int getCachedFields(TestParams *testParams) { CSSM_RETURN crtn; CSSM_HANDLE cacheHand1; CSSM_HANDLE cacheHand2; unsigned fieldNum; unsigned loopNum; CSSM_DATA cert; for(loopNum=0; loopNum<testParams->numLoops; loopNum++) { if(testParams->verbose) { printf("getCachedFields loop %d\n", loopNum); } else if(!testParams->quiet) { printChar(testParams->progressChar); } /* get two cached certs */ cert.Data = certData; cert.Length = certLength; crtn = CSSM_CL_CertCache(testParams->clHand, &cert, &cacheHand1); if(crtn) { printError("CSSM_CL_CertCache(1)", crtn); return 1; } crtn = CSSM_CL_CertCache(testParams->clHand, &cert, &cacheHand2); if(crtn) { printError("CSSM_CL_CertCache(2)", crtn); return 1; } /* grind thru the known OIDs */ for(fieldNum=0; fieldNum<NUM_FIELD_OIDS; fieldNum++) { int rtn = checkOneField(testParams->clHand, cacheHand1, cacheHand2, fieldOids[fieldNum]); if(rtn) { return 1; } } CSSM_CL_CertAbortCache(testParams->clHand, cacheHand1); CSSM_CL_CertAbortCache(testParams->clHand, cacheHand2); /* leak debug */ #if DO_PAUSE fpurge(stdin); printf("Hit CR to continue: "); getchar(); #endif } /* outer loop */ return 0; }
/* * Guess an incoming blob's type, format and (for keys only) algorithm * by examining its contents. Returns true on success, in which case * *inputFormat, *itemType, and *keyAlg are all valid. Caller optionally * passes in valid values any number of these as a clue. */ bool impExpImportGuessByExamination( CFDataRef inData, SecExternalFormat *inputFormat, // may be kSecFormatUnknown on entry SecExternalItemType *itemType, // may be kSecItemTypeUnknown on entry CSSM_ALGORITHMS *keyAlg) // CSSM_ALGID_NONE - unknown { if( ( (*inputFormat == kSecFormatUnknown) || (*inputFormat == kSecFormatX509Cert) ) && ( (*itemType == kSecItemTypeUnknown) || (*itemType == kSecItemTypeCertificate) ) ) { /* * See if it parses as a cert */ CSSM_CL_HANDLE clHand = cuClStartup(); if(clHand == 0) { return CSSMERR_CSSM_ADDIN_LOAD_FAILED; } CSSM_HANDLE cacheHand; CSSM_RETURN crtn; CSSM_DATA cdata = { CFDataGetLength(inData), (uint8 *)CFDataGetBytePtr(inData) }; crtn = CSSM_CL_CertCache(clHand, &cdata, &cacheHand); bool brtn = false; if(crtn == CSSM_OK) { *inputFormat = kSecFormatX509Cert; *itemType = kSecItemTypeCertificate; SecImpInferDbg("Inferred kSecFormatX509Cert via CL"); CSSM_CL_CertAbortCache(clHand, cacheHand); brtn = true; } cuClDetachUnload(clHand); if(brtn) { return true; } } /* TBD: need way to inquire of P12 lib if this is a valid-looking PFX */ if( ( (*inputFormat == kSecFormatUnknown) || (*inputFormat == kSecFormatNetscapeCertSequence) ) && ( (*itemType == kSecItemTypeUnknown) || (*itemType == kSecItemTypeAggregate) ) ) { /* See if it's a netscape cert sequence */ CSSM_RETURN crtn = impExpNetscapeCertImport(inData, 0, NULL, NULL, NULL); if(crtn == CSSM_OK) { *inputFormat = kSecFormatNetscapeCertSequence; *itemType = kSecItemTypeAggregate; SecImpInferDbg("Inferred netscape-cert-sequence by decoding"); return true; } } /* See if it's a key */ return impExpGuessKeyParams(inData, inputFormat, itemType, keyAlg); }
