/*
* Verify proper asymmetric key wrap !EXTRACTABLE handling.
*
* Gen unwrapped ref key, !CSSM_KEYATTR_EXTRACTABLE;
* Gen wrapping key - a simple DES key;
* vfy you can't wrap unwrappedKey with wrappingKey;
*/
int asymBadWrapTest(
CSSM_CSP_HANDLE cspHand,
CSSM_ALGORITHMS alg,
const char *keyAlgStr,
uint32 keySizeInBits,
CSSM_BOOL quiet)
{
CSSM_KEY pubKey;
CSSM_KEY privKey;
if(!quiet) {
printf(" ...testing access to !EXTRACTABLE key bits via CUSTOM wrap\n");
}
/* gen ref key, CSSM_KEYATTR_SENSITIVE, !EXTRACTABLE */
if(genKeyPair(cspHand, alg, keyAlgStr, keySizeInBits,
&pubKey, CSSM_KEYATTR_RETURN_REF | CSSM_KEYATTR_EXTRACTABLE,
CSSM_KEYUSE_ANY,
&privKey, CSSM_KEYATTR_RETURN_REF | CSSM_KEYATTR_SENSITIVE,
CSSM_KEYUSE_ANY,
CSSM_OK, quiet, CSSM_FALSE, "RETURN_REF | SENSITIVE")) {
return 1;
}
if(badWrapTest(cspHand,
&privKey,
CSSM_KEYBLOB_WRAPPED_FORMAT_APPLE_CUSTOM,
quiet, keyAlgStr,
"!EXTRACTABLE wrap")) {
return 1;
}
cspFreeKey(cspHand, &privKey);
cspFreeKey(cspHand, &pubKey);
return 0;
}
/*
* Generate public and private ref keys, munge various fields in the header,
* verify that attempts to use the munged key result in
* CSSMERR_CSP_INVALID_KEY_REFERENCE.
*/
int asymHeaderTest(
CSSM_CSP_HANDLE cspHand,
CSSM_ALGORITHMS keyAlg,
const char *keyAlgStr,
CSSM_ALGORITHMS encrAlg,
CSSM_ALGORITHMS signAlg,
uint32 keySizeInBits,
CSSM_BOOL quiet)
{
CSSM_KEY privKey;
CSSM_KEY pubKey;
if(!quiet) {
printf(" ...testing munged ref key header\n");
}
if(genKeyPair(cspHand, keyAlg, keyAlgStr, keySizeInBits,
&pubKey, CSSM_KEYATTR_RETURN_REF | CSSM_KEYATTR_EXTRACTABLE,
CSSM_KEYUSE_ANY,
&privKey, CSSM_KEYATTR_RETURN_REF | CSSM_KEYATTR_EXTRACTABLE,
CSSM_KEYUSE_ANY,
CSSM_OK, quiet, CSSM_FALSE, "RETURN_REF")) {
return 1;
}
if(badHdrTest(cspHand, &privKey, quiet, keyAlgStr)) {
return 1;
}
if(badHdrTest(cspHand, &pubKey, quiet, keyAlgStr)) {
return 1;
}
cspFreeKey(cspHand, &privKey);
cspFreeKey(cspHand, &pubKey);
return 0;
}
/*
* Verify asymmetric key null wrap behavior:
* gen ref key, CSSM_KEYATTR_SENSITIVE, vfy you can't do null wrap;
* gen ref key, !CSSM_KEYATTR_EXTRACTABLE, vfy you can't do null wrap;
*/
static int asymNullWrapTest(
CSSM_CSP_HANDLE cspHand,
CSSM_ALGORITHMS alg,
const char *keyAlgStr,
uint32 keySizeInBits,
CSSM_BOOL quiet)
{
CSSM_KEY pubKey;
CSSM_KEY privKey;
if(!quiet) {
printf(" ...testing access to inaccessible key bits via NULL wrap\n");
}
/* gen priv ref key, CSSM_KEYATTR_SENSITIVE, vfy you can't do null wrap */
if(genKeyPair(cspHand, alg, keyAlgStr, keySizeInBits,
&pubKey, CSSM_KEYATTR_RETURN_REF | CSSM_KEYATTR_EXTRACTABLE,
CSSM_KEYUSE_ANY,
&privKey, CSSM_KEYATTR_RETURN_REF | CSSM_KEYATTR_SENSITIVE,
CSSM_KEYUSE_ANY,
CSSM_OK, quiet, CSSM_FALSE, "RETURN_REF | SENSITIVE")) {
return 1;
}
if(nullWrapTest(cspHand, &privKey, quiet, CSSMERR_CSP_INVALID_KEYATTR_MASK,
keyAlgStr, "SENSITIVE")) {
return 1;
}
cspFreeKey(cspHand, &privKey);
cspFreeKey(cspHand, &pubKey);
/* gen priv ref key, !CSSM_KEYATTR_EXTRACTABLE, vfy you can't do null wrap */
if(genKeyPair(cspHand, alg, keyAlgStr, keySizeInBits,
