X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/b04fe171f0375ecd5d8a24747ca1dff85720a0ca..6b200bc335dc93c5516ccb52f14bd896d8c7fad7:/SecurityTests/clxutils/sslSubjName/sslSubjName.cpp

diff --git a/SecurityTests/clxutils/sslSubjName/sslSubjName.cpp b/SecurityTests/clxutils/sslSubjName/sslSubjName.cpp
deleted file mode 100644
index 9ca1a34f..00000000
--- a/SecurityTests/clxutils/sslSubjName/sslSubjName.cpp
+++ /dev/null
@@ -1,595 +0,0 @@
-/* Copyright (c) 2002-2004,2006,2008 Apple Inc.
- *
- * sslSubjName.c
- *
- * Verify comparision of app-specified host name vs. various
- * forms of hostname in a cert.
- *
- */
-
-#include <utilLib/common.h>
-#include <utilLib/cspwrap.h>
-#include <clAppUtils/clutils.h>
-#include <clAppUtils/certVerify.h>
-#include <clAppUtils/BlobList.h>
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <Security/cssm.h>
-#include <Security/x509defs.h>
-#include <Security/oidsattr.h>
-#include <Security/oidscert.h>
-#include <Security/oidsalg.h>
-#include <Security/certextensions.h>
-#include <Security/cssmapple.h>
-#include <string.h>
-#include <security_cdsa_utils/cuFileIo.h>
-
-/* key labels */
-#define SUBJ_KEY_LABEL		"subjectKey"
-#define ROOT_KEY_LABEL		"rootKey"
-
-/* key and signature algorithm - shouldn't matter for this test */
-#define SIG_ALG_DEFAULT		CSSM_ALGID_SHA1WithRSA
-#define SIG_OID_DEFAULT		CSSMOID_SHA1WithRSA
-#define KEY_ALG_DEFAULT		CSSM_ALGID_RSA
-
-#define KEY_SIZE_DEFAULT	512
-
-#define CERT_FILE		"sslCert.cer"
-
-static void usage(char **argv)
-{
-	printf("Usage: %s [options]\n", argv[0]);
-	printf("Options:\n");
-	printf("    w(write certs)\n");
-	printf("    q(uiet)\n");
-	printf("    v(erbose)\n");
-	exit(1);
-}
-
-/*
- * RDN components for root, subject
- */
-CSSM_APPLE_TP_NAME_OID rootRdn[] = 
-{
-	{ "Apple Computer",					&CSSMOID_OrganizationName },
-	{ "The Big Cheese",					&CSSMOID_Title }
-};
-#define NUM_ROOT_NAMES	(sizeof(rootRdn) / sizeof(CSSM_APPLE_TP_NAME_OID))
-
-#define SUBJ_COMMON_NAME	"something.org"
-
-CSSM_APPLE_TP_NAME_OID subjRdn[] = 
-{
-	{ "Apple Computer",					&CSSMOID_OrganizationName },
-	/* overridden when creating the cert */
-	{ NULL,								&CSSMOID_CommonName }
-};
-#define SUBJ_COMMON_NAME_DEX	1
-
-#define NUM_SUBJ_NAMES	(sizeof(subjRdn) / sizeof(CSSM_APPLE_TP_NAME_OID))
-
-
-/*
- * Test cases
- */
-typedef struct {
-	/* test description */
-	const char		*testDesc;
-	
-	/* host names for leaf cert - zero or one of these */
-	const char		*certDnsName;
-	const char		*certIpAddr;
-	
-	/* subject common name */
-	const char		*commonName;
-	
-	/* host name for CertGroupVerify */
-	const char		*vfyHostName;
-	
-	/* expected error - NULL or e.g. "CSSMERR_APPLETP_CRL_NOT_TRUSTED" */
-	const char		*expectErrStr;
-	