/* * No cert- or CDSA-related exceptions thrown by remainder. * This is the core initializer: have the CL parse and cache the cert. */ CSSM_RETURN CertParser::initWithData( const CSSM_DATA &certData) { assert(mClHand != 0); CSSM_RETURN crtn = CSSM_CL_CertCache(mClHand, &certData, &mCacheHand); #if CP_DEBUG if(crtn) { cssmPerror("CSSM_CL_CertCache", crtn); } #endif return crtn; }
/* * Print subject and/or issuer of a cert. */ void printCertName( const unsigned char *cert, unsigned certLen, WhichName whichName) { CSSM_CL_HANDLE clHand = getClHand(); CSSM_HANDLE cacheHand; CSSM_DATA certData = {certLen, (uint8 *)cert}; CSSM_RETURN crtn; bool printSubj = false; bool printIssuer = false; switch(whichName) { case NameBoth: printSubj = true; printIssuer = true; break; case NameSubject: printSubj = true; break; case NameIssuer: printIssuer = true; break; default: printf("***BRRZAP! Illegal whichName argument\n"); return; } crtn = CSSM_CL_CertCache(clHand, &certData, &cacheHand); if(crtn) { printf("***Error parsing cert\n"); cssmPerror("CSSM_CL_CertCache", crtn); return; } if(printSubj) { printOneCertName(clHand, cacheHand, "Subject", &CSSMOID_X509V1SubjectNameStd); } if(printIssuer) { printOneCertName(clHand, cacheHand, "Issuer", &CSSMOID_X509V1IssuerNameStd); } CSSM_CL_CertAbortCache(clHand, cacheHand); return; }
/* * Given a DER encoded certificate, obtain the associated IssuerAndSerialNumber. */ krb5_error_code krb5int_pkinit_get_issuer_serial( const krb5_data *cert, krb5_data *issuer_and_serial) { CSSM_HANDLE cacheHand = 0; CSSM_RETURN crtn = CSSM_OK; CSSM_DATA certData = { cert->length, (uint8 *)cert->data }; CSSM_HANDLE resultHand = 0; CSSM_DATA_PTR derIssuer = NULL; CSSM_DATA_PTR serial; krb5_data krb_serial; krb5_data krb_issuer; uint32 numFields; krb5_error_code ourRtn = 0; CSSM_CL_HANDLE clHand = pkiClStartup(); if(clHand == 0) { return CSSMERR_CSSM_ADDIN_LOAD_FAILED; } /* subsequent errors to errOut: */ crtn = CSSM_CL_CertCache(clHand, &certData, &cacheHand); if(crtn) { pkiCssmErr("CSSM_CL_CertCache", crtn); ourRtn = ASN1_PARSE_ERROR; goto errOut; } /* obtain the two fields; issuer is DER encoded */ crtn = CSSM_CL_CertGetFirstCachedFieldValue(clHand, cacheHand, &CSSMOID_X509V1IssuerNameStd, &resultHand, &numFields, &derIssuer); if(crtn) { pkiCssmErr("CSSM_CL_CertGetFirstCachedFieldValue(issuer)", crtn); ourRtn = ASN1_PARSE_ERROR; goto errOut; } crtn = CSSM_CL_CertGetFirstCachedFieldValue(clHand, cacheHand, &CSSMOID_X509V1SerialNumber, &resultHand, &numFields, &serial); if(crtn) { pkiCssmErr("CSSM_CL_CertGetFirstCachedFieldValue(serial)", crtn); ourRtn = ASN1_PARSE_ERROR; goto errOut; } PKI_CSSM_TO_KRB_DATA(derIssuer, &krb_issuer); PKI_CSSM_TO_KRB_DATA(serial, &krb_serial); ourRtn = krb5int_pkinit_issuer_serial_encode(&krb_issuer, &krb_serial, issuer_and_serial); errOut: if(derIssuer) { CSSM_CL_FreeFieldValue(clHand, &CSSMOID_X509V1IssuerNameStd, derIssuer); } if(serial) { CSSM_CL_FreeFieldValue(clHand, &CSSMOID_X509V1SerialNumber, serial); } if(cacheHand) { CSSM_CL_CertAbortCache(clHand, cacheHand); } if(clHand) { pkiClDetachUnload(clHand); } return ourRtn; }