/*
* Determine if specified identity's cert's issuer and serial number match the
* provided issuer and serial number. Returns nonzero on match, else returns zero.
*/
static int pkinit_issuer_sn_match(
SecIdentityRef idRef,
const CSSM_DATA *matchIssuerSerial)
{
OSStatus ortn;
SecCertificateRef certRef = NULL;
CSSM_DATA INIT_CDATA(certIssuerSerial);
int ourRtn = 0;
assert(idRef != NULL);
assert(matchIssuerSerial != NULL);
/* Get this cert's issuer/serial number */
ortn = SecIdentityCopyCertificate(idRef, &certRef);
if(ortn) {
pkiCssmErr("SecIdentityCopyCertificate", ortn);
return 0;
}
/* subsequent errors to errOut: */
ortn = pkinit_get_cert_issuer_sn(certRef, &certIssuerSerial);
if(ortn) {
pkiCssmErr("SecIdentityCopyCertificate", ortn);
goto errOut;
}
ourRtn = pkiCompareCssmData(matchIssuerSerial, &certIssuerSerial) ? 1 : 0;
errOut:
if(certRef != NULL) {
CFRelease(certRef);
}
if(certIssuerSerial.Data != NULL) {
free(certIssuerSerial.Data);
}
return ourRtn;
}
static CFDictionaryRef
SecItemCopyAttributeDictionary(CFTypeRef ref) {
CFDictionaryRef refDictionary = NULL;
CFTypeID typeID = CFGetTypeID(ref);
if (typeID == SecKeyGetTypeID()) {
refDictionary = SecKeyCopyAttributeDictionary((SecKeyRef)ref);
} else if (typeID == SecCertificateGetTypeID()) {
refDictionary =
SecCertificateCopyAttributeDictionary((SecCertificateRef)ref);
} else if (typeID == SecIdentityGetTypeID()) {
assert(false);
SecIdentityRef identity = (SecIdentityRef)ref;
SecCertificateRef cert = NULL;
SecKeyRef key = NULL;
if (!SecIdentityCopyCertificate(identity, &cert) &&
!SecIdentityCopyPrivateKey(identity, &key))
{
CFDataRef data = SecCertificateCopyData(cert);
CFDictionaryRef key_dict = SecKeyCopyAttributeDictionary(key);
if (key_dict && data) {
refDictionary = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, key_dict);
CFDictionarySetValue((CFMutableDictionaryRef)refDictionary,
CFSTR(CERTIFICATE_DATA_COLUMN_LABEL), data);
}
CFReleaseNull(key_dict);
CFReleaseNull(data);
}
CFReleaseNull(cert);
CFReleaseNull(key);
} else {
refDictionary = NULL;
}
return refDictionary;
}
/*
* Store the specified certificate (or, more likely, some platform-dependent
* reference to it) as the specified principal's signing certificate. Passing
* in NULL for the client_cert has the effect of deleting the relevant entry
* in the cert storage.
*/
krb5_error_code krb5_pkinit_set_client_cert_from_signing_cert(
const char *principal, /* full principal string */
krb5_pkinit_signing_cert_t client_cert)
{
SecIdentityRef idRef = (SecIdentityRef)client_cert;
SecCertificateRef certRef = NULL;
OSStatus ortn;
krb5_error_code ourRtn = 0;
if (NULL != idRef) {
if (CFGetTypeID(idRef) != SecIdentityGetTypeID()) {
ourRtn = KRB5KRB_ERR_GENERIC;
goto fin;
}
/* Get the cert */
ortn = SecIdentityCopyCertificate(idRef, &certRef);
if (ortn) {
pkiCssmErr("SecIdentityCopyCertificate", ortn);
ourRtn = KRB5KRB_ERR_GENERIC;
goto fin;
}
}
ourRtn = krb5_pkinit_set_client_cert(principal, (krb5_pkinit_cert_t)certRef);
fin:
if (certRef)
CFRelease(certRef);
return ourRtn;
}
QSslCertificate AccessCert::cert()
{
#ifdef Q_OS_MAC
SecIdentityRef identity = 0;
OSStatus err = SecIdentityCopyPreference( CFSTR("ocsp.sk.ee"), 0, 0, &identity );
if( !identity )
return QSslCertificate();
SecCertificateRef certref = 0;
err = SecIdentityCopyCertificate( identity, &certref );
CFRelease( identity );
if( !certref )
return QSslCertificate();
CFDataRef certdata = SecCertificateCopyData( certref );
CFRelease( certref );
if( !certdata )
return QSslCertificate();
QSslCertificate cert(
QByteArray( (const char*)CFDataGetBytePtr( certdata ), CFDataGetLength( certdata ) ), QSsl::Der );
CFRelease( certdata );
return cert;
#else
return PKCS12Certificate::fromPath(
Application::confValue( Application::PKCS12Cert ).toString(),
Application::confValue( Application::PKCS12Pass ).toString() ).certificate();
#endif
}
/*
* Assume incoming identity contains a root (e.g., created by
* certtool) and add that cert to ST's trusted anchors. This
* enables ST's verify of the incoming chain to succeed without
* a kludgy "AllowAnyRoot" specification.
*/
OSStatus addIdentityAsTrustedRoot(
SSLContextRef ctx,
CFArrayRef identArray)
{
CFIndex numItems = CFArrayGetCount(identArray);
if(numItems == 0) {
printf("***addIdentityAsTrustedRoot: empty identArray\n");
return errSecParam;
}
/* Root should be the last item - could be identity, could be cert */
CFTypeRef theItem = CFArrayGetValueAtIndex(identArray, numItems - 1);
if(CFGetTypeID(theItem) == SecIdentityGetTypeID()) {
/* identity */
SecCertificateRef certRef;
OSStatus ortn = SecIdentityCopyCertificate(
(SecIdentityRef)theItem, &certRef);
if(ortn) {
cssmPerror("SecIdentityCopyCertificate", ortn);
printf("***Error gettting cert from identity\n");
return ortn;
}
ortn = addTrustedSecCert(ctx, certRef, false);
CFRelease(certRef);
return ortn;
}
else if(CFGetTypeID(theItem) == SecCertificateGetTypeID()) {
/* certificate */
return addTrustedSecCert(ctx, (SecCertificateRef)theItem, false);
}
else {
printf("***Bogus item in identity array\n");
return errSecParam;
}
}
extern "C" int32_t AppleCryptoNative_X509CopyCertFromIdentity(SecIdentityRef identity, SecCertificateRef* pCertOut)
{
if (pCertOut != nullptr)
*pCertOut = nullptr;
// This function handles null inputs for both identity and cert.
return SecIdentityCopyCertificate(identity, pCertOut);
}
int
nss_cms_FindCertAndKeyByRecipientList(SecCmsRecipient **recipient_list, void *wincx)
{
SecCmsRecipient *recipient;
SecCertificateRef cert = NULL;
SecPrivateKeyRef privKey = NULL;
SecIdentityRef identity = NULL;
CFTypeRef keychainOrArray = NULL; // @@@ The caller should be able to pass this in somehow.