&pubKey, CSSM_KEYATTR_RETURN_REF | CSSM_KEYATTR_EXTRACTABLE,
CSSM_KEYUSE_ANY,
&privKey, CSSM_KEYATTR_RETURN_REF /* | !EXTRACTABLE */, CSSM_KEYUSE_ANY,
CSSM_OK, quiet, CSSM_FALSE, "RETURN_REF | !EXTRACTABLE")) {
return 1;
}
if(nullWrapTest(cspHand, &privKey, quiet, CSSMERR_CSP_INVALID_KEYATTR_MASK,
keyAlgStr, "!EXTRACTABLE")) {
return 1;
}
cspFreeKey(cspHand, &privKey);
cspFreeKey(cspHand, &pubKey);
return 0;
}
BOOL genKeyPair( PROV_CTX* pProvCtx, KEY_INFO* pKey ){
if ( pKey->algId != CALG_GOST_SIGN ){
SetLastError( NTE_BAD_ALGID );
return FALSE;
}
if ( pKey->hKeyInformation == NULL ){
SetLastError( NTE_BAD_KEY_STATE );
return FALSE;
}
CONTAINER_IRZ *pContainerIRZ = (CONTAINER_IRZ*) pProvCtx->pContainer->hServiceInformation;
KEY_SIGN_INFO *pKeyInfo = (KEY_SIGN_INFO*) pKey->hKeyInformation;
// Generate key pair in proper.
if ( pKeyInfo->pPrKey != NULL || pKeyInfo->pPubKey != NULL ){
DEBUG( 1, "While generating key pair: Key already exists." );
}
if ( !genKeyPair( &pKeyInfo->pPubKey, &(pKeyInfo->pPrKey), &pKeyInfo->params, &pContainerIRZ->rand ) ){
SetLastError( NTE_FAIL );
return FALSE;
}
// Write the key to the token.
LPSTR szPrKey = new CHAR[PRIVATEKEY_CHAR_LEN+1];
LPSTR szPubKey = new CHAR[PUBLICKEY_CHAR_LEN+1];
if ( !privateKeyToString( pKeyInfo, szPrKey ) ){
/* \todo release resources.*/
SetLastError( NTE_FAIL );
return FALSE;
}
if ( !pubKeyToString( pKeyInfo, szPubKey ) ){
/* \todo release resources.*/
SetLastError( NTE_FAIL );
return FALSE;
}
WritePrivateProfileStringA(
"PRIVATEKEY",
"PRIVATEKEY",
szPrKey,
pContainerIRZ->szToken);
WritePrivateProfileStringA(
"PUBLICKEY",
"PUBLICKEY",
szPubKey,
pContainerIRZ->szToken);
delete[] szPrKey;
delete[] szPubKey;
return TRUE;
}
/*
* Generate key pair, specified pub key attr and expected result, standard
* "good" priv key attr. Used by asymAttrTest().
*/
static int pubKeyAttrTest(
CSSM_CSP_HANDLE cspHand,
CSSM_ALGORITHMS alg,
const char *keyAlgStr,
uint32 keySizeInBits,
CSSM_KEYATTR_FLAGS pubKeyAttr,
CSSM_RETURN expectRtn,
CSSM_BOOL quiet,
const char *testStr)
{
CSSM_KEY pubKey;
CSSM_KEY privKey;
return genKeyPair(cspHand, alg, keyAlgStr, keySizeInBits,
&pubKey, pubKeyAttr, CSSM_KEYUSE_ANY,
&privKey, CSSM_KEYATTR_RETURN_REF | CSSM_KEYATTR_SENSITIVE, CSSM_KEYUSE_ANY,
expectRtn, quiet, CSSM_TRUE, testStr);
}
int main(int argc, char **argv)
{
bool verbose = false;
int arg;
while ((arg = getopt(argc, argv, "vh")) != -1) {
switch (arg) {
case 'v':
verbose = true;
break;
case 'h':
usage(argv);
}
}
if(optind != argc) {
usage(argv);
}
printNoDialog();
/* initial setup */
verboseDisp(verbose, "deleting keychain");
unlink(KEYCHAIN_NAME);
verboseDisp(verbose, "creating keychain");
SecKeychainRef kcRef = NULL;
OSStatus ortn = SecKeychainCreate(KEYCHAIN_NAME,
strlen(KEYCHAIN_PWD), KEYCHAIN_PWD,
false, NULL, &kcRef);
if(ortn) {
cssmPerror("SecKeychainCreate", ortn);
exit(1);
}
/*
* 1. Generate key pair with cleartext public key.
* Ensure we can use the public key when keychain is locked with no
* user interaction.
