sensitive
- * iChat, anywhere - case insensitive
- */
- {
- /* the only time local-part is case sensitive */
- "Different case local-part in subjAltName, SMIME",
- CVP_SMIME,
- NULL, CASE_EMAIL_BAD, CSSM_FALSE,
- COMMON_NAME, GOOD_EMAIL,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- NULL,
- "CSSMERR_APPLETP_SMIME_EMAIL_ADDRS_NOT_FOUND",
- "0:CSSMERR_APPLETP_SMIME_EMAIL_ADDRS_NOT_FOUND"
- },
- {
- "Different case local-part in subjAltName, iChat",
- CVP_iChat,
- NULL, CASE_EMAIL_BAD, CSSM_FALSE,
- COMMON_NAME, GOOD_EMAIL,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- &CSSMOID_EmailProtection,
- NULL, NULL
- },
- {
- "Different case local-part in SubjectName, S/MIME",
- CVP_SMIME,
- CASE_EMAIL_BAD, NULL, CSSM_FALSE,
- COMMON_NAME, GOOD_EMAIL,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- NULL,
- NULL, NULL
- },
- {
- "Different case local-part in SubjectName, iChat",
- CVP_iChat,
- CASE_EMAIL_BAD, NULL, CSSM_FALSE,
- COMMON_NAME, GOOD_EMAIL,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- &CSSMOID_EmailProtection,
- NULL, NULL
- },
- {
- /* just to test a corner case of tpNormalizeAddrSpec */
- "local-part missing @ in SubjectName",
- CVP_SMIME,
- "alice_apple.com", NULL, CSSM_FALSE,
- COMMON_NAME, GOOD_EMAIL,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- NULL,
- "CSSMERR_APPLETP_SMIME_EMAIL_ADDRS_NOT_FOUND",
- "0:CSSMERR_APPLETP_SMIME_EMAIL_ADDRS_NOT_FOUND"
- },
-
- /***
- *** Key Usage testing
- ***
- *** All leaf certs have good email addrs in subjectAltName
- ***/
- {
- "Key Usage good 1",
- CVP_SMIME,
- NULL, GOOD_EMAIL, CSSM_FALSE,
- COMMON_NAME, GOOD_EMAIL,
- CE_KU_DigitalSignature, CSSM_TRUE, CE_KU_DigitalSignature,
- NULL,
- NULL, NULL
- },
- {
- "Key Usage good 2",
- CVP_SMIME,
- NULL, GOOD_EMAIL, CSSM_FALSE,
- COMMON_NAME, GOOD_EMAIL,
- CE_KU_DigitalSignature | CE_KU_NonRepudiation, CSSM_TRUE,
- CE_KU_DigitalSignature,
- NULL,
- NULL, NULL
- },
- {
- "KeyUsage in cert but not verified",
- CVP_SMIME,
- NULL, GOOD_EMAIL, CSSM_FALSE,
- COMMON_NAME, GOOD_EMAIL,
- CE_KU_DigitalSignature | CE_KU_NonRepudiation, CSSM_TRUE,
- KEYUSE_NONE, // no use specified
- NULL,
- NULL, NULL
- },
- {
- "Key Usage bad 1",
- CVP_SMIME,
- NULL, GOOD_EMAIL, CSSM_FALSE,
- COMMON_NAME, GOOD_EMAIL,