int index;
for (index = 0; recipient_list[index] != NULL; ++index)
{
recipient = recipient_list[index];
switch (recipient->kind)
{
case RLIssuerSN:
identity = CERT_FindIdentityByIssuerAndSN(keychainOrArray, recipient->id.issuerAndSN);
break;
case RLSubjKeyID:
identity = CERT_FindIdentityBySubjectKeyID(keychainOrArray, recipient->id.subjectKeyID);
break;
}
if (identity)
break;
}
if (!recipient)
goto loser;
if (SecIdentityCopyCertificate(identity, &cert))
goto loser;
if (SecIdentityCopyPrivateKey(identity, &privKey))
goto loser;
CFRelease(identity);
recipient->cert = cert;
recipient->privkey = privKey;
return index;
loser:
if (identity)
CFRelease(identity);
if (cert)
CFRelease(cert);
if (privKey)
CFRelease(privKey);
return -1;
}
static CFArrayRef
copy_certificate_labels(CFArrayRef certs, CFStringRef cert_label,
CFArrayRef * ret_identities)
{
CFMutableArrayRef cert_labels = NULL;
CFMutableArrayRef certs_filtered = NULL;
int count;
int i;
CFRange r;
count = CFArrayGetCount(certs);
cert_labels = CFArrayCreateMutable(NULL, count + 1, &kCFTypeArrayCallBacks);
/* add the first element which is reserved to mean no cert is selected */
CFArrayAppendValue(cert_labels, cert_label);
r.location = 0;
r.length = 1;
certs_filtered = CFArrayCreateMutable(NULL, count, &kCFTypeArrayCallBacks);
for (i = 0; i < count; i++) {
SecCertificateRef cert = NULL;
SecIdentityRef identity;
CFStringRef str = NULL;
identity = (SecIdentityRef)CFArrayGetValueAtIndex(certs, i);
SecIdentityCopyCertificate(identity, &cert);
if (cert != NULL) {
str = SecCertificateCopyShortDescription(NULL, cert, NULL);
CFRelease(cert);
}
if (str != NULL) {
int instance;
CFStringRef new_str;
for (instance = 2, new_str = CFRetain(str);
CFArrayContainsValue(cert_labels, r, new_str); instance++) {
CFRelease(new_str);
new_str
= CFStringCreateWithFormat(NULL, NULL,
CFSTR("%@ (%d)"), str,
instance);
}
CFArrayAppendValue(cert_labels, new_str);
r.length++;
CFRelease(new_str);
CFRelease(str);
CFArrayAppendValue(certs_filtered, identity);
}
}
*ret_identities = certs_filtered;
return (cert_labels);
}
static CFStringRef
identity_copy_username(SecIdentityRef identity)
{
SecCertificateRef cert;
OSStatus status;
CFStringRef username;
status = SecIdentityCopyCertificate(identity, &cert);
if (status != noErr) {
fprintf(stderr, "SecIdentityCopyCertificate failed %ld\n",
(long)status);
return (NULL);
}
username = EAPSecCertificateCopyUserNameString(cert);
CFRelease(cert);
return (username);
}
//
// Pre-Signing contexts
//
PreSigningContext::PreSigningContext(const SecCodeSigner::Signer &signer)
{
// construct a cert chain
if (signer.signingIdentity() != SecIdentityRef(kCFNull)) {
CFRef<SecCertificateRef> signingCert;
MacOSError::check(SecIdentityCopyCertificate(signer.signingIdentity(), &signingCert.aref()));
CFRef<SecPolicyRef> policy = SecPolicyCreateWithOID(kSecPolicyAppleCodeSigning);
CFRef<SecTrustRef> trust;
MacOSError::check(SecTrustCreateWithCertificates(CFArrayRef(signingCert.get()), policy, &trust.aref()));
SecTrustResultType result;
MacOSError::check(SecTrustEvaluate(trust, &result));
CSSM_TP_APPLE_EVIDENCE_INFO *info;
MacOSError::check(SecTrustGetResult(trust, &result, &mCerts.aref(), &info));
this->certs = mCerts;
}
// other stuff
this->identifier = signer.signingIdentifier();
}
static OSStatus
_EAPSecIdentityCreateCertificateTrustChain(SecIdentityRef identity,
CFArrayRef * ret_chain)
{
SecCertificateRef cert = NULL;
CFArrayRef certs;
SecPolicyRef policy = NULL;
OSStatus status;
SecTrustRef trust = NULL;
SecTrustResultType trust_result;
*ret_chain = NULL;
ok(policy = SecPolicyCreateBasicX509(), "SecPolicyCreateBasicX509");
ok_status(status = SecIdentityCopyCertificate(identity, &cert), "SecIdentityCopyCertificate");
certs = CFArrayCreate(NULL, (const void **)&cert,
1, &kCFTypeArrayCallBacks);
CFReleaseNull(cert);
ok_status(status = SecTrustCreateWithCertificates(certs, policy, &trust),
"SecTrustCreateWithCertificates");
CFReleaseNull(certs);
ok_status(status = SecTrustEvaluate(trust, &trust_result), "SecTrustEvaluate");
{
CFMutableArrayRef array;
CFIndex count = SecTrustGetCertificateCount(trust);
CFIndex i;
isnt(count, 0, "SecTrustGetCertificateCount is nonzero");
array = CFArrayCreateMutable(NULL, count, &kCFTypeArrayCallBacks);
for (i = 0; i < count; i++) {
SecCertificateRef s;
s = SecTrustGetCertificateAtIndex(trust, i);
CFArrayAppendValue(array, s);
}
*ret_chain = array;
}
CFReleaseNull(trust);
CFReleaseNull(policy);
return (status);
}
SecCmsSignerInfoRef
SecCmsSignerInfoCreate(SecCmsMessageRef cmsg, SecIdentityRef identity, SECOidTag digestalgtag)
{
SecCmsSignerInfoRef signerInfo = NULL;
SecCertificateRef cert = NULL;
SecPrivateKeyRef signingKey = NULL;
if (SecIdentityCopyCertificate(identity, &cert))
goto loser;
if (SecIdentityCopyPrivateKey(identity, &signingKey))
goto loser;
signerInfo = nss_cmssignerinfo_create(cmsg, SecCmsSignerIDIssuerSN, cert, NULL, NULL, signingKey, digestalgtag);
loser:
if (cert)
CFRelease(cert);
if (signingKey)
CFRelease(signingKey);
return signerInfo;
}
void extract_certificate_from_identity(const void *value, void *context)
{
if (!context || !value)
return;
CSSM_DATA certData = {0,};
SecCertificateRef certificateRef;
OSStatus status = SecIdentityCopyCertificate((SecIdentityRef)value, &certificateRef);
if (!status)
{
status = SecCertificateGetData(certificateRef, &certData);
CFRelease(certificateRef);
if (!status)
{
CFDataRef cert = CFDataCreate(kCFAllocatorDefault, (UInt8 *)certData.Data, certData.Length);
CFArrayAppendValue((CFMutableArrayRef)context, cert);
CFRelease(cert);
if (certData.Data)
free(certData.Data);
}
}
}
static OSStatus
parseIncomingCerts(CFArrayRef certs,
SSLCertificate **destCertChain, /* &ctx->{localCertChain,encryptCertChain} */
tls_private_key_t *sslPrivKey) /* &ctx->signingPrivKeyRef, etc. */
{
OSStatus ortn;
CFIndex ix, numCerts;
SecIdentityRef identity;
SSLCertificate *certChain = NULL; /* Retained */
SecCertificateRef leafCert = NULL; /* Retained */
SecKeyRef privKey = NULL; /* Retained */
assert(destCertChain != NULL); /* though its referent may be NULL */
assert(sslPrivKey != NULL);
if (certs == NULL) {
sslErrorLog("parseIncomingCerts: NULL incoming cert array\n");
ortn = errSSLBadCert;
goto errOut;
}
numCerts = CFArrayGetCount(certs);
if (numCerts == 0) {
sslErrorLog("parseIncomingCerts: empty incoming cert array\n");
ortn = errSSLBadCert;
goto errOut;
}
certChain=sslMalloc(numCerts*sizeof(SSLCertificate));
if (!certChain) {
ortn = errSecAllocate;
goto errOut;
}
/*
* Certs[0] is an SecIdentityRef from which we extract subject cert,
* privKey, pubKey.
*
* 1. ensure the first element is a SecIdentityRef.
*/
identity = (SecIdentityRef)CFArrayGetValueAtIndex(certs, 0);
if (identity == NULL) {
sslErrorLog("parseIncomingCerts: bad cert array (1)\n");
ortn = errSecParam;
goto errOut;
}
if (CFGetTypeID(identity) != SecIdentityGetTypeID()) {
sslErrorLog("parseIncomingCerts: bad cert array (2)\n");
ortn = errSecParam;
goto errOut;
}
/*
* 2. Extract cert, keys and convert to local format.
*/
ortn = SecIdentityCopyCertificate(identity, &leafCert);
if (ortn) {
sslErrorLog("parseIncomingCerts: bad cert array (3)\n");
goto errOut;
}
/* Fetch private key from identity */
ortn = SecIdentityCopyPrivateKey(identity, &privKey);
if (ortn) {
sslErrorLog("parseIncomingCerts: SecIdentityCopyPrivateKey err %d\n",
(int)ortn);
goto errOut;
}
/* Convert the input array of SecIdentityRef at the start to an array of
all certificates. */
SSLCopyBufferFromData(SecCertificateGetBytePtr(leafCert), SecCertificateGetLength(leafCert), &certChain[0].derCert);
certChain[0].next = NULL;
for (ix = 1; ix < numCerts; ++ix) {
SecCertificateRef intermediate =
(SecCertificateRef)CFArrayGetValueAtIndex(certs, ix);
if (intermediate == NULL) {
sslErrorLog("parseIncomingCerts: bad cert array (5)\n");
ortn = errSecParam;
goto errOut;
}
if (CFGetTypeID(intermediate) != SecCertificateGetTypeID()) {
sslErrorLog("parseIncomingCerts: bad cert array (6)\n");
ortn = errSecParam;
goto errOut;
}
SSLCopyBufferFromData(SecCertificateGetBytePtr(intermediate), SecCertificateGetLength(intermediate), &certChain[ix].derCert);
certChain[ix].next = NULL;
certChain[ix-1].next = &certChain[ix];
}
size_t size = SecKeyGetBlockSize(privKey);
tls_private_key_desc_t desc;
if(SecKeyGetAlgorithmId(privKey) == kSecRSAAlgorithmID) {
desc.type = tls_private_key_type_rsa;
desc.rsa.sign = mySSLPrivKeyRSA_sign;
desc.rsa.decrypt = mySSLPrivKeyRSA_decrypt;
desc.rsa.size = SecKeyGetBlockSize(privKey);
} else if (SecKeyGetAlgorithmId(privKey) == kSecECDSAAlgorithmID) {
desc.type = tls_private_key_type_ecdsa;
desc.ecdsa.sign = mySSLPrivKeyECDSA_sign;
desc.ecdsa.curve = SecECKeyGetNamedCurve(privKey);
#if TARGET_OS_IPHONE
/* Compute signature size from key size */
desc.ecdsa.size = 8+2*size;
#else
desc.ecdsa.size = size;
#endif
} else {
ortn = errSecParam;
goto errOut;
}
*sslPrivKey = tls_private_key_create(&desc, privKey, (tls_private_key_ctx_release)&CFRelease);
if(*sslPrivKey)
ortn = errSecSuccess;
else
ortn = errSecAllocate;
/* SUCCESS */
errOut:
CFReleaseSafe(leafCert);
if (ortn) {
free(certChain);
CFReleaseSafe(privKey);
*destCertChain = NULL;
} else {
*destCertChain = certChain;
}
return ortn;
}
int main(int argc, char **argv)
{
char *kcName = NULL;
SecKeychainRef kcRef = NULL;
char *prefName = NULL;
bool doSet = false;
if((argc < 2) || (argv[1][0] == 'h')) {
usage(argv);
}
if(!strcmp(argv[1], "get")) {
doSet = false;
}
else if(!strcmp(argv[1], "set")) {
doSet = true;
}
else {
printf("Bad op argument\n");
usage(argv);
}
extern int optind;
optind = 2;
extern char *optarg;
int arg;
while ((arg = getopt(argc, argv, "p:k:h")) != -1) {
switch (arg) {
case 'p':
prefName = optarg;
break;
case 'k':
kcName = optarg;
break;
case 'h':
usage(argv);
}
}
if(optind != argc) {
usage(argv);
}
if(prefName == NULL) {
printf("***You must specify a preference name via -p.\n");
usage(argv);
}
CFStringRef prefStr = CFStringCreateWithCString(NULL, prefName, kCFStringEncodingASCII);
if(prefStr == NULL) {
printf("***Error converting pref name '%s' to CFString.\n", prefName);
exit(1);
}
OSStatus ortn;
if(kcName) {
ortn = SecKeychainOpen(kcName, &kcRef);
if(ortn) {
cssmPerror("SecKeychainOpen", ortn);
exit(1);
}
}
SecIdentityRef idRef = NULL;
if(doSet) {
ortn = sslSimpleIdentPicker(kcRef, &idRef);
if(ortn) {
printf("Error picking identity; aborting.\n");
exit(1);
}
ortn = SecIdentitySetPreference(idRef, prefStr, 0);
if(ortn) {
cssmPerror("SecIdentitySetPreference", ortn);
exit(1);
}
printf("...Identity preference set for name '%s'.\n", prefName);
}
else {
ortn = SecIdentityCopyPreference(prefStr, 0, NULL, &idRef);
if(ortn) {
cssmPerror("SecIdentityCopyPreference", ortn);
}
else {
SecCertificateRef certRef = NULL;
ortn = SecIdentityCopyCertificate(idRef, &certRef);
if(ortn) {
cssmPerror("SecIdentityCopyCertificate", ortn);
exit(1);
}
char *idName = kcItemPrintableName((SecKeychainItemRef)certRef);
printf("Identity for prefName '%s' found : '%s'\n",
prefName, idName);
free(idName);
CFRelease(certRef);
}
}
CFRelease(idRef);
return 0;
}
OSStatus
parseIncomingCerts(
SSLContext *ctx,
CFArrayRef certs,
CFArrayRef *destCertChain, /* &ctx->{localCertChain,encryptCertChain} */
SSLPubKey **sslPubKey, /* &ctx->signingPubKey, etc. */
SSLPrivKey **sslPrivKey, /* &ctx->signingPrivKeyRef, etc. */
CFIndex *signerAlg) /* optional */
{
OSStatus ortn;
CFIndex ix, numCerts;
SecIdentityRef identity;
CFMutableArrayRef certChain = NULL; /* Retained */
SecCertificateRef leafCert = NULL; /* Retained */
SecKeyRef pubKey = NULL; /* Retained */
SecKeyRef privKey = NULL; /* Retained */
SecTrustRef trust = NULL; /* Retained */
SecTrustResultType trustResult;
assert(ctx != NULL);
assert(destCertChain != NULL); /* though its referent may be NULL */
assert(sslPubKey != NULL);
assert(sslPrivKey != NULL);
if (certs == NULL) {
sslErrorLog("parseIncomingCerts: NULL incoming cert array\n");
ortn = errSSLBadCert;
goto errOut;
}
numCerts = CFArrayGetCount(certs);
if (numCerts == 0) {
sslErrorLog("parseIncomingCerts: empty incoming cert array\n");
ortn = errSSLBadCert;
goto errOut;
}
/*
* Certs[0] is an SecIdentityRef from which we extract subject cert,
* privKey, pubKey.
