Security-57740.51.3.tar.gz

[apple/security.git] / SecurityTests / clxutils / sslSubjName / sslSubjName.cpp

diff --git a/SecurityTests/clxutils/sslSubjName/sslSubjName.cpp b/SecurityTests/clxutils/sslSubjName/sslSubjName.cpp
deleted file mode 100644 (file)
index 9ca1a34..0000000
--- a/SecurityTests/clxutils/sslSubjName/sslSubjName.cpp
+++ /dev/null
@@ -1,595 +0,0 @@
-/* Copyright (c) 2002-2004,2006,2008 Apple Inc.
- *
- * sslSubjName.c
- *
- * Verify comparision of app-specified host name vs. various
- * forms of hostname in a cert.
- *
- */
-
-#include <utilLib/common.h>
-#include <utilLib/cspwrap.h>
-#include <clAppUtils/clutils.h>
-#include <clAppUtils/certVerify.h>
-#include <clAppUtils/BlobList.h>
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <Security/cssm.h>
-#include <Security/x509defs.h>
-#include <Security/oidsattr.h>
-#include <Security/oidscert.h>
-#include <Security/oidsalg.h>
-#include <Security/certextensions.h>
-#include <Security/cssmapple.h>
-#include <string.h>
-#include <security_cdsa_utils/cuFileIo.h>
-
-/* key labels */
-#define SUBJ_KEY_LABEL         "subjectKey"
-#define ROOT_KEY_LABEL         "rootKey"
-
-/* key and signature algorithm - shouldn't matter for this test */
-#define SIG_ALG_DEFAULT                CSSM_ALGID_SHA1WithRSA
-#define SIG_OID_DEFAULT                CSSMOID_SHA1WithRSA
-#define KEY_ALG_DEFAULT                CSSM_ALGID_RSA
-
-#define KEY_SIZE_DEFAULT       512
-
-#define CERT_FILE              "sslCert.cer"
-
-static void usage(char **argv)
-{
-       printf("Usage: %s [options]\n", argv[0]);
-       printf("Options:\n");
-       printf("    w(write certs)\n");
-       printf("    q(uiet)\n");
-       printf("    v(erbose)\n");
-       exit(1);
-}
-
-/*
- * RDN components for root, subject
- */
-CSSM_APPLE_TP_NAME_OID rootRdn[] = 
-{
-       { "Apple Computer",                                     &CSSMOID_OrganizationName },
-       { "The Big Cheese",                                     &CSSMOID_Title }
-};
-#define NUM_ROOT_NAMES (sizeof(rootRdn) / sizeof(CSSM_APPLE_TP_NAME_OID))
-
-#define SUBJ_COMMON_NAME       "something.org"
-
-CSSM_APPLE_TP_NAME_OID subjRdn[] = 
-{
-       { "Apple Computer",                                     &CSSMOID_OrganizationName },
-       /* overridden when creating the cert */
-       { NULL,                                                         &CSSMOID_CommonName }
-};
-#define SUBJ_COMMON_NAME_DEX   1
-
-#define NUM_SUBJ_NAMES (sizeof(subjRdn) / sizeof(CSSM_APPLE_TP_NAME_OID))
-
-
-/*
- * Test cases
- */
-typedef struct {
-       /* test description */
-       const char              *testDesc;
-       
-       /* host names for leaf cert - zero or one of these */
-       const char              *certDnsName;
-       const char              *certIpAddr;
-       
-       /* subject common name */
-       const char              *commonName;
-       
-       /* host name for CertGroupVerify */
-       const char              *vfyHostName;
-       
-       /* expected error - NULL or e.g. "CSSMERR_APPLETP_CRL_NOT_TRUSTED" */
-       const char              *expectErrStr;
-       
-       /* one optional per-cert error string */
-       const char              *certErrorStr;
-       
-} SSN_TestCase;
-
-SSN_TestCase testCases[] = 
-{
-       {
-               "DNS Name foo.bar, vfyName foo.bar",
-               "foo.bar", NULL, SUBJ_COMMON_NAME, "foo.bar",
-               NULL, 
-               NULL
-       },
-       {
