static void tests(void)
{
CFErrorRef error = NULL;
CFDataRef testData = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, (const UInt8 *)testbytes, testbytes_size, kCFAllocatorNull);
SecCertificateRef cert = SecCertificateCreateWithBytes(kCFAllocatorDefault, public_cert_der, sizeof(public_cert_der));
CFArrayRef certInArray = CFArrayCreateForCFTypes(kCFAllocatorDefault, cert, NULL);
SecKeyRef full_key = SecKeyCreateECPrivateKey(kCFAllocatorDefault, private_key_der, sizeof(private_key_der), kSecKeyEncodingPkcs1);
SecTrustRef trust = NULL;
SecPolicyRef basic = SecPolicyCreateBasicX509();
OSStatus status = SecTrustCreateWithCertificates(cert, basic, &trust);
ok_status(status, "created");
CFReleaseNull(basic);
status = SecTrustSetAnchorCertificates(trust, certInArray);
ok_status(status, "Anchors");
SecTrustResultType result;
status = SecTrustEvaluate(trust, &result);
ok_status(status, "Trust evaluation");
is(result, (SecTrustResultType)kSecTrustResultUnspecified, "Trust result");
CFDataRef encrypted = SecCopyEncryptedToServer(trust, testData, &error);
ok(encrypted != NULL, "Encrypt to server (%@)", error);
CFReleaseNull(error);
ok(!CFEqualSafe(testData, encrypted), "encrypted different");
CFDataRef decrypted = SecCopyDecryptedForServer(full_key, encrypted, &error);
ok(decrypted != NULL, "Decrypt from server (%@)", error);
ok(CFEqualSafe(testData, decrypted), "round trip");
CFReleaseNull(cert);
CFReleaseNull(certInArray);
CFReleaseNull(trust);
CFReleaseNull(testData);
CFReleaseNull(encrypted);
CFReleaseNull(decrypted);
}
int init_server_keys(bool ecdsa,
unsigned char *cert_der, size_t cert_der_len,
unsigned char *key_der, size_t key_der_len,
SSLCertificate *cert, tls_private_key_t *key)
{
int err = 0;
cert->next = NULL;
cert->derCert.data = cert_der;
cert->derCert.length = cert_der_len;
SecKeyRef privKey = NULL;
#if TARGET_OS_IPHONE
if(ecdsa)
{
privKey = SecKeyCreateECPrivateKey(kCFAllocatorDefault, key_der, key_der_len,
kSecKeyEncodingPkcs1);
} else {
privKey = SecKeyCreateRSAPrivateKey(kCFAllocatorDefault, key_der, key_der_len,
kSecKeyEncodingPkcs1);
}
require_action(privKey, fail, err=-1);
#else
// Create the SecKeyRef
CFErrorRef error = NULL;
CFDataRef keyData = CFDataCreate(kCFAllocatorDefault, key_der, key_der_len);
CFMutableDictionaryRef parameters = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, NULL, NULL);
CFDictionarySetValue(parameters, kSecAttrKeyType, ecdsa?kSecAttrKeyTypeECDSA:kSecAttrKeyTypeRSA);
CFDictionarySetValue(parameters, kSecAttrKeyClass, kSecAttrKeyClassPrivate);
privKey = SecKeyCreateFromData(parameters, keyData, &error);
require_action(privKey, fail, err=(int)CFErrorGetCode(error));
#endif
size_t keySize = SecKeyGetBlockSize(privKey);
if(ecdsa) {
#if TARGET_OS_IPHONE
/* Compute signature size from key size */
size_t sigSize = 8+2*keySize;
#else
size_t sigSize = keySize;
#endif
require((*key = tls_private_key_ecdsa_create(privKey, sigSize,
SecECKeyGetNamedCurve(privKey), mySSLPrivKeyECDSA_sign)), fail);
} else {
require((*key = tls_private_key_rsa_create(privKey, keySize,
mySSLPrivKeyRSA_sign, mySSLPrivKeyRSA_decrypt)), fail);
}
err = 0;
fail:
#if !TARGET_OS_IPHONE
CFReleaseSafe(parameters);
CFReleaseSafe(keyData);
CFReleaseSafe(error);
#endif
return err;
}
static void tests(void)
{
CFDataRef message = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault,
_user_one_p12, sizeof(_user_one_p12), kCFAllocatorNull);
CFArrayRef items = NULL;
SecCertificateRef cert = NULL;
SecKeyRef pkey = NULL;
is_status(SecPKCS12Import(message, NULL, NULL), errSecAuthFailed,
"try null password on a known good p12");
CFStringRef password = CFSTR("user-one");
CFDictionaryRef options = CFDictionaryCreate(NULL,
(const void **)&kSecImportExportPassphrase,
(const void **)&password, 1,
&kCFTypeDictionaryKeyCallBacks,
&kCFTypeDictionaryValueCallBacks);
ok_status(SecPKCS12Import(message, options, &items), "import user one");