-	/* one optional per-cert error string */
-	const char		*certErrorStr;
-	
-} SSN_TestCase;
-
-SSN_TestCase testCases[] = 
-{
-	{
-		"DNS Name foo.bar, vfyName foo.bar",
-		"foo.bar", NULL, SUBJ_COMMON_NAME, "foo.bar",
-		NULL, 
-		NULL
-	},
-	{
-		"DNS Name foo.bar, vfyName something.org, expect fail due to "
-			"DNS present",
-		"foo.bar", NULL, SUBJ_COMMON_NAME, "something.org",
-		"CSSMERR_APPLETP_HOSTNAME_MISMATCH", 
-		"0:CSSMERR_APPLETP_HOSTNAME_MISMATCH"
-	},
-	{
-		"DNS Name foo.bar, vfyName foo.foo.bar, expect fail",
-		"foo.bar", NULL, SUBJ_COMMON_NAME, "foo.foo.bar",
-		"CSSMERR_APPLETP_HOSTNAME_MISMATCH", 
-		"0:CSSMERR_APPLETP_HOSTNAME_MISMATCH"
-	},
-	{
-		"IP Name 1.0.5.8, vfyName 1.0.5.8",
-		NULL, "1.0.5.8", SUBJ_COMMON_NAME, "1.0.5.8",
-		NULL, 
-		NULL
-	},
-	{
-		"IP Name 1.0.5.8, vfyName 1.00.5.008",
-		NULL, "1.0.5.8", SUBJ_COMMON_NAME, "1.00.5.008",
-		NULL, 
-		NULL
-	},
-	{
-		"IP Name 1.0.5.8, vfyName something.org",
-		NULL, "1.0.5.8", SUBJ_COMMON_NAME, "something.org",
-		NULL, 
-		NULL
-	},
-	{
-		"IP Name 1.0.5.8, vfyName 2.0.5.8, expect fail",
-		NULL, "1.0.5.8", SUBJ_COMMON_NAME, "2.0.5.8",
-		"CSSMERR_APPLETP_HOSTNAME_MISMATCH", 
-		"0:CSSMERR_APPLETP_HOSTNAME_MISMATCH"
-	},
-	{
-		"DNS Name *.foo.bar, vfyName bar.foo.bar",
-		"*.foo.bar", NULL, SUBJ_COMMON_NAME, "bar.foo.bar",
-		NULL, 
-		NULL
-	},
-	{
-		"DNS Name *.foo.bar, vfyName foo.bar, expect fail",
-		"*.foo.bar", NULL, SUBJ_COMMON_NAME, "foo.bar",
-		"CSSMERR_APPLETP_HOSTNAME_MISMATCH", 
-		"0:CSSMERR_APPLETP_HOSTNAME_MISMATCH"
-	},
-	{
-		"DNS Name *foo.bar, vfyName barfoo.bar",
-		"*foo.bar", NULL, SUBJ_COMMON_NAME, "barfoo.bar",
-		NULL, 
-		NULL
-	},
-	{
-		"DNS Name *foo*.bar, vfyName barfoo.bar",
-		"*foo*.bar", NULL, SUBJ_COMMON_NAME, "barfoo.bar",
-		NULL, 
-		NULL
-	},
-	{
-		"DNS Name *foo*.bar, vfyName foobar.bar",
-		"*foo*.bar", NULL, SUBJ_COMMON_NAME, "foobar.bar",
-		NULL, 
-		NULL
-	},
-	{
-		"DNS Name *foo*.bar, vfyName foo.bar",
-		"*foo*.bar", NULL, SUBJ_COMMON_NAME, "foo.bar",
-		NULL, 
-		NULL
-	},
-	{
-		"DNS Name *foo.bar, vfyName bar.foo.bar, should fail",
-		"*foo.bar", NULL, SUBJ_COMMON_NAME, "bar.foo.bar",
-		"CSSMERR_APPLETP_HOSTNAME_MISMATCH", 
-		"0:CSSMERR_APPLETP_HOSTNAME_MISMATCH"
-	},
-	{
-		"DNS Name *foo.bar, vfyName foobar.bar, should fail",
-		"*foo.bar", NULL, SUBJ_COMMON_NAME, "foobar.bar",
-		"CSSMERR_APPLETP_HOSTNAME_MISMATCH", 
-		"0:CSSMERR_APPLETP_HOSTNAME_MISMATCH"
-	},
-	{
-		"No DNS or IP name, commonName = vfyName = 1.0.5.8",
-		NULL, NULL, "1.0.5.8", "1.0.5.8",
-		"CSSMERR_APPLETP_HOSTNAME_MISMATCH", 
-		"0:CSSMERR_APPLETP_HOSTNAME_MISMATCH"
-	},
-};
-
-#define NUM_TEST_CASES	(sizeof(testCases) / sizeof(SSN_TestCase))
-
-/*
- * Convert a string containing a dotted IP address to 4 bytes.