-               "DNS Name foo.bar, vfyName something.org, expect fail due to "
-                       "DNS present",
-               "foo.bar", NULL, SUBJ_COMMON_NAME, "something.org",
-               "CSSMERR_APPLETP_HOSTNAME_MISMATCH", 
-               "0:CSSMERR_APPLETP_HOSTNAME_MISMATCH"
-       },
-       {
-               "DNS Name foo.bar, vfyName foo.foo.bar, expect fail",
-               "foo.bar", NULL, SUBJ_COMMON_NAME, "foo.foo.bar",
-               "CSSMERR_APPLETP_HOSTNAME_MISMATCH", 
-               "0:CSSMERR_APPLETP_HOSTNAME_MISMATCH"
-       },
-       {
-               "IP Name 1.0.5.8, vfyName 1.0.5.8",
-               NULL, "1.0.5.8", SUBJ_COMMON_NAME, "1.0.5.8",
-               NULL, 
-               NULL
-       },
-       {
-               "IP Name 1.0.5.8, vfyName 1.00.5.008",
-               NULL, "1.0.5.8", SUBJ_COMMON_NAME, "1.00.5.008",
-               NULL, 
-               NULL
-       },
-       {
-               "IP Name 1.0.5.8, vfyName something.org",
-               NULL, "1.0.5.8", SUBJ_COMMON_NAME, "something.org",
-               NULL, 
-               NULL
-       },
-       {
-               "IP Name 1.0.5.8, vfyName 2.0.5.8, expect fail",
-               NULL, "1.0.5.8", SUBJ_COMMON_NAME, "2.0.5.8",
-               "CSSMERR_APPLETP_HOSTNAME_MISMATCH", 
-               "0:CSSMERR_APPLETP_HOSTNAME_MISMATCH"
-       },
-       {
-               "DNS Name *.foo.bar, vfyName bar.foo.bar",
-               "*.foo.bar", NULL, SUBJ_COMMON_NAME, "bar.foo.bar",
-               NULL, 
-               NULL
-       },
-       {
-               "DNS Name *.foo.bar, vfyName foo.bar, expect fail",
-               "*.foo.bar", NULL, SUBJ_COMMON_NAME, "foo.bar",
-               "CSSMERR_APPLETP_HOSTNAME_MISMATCH", 
-               "0:CSSMERR_APPLETP_HOSTNAME_MISMATCH"
-       },
-       {
-               "DNS Name *foo.bar, vfyName barfoo.bar",
-               "*foo.bar", NULL, SUBJ_COMMON_NAME, "barfoo.bar",
-               NULL, 
-               NULL
-       },
-       {
-               "DNS Name *foo*.bar, vfyName barfoo.bar",
-               "*foo*.bar", NULL, SUBJ_COMMON_NAME, "barfoo.bar",
-               NULL, 
-               NULL
-       },
-       {
-               "DNS Name *foo*.bar, vfyName foobar.bar",
-               "*foo*.bar", NULL, SUBJ_COMMON_NAME, "foobar.bar",
-               NULL, 
-               NULL
-       },
-       {
-               "DNS Name *foo*.bar, vfyName foo.bar",
-               "*foo*.bar", NULL, SUBJ_COMMON_NAME, "foo.bar",
-               NULL, 
-               NULL
-       },
-       {
-               "DNS Name *foo.bar, vfyName bar.foo.bar, should fail",
-               "*foo.bar", NULL, SUBJ_COMMON_NAME, "bar.foo.bar",
-               "CSSMERR_APPLETP_HOSTNAME_MISMATCH", 
-               "0:CSSMERR_APPLETP_HOSTNAME_MISMATCH"
-       },
-       {
-               "DNS Name *foo.bar, vfyName foobar.bar, should fail",
-               "*foo.bar", NULL, SUBJ_COMMON_NAME, "foobar.bar",
-               "CSSMERR_APPLETP_HOSTNAME_MISMATCH", 
-               "0:CSSMERR_APPLETP_HOSTNAME_MISMATCH"
-       },
-       {
-               "No DNS or IP name, commonName = vfyName = 1.0.5.8",
-               NULL, NULL, "1.0.5.8", "1.0.5.8",
-               "CSSMERR_APPLETP_HOSTNAME_MISMATCH", 
-               "0:CSSMERR_APPLETP_HOSTNAME_MISMATCH"
-       },
-};
-
-#define NUM_TEST_CASES (sizeof(testCases) / sizeof(SSN_TestCase))
-
-/*
- * Convert a string containing a dotted IP address to 4 bytes.