*/
/* generate key pair, cleartext public key */
verboseDisp(verbose, "creating key pair, cleartext public key");
SecKeyRef pubKeyRef = NULL;
SecKeyRef privKeyRef = NULL;
if(genKeyPair(false, kcRef, &pubKeyRef, &privKeyRef)) {
exit(1);
}
/* Use generated cleartext public key with locked keychain */
verboseDisp(verbose, "locking keychain, exporting public key");
SecKeychainLock(kcRef);
CFDataRef exportData = NULL;
ortn = SecKeychainItemExport(pubKeyRef, kSecFormatOpenSSL, 0, NULL, &exportData);
if(ortn) {
cssmPerror("SecKeychainCreate", ortn);
exit(1);
}
CFRelease(exportData);
verboseDisp(verbose, "locking keychain, encrypting with public key");
SecKeychainLock(kcRef);
if(pubKeyEncrypt(pubKeyRef)) {
exit(1);
}
/* reset */
verboseDisp(verbose, "deleting keys");
ortn = SecKeychainItemDelete((SecKeychainItemRef)pubKeyRef);
if(ortn) {
cssmPerror("SecKeychainItemDelete", ortn);
exit(1);
}
ortn = SecKeychainItemDelete((SecKeychainItemRef)privKeyRef);
if(ortn) {
cssmPerror("SecKeychainItemDelete", ortn);
exit(1);
}
CFRelease(pubKeyRef);
CFRelease(privKeyRef);
/*
* 2. Generate key pair with encrypted public key.
* Ensure that user interaction is required when we use the public key
* when keychain is locked.
*/
verboseDisp(verbose, "programmatically unlocking keychain");
ortn = SecKeychainUnlock(kcRef, strlen(KEYCHAIN_PWD), KEYCHAIN_PWD, TRUE);
if(ortn) {
cssmPerror("SecKeychainItemDelete", ortn);
exit(1);
}
/* generate key pair, encrypted public key */
verboseDisp(verbose, "creating key pair, encrypted public key");
if(genKeyPair(true, kcRef, &pubKeyRef, &privKeyRef)) {
exit(1);
}
/* Use generated encrypted public key with locked keychain */
verboseDisp(verbose, "locking keychain, exporting public key");
SecKeychainLock(kcRef);
printExpectDialog();
ortn = SecKeychainItemExport(pubKeyRef, kSecFormatOpenSSL, 0, NULL, &exportData);
if(ortn) {
cssmPerror("SecKeychainCreate", ortn);
exit(1);
}
/* we'll use that exported blob later to test import */
if(!didGetDialog()) {
exit(1);
}
verboseDisp(verbose, "locking keychain, encrypting with public key");
SecKeychainLock(kcRef);
printExpectDialog();
if(pubKeyEncrypt(pubKeyRef)) {
exit(1);
}
if(!didGetDialog()) {
exit(1);
}
/* reset */
printNoDialog();
verboseDisp(verbose, "locking keychain");
SecKeychainLock(kcRef);
verboseDisp(verbose, "deleting keys");
ortn = SecKeychainItemDelete((SecKeychainItemRef)pubKeyRef);
if(ortn) {
cssmPerror("SecKeychainItemDelete", ortn);
exit(1);
}
ortn = SecKeychainItemDelete((SecKeychainItemRef)privKeyRef);
if(ortn) {
cssmPerror("SecKeychainItemDelete", ortn);
exit(1);
}
CFRelease(pubKeyRef);
CFRelease(privKeyRef);
/*
* 3. Import public key, storing in cleartext. Ensure that the import
* doesn't require unlock, and ensure we can use the public key
* when keychain is locked with no user interaction.
*/
printNoDialog();
verboseDisp(verbose, "locking keychain");
SecKeychainLock(kcRef);
/* import public key - default is in the clear */
verboseDisp(verbose, "importing public key, store in the clear (default)");
CFArrayRef outArray = NULL;
SecExternalFormat format = kSecFormatOpenSSL;
SecExternalItemType type = kSecItemTypePublicKey;
ortn = SecKeychainItemImport(exportData,
NULL, &format, &type,
0, NULL,
kcRef, &outArray);
if(ortn) {
cssmPerror("SecKeychainItemImport", ortn);
exit(1);
}
CFRelease(exportData);
if(CFArrayGetCount(outArray) != 1) {
printf("***Unexpected outArray size (%ld) after import\n",
(long)CFArrayGetCount(outArray));
exit(1);
}
pubKeyRef = (SecKeyRef)CFArrayGetValueAtIndex(outArray, 0);
if(CFGetTypeID(pubKeyRef) != SecKeyGetTypeID()) {
printf("***Unexpected item type after import\n");
exit(1);
}
/* Use imported cleartext public key with locked keychain */
verboseDisp(verbose, "locking keychain, exporting public key");
SecKeychainLock(kcRef);
exportData = NULL;
ortn = SecKeychainItemExport(pubKeyRef, kSecFormatOpenSSL, 0, NULL, &exportData);
if(ortn) {
cssmPerror("SecKeychainItemExport", ortn);
exit(1);
}
/* we'll use exportData again */
verboseDisp(verbose, "locking keychain, encrypting with public key");
SecKeychainLock(kcRef);
if(pubKeyEncrypt(pubKeyRef)) {
exit(1);
}
/* reset */
verboseDisp(verbose, "deleting key");
ortn = SecKeychainItemDelete((SecKeychainItemRef)pubKeyRef);
if(ortn) {
cssmPerror("SecKeychainItemDelete", ortn);
exit(1);
}
CFRelease(pubKeyRef);
/*
* Import public key, storing in encrypted form.
