int getCachedFields(TestParams *testParams)
{
CSSM_RETURN crtn;
CSSM_HANDLE cacheHand1;
CSSM_HANDLE cacheHand2;
unsigned fieldNum;
unsigned loopNum;
CSSM_DATA cert;
for(loopNum=0; loopNum<testParams->numLoops; loopNum++) {
if(testParams->verbose) {
printf("getCachedFields loop %d\n", loopNum);
}
else if(!testParams->quiet) {
printChar(testParams->progressChar);
}
/* get two cached certs */
cert.Data = certData;
cert.Length = certLength;
crtn = CSSM_CL_CertCache(testParams->clHand, &cert, &cacheHand1);
if(crtn) {
printError("CSSM_CL_CertCache(1)", crtn);
return 1;
}
crtn = CSSM_CL_CertCache(testParams->clHand, &cert, &cacheHand2);
if(crtn) {
printError("CSSM_CL_CertCache(2)", crtn);
return 1;
}
/* grind thru the known OIDs */
for(fieldNum=0; fieldNum<NUM_FIELD_OIDS; fieldNum++) {
int rtn = checkOneField(testParams->clHand,
cacheHand1,
cacheHand2,
fieldOids[fieldNum]);
if(rtn) {
return 1;
}
}
CSSM_CL_CertAbortCache(testParams->clHand, cacheHand1);
CSSM_CL_CertAbortCache(testParams->clHand, cacheHand2);
/* leak debug */
#if DO_PAUSE
fpurge(stdin);
printf("Hit CR to continue: ");
getchar();
#endif
} /* outer loop */
return 0;
}
/*
* Guess an incoming blob's type, format and (for keys only) algorithm
* by examining its contents. Returns true on success, in which case
* *inputFormat, *itemType, and *keyAlg are all valid. Caller optionally
* passes in valid values any number of these as a clue.
*/
bool impExpImportGuessByExamination(
CFDataRef inData,
SecExternalFormat *inputFormat, // may be kSecFormatUnknown on entry
SecExternalItemType *itemType, // may be kSecItemTypeUnknown on entry
CSSM_ALGORITHMS *keyAlg) // CSSM_ALGID_NONE - unknown
{
if( ( (*inputFormat == kSecFormatUnknown) ||
(*inputFormat == kSecFormatX509Cert)
) &&
( (*itemType == kSecItemTypeUnknown) ||
(*itemType == kSecItemTypeCertificate) ) ) {
/*
* See if it parses as a cert
*/
CSSM_CL_HANDLE clHand = cuClStartup();
if(clHand == 0) {
return CSSMERR_CSSM_ADDIN_LOAD_FAILED;
}
CSSM_HANDLE cacheHand;
CSSM_RETURN crtn;
CSSM_DATA cdata = { CFDataGetLength(inData),
(uint8 *)CFDataGetBytePtr(inData) };
crtn = CSSM_CL_CertCache(clHand, &cdata, &cacheHand);
bool brtn = false;
if(crtn == CSSM_OK) {
*inputFormat = kSecFormatX509Cert;
*itemType = kSecItemTypeCertificate;
SecImpInferDbg("Inferred kSecFormatX509Cert via CL");
CSSM_CL_CertAbortCache(clHand, cacheHand);
brtn = true;
}
cuClDetachUnload(clHand);
if(brtn) {
return true;
}
}
/* TBD: need way to inquire of P12 lib if this is a valid-looking PFX */
if( ( (*inputFormat == kSecFormatUnknown) ||
(*inputFormat == kSecFormatNetscapeCertSequence)
) &&
( (*itemType == kSecItemTypeUnknown) ||
(*itemType == kSecItemTypeAggregate) ) ) {
/* See if it's a netscape cert sequence */
CSSM_RETURN crtn = impExpNetscapeCertImport(inData, 0, NULL, NULL, NULL);
if(crtn == CSSM_OK) {
*inputFormat = kSecFormatNetscapeCertSequence;
*itemType = kSecItemTypeAggregate;
SecImpInferDbg("Inferred netscape-cert-sequence by decoding");
return true;
}
}
/* See if it's a key */
return impExpGuessKeyParams(inData, inputFormat, itemType, keyAlg);
}
/*
* No cert- or CDSA-related exceptions thrown by remainder.
* This is the core initializer: have the CL parse and cache the cert.