- CE_KU_DigitalSignature, CSSM_TRUE, CE_KU_NonRepudiation,
- NULL,
- "CSSMERR_TP_VERIFY_ACTION_FAILED",
- "0:CSSMERR_APPLETP_SMIME_BAD_KEY_USE"
- },
- {
- "Key Usage bad 2",
- CVP_SMIME,
- NULL, GOOD_EMAIL, CSSM_FALSE,
- COMMON_NAME, GOOD_EMAIL,
- CE_KU_DigitalSignature | CE_KU_NonRepudiation, CSSM_TRUE,
- CE_KU_CRLSign,
- NULL,
- "CSSMERR_TP_VERIFY_ACTION_FAILED",
- "0:CSSMERR_APPLETP_SMIME_BAD_KEY_USE"
- },
- #if 0
- /* obsolete per radar 3523221 */
- {
- "Key Usage not critical",
- NULL, GOOD_EMAIL, CSSM_FALSE,
- COMMON_NAME, GOOD_EMAIL,
- CE_KU_DigitalSignature, CSSM_FALSE, CE_KU_DigitalSignature,
- NULL,
- "CSSMERR_TP_VERIFY_ACTION_FAILED",
- "0:CSSMERR_APPLETP_SMIME_KEYUSAGE_NOT_CRITICAL"
- },
- #endif
- /*
- * The tricky ones involving KeyAgreement
- */
- {
- "Key Usage KeyAgreement good 1",
- CVP_SMIME,
- NULL, GOOD_EMAIL, CSSM_FALSE,
- COMMON_NAME, GOOD_EMAIL,
- CE_KU_KeyAgreement | CE_KU_EncipherOnly, CSSM_TRUE,
- CE_KU_KeyAgreement | CE_KU_EncipherOnly,
- NULL,
- NULL, NULL
- },
- {
- "Key Usage KeyAgreement good 2",
- CVP_SMIME,
- NULL, GOOD_EMAIL, CSSM_FALSE,
- COMMON_NAME, GOOD_EMAIL,
- CE_KU_KeyAgreement | CE_KU_DecipherOnly, CSSM_TRUE,
- CE_KU_KeyAgreement | CE_KU_DecipherOnly,
- NULL,
- NULL, NULL
- },
- {
- "Key Usage KeyAgreement no {En,De}CipherOnly",
- CVP_SMIME,
- NULL, GOOD_EMAIL, CSSM_FALSE,
- COMMON_NAME, GOOD_EMAIL,
- CE_KU_KeyAgreement | CE_KU_DecipherOnly, CSSM_TRUE,
- CE_KU_KeyAgreement,
- NULL,
- "CSSMERR_TP_VERIFY_ACTION_FAILED",
- "0:CSSMERR_APPLETP_SMIME_BAD_KEY_USE"
- },
- {
- "Key Usage KeyAgreement bad EncipherOnly",
- CVP_SMIME,
- NULL, GOOD_EMAIL, CSSM_FALSE,
- COMMON_NAME, GOOD_EMAIL,
- CE_KU_KeyAgreement | CE_KU_DecipherOnly, CSSM_TRUE,
- CE_KU_KeyAgreement | CE_KU_EncipherOnly,
- NULL,
- "CSSMERR_TP_VERIFY_ACTION_FAILED",
- "0:CSSMERR_APPLETP_SMIME_BAD_KEY_USE"
- },
- {
- "Key Usage KeyAgreement bad DecipherOnly",
- CVP_SMIME,
- NULL, GOOD_EMAIL, CSSM_FALSE,
- COMMON_NAME, GOOD_EMAIL,
- CE_KU_KeyAgreement | CE_KU_EncipherOnly, CSSM_TRUE,
- CE_KU_KeyAgreement | CE_KU_DecipherOnly,
- NULL,
- "CSSMERR_TP_VERIFY_ACTION_FAILED",
- "0:CSSMERR_APPLETP_SMIME_BAD_KEY_USE"
- },
-
- /* Extended Key Usage tests */
- {
- "Extended Key Usage EmailProtection, S/MIME",
- CVP_SMIME,
- NULL, GOOD_EMAIL, CSSM_FALSE,