* Ensure that user interaction is required when we use the public key
* when keychain is locked.
*/
/* import public key, encrypted in the keychain */
SecKeyImportExportParameters impExpParams;
memset(&impExpParams, 0, sizeof(impExpParams));
impExpParams.version = SEC_KEY_IMPORT_EXPORT_PARAMS_VERSION;
impExpParams.keyAttributes = CSSM_KEYATTR_RETURN_REF | CSSM_KEYATTR_EXTRACTABLE |
CSSM_KEYATTR_PERMANENT | CSSM_KEYATTR_PUBLIC_KEY_ENCRYPT;
verboseDisp(verbose, "importing public key, store encrypted");
printExpectDialog();
outArray = NULL;
format = kSecFormatOpenSSL;
type = kSecItemTypePublicKey;
ortn = SecKeychainItemImport(exportData,
NULL, &format, &type,
0, &impExpParams,
kcRef, &outArray);
if(ortn) {
cssmPerror("SecKeychainItemImport", ortn);
exit(1);
}
if(!didGetDialog()) {
exit(1);
}
CFRelease(exportData);
if(CFArrayGetCount(outArray) != 1) {
printf("***Unexpected outArray size (%ld) after import\n",
(long)CFArrayGetCount(outArray));
exit(1);
}
pubKeyRef = (SecKeyRef)CFArrayGetValueAtIndex(outArray, 0);
if(CFGetTypeID(pubKeyRef) != SecKeyGetTypeID()) {
printf("***Unexpected item type after import\n");
exit(1);
}
/* Use imported encrypted public key with locked keychain */
verboseDisp(verbose, "locking keychain, exporting public key");
SecKeychainLock(kcRef);
printExpectDialog();
ortn = SecKeychainItemExport(pubKeyRef, kSecFormatOpenSSL, 0, NULL, &exportData);
if(ortn) {
cssmPerror("SecKeychainItemExport", ortn);
exit(1);
}
if(!didGetDialog()) {
exit(1);
}
CFRelease(exportData);
verboseDisp(verbose, "locking keychain, encrypting with public key");
SecKeychainLock(kcRef);
printExpectDialog();
if(pubKeyEncrypt(pubKeyRef)) {
exit(1);
}
if(!didGetDialog()) {
exit(1);
}
SecKeychainDelete(kcRef);
printf("...test succeeded.\n");
return 0;
}
/*
* Given a KeyHashTest:
* -- cook up key pair, raw, specified formats
* -- NULL unwrap each raw to ref;
* -- obtain four key digests;
* -- ensure all digests match;
*/
static int doTest(
CSSM_CSP_HANDLE rawCspHand, // generate keys here
CSSM_CSP_HANDLE refCspHand, // null unwrap here
KeyHashTest *testParam,
CSSM_BOOL verbose,
CSSM_BOOL quiet)
{
CSSM_RETURN crtn;
CSSM_KEY pubKey;
CSSM_KEY privKey;
CSSM_KEY pubKeyRef;
CSSM_KEY privKeyRef;
CSSM_DATA_PTR rawPubHash;
CSSM_DATA_PTR rawPrivHash;
CSSM_DATA_PTR refPubHash;
CSSM_DATA_PTR refPrivHash;
int rtn = 0;
/* generate key pair, specified raw form */
crtn = genKeyPair(rawCspHand,
testParam->keyAlg,
testParam->keySizeInBits,
&pubKey,
testParam->pubKeyForm,
&privKey,
testParam->privKeyForm,
testParam->algParams);
if(crtn) {
return testError(quiet);
}
/* null unwrap both raw keys to ref form */
crtn = cspRawKeyToRef(refCspHand, &pubKey, &pubKeyRef);
if(crtn) {
return testError(quiet);
}
crtn = cspRawKeyToRef(refCspHand, &privKey, &privKeyRef);
if(crtn) {
return testError(quiet);
}
/* calculate four key digests */
crtn = cspKeyHash(rawCspHand, &pubKey, &rawPubHash);
if(crtn) {
return testError(quiet);
}
crtn = cspKeyHash(rawCspHand, &privKey, &rawPrivHash);
if(crtn) {
return testError(quiet);
}
crtn = cspKeyHash(refCspHand, &pubKeyRef, &refPubHash);
if(crtn) {
return testError(quiet);
}
crtn = cspKeyHash(refCspHand, &privKeyRef, &refPrivHash);
