X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/b04fe171f0375ecd5d8a24747ca1dff85720a0ca..6b200bc335dc93c5516ccb52f14bd896d8c7fad7:/SecurityTests/clxutils/signerAndSubj/signerAndSubj.cpp
diff --git a/SecurityTests/clxutils/signerAndSubj/signerAndSubj.cpp b/SecurityTests/clxutils/signerAndSubj/signerAndSubj.cpp
deleted file mode 100644
index 43a2609e..00000000
--- a/SecurityTests/clxutils/signerAndSubj/signerAndSubj.cpp
+++ /dev/null
@@ -1,717 +0,0 @@ -/* Copyright (c) 1998,2003,2005-2006,2008 Apple Inc. - * - * signerAndSubj.c - * - * Create two certs - a root, and a subject cert signed by the root. Includes - * extension construction. Verify certs every which way, including various expected - * failures. - * - * Revision History - * ---------------- - * 31 Aug 2000 Doug Mitchell at Apple - * Ported to X/CDSA2. - * 20 Jul 1998 Doug Mitchell at NeXT - * Created. - */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#define SUBJ_KEY_LABEL "subjectKey" -#define ROOT_KEY_LABEL "rootKey" -/* default key and signature algorithm */ -#define SIG_ALG_DEFAULT CSSM_ALGID_SHA1WithRSA -#define KEY_ALG_DEFAULT CSSM_ALGID_RSA - -/* for write certs/components option */ -#define ROOT_CERT_FILE_NAME "ssRootCert.der" -#define ROOT_TBS_FILE_NAME "ssRootTBS.der" -#define SUBJ_CERT_FILE_NAME "ssSubjCert.der" -#define SUBJ_TBS_FILE_NAME "ssSubjTBS.der" -#define ROOT_PRIV_KEY_FILE "ssRootPriv.der" -#define SUBJ_PRIV_KEY_FILE "ssSubjPriv.der" - -static void usage(char **argv) -{ - printf("Usage: %s [options]\n", argv[0]); - printf("Options:\n"); - printf(" w[rite certs and components]\n"); - printf(" a=alg where alg is s(RSA/SHA1), m(RSA/MD5), f(FEE/MD5), F(FEE/SHA1),\n"); - printf(" 2(RSA/SHA224), 6(RSA/SHA256), 3(RSA/SHA384) 5=RSA/SHA512,\n"); - printf(" e(ECDSA), E(ANSI/ECDSA), 7(ECDSA/SHA256), 8(ECDSA/SHA384), 9(ECDSA/SHA512)\n"); - printf(" k=keySizeInBits\n"); - exit(1); -} - -/* - * RDN components for root, subject - */ -CB_NameOid rootRdn[] = -{ - { "Apple Computer", &CSSMOID_OrganizationName }, - { "The Big Cheese", &CSSMOID_Title } -}; -#define NUM_ROOT_NAMES (sizeof(rootRdn) / sizeof(CB_NameOid)) - -CB_NameOid subjRdn[] = -{ - /* note extra space for normalize test */ - { "Apple Computer", &CSSMOID_OrganizationName }, - { "Doug Mitchell", &CSSMOID_CommonName } -}; -#define NUM_SUBJ_NAMES 
(sizeof(subjRdn) / sizeof(CB_NameOid)) - -static CSSM_BOOL compareKeyData(const CSSM_KEY *key1, const CSSM_KEY *key2); -static CSSM_RETURN verifyCert(CSSM_CL_HANDLE clHand, - CSSM_CSP_HANDLE cspHand, - CSSM_DATA_PTR cert, - CSSM_DATA_PTR signerCert, - CSSM_KEY_PTR key, - CSSM_ALGORITHMS sigAlg, - CSSM_RETURN expectResult, - const char *opString); - - -int main(int argc, char **argv) -{ - CSSM_CL_HANDLE clHand; // CL handle - CSSM_X509_NAME *subjName; - CSSM_X509_NAME *rootName; - CSSM_X509_TIME *notBefore; // UTC-style "not before" time - CSSM_X509_TIME *notAfter; // UTC-style "not after" time - CSSM_DATA_PTR rawCert; // from CSSM_CL_CertCreateTemplate - CSSM_DATA signedRootCert; // from CSSM_CL_CertSign - CSSM_DATA signedSubjCert; // from CSSM_CL_CertSign - CSSM_CSP_HANDLE cspHand; // CSP handle - CSSM_KEY subjPubKey; // subject's RSA public key blob - CSSM_KEY subjPrivKey; // subject's RSA private key - ref format - CSSM_KEY rootPubKey; // root's RSA public key blob - CSSM_KEY rootPrivKey; // root's RSA private key - ref format - CSSM_RETURN crtn; - CSSM_KEY_PTR extractRootKey; // from CSSM_CL_CertGetKeyInfo() - CSSM_KEY_PTR extractSubjKey; // ditto - CSSM_CC_HANDLE signContext; // for signing/verifying the cert - unsigned badByte; - int arg; - unsigned errorCount = 0; - - /* user-spec'd variables */ - CSSM_BOOL writeBlobs = CSSM_FALSE; - CSSM_ALGORITHMS keyAlg = KEY_ALG_DEFAULT; - CSSM_ALGORITHMS sigAlg = SIG_ALG_DEFAULT; - uint32 keySizeInBits = CSP_KEY_SIZE_DEFAULT; - - /* - * Two extensions. Subject has one (KeyUsage); root has KeyUsage and - * BasicConstraints. 