- * Returns nonzero on error.
- * FIXME - should handle 16-byte IP addresses. 
- */
-static int convertIp(
-       const char      *str,
-       uint8           *buf)
-{
-       char cbuf[4];
-       for(unsigned dex=0; dex<3; dex++) {
-               char *nextDot = strchr(str, '.');
-               if(nextDot == NULL) {
-                       return 1;
-               }
-               memset(cbuf, 0, sizeof(cbuf));
-               memmove(cbuf, str, nextDot - str);
-               *buf = atoi(cbuf);
-               buf++;                          // next out char
-               str = nextDot + 1;      // next in char after dot
-               
-       }
-       /* str points to last char */
-       if(str == NULL) {
-               return 1;
-       }
-       *buf = atoi(str);
-       return 0;
-}
-
-/*
- * Generate a pair of certs.
- */
-static CSSM_RETURN genCerts(
-       CSSM_CL_HANDLE  clHand,
-       CSSM_CSP_HANDLE cspHand,        
-       CSSM_TP_HANDLE  tpHand, 
-       CSSM_KEY_PTR    rootPrivKey,
-       CSSM_KEY_PTR    rootPubKey,
-       CSSM_KEY_PTR    subjPubKey,
-       /* one of these goes into leaf's subjectAltName */
-       const char              *subjIpAddr,
-       const char              *subjDnsName,
-       const char              *commonName,
-       CSSM_DATA               &rootCert,              // RETURNED
-       CSSM_DATA               &subjCert)              // RETURNED
-       
-{
-       CSSM_DATA                                       refId;  
-                                                               // mallocd by CSSM_TP_SubmitCredRequest
-       CSSM_RETURN                                     crtn;
-       CSSM_APPLE_TP_CERT_REQUEST      certReq;
-       CSSM_TP_REQUEST_SET                     reqSet;
-       sint32                                          estTime;
-       CSSM_BOOL                                       confirmRequired;
-       CSSM_TP_RESULT_SET_PTR          resultSet;
-       CSSM_ENCODED_CERT                       *encCert;
-       CSSM_TP_CALLERAUTH_CONTEXT      CallerAuthContext;
-       CSSM_FIELD                                      policyId;
-       CE_GeneralNames                         genNames;
-       CE_GeneralName                          genName;
-       uint8                                           ipNameBuf[4];
-       /* 
-        * Two extensions. Subject has two (KeyUsage and possibly 
-        * subjectAltName); root has KeyUsage and  BasicConstraints.