if(crtn) {
return testError(quiet);
}
if(verbose) {
printf("...raw pub key hash:\n");
dumpBuf(rawPubHash->Data, rawPubHash->Length);
printf("...ref pub key hash:\n");
dumpBuf(refPubHash->Data, refPubHash->Length);
printf("...raw priv key hash:\n");
dumpBuf(rawPrivHash->Data, rawPrivHash->Length);
printf("...ref priv key hash:\n");
dumpBuf(refPrivHash->Data, refPrivHash->Length);
}
/* compare */
rtn += compareKeyHashes(rawPubHash, "Raw public",
refPubHash, "Ref public", verbose);
rtn += compareKeyHashes(rawPrivHash, "Raw private",
refPrivHash, "Ref private", verbose);
rtn += compareKeyHashes(refPubHash, "Ref public",
refPrivHash, "Ref private", verbose);
if(rtn) {
rtn = testError(quiet);
}
cspFreeKey(rawCspHand, &pubKey);
cspFreeKey(rawCspHand, &privKey);
cspFreeKey(refCspHand, &pubKeyRef);
cspFreeKey(refCspHand, &privKeyRef);
appFreeCssmData(rawPubHash, CSSM_TRUE);
appFreeCssmData(rawPrivHash, CSSM_TRUE);
appFreeCssmData(refPubHash, CSSM_TRUE);
appFreeCssmData(refPrivHash, CSSM_TRUE);
return rtn;
}
int doAsymTests(
CSSM_CSP_HANDLE cspHand,
privAlg palg,
CSSM_BOOL refKeys,
CSSM_BOOL quiet)
{
CSSM_ALGORITHMS keyAlg;
CSSM_ALGORITHMS sigAlg;
CSSM_ALGORITHMS encrAlg;
CSSM_ENCRYPT_MODE encrMode;
CSSM_PADDING encrPad;
uint32 keySizeInBits;
const char *keyAlgStr;
privAlgToCssm(palg, &keyAlg, &sigAlg, &encrAlg, &encrMode,
&encrPad, &keySizeInBits, &keyAlgStr);
CSSM_KEY pubKey;
CSSM_KEY privKey;
int irtn;
CSSM_KEYATTR_FLAGS pubKeyAttr = CSSM_KEYATTR_EXTRACTABLE;
CSSM_KEYATTR_FLAGS privKeyAttr = CSSM_KEYATTR_EXTRACTABLE;
if(refKeys) {
pubKeyAttr |= CSSM_KEYATTR_RETURN_REF;
privKeyAttr |= CSSM_KEYATTR_RETURN_REF;
}
else {
pubKeyAttr |= CSSM_KEYATTR_RETURN_DATA;
privKeyAttr |= CSSM_KEYATTR_RETURN_DATA;
}
if(!quiet) {
printf("...testing %s with %s keys\n", keyAlgStr,
refKeys ? "Ref" : "Raw");
printf(" ...verifying empty Dates\n");
}
irtn = genKeyPair(cspHand, keyAlg, keyAlgStr, keySizeInBits,
&pubKey, pubKeyAttr, CSSM_KEYUSE_ANY,
&privKey, privKeyAttr, CSSM_KEYUSE_ANY,
quiet,
CSSM_FALSE, 0, // no StartDate
CSSM_FALSE, 0); // no EndDate
if(irtn) {
return irtn;
}
irtn = doEncrypt(cspHand, keyAlgStr, &pubKey, encrAlg, encrMode,
encrPad, CSSM_OK, quiet);
if(irtn) {
printf("***Failure on encrypting with empty Key Dates\n");
return irtn;
}
irtn = doDecrypt(cspHand, keyAlgStr, &privKey, encrAlg, encrMode,
encrPad, DR_BadData, quiet);
if(irtn) {
printf("***Failure on decrypting with empty Key Dates\n");
return irtn;
}
irtn = doSign(cspHand, keyAlgStr, &privKey, sigAlg,
CSSM_OK, quiet);
if(irtn) {
printf("***Failure on signing with empty Key Dates\n");
return irtn;
}
irtn = doVerify(cspHand, keyAlgStr, &pubKey, sigAlg,
KD_VERIFY_FAIL_ERR, quiet);
if(irtn) {
printf("***Failure on verifying with empty Key Dates\n");
return irtn;
}
cspFreeKey(cspHand, &pubKey);
cspFreeKey(cspHand, &privKey);
if(!quiet) {
printf(" ...verifying Good Dates\n");
}
irtn = genKeyPair(cspHand, keyAlg, keyAlgStr, keySizeInBits,
&pubKey, pubKeyAttr, CSSM_KEYUSE_ANY,
&privKey, privKeyAttr, CSSM_KEYUSE_ANY,
quiet,
CSSM_TRUE, 0, // StartDate = today
CSSM_TRUE, 1); // EndDate = tomorrow
if(irtn) {
return irtn;
}
irtn = doEncrypt(cspHand, keyAlgStr, &pubKey, encrAlg, encrMode,