- * Returns nonzero on error.
- * FIXME - should handle 16-byte IP addresses. 
- */
-static int convertIp(
-	const char 	*str,
-	uint8 		*buf)
-{
-	char cbuf[4];
-	for(unsigned dex=0; dex<3; dex++) {
-		char *nextDot = strchr(str, '.');
-		if(nextDot == NULL) {
-			return 1;
-		}
-		memset(cbuf, 0, sizeof(cbuf));
-		memmove(cbuf, str, nextDot - str);
-		*buf = atoi(cbuf);
-		buf++;				// next out char
-		str = nextDot + 1;	// next in char after dot
-		
-	}
-	/* str points to last char */
-	if(str == NULL) {
-		return 1;
-	}
-	*buf = atoi(str);
-	return 0;
-}
-
-/*
- * Generate a pair of certs.
- */
-static CSSM_RETURN genCerts(
-	CSSM_CL_HANDLE	clHand,
-	CSSM_CSP_HANDLE	cspHand,	
-	CSSM_TP_HANDLE	tpHand,	
-	CSSM_KEY_PTR	rootPrivKey,
-	CSSM_KEY_PTR	rootPubKey,
-	CSSM_KEY_PTR	subjPubKey,
-	/* one of these goes into leaf's subjectAltName */
-	const char		*subjIpAddr,
-	const char		*subjDnsName,
-	const char		*commonName,
-	CSSM_DATA		&rootCert,		// RETURNED
-	CSSM_DATA		&subjCert)		// RETURNED
-	
-{
-	CSSM_DATA					refId;	
-								// mallocd by CSSM_TP_SubmitCredRequest
-	CSSM_RETURN					crtn;
-	CSSM_APPLE_TP_CERT_REQUEST	certReq;
-	CSSM_TP_REQUEST_SET			reqSet;
-	sint32						estTime;
-	CSSM_BOOL					confirmRequired;
-	CSSM_TP_RESULT_SET_PTR		resultSet;
-	CSSM_ENCODED_CERT			*encCert;
-	CSSM_TP_CALLERAUTH_CONTEXT 	CallerAuthContext;
-	CSSM_FIELD					policyId;
-	CE_GeneralNames				genNames;
-	CE_GeneralName				genName;
-	uint8						ipNameBuf[4];
-	/* 
-	 * Two extensions. Subject has two (KeyUsage and possibly 
-	 * subjectAltName); root has KeyUsage and  BasicConstraints.