- */ - CSSM_X509_EXTENSION exts[2]; - CE_KeyUsage keyUsage; - CE_BasicConstraints bc; - - for(arg=1; argData, rawCert->Length); - printf("...wrote %lu bytes to %s\n", rawCert->Length, ROOT_TBS_FILE_NAME); - } - - /* Self-sign; this is a root cert */ - crtn = CSSM_CSP_CreateSignatureContext(cspHand, - sigAlg, - NULL, // AccessCred - &rootPrivKey, - &signContext); - if(crtn) { - printError("CSSM_CSP_CreateSignatureContext", crtn); - errorCount++; - goto abort; - } - signedRootCert.Data = NULL; - signedRootCert.Length = 0; - crtn = CSSM_CL_CertSign(clHand, - signContext, - rawCert, // CertToBeSigned - NULL, // SignScope - 0, // ScopeSize, - &signedRootCert); - if(crtn) { - printError("CSSM_CL_CertSign", crtn); - errorCount++; - goto abort; - } - crtn = CSSM_DeleteContext(signContext); - if(crtn) { - printError("CSSM_DeleteContext", crtn); - errorCount++; - goto abort; - } - appFreeCssmData(rawCert, CSSM_TRUE); - if(writeBlobs) { - writeFile(ROOT_CERT_FILE_NAME, signedRootCert.Data, signedRootCert.Length); - printf("...wrote %lu bytes to %s\n", signedRootCert.Length, - ROOT_CERT_FILE_NAME); - } - - /* now a subject cert signed by the root cert */ - printf("Creating subject cert...\n"); - rawCert = CB_MakeCertTemplate(clHand, - 0x8765, // serial number - rootName, - subjName, - notBefore, - notAfter, - &subjPubKey, - sigAlg, - NULL, // subjUniqueId - NULL, // issuerUniqueId - exts, // extensions - 1); // numExtensions - if(rawCert == NULL) { - errorCount++; - goto abort; - } - if(writeBlobs) { - writeFile(SUBJ_TBS_FILE_NAME, rawCert->Data, rawCert->Length); - printf("...wrote %lu bytes to %s\n", rawCert->Length, SUBJ_TBS_FILE_NAME); - } - - /* sign by root */ - crtn = CSSM_CSP_CreateSignatureContext(cspHand, - sigAlg, - NULL, // AccessCred - &rootPrivKey, - &signContext); - if(crtn) { - printError("CSSM_CSP_CreateSignatureContext", crtn); - errorCount++; - goto abort; - } - signedSubjCert.Data = NULL; - signedSubjCert.Length = 0; - crtn = CSSM_CL_CertSign(clHand, - 
signContext, - rawCert, // CertToBeSigned - NULL, // SignScope - 0, // ScopeSize, - &signedSubjCert); - if(crtn) { - printError("CSSM_CL_CertSign", crtn); - errorCount++; - goto abort; - } - crtn = CSSM_DeleteContext(signContext); - if(crtn) { - printError("CSSM_DeleteContext", crtn); - errorCount++; - goto abort; - } - appFreeCssmData(rawCert, CSSM_TRUE); - if(writeBlobs) { - writeFile(SUBJ_CERT_FILE_NAME, signedSubjCert.Data, signedSubjCert.Length); - printf("...wrote %lu bytes to %s\n", signedSubjCert.Length, - SUBJ_CERT_FILE_NAME); - } - - /* Free the stuff we allocd to get here */ - CB_FreeX509Name(rootName); - CB_FreeX509Name(subjName); - CB_FreeX509Time(notBefore); - CB_FreeX509Time(notAfter); - - /* - * Extract public keys from the two certs, verify. - */ - crtn = CSSM_CL_CertGetKeyInfo(clHand, &signedSubjCert, &extractSubjKey); - if(crtn) { - printError("CSSM_CL_CertGetKeyInfo", crtn); - } - else { - /* compare key data - header is different. - * Known header differences: - * -- CspID - CSSM_CL_CertGetKeyInfo returns a key with NULL for - * this field - * -- Format. rootPubKey : 6 (CSSM_KEYBLOB_RAW_FORMAT_BSAFE) - * extractRootKey : 1 (CSSM_KEYBLOB_RAW_FORMAT_PKCS1) - * -- KeyAttr. 