-        */
-       CE_DataAndType                          rootExts[2];
-       CE_DataAndType                          leafExts[2];
-       unsigned                                        numLeafExts;
-       
-       if(subjIpAddr && subjDnsName) {
-               printf("***Max of one of {subjIpAddr, subjDnsName} at a "
-                       "time, please.\n");
-               exit(1);
-       }
-       if(subjIpAddr) {
-               if(convertIp(subjIpAddr, ipNameBuf)) {
-                       printf("**Malformed IP address. Aborting.\n");
-                       exit(1);
-               }
-       }
-       
-       /* A KeyUsage extension for both certs */
-       rootExts[0].type = DT_KeyUsage;
-       rootExts[0].critical = CSSM_FALSE;
-       rootExts[0].extension.keyUsage = 
-               CE_KU_DigitalSignature | CE_KU_KeyCertSign;
-
-       leafExts[0].type = DT_KeyUsage;
-       leafExts[0].critical = CSSM_FALSE;
-       leafExts[0].extension.keyUsage =  CE_KU_DigitalSignature;
-
-       /* BasicConstraints for root only */
-       rootExts[1].type = DT_BasicConstraints;
-       rootExts[1].critical = CSSM_TRUE;
-       rootExts[1].extension.basicConstraints.cA = CSSM_TRUE;
-       rootExts[1].extension.basicConstraints.pathLenConstraintPresent = 
-                       CSSM_TRUE;
-       rootExts[1].extension.basicConstraints.pathLenConstraint = 2;
-
-       /* possible subjectAltName for leaf */
-       numLeafExts = 1;
-       if(subjIpAddr || subjDnsName) {
-               numLeafExts++;
-               leafExts[1].type = DT_SubjectAltName;
-               leafExts[1].critical = CSSM_TRUE;
-               
-               genName.berEncoded = CSSM_FALSE;
-               if(subjIpAddr) {
-                       genName.name.Data = (uint8 *)ipNameBuf;
-                       genName.name.Length = 4;
-                       genName.nameType = GNT_IPAddress;
-               }
-               else {
-                       genName.name.Data = (uint8 *)subjDnsName;
-                       genName.nameType = GNT_DNSName;
-                       genName.name.Length = strlen(subjDnsName);
-               }
-               genNames.numNames = 1;
-               genNames.generalName = &genName;
-               leafExts[1].extension.subjectAltName = genNames;
-       }
-       
-       /* certReq for root */
-       memset(&certReq, 0, sizeof(CSSM_APPLE_TP_CERT_REQUEST));
-       certReq.cspHand = cspHand;
-       certReq.clHand = clHand;
-       certReq.serialNumber = 0x12345678;
-       certReq.numSubjectNames = NUM_ROOT_NAMES;
-       certReq.subjectNames = rootRdn;
-       certReq.numIssuerNames = 0;
-       certReq.issuerNames = NULL;
-       certReq.certPublicKey = rootPubKey;
-       certReq.issuerPrivateKey = rootPrivKey;
-       certReq.signatureAlg = SIG_ALG_DEFAULT;
-       certReq.signatureOid = SIG_OID_DEFAULT;
-       certReq.notBefore = 0;                  // now
-       certReq.notAfter = 10000;               // seconds from now
-       certReq.numExtensions = 2;
-       certReq.extensions = rootExts;
-       
-       reqSet.NumberOfRequests = 1;
-       reqSet.Requests = &certReq;
-       
-       /* a big CSSM_TP_CALLERAUTH_CONTEXT just to specify an OID */
-       memset(&CallerAuthContext, 0, sizeof(CSSM_TP_CALLERAUTH_CONTEXT));
-       memset(&policyId, 0, sizeof(CSSM_FIELD));
-       policyId.FieldOid = CSSMOID_APPLE_TP_LOCAL_CERT_GEN;
-       CallerAuthContext.Policy.NumberOfPolicyIds = 1;
-       CallerAuthContext.Policy.PolicyIds = &policyId;
-       
-       /* generate root cert */
-       crtn = CSSM_TP_SubmitCredRequest(tpHand,
-               NULL,                           // PreferredAuthority
-               CSSM_TP_AUTHORITY_REQUEST_CERTISSUE,
-               &reqSet,
-               &CallerAuthContext,     
-               &estTime,
-               &refId);
-       if(crtn) {
-               printError("CSSM_TP_SubmitCredRequest", crtn);
-               return crtn;
-       }
-       crtn = CSSM_TP_RetrieveCredResult(tpHand,
-               &refId,
-               NULL,                           // CallerAuthCredentials
-               &estTime,
-               &confirmRequired,
-               &resultSet);
-       if(crtn) {
-               printError("CSSM_TP_RetrieveCredResult", crtn);
-               return crtn;
-       }
-       if(resultSet == NULL) {
-               printf("***CSSM_TP_RetrieveCredResult returned NULL result set.\n");
-               return crtn;
-       }
-       encCert = (CSSM_ENCODED_CERT *)resultSet->Results;
-       rootCert = encCert->CertBlob;
-
-       /* now a subject cert signed by the root cert */
-       certReq.serialNumber = 0x8765;
-       certReq.numSubjectNames = NUM_SUBJ_NAMES;
-       subjRdn[SUBJ_COMMON_NAME_DEX].string = commonName;
-       certReq.subjectNames = subjRdn;
-       certReq.numIssuerNames = NUM_ROOT_NAMES;
-       certReq.issuerNames = rootRdn;
-       certReq.certPublicKey = subjPubKey;
-       certReq.issuerPrivateKey = rootPrivKey;
-       certReq.numExtensions = numLeafExts;
-       certReq.extensions = leafExts;
-
-       crtn = CSSM_TP_SubmitCredRequest(tpHand,
-               NULL,                           // PreferredAuthority
-               CSSM_TP_AUTHORITY_REQUEST_CERTISSUE,
-               &reqSet,
-               &CallerAuthContext,
-               &estTime,
-               &refId);
-       if(crtn) {
-               printError("CSSM_TP_SubmitCredRequest (2)", crtn);
-               return crtn;
-       }
-       crtn = CSSM_TP_RetrieveCredResult(tpHand,
-               &refId,
-               NULL,                           // CallerAuthCredentials
-               &estTime,
-               &confirmRequired,
-               &resultSet);            // leaks.....