encrPad, CSSM_OK, quiet);
if(irtn) {
printf("***Failure on encrypting with good Key Dates\n");
return irtn;
}
irtn = doDecrypt(cspHand, keyAlgStr, &privKey, encrAlg, encrMode,
encrPad, DR_BadData, quiet);
if(irtn) {
printf("***Failure on decrypting with Good Key Dates\n");
return irtn;
}
irtn = doSign(cspHand, keyAlgStr, &privKey, sigAlg,
CSSM_OK, quiet);
if(irtn) {
printf("***Failure on signing with Good Key Dates\n");
return irtn;
}
irtn = doVerify(cspHand, keyAlgStr, &pubKey, sigAlg,
KD_VERIFY_FAIL_ERR, quiet);
if(irtn) {
printf("***Failure on verifying with Good Key Dates\n");
return irtn;
}
cspFreeKey(cspHand, &pubKey);
cspFreeKey(cspHand, &privKey);
if(!quiet) {
printf(" ...verifying Bad StartDate\n");
}
irtn = genKeyPair(cspHand, keyAlg, keyAlgStr, keySizeInBits,
&pubKey, pubKeyAttr, CSSM_KEYUSE_ANY,
&privKey, privKeyAttr, CSSM_KEYUSE_ANY,
quiet,
CSSM_TRUE, 1, // StartDate = tomorrow
CSSM_TRUE, 1); // EndDate = tomorrow
if(irtn) {
return irtn;
}
irtn = doEncrypt(cspHand, keyAlgStr, &pubKey, encrAlg, encrMode,
encrPad, CSSMERR_CSP_APPLE_INVALID_KEY_START_DATE, quiet);
if(irtn) {
printf("***Failure on encrypting with bad StartDate\n");
return irtn;
}
irtn = doDecrypt(cspHand, keyAlgStr, &privKey, encrAlg, encrMode,
encrPad, DR_BadStartDate, quiet);
if(irtn) {
printf("***Failure on decrypting with bad StartDate\n");
return irtn;
}
irtn = doSign(cspHand, keyAlgStr, &privKey, sigAlg,
CSSMERR_CSP_APPLE_INVALID_KEY_START_DATE, quiet);
if(irtn) {
printf("***Failure on signing with bad StartDate\n");
return irtn;
}
irtn = doVerify(cspHand, keyAlgStr, &pubKey, sigAlg,
CSSMERR_CSP_APPLE_INVALID_KEY_START_DATE, quiet);
if(irtn) {
printf("***Failure on verifying with bad StartDate\n");
return irtn;
}
cspFreeKey(cspHand, &pubKey);
cspFreeKey(cspHand, &privKey);
if(!quiet) {
printf(" ...verifying Bad EndDate\n");
}
irtn = genKeyPair(cspHand, keyAlg, keyAlgStr, keySizeInBits,
&pubKey, pubKeyAttr, CSSM_KEYUSE_ANY,
&privKey, privKeyAttr, CSSM_KEYUSE_ANY,
quiet,
CSSM_TRUE, 0, // StartDate = today
CSSM_TRUE, -1); // EndDate = yesterday
if(irtn) {
return irtn;
}
irtn = doEncrypt(cspHand, keyAlgStr, &pubKey, encrAlg, encrMode,
encrPad, CSSMERR_CSP_APPLE_INVALID_KEY_END_DATE, quiet);
if(irtn) {
printf("***Failure on encrypting with bad EndDate\n");
return irtn;
}
irtn = doDecrypt(cspHand, keyAlgStr, &privKey, encrAlg, encrMode,
encrPad, DR_BadEndDate, quiet);
if(irtn) {
printf("***Failure on decrypting with bad EndDate\n");
return irtn;
}
irtn = doSign(cspHand, keyAlgStr, &privKey, sigAlg,
CSSMERR_CSP_APPLE_INVALID_KEY_END_DATE, quiet);
if(irtn) {
printf("***Failure on signing with bad EndDate\n");
return irtn;
}
irtn = doVerify(cspHand, keyAlgStr, &pubKey, sigAlg,
CSSMERR_CSP_APPLE_INVALID_KEY_END_DATE, quiet);
if(irtn) {
printf("***Failure on verifying with bad EndDate\n");
return irtn;
}
cspFreeKey(cspHand, &pubKey);
cspFreeKey(cspHand, &privKey);
return 0;
}
int doStoreTests(
CSSM_CSP_HANDLE cspHand, // must be CSPDL
CSSM_DL_DB_HANDLE dlDbHand,
privAlg palg,
CSSM_BOOL isAsym,
CSSM_BOOL quiet)
{
CSSM_ALGORITHMS keyAlg;
CSSM_ALGORITHMS signAlg;
CSSM_ALGORITHMS encrAlg;
CSSM_ENCRYPT_MODE encrMode;