rootPubKey : 0x20 (CSSM_KEYATTR_EXTRACTABLE) - * extractRootKey : 0x0 - */ - if(!compareKeyData(extractSubjKey, &subjPubKey)) { - printf("***CSSM_CL_CertGetKeyInfo(signedSubjCert) returned bad key data\n"); - } - if(extractSubjKey->KeyHeader.LogicalKeySizeInBits != - subjPubKey.KeyHeader.LogicalKeySizeInBits) { - printf("***EffectiveKeySizeInBits mismatch: extract %u subj %u\n", - (unsigned)extractSubjKey->KeyHeader.LogicalKeySizeInBits, - (unsigned)subjPubKey.KeyHeader.LogicalKeySizeInBits); - } - } - crtn = CSSM_CL_CertGetKeyInfo(clHand, &signedRootCert, &extractRootKey); - if(crtn) { - printError("CSSM_CL_CertGetKeyInfo", crtn); - } - else { - if(!compareKeyData(extractRootKey, &rootPubKey)) { - printf("***CSSM_CL_CertGetKeyInfo(signedRootCert) returned bad key data\n"); - } - } - - /* - * Verify: - */ - printf("Verifying certificates...\n"); - - /* - * Verify root cert by root pub key, should succeed. - */ - if(verifyCert(clHand, - cspHand, - &signedRootCert, - NULL, - &rootPubKey, - sigAlg, - CSSM_OK, - "Verify(root by root key)")) { - errorCount++; - /* continue */ - } - - /* - * Verify root cert by root cert, should succeed. - */ - if(verifyCert(clHand, - cspHand, - &signedRootCert, - &signedRootCert, - NULL, - CSSM_ALGID_NONE, // sigAlg not used here - CSSM_OK, - "Verify(root by root cert)")) { - errorCount++; - /* continue */ - } - - - /* - * Verify subject cert by root pub key, should succeed. - */ - if(verifyCert(clHand, - cspHand, - &signedSubjCert, - NULL, - &rootPubKey, - sigAlg, - CSSM_OK, - "Verify(subj by root key)")) { - errorCount++; - /* continue */ - } - - /* - * Verify subject cert by root cert, should succeed. - */ - if(verifyCert(clHand, - cspHand, - &signedSubjCert, - &signedRootCert, - NULL, - CSSM_ALGID_NONE, // sigAlg not used here - CSSM_OK, - "Verify(subj by root cert)")) { - errorCount++; - /* continue */ - } - - /* - * Verify subject cert by root cert AND key, should succeed. 