- COMMON_NAME, GOOD_EMAIL,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- &CSSMOID_EmailProtection,
- NULL, NULL
- },
- {
- "Extended Key Usage EmailProtection, iChat",
- CVP_iChat,
- NULL, GOOD_EMAIL, CSSM_FALSE,
- COMMON_NAME, GOOD_EMAIL,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- &CSSMOID_EmailProtection,
- NULL, NULL
- },
- {
- "Extended Key Usage ExtendedKeyUsageAny, S/MIME",
- CVP_SMIME,
- NULL, GOOD_EMAIL, CSSM_FALSE,
- COMMON_NAME, GOOD_EMAIL,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- &CSSMOID_ExtendedKeyUsageAny,
- NULL, NULL
- },
- {
- "Extended Key Usage ExtendedKeyUsageAny, iChat",
- CVP_iChat,
- NULL, GOOD_EMAIL, CSSM_FALSE,
- COMMON_NAME, GOOD_EMAIL,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- &CSSMOID_ExtendedKeyUsageAny,
- NULL, NULL
- },
- {
- "Extended Key Usage TimeStamping (bad), S/MIME",
- CVP_SMIME,
- NULL, GOOD_EMAIL, CSSM_FALSE,
- COMMON_NAME, GOOD_EMAIL,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- &CSSMOID_TimeStamping,
- "CSSMERR_APPLETP_SMIME_BAD_EXT_KEY_USE",
- "0:CSSMERR_APPLETP_SMIME_BAD_EXT_KEY_USE"
- },
- {
- "Extended Key Usage TimeStamping (bad), iChat",
- CVP_iChat,
- NULL, GOOD_EMAIL, CSSM_FALSE,
- COMMON_NAME, GOOD_EMAIL,
- KEYUSE_NONE, CSSM_FALSE, KEYUSE_NONE,
- &CSSMOID_TimeStamping,
- "CSSMERR_APPLETP_SMIME_BAD_EXT_KEY_USE",
- "0:CSSMERR_APPLETP_SMIME_BAD_EXT_KEY_USE"
- },
- {
- "iChat custom, missing ICHAT_SIGNING EKU",
- CVP_iChat,
- NULL, NULL, CSSM_FALSE, // no email address
- ICHAT_NAME, ICHAT_HANDLE,
- CE_KU_DigitalSignature, CSSM_TRUE, CE_KU_DigitalSignature,
- NULL, // requires &CSSMOID_APPLE_EKU_ICHAT_SIGNING,
- "CSSMERR_APPLETP_SMIME_BAD_EXT_KEY_USE",
- "0:CSSMERR_APPLETP_SMIME_BAD_EXT_KEY_USE",
- ICHAT_DOMAIN, ICHAT_ORG
- },
- {
- "iChat custom, missing ICHAT_ENCRYPTION EKU",
- CVP_iChat,
- NULL, NULL, CSSM_FALSE, // no email address
- ICHAT_NAME, ICHAT_HANDLE,
- CE_KU_DataEncipherment, CSSM_TRUE, CE_KU_DataEncipherment,
- NULL, // requires &CSSMOID_APPLE_EKU_ICHAT_ENCRYPTION,
- "CSSMERR_APPLETP_SMIME_BAD_EXT_KEY_USE",
- "0:CSSMERR_APPLETP_SMIME_BAD_EXT_KEY_USE",
- ICHAT_DOMAIN, ICHAT_ORG
- },
-};
-
-#define NUM_TEST_CASES (sizeof(testCases) / sizeof(SP_TestCase))
-
-/*
- * Generate a pair of certs. Root is standard, we never mess with
- * it.