*
* 1. ensure the first element is a SecIdentityRef.
*/
identity = (SecIdentityRef)CFArrayGetValueAtIndex(certs, 0);
if (identity == NULL) {
sslErrorLog("parseIncomingCerts: bad cert array (1)\n");
ortn = paramErr;
goto errOut;
}
if (CFGetTypeID(identity) != SecIdentityGetTypeID()) {
sslErrorLog("parseIncomingCerts: bad cert array (2)\n");
ortn = paramErr;
goto errOut;
}
/*
* 2. Extract cert, keys and convert to local format.
*/
ortn = SecIdentityCopyCertificate(identity, &leafCert);
if (ortn) {
sslErrorLog("parseIncomingCerts: bad cert array (3)\n");
goto errOut;
}
/* Fetch private key from identity */
ortn = SecIdentityCopyPrivateKey(identity, &privKey);
if (ortn) {
sslErrorLog("parseIncomingCerts: SecIdentityCopyPrivateKey err %d\n",
(int)ortn);
goto errOut;
}
/* Convert the input array of SecIdentityRef at the start to an array of
all certificates. */
certChain = CFArrayCreateMutable(kCFAllocatorDefault, numCerts,
&kCFTypeArrayCallBacks);
if (!certChain) {
ortn = memFullErr;
goto errOut;
}
CFArrayAppendValue(certChain, leafCert);
for (ix = 1; ix < numCerts; ++ix) {
SecCertificateRef intermediate =
(SecCertificateRef)CFArrayGetValueAtIndex(certs, ix);
if (intermediate == NULL) {
sslErrorLog("parseIncomingCerts: bad cert array (5)\n");
ortn = paramErr;
goto errOut;
}
if (CFGetTypeID(intermediate) != SecCertificateGetTypeID()) {
sslErrorLog("parseIncomingCerts: bad cert array (6)\n");
ortn = paramErr;
goto errOut;
}
CFArrayAppendValue(certChain, intermediate);
}
/* Obtain public key from cert */
#if TARGET_OS_IOS
ortn = SecTrustCreateWithCertificates(certChain, NULL, &trust);
#else
{
SecPolicyRef policy = SecPolicyCreateBasicX509();
ortn = SecTrustCreateWithCertificates(certChain, policy, &trust);
CFReleaseSafe(policy);
if (!ortn) {
/* We are only interested in getting the public key from the leaf
* cert here, so for best performance, don't try to build a chain
* or search any keychains.
*/
CFArrayRef emptyArray = CFArrayCreate(NULL, NULL, 0, NULL);
(void)SecTrustSetAnchorCertificates(trust, emptyArray);
(void)SecTrustSetKeychains(trust, emptyArray);
CFReleaseSafe(emptyArray);
}
}
#endif
if (ortn) {
sslErrorLog("parseIncomingCerts: SecTrustCreateWithCertificates err %d\n",
(int)ortn);
goto errOut;
}
ortn = SecTrustEvaluate(trust, &trustResult);
if (ortn) {
sslErrorLog("parseIncomingCerts: SecTrustEvaluate err %d\n",
(int)ortn);
goto errOut;
}
pubKey = SecTrustCopyPublicKey(trust);
if (pubKey == NULL) {
sslErrorLog("parseIncomingCerts: SecTrustCopyPublicKey failed\n");
ortn = -67712; // errSecInvalidKeyRef
goto errOut;
}
/* SUCCESS */
errOut:
CFReleaseSafe(trust);
CFReleaseSafe(leafCert);
CFReleaseSafe(*destCertChain);
sslFreePubKey(sslPubKey);
sslFreePrivKey(sslPrivKey);
if (ortn) {
CFReleaseSafe(certChain);
CFReleaseSafe(pubKey);
CFReleaseSafe(privKey);
*destCertChain = NULL;
} else {
*destCertChain = certChain;
*sslPubKey = (SSLPubKey*)pubKey;
*sslPrivKey = (SSLPrivKey*)privKey;
}
return ortn;
}
OSStatus
parseIncomingCerts(
SSLContext *ctx,
CFArrayRef certs,
SSLCertificate **destCert, /* &ctx->{localCert,encryptCert} */
CSSM_KEY_PTR *pubKey, /* &ctx->signingPubKey, etc. */
SecKeyRef *privKeyRef, /* &ctx->signingPrivKeyRef, etc. */
CSSM_ALGORITHMS *signerAlg) /* optional */
{
CFIndex numCerts;
CFIndex cert;
SSLCertificate *certChain = NULL;
SSLCertificate *thisSslCert;
OSStatus ortn;
SecIdentityRef identity;
SecCertificateRef certRef;
SecKeyRef keyRef;
CSSM_DATA certData;
CSSM_CL_HANDLE clHand; // carefully derive from a SecCertificateRef
CSSM_RETURN crtn;
CSSM_KEY_PTR *pubKey;
SecKeyRef *privKeyRef;
assert(ctx != NULL);
assert(destCert != NULL); /* though its referent may be NULL */
assert(sslPubKey != NULL);
assert(sslPrivKeyRef != NULL);
pubKey = &sslPubKey->key;
privKeyRef = &sslPrivKey->key;
sslDeleteCertificateChain(*destCert, ctx);
*destCert = NULL;
*pubKey = NULL;
*privKeyRef = NULL;
if(certs == NULL) {
sslErrorLog("parseIncomingCerts: NULL incoming cert array\n");
return errSSLBadCert;
}
numCerts = CFArrayGetCount(certs);
if(numCerts == 0) {
sslErrorLog("parseIncomingCerts: empty incoming cert array\n");
return errSSLBadCert;
}
/*
* Certs[0] is an SecIdentityRef from which we extract subject cert,
* privKeyRef, pubKey.
*
* 1. ensure the first element is a SecIdentityRef.
*/
identity = (SecIdentityRef)CFArrayGetValueAtIndex(certs, 0);
if(identity == NULL) {
sslErrorLog("parseIncomingCerts: bad cert array (1)\n");
return paramErr;
}
if(CFGetTypeID(identity) != SecIdentityGetTypeID()) {
sslErrorLog("parseIncomingCerts: bad cert array (2)\n");
return paramErr;
}
/*
* 2. Extract cert, keys and convert to local format.
*/
ortn = SecIdentityCopyCertificate(identity, &certRef);
if(ortn) {
sslErrorLog("parseIncomingCerts: bad cert array (3)\n");
return ortn;
}
ortn = secCertToSslCert(ctx, certRef, &thisSslCert);
if(ortn) {
sslErrorLog("parseIncomingCerts: bad cert array (4)\n");
return ortn;
}
/* enqueue onto head of cert chain */
thisSslCert->next = certChain;
certChain = thisSslCert;
if(signerAlg != NULL) {
ortn = sslCertSignerAlg(certRef, signerAlg);
if(ortn) {
return ortn;
}
}
/* fetch private key from identity */
ortn = SecIdentityCopyPrivateKey(identity, &keyRef);
if(ortn) {
sslErrorLog("parseIncomingCerts: SecIdentityCopyPrivateKey err %d\n",
(int)ortn);
return ortn;
}
*privKeyRef = keyRef;
/* obtain public key from cert */
ortn = SecCertificateGetCLHandle(certRef, &clHand);
if(ortn) {
sslErrorLog("parseIncomingCerts: SecCertificateGetCLHandle err %d\n",
(int)ortn);
return ortn;
}
certData.Data = thisSslCert->derCert.data;
certData.Length = thisSslCert->derCert.length;
crtn = CSSM_CL_CertGetKeyInfo(clHand, &certData, pubKey);
if(crtn) {
sslErrorLog("parseIncomingCerts: CSSM_CL_CertGetKeyInfo err\n");
return (OSStatus)crtn;
}
/* OK, that's the subject cert. Fetch optional remaining certs. */
/*
* Convert: CFArray of SecCertificateRefs --> chain of SSLCertificates.