- */ - if(verifyCert(clHand, - cspHand, - &signedSubjCert, - &signedRootCert, - &rootPubKey, - sigAlg, - CSSM_OK, - "Verify(subj by root cert and key)")) { - errorCount++; - /* continue */ - } - - /* - * Verify subject cert by extracted root pub key, should succeed. - */ - if(verifyCert(clHand, - cspHand, - &signedSubjCert, - NULL, - extractRootKey, - sigAlg, - CSSM_OK, - "Verify(subj by extracted root key)")) { - errorCount++; - /* continue */ - } - - /* - * Verify subject cert by subject pub key, should fail. - */ - if(verifyCert(clHand, - cspHand, - &signedSubjCert, - NULL, - &subjPubKey, - sigAlg, - CSSMERR_CL_VERIFICATION_FAILURE, - "Verify(subj by subj key)")) { - errorCount++; - /* continue */ - } - - /* - * Verify subject cert by subject cert, should fail. - */ - if(verifyCert(clHand, - cspHand, - &signedSubjCert, - &signedSubjCert, - NULL, - CSSM_ALGID_NONE, // sigAlg not used here - CSSMERR_CL_VERIFICATION_FAILURE, - "Verify(subj by subj cert)")) { - errorCount++; - /* continue */ - } - - /* - * Verify erroneous subject cert by root pub key, should fail. - */ - badByte = genRand(1, signedSubjCert.Length - 1); - signedSubjCert.Data[badByte] ^= 0x55; - if(verifyCert(clHand, - cspHand, - &signedSubjCert, - NULL, - &rootPubKey, - sigAlg, - CSSMERR_CL_VERIFICATION_FAILURE, - "Verify(bad subj by root key)")) { - errorCount++; - /* continue */ - } - - - /* free/delete certs and keys */ - appFreeCssmData(&signedSubjCert, CSSM_FALSE); - appFreeCssmData(&signedRootCert, CSSM_FALSE); - - cspFreeKey(cspHand, &rootPubKey); - cspFreeKey(cspHand, &subjPubKey); - - /* These don't work because CSSM_CL_CertGetKeyInfo() gives keys with - * a bogus GUID. This may be a problem with the Apple CSP... 
- * - cspFreeKey(cspHand, extractRootKey); - cspFreeKey(cspHand, extractSubjKey); - * - * do it this way instead...*/ - CSSM_FREE(extractRootKey->KeyData.Data); - CSSM_FREE(extractSubjKey->KeyData.Data); - - /* need to do this regardless...*/ - CSSM_FREE(extractRootKey); - CSSM_FREE(extractSubjKey); - -abort: - if(cspHand != 0) { - CSSM_ModuleDetach(cspHand); - } - - if(errorCount) { - printf("Signer/Subject test failed with %d errors\n", errorCount); - } - else { - printf("Signer/Subject test succeeded\n"); - } - return 0; -} - - -/* compare KeyData for two keys. */ -static CSSM_BOOL compareKeyData(const CSSM_KEY *key1, const CSSM_KEY *key2) -{ - if(key1->KeyData.Length != key2->KeyData.Length) { - return CSSM_FALSE; - } - if(memcmp(key1->KeyData.Data, - key2->KeyData.Data, - key1->KeyData.Length)) { - return CSSM_FALSE; - } - return CSSM_TRUE; -} - -/* verify a cert using specified key and/or signerCert */ -static CSSM_RETURN verifyCert(CSSM_CL_HANDLE clHand, - CSSM_CSP_HANDLE cspHand, - CSSM_DATA_PTR cert, - CSSM_DATA_PTR signerCert, // optional - CSSM_KEY_PTR key, // ditto, to work spec one, other, or both - CSSM_ALGORITHMS sigAlg, // CSSM_ALGID_SHA1WithRSA, etc. 
- CSSM_RETURN expectResult, - const char *opString) -{ - CSSM_RETURN crtn; - CSSM_CC_HANDLE signContext = CSSM_INVALID_HANDLE; - - if(key) { - crtn = CSSM_CSP_CreateSignatureContext(cspHand, - sigAlg, - NULL, // AccessCred - key, - &signContext); - if(crtn) { - printf("Failure during %s\n", opString); - printError("CSSM_CSP_CreateSignatureContext", crtn); - return crtn; - } - } - crtn = CSSM_CL_CertVerify(clHand, - signContext, - cert, // CertToBeVerified - signerCert, // SignerCert - NULL, // VerifyScope - 0); // ScopeSize - if(crtn != expectResult) { - printf("Failure during %s\n", opString); - if(crtn == CSSM_OK) { - printf("Unexpected CSSM_CL_CertVerify success\n"); - } - else if(expectResult == CSSM_OK) { - printError("CSSM_CL_CertVerify", crtn); - } - else { - printError("CSSM_CL_CertVerify: expected", expectResult); - printError("CSSM_CL_CertVerify: got ", crtn); - } - return CSSMERR_CL_VERIFICATION_FAILURE; - } - if(signContext != CSSM_INVALID_HANDLE) { - crtn = CSSM_DeleteContext(signContext); - if(crtn) { - printf("Failure during %s\n", opString); - printError("CSSM_DeleteContext", crtn); - return crtn; - } - } - return CSSM_OK; -}