is(CFArrayGetCount(items), 1, "one identity");
CFDictionaryRef item = CFArrayGetValueAtIndex(items, 0);
SecIdentityRef identity = NULL;
ok(identity = (SecIdentityRef)CFDictionaryGetValue(item, kSecImportItemIdentity), "pull identity from imported data");
ok(CFGetTypeID(identity)==SecIdentityGetTypeID(),"this is a SecIdentityRef");
ok_status(SecIdentityCopyPrivateKey(identity, &pkey),"get private key");
ok_status(SecIdentityCopyCertificate(identity, &cert), "get certificate");
CFReleaseNull(items);
CFReleaseNull(message);
CFReleaseNull(options);
CFReleaseNull(password);
CFReleaseNull(cert);
CFReleaseNull(pkey);
message = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault,
_user_two_p12, sizeof(_user_two_p12), kCFAllocatorNull);
items = NULL;
password = CFSTR("user-two");
options = CFDictionaryCreate(NULL,
(const void **)&kSecImportExportPassphrase,
(const void **)&password, 1,
&kCFTypeDictionaryKeyCallBacks,
&kCFTypeDictionaryValueCallBacks);
ok_status(SecPKCS12Import(message, options, &items), "import user two");
is(CFArrayGetCount(items), 1, "one identity");
item = CFArrayGetValueAtIndex(items, 0);
ok(identity = (SecIdentityRef)CFDictionaryGetValue(item, kSecImportItemIdentity), "pull identity from imported data");
ok(CFGetTypeID(identity)==SecIdentityGetTypeID(),"this is a SecIdentityRef");
ok_status(SecIdentityCopyPrivateKey(identity, &pkey),"get private key");
ok_status(SecIdentityCopyCertificate(identity, &cert), "get certificate");
CFReleaseNull(items);
CFReleaseNull(message);
CFReleaseNull(options);
CFReleaseNull(password);
CFReleaseNull(cert);
CFReleaseNull(pkey);
message = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault,
ECDSA_fails_import_p12, ECDSA_fails_import_p12_len, kCFAllocatorNull);
items = NULL;
password = CFSTR("test");
options = CFDictionaryCreate(NULL,
(const void **)&kSecImportExportPassphrase,
(const void **)&password, 1,
&kCFTypeDictionaryKeyCallBacks,
&kCFTypeDictionaryValueCallBacks);
ok_status(SecPKCS12Import(message, options, &items), "import ECDSA_fails_import_p12");
is(CFArrayGetCount(items), 1, "one identity");
item = CFArrayGetValueAtIndex(items, 0);
ok(identity = (SecIdentityRef)CFDictionaryGetValue(item, kSecImportItemIdentity), "pull identity from imported data");
ok(CFGetTypeID(identity)==SecIdentityGetTypeID(),"this is a SecIdentityRef");
ok_status(SecIdentityCopyPrivateKey(identity, &pkey),"get private key");
ok_status(SecIdentityCopyCertificate(identity, &cert), "get certificate");
CFDataRef pubdata = NULL;
SecKeyRef pubkey = NULL;
ok_status(SecKeyCopyPublicBytes(pkey, &pubdata), "pub key from priv key");
ok(pubkey = SecKeyCreateECPublicKey(kCFAllocatorDefault,
CFDataGetBytePtr(pubdata), CFDataGetLength(pubdata), kSecKeyEncodingBytes),
"recreate seckey");
/* Sign something. */
uint8_t something[20] = {0x80, 0xbe, 0xef, 0xba, 0xd0, };
size_t sigLen = SecKeyGetSize(pkey, kSecKeySignatureSize);
uint8_t sig[sigLen];
ok_status(SecKeyRawSign(pkey, kSecPaddingPKCS1,
something, sizeof(something), sig, &sigLen), "sign something");
ok_status(SecKeyRawVerify(pubkey, kSecPaddingPKCS1,
something, sizeof(something), sig, sigLen), "verify sig on something");
CFReleaseNull(pubdata);
CFReleaseNull(pubkey);
CFReleaseNull(pkey);
ok(pkey = SecKeyCreateECPrivateKey(kCFAllocatorDefault,
ECDSA_fails_import_priv_only, ECDSA_fails_import_priv_only_len,
kSecKeyEncodingPkcs1), "import privkey without pub");
ok_status(SecKeyCopyPublicBytes(pkey, &pubdata), "pub key from priv key");
ok(pubkey = SecKeyCreateECPublicKey(kCFAllocatorDefault,
CFDataGetBytePtr(pubdata), CFDataGetLength(pubdata), kSecKeyEncodingBytes),
"recreate seckey");
ok_status(SecKeyRawVerify(pubkey, kSecPaddingPKCS1,
something, sizeof(something), sig, sigLen), "verify sig on something");
CFReleaseNull(pubdata);
CFReleaseNull(pubkey);
CFReleaseNull(pkey);
CFReleaseNull(items);
CFReleaseNull(message);
CFReleaseNull(options);
CFReleaseNull(password);
CFReleaseNull(cert);
}