-	 */
-	CE_DataAndType 				rootExts[2];
-	CE_DataAndType 				leafExts[2];
-	unsigned					numLeafExts;
-	
-	if(subjIpAddr && subjDnsName) {
-		printf("***Max of one of {subjIpAddr, subjDnsName} at a "
-			"time, please.\n");
-		exit(1);
-	}
-	if(subjIpAddr) {
-		if(convertIp(subjIpAddr, ipNameBuf)) {
-			printf("**Malformed IP address. Aborting.\n");
-			exit(1);
-		}
-	}
-	
-	/* A KeyUsage extension for both certs */
-	rootExts[0].type = DT_KeyUsage;
-	rootExts[0].critical = CSSM_FALSE;
-	rootExts[0].extension.keyUsage = 
-		CE_KU_DigitalSignature | CE_KU_KeyCertSign;
-
-	leafExts[0].type = DT_KeyUsage;
-	leafExts[0].critical = CSSM_FALSE;
-	leafExts[0].extension.keyUsage =  CE_KU_DigitalSignature;
-
-	/* BasicConstraints for root only */
-	rootExts[1].type = DT_BasicConstraints;
-	rootExts[1].critical = CSSM_TRUE;
-	rootExts[1].extension.basicConstraints.cA = CSSM_TRUE;
-	rootExts[1].extension.basicConstraints.pathLenConstraintPresent = 
-			CSSM_TRUE;
-	rootExts[1].extension.basicConstraints.pathLenConstraint = 2;
-
-	/* possible subjectAltName for leaf */
-	numLeafExts = 1;
-	if(subjIpAddr || subjDnsName) {
-		numLeafExts++;
-		leafExts[1].type = DT_SubjectAltName;
-		leafExts[1].critical = CSSM_TRUE;
-		
-		genName.berEncoded = CSSM_FALSE;
-		if(subjIpAddr) {
-			genName.name.Data = (uint8 *)ipNameBuf;
-			genName.name.Length = 4;
-			genName.nameType = GNT_IPAddress;
-		}
-		else {
-			genName.name.Data = (uint8 *)subjDnsName;
-			genName.nameType = GNT_DNSName;
-			genName.name.Length = strlen(subjDnsName);
-		}
-		genNames.numNames = 1;
-		genNames.generalName = &genName;
-		leafExts[1].extension.subjectAltName = genNames;
-	}
-	
-	/* certReq for root */
-	memset(&certReq, 0, sizeof(CSSM_APPLE_TP_CERT_REQUEST));
-	certReq.cspHand = cspHand;
-	certReq.clHand = clHand;
-	certReq.serialNumber = 0x12345678;
-	certReq.numSubjectNames = NUM_ROOT_NAMES;
-	certReq.subjectNames = rootRdn;
-	certReq.numIssuerNames = 0;
-	certReq.issuerNames = NULL;
-	certReq.certPublicKey = rootPubKey;
-	certReq.issuerPrivateKey = rootPrivKey;
-	certReq.signatureAlg = SIG_ALG_DEFAULT;
-	certReq.signatureOid = SIG_OID_DEFAULT;
-	certReq.notBefore = 0;			// now
-	certReq.notAfter = 10000;		// seconds from now
-	certReq.numExtensions = 2;
-	certReq.extensions = rootExts;
-	
-	reqSet.NumberOfRequests = 1;
-	reqSet.Requests = &certReq;
-	
-	/* a big CSSM_TP_CALLERAUTH_CONTEXT just to specify an OID */
-	memset(&CallerAuthContext, 0, sizeof(CSSM_TP_CALLERAUTH_CONTEXT));
-	memset(&policyId, 0, sizeof(CSSM_FIELD));
-	policyId.FieldOid = CSSMOID_APPLE_TP_LOCAL_CERT_GEN;
-	CallerAuthContext.Policy.NumberOfPolicyIds = 1;
-	CallerAuthContext.Policy.PolicyIds = &policyId;
-	
-	/* generate root cert */
-	crtn = CSSM_TP_SubmitCredRequest(tpHand,
-		NULL,				// PreferredAuthority
-		CSSM_TP_AUTHORITY_REQUEST_CERTISSUE,
-		&reqSet,
-		&CallerAuthContext,	