- */
-static CSSM_RETURN genCerts(
- CSSM_CL_HANDLE clHand,
- CSSM_CSP_HANDLE cspHand,
- CSSM_TP_HANDLE tpHand,
- CSSM_KEY_PTR rootPrivKey,
- CSSM_KEY_PTR rootPubKey,
- CSSM_KEY_PTR subjPubKey,
-
- /* all five SubjectName components are optional */
- const char *subjNameEmail, // CSSMOID_EmailAddress
- const char *subjAltNameEmail, // RFC822Name
- const char *subjNameCommon,
- CSSM_BOOL subjAltNameCritical,
- const char *subjOrgUnit,
- const char *subjOrgName,
-
- /* Key Usage - if zero, no KU extension */
- CE_KeyUsage certKeyUse,
- CSSM_BOOL keyUseCritical,
-
- /* ExtendedKeyUSage OID - if NULL, no EKU extension */
- const CSSM_OID *ekuOid,
-
- CSSM_DATA &rootCert, // RETURNED
- CSSM_DATA &subjCert) // RETURNED
-
-{
- CSSM_DATA refId;
- // mallocd by CSSM_TP_SubmitCredRequest
- CSSM_RETURN crtn;
- CSSM_APPLE_TP_CERT_REQUEST certReq;
- CSSM_TP_REQUEST_SET reqSet;
- sint32 estTime;
- CSSM_BOOL confirmRequired;
- CSSM_TP_RESULT_SET_PTR resultSet;
- CSSM_ENCODED_CERT *encCert;
- CSSM_TP_CALLERAUTH_CONTEXT CallerAuthContext;
- CSSM_FIELD policyId;
- CE_GeneralNames genNames;
- CE_GeneralName genName;
- CE_ExtendedKeyUsage extendedKeyUse;
-
- /*
- * Subject has zero, one, two, or three extensions (KeyUsage,
- * subjectAltName, extendedKeyUsage); root has two: KeyUsage and
- * BasicConstraints.
- */
- CE_DataAndType rootExts[2];
- CE_DataAndType leafExts[3];
- unsigned numLeafExts = 0;
-
- /*
- * root extensions
- * 1. KeyUSage
- */
- rootExts[0].type = DT_KeyUsage;
- rootExts[0].critical = CSSM_TRUE;
- rootExts[0].extension.keyUsage =
- CE_KU_DigitalSignature | CE_KU_KeyCertSign;
-
- /*
- * 2. BasicConstraints
- */
- rootExts[1].type = DT_BasicConstraints;
- rootExts[1].critical = CSSM_TRUE;
- rootExts[1].extension.basicConstraints.cA = CSSM_TRUE;
- rootExts[1].extension.basicConstraints.pathLenConstraintPresent =
- CSSM_TRUE;
- rootExts[1].extension.basicConstraints.pathLenConstraint = 2;
-
- /*
- * Leaf extensions - all are optional
- */
- if(certKeyUse) {
- leafExts[0].type = DT_KeyUsage;
- leafExts[0].critical = keyUseCritical;
- leafExts[0].extension.keyUsage = certKeyUse;
- numLeafExts++;
- }
- if(subjAltNameEmail) {
- leafExts[numLeafExts].type = DT_SubjectAltName;
- leafExts[numLeafExts].critical = subjAltNameCritical;
-
- genName.berEncoded = CSSM_FALSE;
- genName.name.Data = (uint8 *)subjAltNameEmail;
- genName.nameType = GNT_RFC822Name;
- genName.name.Length = strlen(subjAltNameEmail);
-
- genNames.numNames = 1;
- genNames.generalName = &genName;
- leafExts[numLeafExts].extension.subjectAltName = genNames;
- numLeafExts++;
- }
- if(ekuOid) {
- leafExts[numLeafExts].type = DT_ExtendedKeyUsage;
- leafExts[numLeafExts].critical = CSSM_FALSE; // don't care - right?