-       if(crtn) {
-               printError("CSSM_TP_RetrieveCredResult (2)", crtn);
-               return crtn;
-       }
-       if(resultSet == NULL) {
-               printf("***CSSM_TP_RetrieveCredResult (2) returned NULL "
-                               "result set.\n");
-               return crtn;
-       }
-       encCert = (CSSM_ENCODED_CERT *)resultSet->Results;
-       subjCert = encCert->CertBlob;
-
-       return CSSM_OK;
-}
-
-int main(int argc, char **argv)
-{
-       CSSM_CL_HANDLE  clHand;                 // CL handle
-       CSSM_CSP_HANDLE cspHand;                // CSP handle
-       CSSM_TP_HANDLE  tpHand;                 // TP handle
-       CSSM_DATA               rootCert;               
-       CSSM_DATA               subjCert;       
-       CSSM_KEY                subjPubKey;             // subject's RSA public key blob
-       CSSM_KEY                subjPrivKey;    // subject's RSA private key - ref format
-       CSSM_KEY                rootPubKey;             // root's RSA public key blob
-       CSSM_KEY                rootPrivKey;    // root's RSA private key - ref format
-       CSSM_RETURN             crtn = CSSM_OK;
-       int                             vfyRtn = 0;
-       int                             arg;
-       SSN_TestCase    *testCase;
-       unsigned                testNum;
-       
-       CSSM_BOOL               quiet = CSSM_FALSE;
-       CSSM_BOOL               verbose = CSSM_FALSE;
-       CSSM_BOOL               writeCerts = CSSM_FALSE;
-       
-       for(arg=1; arg<argc; arg++) {
-               char *argp = argv[arg];
-               switch(argp[0]) {
-                       case 'q':
-                               quiet = CSSM_TRUE;
-                               break;
-                       case 'v':
-                               verbose = CSSM_TRUE;
-                               break;
-                       case 'w':
-                               writeCerts = CSSM_TRUE;
-                               break;
-                       default:
-                               usage(argv);
-               }
-       }
-       
-       testStartBanner("sslSubjName", argc, argv);
-       
-       /* connect to CL, TP, and CSP */
-       clHand = clStartup();
-       if(clHand == 0) {
-               return 0;
-       }
-       tpHand = tpStartup();
-       if(tpHand == 0) {
-               return 0;
-       }
-       cspHand = cspStartup();
-       if(cspHand == 0) {
-               return 0;
-       }
-
-       /* subsequent errors to abort: to detach */
-       
-       /* cook up an RSA key pair for the subject */
-       crtn = cspGenKeyPair(cspHand,
-               KEY_ALG_DEFAULT,
-               SUBJ_KEY_LABEL,
-               strlen(SUBJ_KEY_LABEL),
-               KEY_SIZE_DEFAULT,
-               &subjPubKey,
-               CSSM_FALSE,                     // pubIsRef
-               CSSM_KEYUSE_VERIFY,
-               CSSM_KEYBLOB_RAW_FORMAT_NONE,
-               &subjPrivKey,
-               CSSM_TRUE,                      // privIsRef - doesn't matter
-               CSSM_KEYUSE_SIGN,
-               CSSM_KEYBLOB_RAW_FORMAT_NONE,
-               CSSM_FALSE);
-       if(crtn) {
-               return crtn;
-       }
-
-       /* and the root */
-       crtn = cspGenKeyPair(cspHand,
-               KEY_ALG_DEFAULT,
-               ROOT_KEY_LABEL,
-               strlen(ROOT_KEY_LABEL),
-               KEY_SIZE_DEFAULT,