-		&estTime,
-		&refId);
-	if(crtn) {
-		printError("CSSM_TP_SubmitCredRequest", crtn);
-		return crtn;
-	}
-	crtn = CSSM_TP_RetrieveCredResult(tpHand,
-		&refId,
-		NULL,				// CallerAuthCredentials
-		&estTime,
-		&confirmRequired,
-		&resultSet);
-	if(crtn) {
-		printError("CSSM_TP_RetrieveCredResult", crtn);
-		return crtn;
-	}
-	if(resultSet == NULL) {
-		printf("***CSSM_TP_RetrieveCredResult returned NULL result set.\n");
-		return crtn;
-	}
-	encCert = (CSSM_ENCODED_CERT *)resultSet->Results;
-	rootCert = encCert->CertBlob;
-
-	/* now a subject cert signed by the root cert */
-	certReq.serialNumber = 0x8765;
-	certReq.numSubjectNames = NUM_SUBJ_NAMES;
-	subjRdn[SUBJ_COMMON_NAME_DEX].string = commonName;
-	certReq.subjectNames = subjRdn;
-	certReq.numIssuerNames = NUM_ROOT_NAMES;
-	certReq.issuerNames = rootRdn;
-	certReq.certPublicKey = subjPubKey;
-	certReq.issuerPrivateKey = rootPrivKey;
-	certReq.numExtensions = numLeafExts;
-	certReq.extensions = leafExts;
-
-	crtn = CSSM_TP_SubmitCredRequest(tpHand,
-		NULL,				// PreferredAuthority
-		CSSM_TP_AUTHORITY_REQUEST_CERTISSUE,
-		&reqSet,
-		&CallerAuthContext,
-		&estTime,
-		&refId);
-	if(crtn) {
-		printError("CSSM_TP_SubmitCredRequest (2)", crtn);
-		return crtn;
-	}
-	crtn = CSSM_TP_RetrieveCredResult(tpHand,
-		&refId,
-		NULL,				// CallerAuthCredentials
-		&estTime,
-		&confirmRequired,
-		&resultSet);		// leaks.....
-	if(crtn) {
-		printError("CSSM_TP_RetrieveCredResult (2)", crtn);
-		return crtn;
-	}
-	if(resultSet == NULL) {
-		printf("***CSSM_TP_RetrieveCredResult (2) returned NULL "
-				"result set.\n");
-		return crtn;
-	}
-	encCert = (CSSM_ENCODED_CERT *)resultSet->Results;
-	subjCert = encCert->CertBlob;
-
-	return CSSM_OK;
-}
-
-int main(int argc, char **argv)
-{
-	CSSM_CL_HANDLE	clHand;			// CL handle
-	CSSM_CSP_HANDLE	cspHand;		// CSP handle
-	CSSM_TP_HANDLE	tpHand;			// TP handle
-	CSSM_DATA		rootCert;		
-	CSSM_DATA		subjCert;	
-	CSSM_KEY		subjPubKey;		// subject's RSA public key blob
-	CSSM_KEY		subjPrivKey;	// subject's RSA private key - ref format
-	CSSM_KEY		rootPubKey;		// root's RSA public key blob
-	CSSM_KEY		rootPrivKey;	// root's RSA private key - ref format
-	CSSM_RETURN		crtn = CSSM_OK;
-	int				vfyRtn = 0;
-	int				arg;
-	SSN_TestCase	*testCase;
-	unsigned		testNum;
-	
-	CSSM_BOOL		quiet = CSSM_FALSE;
-	CSSM_BOOL		verbose = CSSM_FALSE;
-	CSSM_BOOL		writeCerts = CSSM_FALSE;
-	
-	for(arg=1; arg<argc; arg++) {
-		char *argp = argv[arg];
-		switch(argp[0]) {
-			case 'q':
-				quiet = CSSM_TRUE;
-				break;
-			case 'v':
-				verbose = CSSM_TRUE;
-				break;
-			case 'w':
-				writeCerts = CSSM_TRUE;
-				break;
-			default:
-				usage(argv);
-		}
-	}
-	
-	testStartBanner("sslSubjName", argc, argv);
-	
-	/* connect to CL, TP, and CSP */
-	clHand = clStartup();
-	if(clHand == 0) {
-		return 0;
-	}
-	tpHand = tpStartup();