- extendedKeyUse.numPurposes = 1;
- extendedKeyUse.purposes = (CSSM_OID_PTR)ekuOid;
- leafExts[numLeafExts].extension.extendedKeyUsage = extendedKeyUse;
- numLeafExts++;
- }
-
- /*
- * Variable length subject name for leaf
- */
- CSSM_APPLE_TP_NAME_OID subjRdn[4];
- unsigned numSubjNames = 0;
- if(subjNameEmail) {
- subjRdn[0].string = subjNameEmail;
- subjRdn[0].oid = &CSSMOID_EmailAddress;
- numSubjNames++;
- }
- if(subjNameCommon) {
- subjRdn[numSubjNames].string = subjNameCommon;
- subjRdn[numSubjNames].oid = &CSSMOID_CommonName;
- numSubjNames++;
- }
- if(subjOrgUnit) {
- subjRdn[numSubjNames].string = subjOrgUnit;
- subjRdn[numSubjNames].oid = &CSSMOID_OrganizationalUnitName;
- numSubjNames++;
- }
- if(subjOrgName) {
- subjRdn[numSubjNames].string = subjOrgName;
- subjRdn[numSubjNames].oid = &CSSMOID_OrganizationName;
- numSubjNames++;
- }
-
- /* certReq for root */
- memset(&certReq, 0, sizeof(CSSM_APPLE_TP_CERT_REQUEST));
- certReq.cspHand = cspHand;
- certReq.clHand = clHand;
- certReq.serialNumber = 0x12345678;
- certReq.numSubjectNames = NUM_ROOT_NAMES;
- certReq.subjectNames = rootRdn;
- certReq.numIssuerNames = 0;
- certReq.issuerNames = NULL;
- certReq.certPublicKey = rootPubKey;
- certReq.issuerPrivateKey = rootPrivKey;
- certReq.signatureAlg = SIG_ALG_DEFAULT;
- certReq.signatureOid = SIG_OID_DEFAULT;
- certReq.notBefore = 0; // now
- certReq.notAfter = 10000; // seconds from now
- certReq.numExtensions = 2;
- certReq.extensions = rootExts;
-
- reqSet.NumberOfRequests = 1;
- reqSet.Requests = &certReq;
-
- /* a big CSSM_TP_CALLERAUTH_CONTEXT just to specify an OID */
- memset(&CallerAuthContext, 0, sizeof(CSSM_TP_CALLERAUTH_CONTEXT));
- memset(&policyId, 0, sizeof(CSSM_FIELD));
- policyId.FieldOid = CSSMOID_APPLE_TP_LOCAL_CERT_GEN;
- CallerAuthContext.Policy.NumberOfPolicyIds = 1;
- CallerAuthContext.Policy.PolicyIds = &policyId;
-
- /* generate root cert */
- crtn = CSSM_TP_SubmitCredRequest(tpHand,
- NULL, // PreferredAuthority
- CSSM_TP_AUTHORITY_REQUEST_CERTISSUE,
- &reqSet,
- &CallerAuthContext,
- &estTime,
- &refId);
- if(crtn) {
- printError("CSSM_TP_SubmitCredRequest", crtn);
- return crtn;
- }
- crtn = CSSM_TP_RetrieveCredResult(tpHand,
- &refId,
- NULL, // CallerAuthCredentials
- &estTime,
- &confirmRequired,
- &resultSet);
- if(crtn) {
- printError("CSSM_TP_RetrieveCredResult", crtn);
- return crtn;
- }
- if(resultSet == NULL) {
- printf("***CSSM_TP_RetrieveCredResult returned NULL result set.\n");
- return crtn;
- }
- encCert = (CSSM_ENCODED_CERT *)resultSet->Results;
- rootCert = encCert->CertBlob;
- CSSM_FREE(encCert);
- CSSM_FREE(resultSet);
-
- /* now a subject cert signed by the root cert */
- certReq.serialNumber = 0x8765;
- certReq.numSubjectNames = numSubjNames;
- certReq.subjectNames = subjRdn;
- certReq.numIssuerNames = NUM_ROOT_NAMES;
- certReq.issuerNames = rootRdn;
- certReq.certPublicKey = subjPubKey;
- certReq.issuerPrivateKey = rootPrivKey;
- certReq.numExtensions = numLeafExts;
- certReq.extensions = leafExts;
-
- crtn = CSSM_TP_SubmitCredRequest(tpHand,
- NULL, // PreferredAuthority
- CSSM_TP_AUTHORITY_REQUEST_CERTISSUE,
- &reqSet,
- &CallerAuthContext,
- &estTime,
- &refId);
- if(crtn) {
- printError("CSSM_TP_SubmitCredRequest (2)", crtn);
- return crtn;
- }
- crtn = CSSM_TP_RetrieveCredResult(tpHand,
- &refId,
- NULL, // CallerAuthCredentials
- &estTime,
- &confirmRequired,
- &resultSet); // leaks.....