* Incoming certs have root last; SSLCertificate chain has root
* first.
*/
for(cert=1; cert<numCerts; cert++) {
certRef = (SecCertificateRef)CFArrayGetValueAtIndex(certs, cert);
if(certRef == NULL) {
sslErrorLog("parseIncomingCerts: bad cert array (5)\n");
return paramErr;
}
if(CFGetTypeID(certRef) != SecCertificateGetTypeID()) {
sslErrorLog("parseIncomingCerts: bad cert array (6)\n");
return paramErr;
}
/* Extract cert, convert to local format.
*/
ortn = secCertToSslCert(ctx, certRef, &thisSslCert);
if(ortn) {
sslErrorLog("parseIncomingCerts: bad cert array (7)\n");
return ortn;
}
/* enqueue onto head of cert chain */
thisSslCert->next = certChain;
certChain = thisSslCert;
}
/* SUCCESS */
*destCert = certChain;
return noErr;
/* free certChain, everything in it, other vars, return ortn */
sslDeleteCertificateChain(certChain, ctx);
/* FIXME - anything else? */
return ortn;
}
int main(int argc, char **argv)
{
RingBuffer serverToClientRing;
RingBuffer clientToServerRing;
unsigned numBufs = DEFAULT_NUM_BUFS;
unsigned bufSize = DEFAULT_BUF_SIZE;
unsigned chunkSize = DEFAULT_CHUNK;
unsigned char clientBuf[DEFAULT_CHUNK];
unsigned char serverBuf[DEFAULT_CHUNK];
RingBufferArgs clientArgs;
RingBufferArgs serverArgs;
bool abortFlag = false;
pthread_t client_thread = NULL;
int result;
OSStatus ortn;
unsigned char sessionTicket[SESSION_TICKET_SIZE];
int ourRtn = 0;
CFArrayRef idArray = NULL; /* for SSLSetCertificate */
CFArrayRef anchorArray = NULL; /* trusted roots */
char *hostName = NULL;
/* user-spec'd variables */
char *kcName = NULL;
unsigned xferSize = DEFAULT_XFER;
bool pauseOnError = false;
bool runForever = false;
bool skipPAC = false;
extern int optind;
extern char *optarg;
int arg;
optind = 1;
while ((arg = getopt(argc, argv, "x:c:k:h:np")) != -1) {
switch (arg) {
case 'x':
{
unsigned xsize = atoi(optarg);
if(xsize == 0) {
runForever = true;
/* and leave xferSize alone */
}
else {
xferSize = xsize;
}
break;
}
case 'k':
kcName = optarg;
break;
case 'n':
skipPAC = true;
break;
case 'h':
/* mainly to test EAP session ticket and ServerName simultaneously */
hostName = optarg;
break;
case 'p':
pauseOnError = true;
break;
default:
usage(argv);
}
}
if(optind != argc) {
usage(argv);
}
/* set up ring buffers */
ringBufSetup(&serverToClientRing, "serveToClient", numBufs, bufSize);
ringBufSetup(&clientToServerRing, "clientToServe", numBufs, bufSize);
/* get optional server SecIdentity */
if(kcName) {
SecKeychainRef kcRef = NULL;
SecCertificateRef anchorCert = NULL;
SecIdentityRef idRef = NULL;
idArray = getSslCerts(kcName,
CSSM_FALSE, /* encryptOnly */
CSSM_FALSE, /* completeCertChain */
NULL, /* anchorFile */
&kcRef);
if(idArray == NULL) {
printf("***Can't get signing cert from %s\n", kcName);
exit(1);
}
idRef = (SecIdentityRef)CFArrayGetValueAtIndex(idArray, 0);
ortn = SecIdentityCopyCertificate(idRef, &anchorCert);
if(ortn) {
cssmPerror("SecIdentityCopyCertificate", ortn);
exit(1);
}
anchorArray = CFArrayCreate(NULL, (const void **)&anchorCert,
1, &kCFTypeArrayCallBacks);
CFRelease(kcRef);
CFRelease(anchorCert);
}
/* set up server side */
memset(&serverArgs, 0, sizeof(serverArgs));
serverArgs.xferSize = xferSize;
serverArgs.xferBuf = serverBuf;
serverArgs.chunkSize = chunkSize;
serverArgs.ringWrite = &serverToClientRing;
serverArgs.ringRead = &clientToServerRing;
serverArgs.goFlag = &clientArgs.iAmReady;
serverArgs.abortFlag = &abortFlag;
serverArgs.pauseOnError = pauseOnError;
appGetRandomBytes(serverArgs.sharedSecret, SHARED_SECRET_SIZE);
if(!skipPAC) {
serverArgs.setMasterSecret = true;
}
serverArgs.idArray = idArray;
serverArgs.trustedRoots = anchorArray;
/* set up client side */
memset(&clientArgs, 0, sizeof(clientArgs));
clientArgs.xferSize = xferSize;
clientArgs.xferBuf = clientBuf;
clientArgs.chunkSize = chunkSize;
clientArgs.ringWrite = &clientToServerRing;
clientArgs.ringRead = &serverToClientRing;
clientArgs.goFlag = &serverArgs.iAmReady;
clientArgs.abortFlag = &abortFlag;
clientArgs.pauseOnError = pauseOnError;
memmove(clientArgs.sharedSecret, serverArgs.sharedSecret, SHARED_SECRET_SIZE);
clientArgs.hostName = hostName;
/* for now set up an easily recognizable ticket */
for(unsigned dex=0; dex<SESSION_TICKET_SIZE; dex++) {
sessionTicket[dex] = dex;
}
clientArgs.sessionTicket = sessionTicket;
clientArgs.sessionTicketLen = SESSION_TICKET_SIZE;
/* client always tries setting the master secret in this test */
clientArgs.setMasterSecret = true;
clientArgs.trustedRoots = anchorArray;
/* fire up client thread */
result = pthread_create(&client_thread, NULL,
rbClientThread, &clientArgs);
if(result) {
printf("***pthread_create returned %d, aborting\n", result);
exit(1);
}
/*
* And the server pseudo thread. This returns when all data has been transferred.
*/
ortn = rbServerThread(&serverArgs);
if(abortFlag) {
printf("***Test aborted.\n");
exit(1);
}
printf("\n");
printf("SSL Protocol Version : %s\n",
sslGetProtocolVersionString(serverArgs.negotiatedProt));
printf("SSL Cipher : %s\n",
sslGetCipherSuiteString(serverArgs.negotiatedCipher));
if(skipPAC) {
if(clientArgs.sessionWasResumed) {
printf("***skipPAC true, but client reported sessionWasResumed\n");
ourRtn = -1;
}
if(serverArgs.sessionWasResumed) {
printf("***skipPAC true, but server reported sessionWasResumed\n");
ourRtn = -1;
}
if(ourRtn == 0) {
printf("...PAC session attempted by client; refused by server;\n");
printf(" Normal session proceeded correctly.\n");
}
}
else {
if(!clientArgs.sessionWasResumed) {
printf("***client reported !sessionWasResumed\n");
ourRtn = -1;
}
if(!serverArgs.sessionWasResumed) {
printf("***server reported !sessionWasResumed\n");
ourRtn = -1;
}
if(memcmp(clientBuf, serverBuf, DEFAULT_CHUNK)) {
printf("***Data miscompare***\n");
ourRtn = -1;
}
if(ourRtn == 0) {
printf("...PAC session resumed correctly.\n");
}
}
/* FIXME other stuff? */
return ourRtn;
}
/* Create and identity and try to retrieve it. */
static void tests(void)
{
SecCertificateRef cert = NULL;
SecKeyRef privKey = NULL;
SecIdentityRef identity = NULL;
isnt(cert = SecCertificateCreateWithBytes(NULL, _c1, sizeof(_c1)),
NULL, "create certificate");
isnt(privKey = SecKeyCreateRSAPrivateKey(NULL, _k1, sizeof(_k1),
kSecKeyEncodingPkcs1), NULL, "create private key");
const void *certkeys[] = {
kSecValueRef
};
const void *certvalues[] = {
cert
};
CFDictionaryRef certDict = CFDictionaryCreate(NULL, certkeys, certvalues,
array_size(certkeys), NULL, NULL);
ok_status(SecItemAdd(certDict, NULL), "add certificate");
CFReleaseNull(certDict);
const void *privkeys[] = {
kSecValueRef
};
const void *privvalues[] = {
privKey
};
CFDictionaryRef privDict = CFDictionaryCreate(NULL, privkeys, privvalues,
array_size(privkeys), NULL, NULL);
ok_status(SecItemAdd(privDict, NULL), "add private key");
CFReleaseNull(privDict);
isnt(identity = SecIdentityCreate(NULL, cert, privKey), NULL, "create identity");
/* Lookup the key and certificate using SecItemCopyMatching(). */
CFDataRef pk_digest = CFDataCreate(NULL, _k1_digest, sizeof(_k1_digest));
const void *q_keys[] = {
kSecClass,
kSecAttrApplicationLabel,
kSecReturnRef
};
const void *q_values[] = {
kSecClassKey,
pk_digest,
kCFBooleanTrue
};
CFDictionaryRef query = CFDictionaryCreate(NULL, q_keys, q_values,
array_size(q_keys), NULL, NULL);
CFTypeRef result_key;
ok_status(SecItemCopyMatching(query, &result_key), "lookup key");
isnt(CFEqual(privKey, result_key), 0, "keys match");
CFReleaseNull(query);
q_keys[1] = kSecAttrPublicKeyHash;
q_values[0] = kSecClassCertificate;
query = CFDictionaryCreate(NULL, q_keys, q_values,
array_size(q_keys), NULL, NULL);
CFTypeRef result_cert;
ok_status(SecItemCopyMatching(query, &result_cert), "lookup certificate");
isnt(CFEqual(cert, result_cert), 0, "certificates match");
CFReleaseNull(query);
/* Cleanup. */
CFReleaseNull(result_key);
CFReleaseNull(result_cert);
/* identity lookup */
const void *idnt_keys[] = {
kSecClass,
kSecAttrApplicationLabel,
kSecReturnRef
};
const void *idnt_values[] = {
kSecClassIdentity,
pk_digest,
kCFBooleanTrue
};
CFTypeRef result_idnt;