*/
CSSM_RETURN CertParser::initWithData(
const CSSM_DATA &certData)
{
assert(mClHand != 0);
CSSM_RETURN crtn = CSSM_CL_CertCache(mClHand, &certData, &mCacheHand);
#if CP_DEBUG
if(crtn) {
cssmPerror("CSSM_CL_CertCache", crtn);
}
#endif
return crtn;
}
/*
* Print subject and/or issuer of a cert.
*/
void printCertName(
const unsigned char *cert,
unsigned certLen,
WhichName whichName)
{
CSSM_CL_HANDLE clHand = getClHand();
CSSM_HANDLE cacheHand;
CSSM_DATA certData = {certLen, (uint8 *)cert};
CSSM_RETURN crtn;
bool printSubj = false;
bool printIssuer = false;
switch(whichName) {
case NameBoth:
printSubj = true;
printIssuer = true;
break;
case NameSubject:
printSubj = true;
break;
case NameIssuer:
printIssuer = true;
break;
default:
printf("***BRRZAP! Illegal whichName argument\n");
return;
}
crtn = CSSM_CL_CertCache(clHand, &certData, &cacheHand);
if(crtn) {
printf("***Error parsing cert\n");
cssmPerror("CSSM_CL_CertCache", crtn);
return;
}
if(printSubj) {
printOneCertName(clHand, cacheHand, "Subject", &CSSMOID_X509V1SubjectNameStd);
}
if(printIssuer) {
printOneCertName(clHand, cacheHand, "Issuer", &CSSMOID_X509V1IssuerNameStd);
}
CSSM_CL_CertAbortCache(clHand, cacheHand);
return;
}
/*
* Given a DER encoded certificate, obtain the associated IssuerAndSerialNumber.
*/
krb5_error_code krb5int_pkinit_get_issuer_serial(
const krb5_data *cert,
krb5_data *issuer_and_serial)
{
CSSM_HANDLE cacheHand = 0;
CSSM_RETURN crtn = CSSM_OK;
CSSM_DATA certData = { cert->length, (uint8 *)cert->data };
CSSM_HANDLE resultHand = 0;
CSSM_DATA_PTR derIssuer = NULL;
CSSM_DATA_PTR serial;
krb5_data krb_serial;
krb5_data krb_issuer;
uint32 numFields;
krb5_error_code ourRtn = 0;
CSSM_CL_HANDLE clHand = pkiClStartup();
if(clHand == 0) {
return CSSMERR_CSSM_ADDIN_LOAD_FAILED;
}
/* subsequent errors to errOut: */
crtn = CSSM_CL_CertCache(clHand, &certData, &cacheHand);
if(crtn) {
pkiCssmErr("CSSM_CL_CertCache", crtn);
ourRtn = ASN1_PARSE_ERROR;
goto errOut;
}
/* obtain the two fields; issuer is DER encoded */
crtn = CSSM_CL_CertGetFirstCachedFieldValue(clHand, cacheHand,
&CSSMOID_X509V1IssuerNameStd, &resultHand, &numFields, &derIssuer);
if(crtn) {
pkiCssmErr("CSSM_CL_CertGetFirstCachedFieldValue(issuer)", crtn);
ourRtn = ASN1_PARSE_ERROR;
goto errOut;
}
crtn = CSSM_CL_CertGetFirstCachedFieldValue(clHand, cacheHand,
&CSSMOID_X509V1SerialNumber, &resultHand, &numFields, &serial);
if(crtn) {
pkiCssmErr("CSSM_CL_CertGetFirstCachedFieldValue(serial)", crtn);
ourRtn = ASN1_PARSE_ERROR;
goto errOut;
}
PKI_CSSM_TO_KRB_DATA(derIssuer, &krb_issuer);
PKI_CSSM_TO_KRB_DATA(serial, &krb_serial);
ourRtn = krb5int_pkinit_issuer_serial_encode(&krb_issuer, &krb_serial, issuer_and_serial);
errOut:
if(derIssuer) {
CSSM_CL_FreeFieldValue(clHand, &CSSMOID_X509V1IssuerNameStd, derIssuer);
}
if(serial) {
CSSM_CL_FreeFieldValue(clHand, &CSSMOID_X509V1SerialNumber, serial);
}
if(cacheHand) {
CSSM_CL_CertAbortCache(clHand, cacheHand);
}
if(clHand) {
pkiClDetachUnload(clHand);
}
return ourRtn;
}