- if(crtn) {
- printError("CSSM_TP_RetrieveCredResult (2)", crtn);
- return crtn;
- }
- if(resultSet == NULL) {
- printf("***CSSM_TP_RetrieveCredResult (2) returned NULL "
- "result set.\n");
- return crtn;
- }
- encCert = (CSSM_ENCODED_CERT *)resultSet->Results;
- subjCert = encCert->CertBlob;
- CSSM_FREE(encCert);
- CSSM_FREE(resultSet);
-
- return CSSM_OK;
-}
-
-static void copyToBlob(
- const CSSM_DATA &src,
- CSSM_DATA &blob)
-{
- blob.Data = (uint8 *)malloc(src.Length);
- blob.Length = src.Length;
- memmove(blob.Data, src.Data, src.Length);
-}
-
-int main(int argc, char **argv)
-{
- CSSM_CL_HANDLE clHand; // CL handle
- CSSM_CSP_HANDLE cspHand; // CSP handle
- CSSM_TP_HANDLE tpHand; // TP handle
- CSSM_DATA rootCert;
- CSSM_DATA subjCert;
- CSSM_KEY subjPubKey; // subject's RSA public key blob
- CSSM_KEY subjPrivKey; // subject's RSA private key - ref format
- CSSM_KEY rootPubKey; // root's RSA public key blob
- CSSM_KEY rootPrivKey; // root's RSA private key - ref format
- CSSM_RETURN crtn = CSSM_OK;
- int vfyRtn = 0;
- int arg;
- SP_TestCase *testCase;
- unsigned testNum;
-
- CSSM_BOOL printLeafCerts = CSSM_FALSE;
- CSSM_BOOL quiet = CSSM_FALSE;
- CSSM_BOOL verbose = CSSM_FALSE;
- CSSM_BOOL doPause = CSSM_FALSE;
-
- for(arg=1; arg<argc; arg++) {
- char *argp = argv[arg];
- switch(argp[0]) {
- case 'p':
- printLeafCerts = CSSM_TRUE;
- break;
- case 'P':
- doPause = CSSM_TRUE;
- break;
- case 'q':
- quiet = CSSM_TRUE;
- break;
- case 'v':
- verbose = CSSM_TRUE;
- break;
- default:
- usage(argv);
- }
- }
-
- testStartBanner("smimePolicy", argc, argv);
-
- /* connect to CL, TP, and CSP */
- clHand = clStartup();
- if(clHand == 0) {
- return 0;
- }
- tpHand = tpStartup();
- if(tpHand == 0) {
- return 0;
- }
- cspHand = cspStartup();
- if(cspHand == 0) {
- return 0;
- }
-
- /* subsequent errors to abort: to detach */
-
- /* cook up an RSA key pair for the subject */
- crtn = cspGenKeyPair(cspHand,
- KEY_ALG_DEFAULT,
- SUBJ_KEY_LABEL,
- strlen(SUBJ_KEY_LABEL),
- KEY_SIZE_DEFAULT,
- &subjPubKey,
- CSSM_FALSE, // pubIsRef
- CSSM_KEYUSE_VERIFY,
- CSSM_KEYBLOB_RAW_FORMAT_NONE,
- &subjPrivKey,
- CSSM_TRUE, // privIsRef - doesn't matter
- CSSM_KEYUSE_SIGN,
- CSSM_KEYBLOB_RAW_FORMAT_NONE,
- CSSM_FALSE);
- if(crtn) {
- return crtn;
- }
-
- /* and the root */
- crtn = cspGenKeyPair(cspHand,
- KEY_ALG_DEFAULT,
- ROOT_KEY_LABEL,