SecCertificateRef result_cert2;
query = CFDictionaryCreate(NULL, idnt_keys, idnt_values,
array_size(idnt_keys), NULL, NULL);
ok_status(SecItemCopyMatching(query, &result_idnt), "lookup identity");
isnt(result_idnt, NULL, "found identity?");
is(CFGetRetainCount(result_idnt), 1, "result_idnt rc = 1");
isnt(CFEqual(identity, result_idnt), 0, "identities match");
CFReleaseNull(identity);
ok_status(SecIdentityCopyCertificate((SecIdentityRef)result_idnt, &result_cert2), "get cert from identity");
isnt(CFEqual(cert, result_cert2), 0, "certificates match");
CFRelease(query);
CFRelease(pk_digest);
CFReleaseNull(result_cert2);
certDict = CFDictionaryCreate(NULL, certkeys, certvalues,
array_size(certkeys), NULL, NULL);
ok_status(SecItemDelete(certDict), "delete certificate via ref");
is_status(errSecItemNotFound, SecItemCopyMatching(certDict, NULL), "verify certificate is gone");
CFReleaseNull(certDict);
privDict = CFDictionaryCreate(NULL, privkeys, privvalues,
array_size(privkeys), NULL, NULL);
ok_status(SecItemDelete(privDict), "delete key via ref");
is_status(errSecItemNotFound, SecItemCopyMatching(privDict, NULL), "verify key is gone");
CFReleaseNull(privDict);
/* add certificate to offset cert row id from key row id */
SecCertificateRef apple_ca_cert = NULL;
isnt(apple_ca_cert = SecCertificateCreateWithBytes(NULL, _c0, sizeof(_c0)),
NULL, "create apple ca certificate");
CFDictionaryRef appleCertDict = CFDictionaryCreate(NULL, (const void **)&kSecValueRef, (const void **)&apple_ca_cert, 1, NULL, NULL);
ok_status(SecItemAdd(appleCertDict, NULL), "add apple ca certificate to offset key and cert rowid");
/* add identity, get persistent ref */
const void *keys_identity[] = { kSecValueRef, kSecReturnPersistentRef };
const void *values_identity[] = { result_idnt, kCFBooleanTrue };
CFDictionaryRef identity_add = CFDictionaryCreate(NULL, keys_identity, values_identity,
array_size(keys_identity), NULL, NULL);
CFTypeRef persist = NULL;
ok_status(SecItemAdd(identity_add, &persist), "add identity ref");
ok(persist, "got back persistent ref");
/* <rdar://problem/6537195> SecItemAdd returns success when it shouldn't */
CFTypeRef persist_again = NULL;
is_status(errSecDuplicateItem, SecItemAdd(identity_add, &persist_again),
"fail to add identity ref again");
ok(!persist_again, "no persistent ref this time");
/* find by persistent ref */
const void *keys_persist[] = { kSecReturnRef, kSecValuePersistentRef };
const void *values_persist[] = { kCFBooleanTrue, persist };
CFDictionaryRef persist_find = CFDictionaryCreate(NULL, keys_persist, values_persist,
(array_size(keys_persist)), NULL, NULL);
CFTypeRef results2 = NULL;
ok_status(SecItemCopyMatching(persist_find, &results2), "find identity by persistent ref");
is(CFGetRetainCount(results2), 1, "results2 rc = 1");
// not implemented ok(CFEqual(result_idnt, results2), "same item (attributes)");
CFReleaseNull(results2);
/* find identity, key and cert by ref and return persistent ref */
const void *keys_ref_to_persist[] = { kSecReturnPersistentRef, kSecValueRef };
const void *values_ref_to_persist[] = { kCFBooleanTrue, NULL };
CFTypeRef items[] = { result_idnt, privKey, cert, NULL };
CFTypeRef *item = items;
while (*item) {
values_ref_to_persist[1] = *item;
CFDictionaryRef ref_to_persist_find = CFDictionaryCreate(NULL, keys_ref_to_persist, values_ref_to_persist,
(array_size(keys_ref_to_persist)), NULL, NULL);
results2 = NULL;
ok_status(SecItemCopyMatching(ref_to_persist_find, &results2), "find persistent ref for identity ref");
ok(NULL != results2, "good persistent ref");
is(CFGetRetainCount(results2), 1, "results2 rc = 1");
CFReleaseNull(results2);
CFReleaseNull(ref_to_persist_find);
item++;
}
/* delete identity by identity ref */
ok_status(SecItemDelete(identity_add), "delete identity by identity ref");
is(SecItemCopyMatching(persist_find, &results2), errSecItemNotFound,
"make sure identity by persistent ref is no longer there");
CFRelease(persist_find);
CFReleaseNull(persist);
ok_status(SecItemAdd(identity_add, &persist), "add identity ref back");
CFRelease(identity_add);
/* delete identity by persistent ref */
CFDictionaryRef persist_delete = CFDictionaryCreate(NULL,
&kSecValuePersistentRef, &persist, 1, NULL, NULL);
ok_status(SecItemDelete(persist_delete),
"delete identity by persistent ref");
is(SecItemCopyMatching(persist_delete, &results2), errSecItemNotFound,
"make sure identity by persistent ref is no longer there");
CFRelease(persist_delete);
CFReleaseNull(persist);
/* add identity with a label set */
CFStringRef zomg_label = CFSTR("zomg");
CFMutableDictionaryRef lbl_idnt_query =
CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
&kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
CFDictionarySetValue(lbl_idnt_query, kSecValueRef, result_idnt);
CFDictionarySetValue(lbl_idnt_query, kSecAttrLabel, zomg_label);
ok_status(SecItemAdd(lbl_idnt_query, NULL), "add identity ref");
/* find identity with label*/
CFDictionaryRemoveAllValues(lbl_idnt_query);
CFDictionarySetValue(lbl_idnt_query, kSecClass, kSecClassIdentity);
CFDictionarySetValue(lbl_idnt_query, kSecAttrLabel, zomg_label);
ok_status(SecItemCopyMatching(lbl_idnt_query, NULL), "find identity by label");
/* find certs with label */
CFTypeRef zomg_cert;
CFDictionaryRemoveAllValues(lbl_idnt_query);
CFDictionarySetValue(lbl_idnt_query, kSecClass, kSecClassCertificate);
CFDictionarySetValue(lbl_idnt_query, kSecAttrLabel, zomg_label);
CFDictionarySetValue(lbl_idnt_query, kSecReturnRef, kCFBooleanTrue);
ok_status(SecItemCopyMatching(lbl_idnt_query, &zomg_cert), "find cert by label");
/* find keys with label */
CFTypeRef zomg_key;
CFDictionaryRemoveAllValues(lbl_idnt_query);
CFDictionarySetValue(lbl_idnt_query, kSecClass, kSecClassKey);
CFDictionarySetValue(lbl_idnt_query, kSecAttrLabel, zomg_label);
CFDictionarySetValue(lbl_idnt_query, kSecReturnRef, kCFBooleanTrue);
ok_status(SecItemCopyMatching(lbl_idnt_query, &zomg_key), "find key by label");
/* update label on key */
CFStringRef new_label_value = CFSTR("zzzomg");
CFDictionaryRef new_label = CFDictionaryCreate(kCFAllocatorDefault, (const void **)&kSecAttrLabel, (const void **)&new_label_value, 1, NULL, NULL);
CFDictionaryRemoveAllValues(lbl_idnt_query);
CFDictionarySetValue(lbl_idnt_query, kSecValueRef, zomg_key);
ok_status(SecItemUpdate(lbl_idnt_query, new_label), "update label to zzzomg for key");
CFTypeRef zomg_idnt = NULL;
CFDictionaryRemoveAllValues(lbl_idnt_query);
CFDictionarySetValue(lbl_idnt_query, kSecReturnRef, kCFBooleanTrue);
CFDictionarySetValue(lbl_idnt_query, kSecAttrLabel, zomg_label);
CFDictionarySetValue(lbl_idnt_query, kSecClass, kSecClassIdentity);
ok_status(SecItemCopyMatching(lbl_idnt_query, &zomg_idnt), "still finding zomg ident");
CFReleaseNull(zomg_idnt);
CFDictionaryRemoveAllValues(lbl_idnt_query);
CFDictionarySetValue(lbl_idnt_query, kSecValueRef, zomg_cert);
ok_status(SecItemUpdate(lbl_idnt_query, new_label), "update label to zzzomg for cert");
CFReleaseNull(new_label);
CFDictionaryRemoveAllValues(lbl_idnt_query);
CFDictionarySetValue(lbl_idnt_query, kSecReturnRef, kCFBooleanTrue);
CFDictionarySetValue(lbl_idnt_query, kSecAttrLabel, zomg_label);
CFDictionarySetValue(lbl_idnt_query, kSecClass, kSecClassIdentity);
is_status(errSecItemNotFound, SecItemCopyMatching(lbl_idnt_query, &zomg_idnt), "no longer find identity by label");
CFDictionaryRemoveAllValues(lbl_idnt_query);
CFDictionarySetValue(lbl_idnt_query, kSecReturnRef, kCFBooleanTrue);
CFDictionarySetValue(lbl_idnt_query, kSecAttrLabel, new_label_value);
CFDictionarySetValue(lbl_idnt_query, kSecClass, kSecClassIdentity);
ok_status(SecItemCopyMatching(lbl_idnt_query, &zomg_idnt), "finding ident with zzzomg label");
/* Find zomg identity with canonical issuer */
{
unsigned char DN[] = {
0x30, 0x32, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,
0x07, 0x70, 0x6c, 0x75, 0x74, 0x6f, 0x43, 0x41, 0x31, 0x1e, 0x30, 0x1c,
0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x0c,
0x0f, 0x70, 0x6c, 0x75, 0x74, 0x6f, 0x40, 0x70, 0x6c, 0x75, 0x74, 0x6f,