-	if(tpHand == 0) {
-		return 0;
-	}
-	cspHand = cspStartup();
-	if(cspHand == 0) {
-		return 0;
-	}
-
-	/* subsequent errors to abort: to detach */
-	
-	/* cook up an RSA key pair for the subject */
-	crtn = cspGenKeyPair(cspHand,
-		KEY_ALG_DEFAULT,
-		SUBJ_KEY_LABEL,
-		strlen(SUBJ_KEY_LABEL),
-		KEY_SIZE_DEFAULT,
-		&subjPubKey,
-		CSSM_FALSE,			// pubIsRef
-		CSSM_KEYUSE_VERIFY,
-		CSSM_KEYBLOB_RAW_FORMAT_NONE,
-		&subjPrivKey,
-		CSSM_TRUE,			// privIsRef - doesn't matter
-		CSSM_KEYUSE_SIGN,
-		CSSM_KEYBLOB_RAW_FORMAT_NONE,
-		CSSM_FALSE);
-	if(crtn) {
-		return crtn;
-	}
-
-	/* and the root */
-	crtn = cspGenKeyPair(cspHand,
-		KEY_ALG_DEFAULT,
-		ROOT_KEY_LABEL,
-		strlen(ROOT_KEY_LABEL),
-		KEY_SIZE_DEFAULT,
-		&rootPubKey,
-		CSSM_FALSE,			// pubIsRef
-		CSSM_KEYUSE_VERIFY,
-		CSSM_KEYBLOB_RAW_FORMAT_NONE,
-		&rootPrivKey,
-		CSSM_TRUE,			// privIsRef - doesn't matter
-		CSSM_KEYUSE_SIGN,
-		CSSM_KEYBLOB_RAW_FORMAT_NONE,
-		CSSM_FALSE);
-	if(crtn) {
-		goto abort;
-	}
-
-	for(testNum=0; testNum<NUM_TEST_CASES; testNum++) {
-		testCase = &testCases[testNum];
-		if(!quiet) {
-			printf("%s\n", testCase->testDesc);
-		}
-		crtn = genCerts(clHand, cspHand, tpHand,
-			&rootPrivKey, &rootPubKey, &subjPubKey,
-			testCase->certIpAddr, testCase->certDnsName, testCase->commonName,
-			rootCert, subjCert);
-		BlobList leaf;
-		BlobList root;
-		/* BlobList uses regular free() on the referent of the blobs */
-		leaf.addBlob(subjCert, CSSM_TRUE);
-		root.addBlob(rootCert, CSSM_TRUE);
-		if(crtn) {
-			if(testError(quiet)) {
-				break;
-			}
-		}
-		if(writeCerts) {
-			if(writeFile(CERT_FILE, subjCert.Data, subjCert.Length)) {
-				printf("***Error writing cert to %s\n", CERT_FILE);
-			}
-			else {
-				printf("...wrote %lu bytes to %s\n", subjCert.Length, CERT_FILE);
-			}
-		}
-		vfyRtn = certVerifySimple(tpHand, clHand, cspHand,
-			leaf, root,
-			CSSM_FALSE,		// useSystemAnchors
-			CSSM_FALSE,		// leafCertIsCA
-			CSSM_FALSE,		// allow expired root
-			CVP_SSL,
-			testCase->vfyHostName,
-			CSSM_FALSE,		// sslClient
-			NULL,
-			NULL,
-			testCase->expectErrStr,
-			testCase->certErrorStr ? 1 : 0,
-			testCase->certErrorStr ? (const char **)&testCase->certErrorStr :
-				NULL,
-			0, NULL,		// certStatus
-			CSSM_FALSE,		// trustSettings
-			quiet,
-			verbose);
-		if(vfyRtn) {
-			if(testError(quiet)) {
-				break;
-			}
-		}
-		/* cert data freed by ~BlobList */
-	}
-
-	/* free keys */
-	cspFreeKey(cspHand, &rootPubKey);
-	cspFreeKey(cspHand, &rootPrivKey);
-	cspFreeKey(cspHand, &subjPubKey);
-	cspFreeKey(cspHand, &subjPrivKey);
-
-abort:
-	if(cspHand != 0) {
-		CSSM_ModuleDetach(cspHand);
-	}
-	if(clHand != 0) {
-		CSSM_ModuleDetach(clHand);
-	}
-	if(tpHand != 0) {
-		CSSM_ModuleDetach(tpHand);
-	}
-	if(!vfyRtn && !crtn && !quiet) {
-		printf("...test passed\n");
-	}
-	return 0;
-}
-
-