- strlen(ROOT_KEY_LABEL),
- KEY_SIZE_DEFAULT,
- &rootPubKey,
- CSSM_FALSE, // pubIsRef
- CSSM_KEYUSE_VERIFY,
- CSSM_KEYBLOB_RAW_FORMAT_NONE,
- &rootPrivKey,
- CSSM_TRUE, // privIsRef - doesn't matter
- CSSM_KEYUSE_SIGN,
- CSSM_KEYBLOB_RAW_FORMAT_NONE,
- CSSM_FALSE);
- if(crtn) {
- goto abort;
- }
-
- for(testNum=0; testNum<NUM_TEST_CASES; testNum++) {
- testCase = &testCases[testNum];
- if(!quiet) {
- printf("%s\n", testCase->testDesc);
- }
- crtn = genCerts(clHand, cspHand, tpHand,
- &rootPrivKey, &rootPubKey, &subjPubKey,
- testCase->subjNameEmail, testCase->subjAltNameEmail,
- testCase->subjNameCommon, testCase->subjAltNameCritical,
- testCase->orgUnit, testCase->orgName,
- testCase->certKeyUse, testCase->keyUseCritical, testCase->ekuOid,
- rootCert, subjCert);
- if(printLeafCerts) {
- printCert(subjCert.Data, subjCert.Length, CSSM_FALSE);
- }
- BlobList leaf;
- BlobList root;
- /* BlobList uses regular free() on the referent of the blobs */
- CSSM_DATA blob;
- copyToBlob(subjCert, blob);
- CSSM_FREE(subjCert.Data);
- leaf.addBlob(blob);
- copyToBlob(rootCert, blob);
- CSSM_FREE(rootCert.Data);
- root.addBlob(blob);
- if(crtn) {
- if(testError(quiet)) {
- break;
- }
- }
- vfyRtn = certVerifySimple(tpHand, clHand, cspHand,
- leaf, root,
- CSSM_FALSE, // useSystemAnchors
- CSSM_FALSE, // leafCertIsCA
- CSSM_FALSE, // allow expired root
- testCase->policy,
- NULL, // sslHost
- CSSM_FALSE, // sslClient
- testCase->vfyEmailAddrs,
- testCase->vfyKeyUse,
- testCase->expectErrStr,
- testCase->certErrorStr ? 1 : 0,
- testCase->certErrorStr ? (const char **)&testCase->certErrorStr :
- NULL,
- 0, NULL, // certStatus
- CSSM_FALSE, // trustSettings
- quiet,
- verbose);
- if(vfyRtn) {
- if(testError(quiet)) {
- break;
- }
- }
- /* cert data freed by ~BlobList */
-
- if(doPause) {
- fpurge(stdin);
- printf("Pausing for mallocDebug. CR to continue: ");
- getchar();
- }
- }
-
- /* free keys */
- cspFreeKey(cspHand, &rootPubKey);
- cspFreeKey(cspHand, &rootPrivKey);
- cspFreeKey(cspHand, &subjPubKey);
- cspFreeKey(cspHand, &subjPrivKey);
-
-abort:
- if(cspHand != 0) {
- CSSM_ModuleDetach(cspHand);
- }
- if(clHand != 0) {
- CSSM_ModuleDetach(clHand);
- }
- if(tpHand != 0) {
- CSSM_ModuleDetach(tpHand);
- }
- if(!vfyRtn && !crtn && !quiet) {
- printf("...test passed\n");
- }
- return 0;
-}
-
-
projects / apple / security.git / blobdiff