CSSM_PADDING encrPad;
uint32 keySizeInBits;
const char *keyAlgStr;
privAlgToCssm(palg, &keyAlg, &signAlg, &encrAlg, &encrMode,
&encrPad, &keySizeInBits, &keyAlgStr);
CSSM_KEY symKey;
CSSM_KEY privKey;
CSSM_KEY pubKey;
int irtn;
CSSM_KEY_PTR lookupKey = NULL; // obtained from DB
CSSM_KEY_PTR compareKey; // &symKey or &pubKey
CT_KeyType lookupType;
CSSM_KEYATTR_FLAGS pubKeyAttr =
CSSM_KEYATTR_RETURN_REF | CSSM_KEYATTR_EXTRACTABLE |
CSSM_KEYATTR_PERMANENT;
CSSM_KEYATTR_FLAGS privKeyAttr =
CSSM_KEYATTR_RETURN_REF | CSSM_KEYATTR_PERMANENT;
if(!quiet) {
printf("...testing %s key storage\n", keyAlgStr);
printf(" ...verifying empty Dates\n");
}
if(isAsym) {
lookupType = CKT_Public;
compareKey = &pubKey;
irtn = genKeyPair(cspHand, keyAlg, keyAlgStr, keySizeInBits,
&pubKey, pubKeyAttr, CSSM_KEYUSE_ANY,
&privKey, privKeyAttr, CSSM_KEYUSE_ANY,
quiet,
CSSM_FALSE, 0, // no StartDate
CSSM_FALSE, 0, // no EndDate
&dlDbHand);
}
else {
lookupType = CKT_Session;
compareKey = &symKey;
irtn = genSymKey(cspHand, &symKey, keyAlg, keyAlgStr,
keySizeInBits,
CSSM_KEYATTR_RETURN_REF | CSSM_KEYATTR_PERMANENT,
CSSM_KEYUSE_ANY, quiet,
CSSM_FALSE, 0, // no StartDate
CSSM_FALSE, 0, // no EndDate
&dlDbHand);
}
if(irtn) {
return irtn;
}
/*
* fetch stored key from DB, ensure it has same start/end date
*/
if(fetchStoredKey(dlDbHand, lookupType,
compareKey, "Store key with empty Dates", quiet,
&lookupKey)) {
return 1;
}
/* quickie test, use it for encrypt */
irtn = doEncrypt(cspHand, keyAlgStr, lookupKey, encrAlg, encrMode,
encrPad, CSSM_OK, quiet);
if(irtn) {
printf("***Failure on encrypt, lookup with empty Key Dates\n");
return irtn;
}
/* free and delete everything */
if(isAsym) {
cspDeleteKey(cspHand, dlDbHand.DLHandle, dlDbHand.DBHandle,
&keyLabelData, &pubKey);
cspDeleteKey(cspHand, dlDbHand.DLHandle, dlDbHand.DBHandle,
&keyLabelData, &privKey);
}
else {
cspDeleteKey(cspHand, dlDbHand.DLHandle, dlDbHand.DBHandle,
&keyLabelData, &symKey);
}
cspFreeKey(cspHand, lookupKey);
/*********************/
if(!quiet) {
printf(" ...verifying Good Dates\n");
}
if(isAsym) {
lookupType = CKT_Public;
compareKey = &pubKey;
irtn = genKeyPair(cspHand, keyAlg, keyAlgStr, keySizeInBits,
&pubKey, pubKeyAttr, CSSM_KEYUSE_ANY,
&privKey, privKeyAttr, CSSM_KEYUSE_ANY,
quiet,
CSSM_TRUE, 0, // StartDate = today
CSSM_TRUE, 1, // EndDate = tomorrow
&dlDbHand);
}
else {
lookupType = CKT_Session;
compareKey = &symKey;
irtn = genSymKey(cspHand, &symKey, keyAlg, keyAlgStr,
keySizeInBits,
CSSM_KEYATTR_RETURN_REF | CSSM_KEYATTR_PERMANENT,
CSSM_KEYUSE_ANY, quiet,
CSSM_TRUE, 0, // StartDate = today
CSSM_TRUE, 1, // EndDate = tomorrow
&dlDbHand);
}
if(irtn) {
return irtn;
}
/*
* fetch stored key from DB, ensure it has same start/end date
*/
if(fetchStoredKey(dlDbHand, lookupType,
compareKey, "Store key with Good Dates", quiet,
&lookupKey)) {
return 1;
}
/* quickie test, use it for encrypt */
irtn = doEncrypt(cspHand, keyAlgStr, lookupKey, encrAlg, encrMode,
encrPad, CSSM_OK, quiet);
if(irtn) {
printf("***Failure on encrypt, lookup with Good Key Dates\n");
return irtn;
}
/* free and delete everything */
if(isAsym) {
cspDeleteKey(cspHand, dlDbHand.DLHandle, dlDbHand.DBHandle,
&keyLabelData, &pubKey);