0x2e, 0x63, 0x6f, 0x6d
};
unsigned int DN_len = 52;
CFMutableDictionaryRef find_by_issuer = CFDictionaryCreateMutable(NULL, 0, NULL, NULL);
CFDataRef issuer = SecCertificateGetNormalizedIssuerContent(cert);
CFTypeRef found_by_issuer = NULL;
CFDictionarySetValue(find_by_issuer, kSecAttrIssuer, issuer);
CFDictionarySetValue(find_by_issuer, kSecClass, kSecClassIdentity);
CFDictionarySetValue(find_by_issuer, kSecReturnRef, kCFBooleanTrue);
ok_status(SecItemCopyMatching(find_by_issuer, &found_by_issuer), "find identity by cert issuer");
ok(CFEqual(found_by_issuer, zomg_idnt), "should be same as zomg_idnt");
CFReleaseNull(found_by_issuer);
issuer = CFDataCreate(kCFAllocatorDefault, DN, DN_len);
CFDictionarySetValue(find_by_issuer, kSecAttrIssuer, issuer);
ok_status(SecItemCopyMatching(find_by_issuer, &found_by_issuer), "find identity by cert issuer");
CFReleaseNull(issuer);
ok(CFEqual(found_by_issuer, zomg_idnt), "should be same as zomg_idnt");
CFReleaseNull(found_by_issuer);
CFReleaseNull(find_by_issuer);
}
ok_status(SecItemDelete(lbl_idnt_query), "delete ident with zzzomg label");
/* Delete the apple cert last */
ok_status(SecItemDelete(appleCertDict), "delete apple ca certificate");
CFReleaseNull(appleCertDict);
CFReleaseNull(apple_ca_cert);
CFRelease(zomg_key);
CFRelease(zomg_cert);
CFRelease(zomg_idnt);
CFRelease(zomg_label);
CFRelease(new_label_value);
CFRelease(lbl_idnt_query);
CFReleaseNull(result_idnt);
CFReleaseNull(privKey);
CFReleaseNull(cert);
}
int findFirstEncryptionPublicKeyOnToken(SecKeyRef *publicKey, SecKeychainRef *keychainRef, CFDataRef *label)
{
if (!publicKey || !keychainRef)
return paramErr;
OSStatus status = noErr;
CFArrayRef identityArray = NULL;
SecKeyRef tmpKeyRef = NULL;
SecCertificateRef certificate = NULL;
SecKeychainRef tmpKeychainRef = NULL;
try
{
status = findEncryptionIdentities((CFTypeRef *)&identityArray);
if (status)
MacOSError::throwMe(status);
if (!identityArray ||
(CFGetTypeID(identityArray)!=CFArrayGetTypeID()) ||
(CFArrayGetCount(identityArray)==0))
MacOSError::throwMe(paramErr);
CFTypeRef tmpref = CFArrayGetValueAtIndex(identityArray, 0);
if (CFGetTypeID(tmpref)!=SecIdentityGetTypeID())
MacOSError::throwMe(paramErr);
status = SecIdentityCopyCertificate(SecIdentityRef(tmpref), &certificate);
if (status)
MacOSError::throwMe(status);
if (!certificate)
MacOSError::throwMe(errKCItemNotFound);
status = findCertificatePublicKeyHash(certificate, label);
if (status)
MacOSError::throwMe(status);
status = SecKeychainItemCopyKeychain(SecKeychainItemRef(certificate), &tmpKeychainRef);
if (status)
MacOSError::throwMe(status);
status = SecCertificateCopyPublicKey(certificate, &tmpKeyRef);
if (status)
MacOSError::throwMe(status);
// Found an encryption key
*publicKey = tmpKeyRef;
*keychainRef = tmpKeychainRef;
}
catch (const MacOSError &err)
{
status = err.osStatus();
cssmPerror("findFirstEncryptionPublicKeyOnToken", status);
}
catch (...)
{
fprintf(stderr, "findFirstEncryptionPublicKeyOnToken: unknown exception\n");
status = errKCItemNotFound;
}
if (status)
{
if (identityArray)
CFRelease(identityArray);
if (certificate)
CFRelease(certificate);
}
if (identityArray)
CFRelease(identityArray);
if (certificate)
CFRelease(certificate);
return status;
}
static void tests(void)
{
CFDataRef message = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault,
_user_one_p12, sizeof(_user_one_p12), kCFAllocatorNull);
CFArrayRef items = NULL;
SecCertificateRef cert = NULL;
SecKeyRef pkey = NULL;
is_status(SecPKCS12Import(message, NULL, NULL), errSecAuthFailed,
"try null password on a known good p12");
CFStringRef password = CFSTR("user-one");
CFDictionaryRef options = CFDictionaryCreate(NULL,
(const void **)&kSecImportExportPassphrase,
(const void **)&password, 1,
&kCFTypeDictionaryKeyCallBacks,
&kCFTypeDictionaryValueCallBacks);
ok_status(SecPKCS12Import(message, options, &items), "import user one");
is(CFArrayGetCount(items), 1, "one identity");
CFDictionaryRef item = CFArrayGetValueAtIndex(items, 0);
SecIdentityRef identity = NULL;
ok(identity = (SecIdentityRef)CFDictionaryGetValue(item, kSecImportItemIdentity), "pull identity from imported data");
ok(CFGetTypeID(identity)==SecIdentityGetTypeID(),"this is a SecIdentityRef");
ok_status(SecIdentityCopyPrivateKey(identity, &pkey),"get private key");
ok_status(SecIdentityCopyCertificate(identity, &cert), "get certificate");
CFReleaseNull(items);
CFReleaseNull(message);
CFReleaseNull(options);
CFReleaseNull(password);
CFReleaseNull(cert);
CFReleaseNull(pkey);
message = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault,
_user_two_p12, sizeof(_user_two_p12), kCFAllocatorNull);
items = NULL;
password = CFSTR("user-two");
options = CFDictionaryCreate(NULL,
(const void **)&kSecImportExportPassphrase,
(const void **)&password, 1,
&kCFTypeDictionaryKeyCallBacks,
&kCFTypeDictionaryValueCallBacks);
ok_status(SecPKCS12Import(message, options, &items), "import user two");
is(CFArrayGetCount(items), 1, "one identity");
item = CFArrayGetValueAtIndex(items, 0);
ok(identity = (SecIdentityRef)CFDictionaryGetValue(item, kSecImportItemIdentity), "pull identity from imported data");
ok(CFGetTypeID(identity)==SecIdentityGetTypeID(),"this is a SecIdentityRef");
ok_status(SecIdentityCopyPrivateKey(identity, &pkey),"get private key");
ok_status(SecIdentityCopyCertificate(identity, &cert), "get certificate");
CFReleaseNull(items);
CFReleaseNull(message);
CFReleaseNull(options);
CFReleaseNull(password);
CFReleaseNull(cert);
CFReleaseNull(pkey);
message = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault,
ECDSA_fails_import_p12, ECDSA_fails_import_p12_len, kCFAllocatorNull);
items = NULL;
password = CFSTR("test");
options = CFDictionaryCreate(NULL,
(const void **)&kSecImportExportPassphrase,
(const void **)&password, 1,
&kCFTypeDictionaryKeyCallBacks,
&kCFTypeDictionaryValueCallBacks);
ok_status(SecPKCS12Import(message, options, &items), "import ECDSA_fails_import_p12");
is(CFArrayGetCount(items), 1, "one identity");
item = CFArrayGetValueAtIndex(items, 0);
ok(identity = (SecIdentityRef)CFDictionaryGetValue(item, kSecImportItemIdentity), "pull identity from imported data");
ok(CFGetTypeID(identity)==SecIdentityGetTypeID(),"this is a SecIdentityRef");
ok_status(SecIdentityCopyPrivateKey(identity, &pkey),"get private key");
ok_status(SecIdentityCopyCertificate(identity, &cert), "get certificate");
CFDataRef pubdata = NULL;
SecKeyRef pubkey = NULL;
ok_status(SecKeyCopyPublicBytes(pkey, &pubdata), "pub key from priv key");
ok(pubkey = SecKeyCreateECPublicKey(kCFAllocatorDefault,
CFDataGetBytePtr(pubdata), CFDataGetLength(pubdata), kSecKeyEncodingBytes),
"recreate seckey");
/* Sign something. */
uint8_t something[20] = {0x80, 0xbe, 0xef, 0xba, 0xd0, };
size_t sigLen = SecKeyGetSize(pkey, kSecKeySignatureSize);
uint8_t sig[sigLen];
ok_status(SecKeyRawSign(pkey, kSecPaddingPKCS1,
something, sizeof(something), sig, &sigLen), "sign something");
ok_status(SecKeyRawVerify(pubkey, kSecPaddingPKCS1,
something, sizeof(something), sig, sigLen), "verify sig on something");
CFReleaseNull(pubdata);
CFReleaseNull(pubkey);
CFReleaseNull(pkey);
ok(pkey = SecKeyCreateECPrivateKey(kCFAllocatorDefault,
ECDSA_fails_import_priv_only, ECDSA_fails_import_priv_only_len,
kSecKeyEncodingPkcs1), "import privkey without pub");
ok_status(SecKeyCopyPublicBytes(pkey, &pubdata), "pub key from priv key");
ok(pubkey = SecKeyCreateECPublicKey(kCFAllocatorDefault,
CFDataGetBytePtr(pubdata), CFDataGetLength(pubdata), kSecKeyEncodingBytes),
"recreate seckey");
ok_status(SecKeyRawVerify(pubkey, kSecPaddingPKCS1,
something, sizeof(something), sig, sigLen), "verify sig on something");
CFReleaseNull(pubdata);
CFReleaseNull(pubkey);
CFReleaseNull(pkey);
CFReleaseNull(items);
CFReleaseNull(message);
CFReleaseNull(options);
CFReleaseNull(password);
CFReleaseNull(cert);
}
/*
* Given a SecIdentityRef, do our best to construct a complete, ordered, and
* verified cert chain, returning the result in a CFArrayRef. The result is
* suitable for use when calling SSLSetCertificate().