-               &rootPubKey,
-               CSSM_FALSE,                     // pubIsRef
-               CSSM_KEYUSE_VERIFY,
-               CSSM_KEYBLOB_RAW_FORMAT_NONE,
-               &rootPrivKey,
-               CSSM_TRUE,                      // privIsRef - doesn't matter
-               CSSM_KEYUSE_SIGN,
-               CSSM_KEYBLOB_RAW_FORMAT_NONE,
-               CSSM_FALSE);
-       if(crtn) {
-               goto abort;
-       }
-
-       for(testNum=0; testNum<NUM_TEST_CASES; testNum++) {
-               testCase = &testCases[testNum];
-               if(!quiet) {
-                       printf("%s\n", testCase->testDesc);
-               }
-               crtn = genCerts(clHand, cspHand, tpHand,
-                       &rootPrivKey, &rootPubKey, &subjPubKey,
-                       testCase->certIpAddr, testCase->certDnsName, testCase->commonName,
-                       rootCert, subjCert);
-               BlobList leaf;
-               BlobList root;
-               /* BlobList uses regular free() on the referent of the blobs */
-               leaf.addBlob(subjCert, CSSM_TRUE);
-               root.addBlob(rootCert, CSSM_TRUE);
-               if(crtn) {
-                       if(testError(quiet)) {
-                               break;
-                       }
-               }
-               if(writeCerts) {
-                       if(writeFile(CERT_FILE, subjCert.Data, subjCert.Length)) {
-                               printf("***Error writing cert to %s\n", CERT_FILE);
-                       }
-                       else {
-                               printf("...wrote %lu bytes to %s\n", subjCert.Length, CERT_FILE);
-                       }
-               }
-               vfyRtn = certVerifySimple(tpHand, clHand, cspHand,
-                       leaf, root,
-                       CSSM_FALSE,             // useSystemAnchors
-                       CSSM_FALSE,             // leafCertIsCA
-                       CSSM_FALSE,             // allow expired root
-                       CVP_SSL,
-                       testCase->vfyHostName,
-                       CSSM_FALSE,             // sslClient
-                       NULL,
-                       NULL,
-                       testCase->expectErrStr,
-                       testCase->certErrorStr ? 1 : 0,
-                       testCase->certErrorStr ? (const char **)&testCase->certErrorStr :
-                               NULL,
-                       0, NULL,                // certStatus
-                       CSSM_FALSE,             // trustSettings
-                       quiet,
-                       verbose);
-               if(vfyRtn) {
-                       if(testError(quiet)) {
-                               break;
-                       }
-               }
-               /* cert data freed by ~BlobList */
-       }
-
-       /* free keys */
-       cspFreeKey(cspHand, &rootPubKey);
-       cspFreeKey(cspHand, &rootPrivKey);
-       cspFreeKey(cspHand, &subjPubKey);
-       cspFreeKey(cspHand, &subjPrivKey);
-
-abort:
-       if(cspHand != 0) {
-               CSSM_ModuleDetach(cspHand);
-       }
-       if(clHand != 0) {
-               CSSM_ModuleDetach(clHand);
-       }
-       if(tpHand != 0) {
-               CSSM_ModuleDetach(tpHand);
-       }
-       if(!vfyRtn && !crtn && !quiet) {
-               printf("...test passed\n");
-       }
-       return 0;
-}
-
-