cspDeleteKey(cspHand, dlDbHand.DLHandle, dlDbHand.DBHandle,
&keyLabelData, &privKey);
}
else {
cspDeleteKey(cspHand, dlDbHand.DLHandle, dlDbHand.DBHandle,
&keyLabelData, &symKey);
}
cspFreeKey(cspHand, lookupKey);
/*********************/
if(!quiet) {
printf(" ...verifying Bad StartDate\n");
}
if(isAsym) {
lookupType = CKT_Public;
compareKey = &pubKey;
irtn = genKeyPair(cspHand, keyAlg, keyAlgStr, keySizeInBits,
&pubKey, pubKeyAttr, CSSM_KEYUSE_ANY,
&privKey, privKeyAttr, CSSM_KEYUSE_ANY,
quiet,
CSSM_TRUE, 1, // StartDate = tomorrow
CSSM_TRUE, 1, // EndDate = tomorrow
&dlDbHand);
}
else {
lookupType = CKT_Session;
compareKey = &symKey;
irtn = genSymKey(cspHand, &symKey, keyAlg, keyAlgStr,
keySizeInBits,
CSSM_KEYATTR_RETURN_REF | CSSM_KEYATTR_PERMANENT,
CSSM_KEYUSE_ANY, quiet,
CSSM_TRUE, 1, // StartDate = tomorrow
CSSM_TRUE, 1, // EndDate = tomorrow
&dlDbHand);
}
if(irtn) {
return irtn;
}
/*
* fetch stored key from DB, ensure it has same start/end date
*/
if(fetchStoredKey(dlDbHand, lookupType,
compareKey, "Store key with Bad StartDate", quiet,
&lookupKey)) {
return 1;
}
/* quickie test, use it for encrypt */
irtn = doEncrypt(cspHand, keyAlgStr, lookupKey, encrAlg, encrMode,
encrPad, CSSMERR_CSP_APPLE_INVALID_KEY_START_DATE, quiet);
if(irtn) {
printf("***Failure on encrypt, lookup with Bad Start Dates\n");
return irtn;
}
/* free and delete everything */
if(isAsym) {
cspDeleteKey(cspHand, dlDbHand.DLHandle, dlDbHand.DBHandle,
&keyLabelData, &pubKey);
cspDeleteKey(cspHand, dlDbHand.DLHandle, dlDbHand.DBHandle,
&keyLabelData, &privKey);
}
else {
cspDeleteKey(cspHand, dlDbHand.DLHandle, dlDbHand.DBHandle,
&keyLabelData, &symKey);
}
cspFreeKey(cspHand, lookupKey);
/*********************/
if(!quiet) {
printf(" ...verifying Bad EndDate\n");
}
if(isAsym) {
lookupType = CKT_Public;
compareKey = &pubKey;
irtn = genKeyPair(cspHand, keyAlg, keyAlgStr, keySizeInBits,
&pubKey, pubKeyAttr, CSSM_KEYUSE_ANY,
&privKey, privKeyAttr, CSSM_KEYUSE_ANY,
quiet,
CSSM_TRUE, 0, // StartDate = today
CSSM_TRUE, -1, // EndDate = yesterday
&dlDbHand);
}
else {
lookupType = CKT_Session;
compareKey = &symKey;
irtn = genSymKey(cspHand, &symKey, keyAlg, keyAlgStr,
keySizeInBits,
CSSM_KEYATTR_RETURN_REF | CSSM_KEYATTR_PERMANENT,
CSSM_KEYUSE_ANY, quiet,
CSSM_TRUE, 0, // StartDate = today
CSSM_TRUE, -1, // EndDate = yesterday
&dlDbHand);
}
if(irtn) {
return irtn;
}
/*
* fetch stored key from DB, ensure it has same start/end date
*/
if(fetchStoredKey(dlDbHand, lookupType,
compareKey, "Store key with Bad EndDate", quiet,
&lookupKey)) {
return 1;
}
/* quickie test, use it for encrypt */
irtn = doEncrypt(cspHand, keyAlgStr, lookupKey, encrAlg, encrMode,
encrPad, CSSMERR_CSP_APPLE_INVALID_KEY_END_DATE, quiet);
if(irtn) {
printf("***Failure on encrypt, lookup with Bad End Dates\n");
return irtn;
}
/* free and delete everything */
if(isAsym) {
cspDeleteKey(cspHand, dlDbHand.DLHandle, dlDbHand.DBHandle,
&keyLabelData, &pubKey);
cspDeleteKey(cspHand, dlDbHand.DLHandle, dlDbHand.DBHandle,
&keyLabelData, &privKey);
}
else {
cspDeleteKey(cspHand, dlDbHand.DLHandle, dlDbHand.DBHandle,
&keyLabelData, &symKey);
}
cspFreeKey(cspHand, lookupKey);
return 0;
}