*/
OSStatus sslCompleteCertChain(
SecIdentityRef identity,
SecCertificateRef trustedAnchor, // optional additional trusted anchor
bool includeRoot, // include the root in outArray
CFArrayRef *outArray) // created and RETURNED
{
CFMutableArrayRef certArray;
SecTrustRef secTrust = NULL;
SecPolicyRef policy = NULL;
SecPolicySearchRef policySearch = NULL;
SecTrustResultType secTrustResult;
CSSM_TP_APPLE_EVIDENCE_INFO *dummyEv; // not used
CFArrayRef certChain = NULL; // constructed chain
CFIndex numResCerts;
certArray = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
CFArrayAppendValue(certArray, identity);
/*
* Case 1: identity is a root; we're done. Note that this case
* overrides the includeRoot argument.
*/
SecCertificateRef certRef;
OSStatus ortn = SecIdentityCopyCertificate(identity, &certRef);
if(ortn) {
/* should never happen */
cssmPerror("SecIdentityCopyCertificate", ortn);
return ortn;
}
bool isRoot = isCertRefRoot(certRef);
if(isRoot) {
*outArray = certArray;
CFRelease(certRef);
return errSecSuccess;
}
/*
* Now use SecTrust to get a complete cert chain, using all of the
* user's keychains to look for intermediate certs.
* NOTE this does NOT handle root certs which are not in the system
* root cert DB. (The above case, where the identity is a root cert, does.)
*/
CFMutableArrayRef subjCerts = CFArrayCreateMutable(NULL, 1, &kCFTypeArrayCallBacks);
CFArraySetValueAtIndex(subjCerts, 0, certRef);
/* the array owns the subject cert ref now */
CFRelease(certRef);
/* Get a SecPolicyRef for generic X509 cert chain verification */
ortn = SecPolicySearchCreate(CSSM_CERT_X_509v3,
&CSSMOID_APPLE_X509_BASIC,
NULL, // value
&policySearch);
if(ortn) {
cssmPerror("SecPolicySearchCreate", ortn);
goto errOut;
}
ortn = SecPolicySearchCopyNext(policySearch, &policy);
if(ortn) {
cssmPerror("SecPolicySearchCopyNext", ortn);
goto errOut;
}
/* build a SecTrustRef for specified policy and certs */
ortn = SecTrustCreateWithCertificates(subjCerts,
policy, &secTrust);
if(ortn) {
cssmPerror("SecTrustCreateWithCertificates", ortn);
goto errOut;
}
if(trustedAnchor) {
/*
* Tell SecTrust to trust this one in addition to the current
* trusted system-wide anchors.
*/
CFMutableArrayRef newAnchors;
CFArrayRef currAnchors;
ortn = SecTrustCopyAnchorCertificates(&currAnchors);
if(ortn) {
/* should never happen */
cssmPerror("SecTrustCopyAnchorCertificates", ortn);
goto errOut;
}
newAnchors = CFArrayCreateMutableCopy(NULL,
CFArrayGetCount(currAnchors) + 1,
currAnchors);
CFRelease(currAnchors);
CFArrayAppendValue(newAnchors, trustedAnchor);
ortn = SecTrustSetAnchorCertificates(secTrust, newAnchors);
CFRelease(newAnchors);
if(ortn) {
cssmPerror("SecTrustSetAnchorCertificates", ortn);
goto errOut;
}
}
/* evaluate: GO */
ortn = SecTrustEvaluate(secTrust, &secTrustResult);
if(ortn) {
cssmPerror("SecTrustEvaluate", ortn);
goto errOut;
}
switch(secTrustResult) {
case kSecTrustResultUnspecified:
/* cert chain valid, no special UserTrust assignments */
case kSecTrustResultProceed:
/* cert chain valid AND user explicitly trusts this */
break;
default:
/*
* Cert chain construction failed.
* Just go with the single subject cert we were given.
*/
printf("***Warning: could not construct completed cert chain\n");
ortn = errSecSuccess;
goto errOut;
}
/* get resulting constructed cert chain */
ortn = SecTrustGetResult(secTrust, &secTrustResult, &certChain, &dummyEv);
if(ortn) {
cssmPerror("SecTrustEvaluate", ortn);
goto errOut;
}
/*
* Copy certs from constructed chain to our result array, skipping
* the leaf (which is already there, as a SecIdentityRef) and possibly
* a root.
*/
numResCerts = CFArrayGetCount(certChain);
if(numResCerts < 2) {
/*
* Can't happen: if subject was a root, we'd already have returned.
* If chain doesn't verify to a root, we'd have bailed after
* SecTrustEvaluate().
*/
printf("***sslCompleteCertChain screwup: numResCerts %d\n",
(int)numResCerts);
ortn = errSecSuccess;
goto errOut;
}
if(!includeRoot) {
/* skip the last (root) cert) */
numResCerts--;
}
for(CFIndex dex=1; dex<numResCerts; dex++) {
certRef = (SecCertificateRef)CFArrayGetValueAtIndex(certChain, dex);
CFArrayAppendValue(certArray, certRef);
}
errOut:
/* clean up */
if(secTrust) {
CFRelease(secTrust);
}
if(subjCerts) {
CFRelease(subjCerts);
}
if(policy) {
CFRelease(policy);
}
if(policySearch) {
CFRelease(policySearch);
}
*outArray = certArray;
return ortn;
}
/*
* Set up a SecCmsMessageRef for a SignedData creation.
*/
static OSStatus cmsSetupForSignedData(
CMSEncoderRef cmsEncoder)
{
ASSERT((cmsEncoder->signers != NULL) || (cmsEncoder->otherCerts != NULL));
SecCmsContentInfoRef contentInfo = NULL;
SecCmsSignedDataRef signedData = NULL;
OSStatus ortn;
/* build chain of objects: message->signedData->data */
if(cmsEncoder->cmsMsg != NULL) {
SecCmsMessageDestroy(cmsEncoder->cmsMsg);
}
cmsEncoder->cmsMsg = SecCmsMessageCreate(NULL);
if(cmsEncoder->cmsMsg == NULL) {
return errSecInternalComponent;
}
signedData = SecCmsSignedDataCreate(cmsEncoder->cmsMsg);
if(signedData == NULL) {
return errSecInternalComponent;
}
contentInfo = SecCmsMessageGetContentInfo(cmsEncoder->cmsMsg);
ortn = SecCmsContentInfoSetContentSignedData(cmsEncoder->cmsMsg, contentInfo,
signedData);
if(ortn) {
return cmsRtnToOSStatus(ortn);
}
contentInfo = SecCmsSignedDataGetContentInfo(signedData);
if(cmsEncoder->eContentType.Data != NULL) {
/* Override the default eContentType of id-data */
ortn = SecCmsContentInfoSetContentOther(cmsEncoder->cmsMsg,
contentInfo,
NULL, /* data - provided to encoder, not here */
cmsEncoder->detachedContent,
&cmsEncoder->eContentType);
}
else {
ortn = SecCmsContentInfoSetContentData(cmsEncoder->cmsMsg,
contentInfo,
NULL, /* data - provided to encoder, not here */
cmsEncoder->detachedContent);
}
if(ortn) {
ortn = cmsRtnToOSStatus(ortn);
CSSM_PERROR("SecCmsContentInfoSetContent*", ortn);
return ortn;
}
/* optional 'global' (per-SignedData) certs */
if(cmsEncoder->otherCerts != NULL) {
ortn = SecCmsSignedDataAddCertList(signedData, cmsEncoder->otherCerts);
if(ortn) {
ortn = cmsRtnToOSStatus(ortn);
CSSM_PERROR("SecCmsSignedDataAddCertList", ortn);
return ortn;
}
}
/* SignerInfos, one per signer */
CFIndex numSigners = 0;
if(cmsEncoder->signers != NULL) {
/* this is optional...in case we're just creating a cert bundle */
numSigners = CFArrayGetCount(cmsEncoder->signers);
}
CFIndex dex;
SecCertificateRef ourCert = NULL;
SecCmsCertChainMode chainMode = SecCmsCMCertChain;
switch(cmsEncoder->chainMode) {
case kCMSCertificateNone:
chainMode = SecCmsCMNone;
break;
case kCMSCertificateSignerOnly:
chainMode = SecCmsCMCertOnly;
break;
case kCMSCertificateChainWithRoot:
chainMode = SecCmsCMCertChainWithRoot;
break;
default:
break;
}
for(dex=0; dex<numSigners; dex++) {
SecCmsSignerInfoRef signerInfo;
SecIdentityRef ourId =
(SecIdentityRef)CFArrayGetValueAtIndex(cmsEncoder->signers, dex);
ortn = SecIdentityCopyCertificate(ourId, &ourCert);
if(ortn) {
CSSM_PERROR("SecIdentityCopyCertificate", ortn);
break;
}
signerInfo = SecCmsSignerInfoCreate(cmsEncoder->cmsMsg, ourId, cmsEncoder->digestalgtag);
if (signerInfo == NULL) {
ortn = errSecInternalComponent;
break;
}
/* we want the cert chain included for this one */
/* NOTE the usage parameter is currently unused by the SMIME lib */
ortn = SecCmsSignerInfoIncludeCerts(signerInfo, chainMode,
certUsageEmailSigner);
if(ortn) {
ortn = cmsRtnToOSStatus(ortn);
CSSM_PERROR("SecCmsSignerInfoIncludeCerts", ortn);
break;
}
/* other options */
if(cmsEncoder->signedAttributes & kCMSAttrSmimeCapabilities) {
ortn = SecCmsSignerInfoAddSMIMECaps(signerInfo);
if(ortn) {
ortn = cmsRtnToOSStatus(ortn);
CSSM_PERROR("SecCmsSignerInfoAddSMIMEEncKeyPrefs", ortn);
break;
}
}
if(cmsEncoder->signedAttributes & kCMSAttrSmimeEncryptionKeyPrefs) {
ortn = SecCmsSignerInfoAddSMIMEEncKeyPrefs(signerInfo, ourCert, NULL);
if(ortn) {
ortn = cmsRtnToOSStatus(ortn);
CSSM_PERROR("SecCmsSignerInfoAddSMIMEEncKeyPrefs", ortn);
break;
}
}
if(cmsEncoder->signedAttributes & kCMSAttrSmimeMSEncryptionKeyPrefs) {
ortn = SecCmsSignerInfoAddMSSMIMEEncKeyPrefs(signerInfo, ourCert, NULL);
if(ortn) {
ortn = cmsRtnToOSStatus(ortn);
CSSM_PERROR("SecCmsSignerInfoAddMSSMIMEEncKeyPrefs", ortn);
break;
}
}
if(cmsEncoder->signedAttributes & kCMSAttrSigningTime) {
if (cmsEncoder->signingTime == 0)
cmsEncoder->signingTime = CFAbsoluteTimeGetCurrent();
ortn = SecCmsSignerInfoAddSigningTime(signerInfo, cmsEncoder->signingTime);
if(ortn) {
ortn = cmsRtnToOSStatus(ortn);
CSSM_PERROR("SecCmsSignerInfoAddSigningTime", ortn);
break;
}
}
if(cmsEncoder->signedAttributes & kCMSAttrAppleCodesigningHashAgility) {
ortn = SecCmsSignerInfoAddAppleCodesigningHashAgility(signerInfo, cmsEncoder->hashAgilityAttrValue);
/* libsecurity_smime made a copy of the attribute value. We don't need it anymore. */
CFReleaseNull(cmsEncoder->hashAgilityAttrValue);
if(ortn) {
ortn = cmsRtnToOSStatus(ortn);
CSSM_PERROR("SecCmsSignerInfoAddAppleCodesigningHashAgility", ortn);
break;
}
}
ortn = SecCmsSignedDataAddSignerInfo(signedData, signerInfo);
if(ortn) {
ortn = cmsRtnToOSStatus(ortn);
CSSM_PERROR("SecCmsSignedDataAddSignerInfo", ortn);
break;
}
CFRELEASE(ourCert);
ourCert = NULL;
}
if(ortn) {
CFRELEASE(ourCert);
}
return ortn;
}
int main(int argc, char **argv)
{
RingBuffer serverToClientRing;
RingBuffer clientToServerRing;
unsigned numBufs = DEFAULT_NUM_BUFS;
unsigned bufSize = DEFAULT_BUF_SIZE;
unsigned chunkSize = DEFAULT_CHUNK;
unsigned char clientBuf[DEFAULT_CHUNK];
unsigned char serverBuf[DEFAULT_CHUNK];
CFArrayRef idArray; /* for SSLSetCertificate */
CFArrayRef anchorArray; /* trusted roots */
SslRingBufferArgs clientArgs;
SslRingBufferArgs serverArgs;
SecKeychainRef kcRef = NULL;
SecCertificateRef anchorCert = NULL;
SecIdentityRef idRef = NULL;
bool abortFlag = false;
pthread_t client_thread = NULL;
int result;
bool diffieHellman = true; /* FIXME needs work */
OSStatus ortn;
/* user-spec'd variables */
char *kcName = DEFAULT_KC;
unsigned xferSize = DEFAULT_XFER;
SSLCipherSuite cipherSuite = TLS_RSA_WITH_AES_128_CBC_SHA;
SSLProtocol prot = kTLSProtocol1;
char password[200];
bool clientAuthEnable = false;
bool pauseOnError = false;
bool runForever = false;
bool mallocPause = false;
password[0] = 0;
extern int optind;
extern char *optarg;
int arg;
optind = 1;
while ((arg = getopt(argc, argv, "k:x:c:v:w:aBpm")) != -1) {
switch (arg) {
case 'k':
kcName = optarg;
break;
case 'x':
{
unsigned xsize = atoi(optarg);
if(xsize == 0) {
runForever = true;
/* and leave xferSize alone */
}
else {
xferSize = xsize;
}
break;
}
case 'c':
switch(optarg[0]) {
case 'a':
cipherSuite = TLS_RSA_WITH_AES_128_CBC_SHA;
break;
case 'r':
cipherSuite = SSL_RSA_WITH_RC4_128_SHA;
break;
case 'd':
cipherSuite = SSL_RSA_WITH_DES_CBC_SHA;
break;
case 'D':
cipherSuite = SSL_RSA_WITH_3DES_EDE_CBC_SHA;
break;
case 'h':
cipherSuite = SSL_DH_anon_WITH_RC4_128_MD5;
diffieHellman = true;
break;
case 'H':
cipherSuite = SSL_DHE_DSS_WITH_DES_CBC_SHA;
diffieHellman = true;
break;
case 'A':
cipherSuite = TLS_RSA_WITH_AES_256_CBC_SHA;
break;
default:
usage(argv);
}
break;
case 'v':
switch(optarg[0]) {
case 't':
prot = kTLSProtocol1;
break;
case '2':
prot = kSSLProtocol2;
break;
case '3':
prot = kSSLProtocol3;
break;
default:
usage(argv);
}
break;
case 'w':
strcpy(password, optarg);
break;
case 'a':
clientAuthEnable = true;
break;
case 'p':
pauseOnError = true;
break;
case 'm':
mallocPause = true;
break;
default:
usage(argv);
}
}
if(optind != argc) {
usage(argv);
}
/* set up ring buffers */
ringBufSetup(&serverToClientRing, "serveToClient", numBufs, bufSize);
ringBufSetup(&clientToServerRing, "clientToServe", numBufs, bufSize);
/* get server SecIdentity */
idArray = getSslCerts(kcName,
CSSM_FALSE, /* encryptOnly */
CSSM_FALSE, /* completeCertChain */
NULL, /* anchorFile */
&kcRef);
if(idArray == NULL) {
printf("***Can't get signing cert from %s\n", kcName);
exit(1);
}
idRef = (SecIdentityRef)CFArrayGetValueAtIndex(idArray, 0);
ortn = SecIdentityCopyCertificate(idRef, &anchorCert);
if(ortn) {
cssmPerror("SecIdentityCopyCertificate", ortn);
exit(1);
}
anchorArray = CFArrayCreate(NULL, (const void **)&anchorCert,
1, &kCFTypeArrayCallBacks);
/* unlock keychain? */
if(password[0]) {
ortn = SecKeychainUnlock(kcRef, strlen(password), password, true);
if(ortn) {
cssmPerror("SecKeychainUnlock", ortn);
/* oh well */
}
}
CFRelease(kcRef);
if(mallocPause) {
fpurge(stdin);
printf("Pausing for MallocDebug setup. CR to proceed: ");
getchar();
}
/* set up server side */
memset(&serverArgs, 0, sizeof(serverArgs));
serverArgs.idArray = idArray;
serverArgs.trustedRoots = anchorArray;
serverArgs.xferSize = xferSize;
serverArgs.xferBuf = serverBuf;
serverArgs.chunkSize = chunkSize;
serverArgs.runForever = runForever;
serverArgs.cipherSuite = cipherSuite;
serverArgs.prot = prot;
serverArgs.ringWrite = &serverToClientRing;
serverArgs.ringRead = &clientToServerRing;
serverArgs.goFlag = &clientArgs.iAmReady;
serverArgs.abortFlag = &abortFlag;
serverArgs.pauseOnError = pauseOnError;
/* set up client side */
memset(&clientArgs, 0, sizeof(clientArgs));
clientArgs.idArray = NULL; /* until we do client auth */
clientArgs.trustedRoots = anchorArray;
clientArgs.xferSize = xferSize;
clientArgs.xferBuf = clientBuf;
clientArgs.chunkSize = chunkSize;
clientArgs.runForever = runForever;
clientArgs.cipherSuite = cipherSuite;
clientArgs.prot = prot;
clientArgs.ringWrite = &clientToServerRing;
clientArgs.ringRead = &serverToClientRing;
clientArgs.goFlag = &serverArgs.iAmReady;
clientArgs.abortFlag = &abortFlag;
clientArgs.pauseOnError = pauseOnError;
/* fire up client thread */
result = pthread_create(&client_thread, NULL,
sslRbClientThread, &clientArgs);
if(result) {
printf("***pthread_create returned %d, aborting\n", result);
exit(1);
}
/*
* And the server pseudo thread. This returns when all data has been transferred.
*/
ortn = sslRbServerThread(&serverArgs);
if(abortFlag) {
printf("***Test aborted.\n");
exit(1);
}
printf("\n");
if(mallocPause) {
fpurge(stdin);
printf("End of test. Pausing for MallocDebug analysis. CR to proceed: ");
getchar();
}
printf("SSL Protocol Version : %s\n",
sslGetProtocolVersionString(serverArgs.negotiatedProt));
printf("SSL Cipher : %s\n",
sslGetCipherSuiteString(serverArgs.negotiatedCipher));
printf("SSL Handshake : %f s\n",
serverArgs.startData - serverArgs.startHandshake);
printf("Data Transfer : %u bytes in %f s\n", (unsigned)xferSize,
serverArgs.endData - serverArgs.startHandshake);
printf(" : %.1f Kbytes/s\n",
xferSize / (serverArgs.endData - serverArgs.startHandshake) / 1024.0);
return 0;
}
