dotMacRequest.cpp   [plain text]

/* 
 * dotMacRequest.cpp - simple illustration of using SecCertificateRequestCreate() and
 *				       SecCertificateRequestSubmit to post a request for a .mac cert. 
 */
#include <Security/Security.h>
#include <Security/SecCertificateRequest.h>
#include <security_dotmac_tp/dotMacTp.h>
#include <clAppUtils/keyPicker.h>
#include <unistd.h>
#include <CoreServices/../Frameworks/CarbonCore.framework/Headers/MacErrors.h>

/*
 * Defaults for the test setup du jour 
 */
#define USER_DEFAULT		"dmitch10"
#define PWD_DEFAULT			"password"
#define HOST_DEFAULT		"certmgmt.mac.com"

/* 
 * Type of cert to request
 */
typedef enum {
	CRT_Identity,		/* actually, now "iChat encryption", not "identity" */
	CRT_EmailSign,
	CRT_EmailEncrypt
} CertRequestType;

static void usage(char **argv)
{
	printf("usage: %s op [options]\n", argv[0]);
	printf("Op:\n");
	printf("    i              -- generate iChat encryption cert\n");
	printf("    s              -- generate email signing cert\n");
	printf("    e              -- generate email encrypting cert\n");
	printf("    I              -- search/retrieve request for iChat encryption cert\n");
	printf("    S              -- search/retrieve request for signing cert\n");
	printf("    E              -- search/retrieve request for encrypting cert\n");
	printf("    p              -- pending request poll (via -u)\n");
	printf("Options:\n");
	printf("   -u username     -- Default is %s\n", USER_DEFAULT);
	printf("   -Z password     -- default is %s\n", PWD_DEFAULT);
	printf("   -p              -- pick key pair from existing (default is generate)\n");
	printf("   -k keychain     -- Source/destination of keys\n");
	printf("   -r              -- Renew (default is new)\n");
	printf("   -a              -- async (default is synchronous)\n");
	printf("   -H hostname     -- Alternate .mac server host name (default %s)\n",
									HOST_DEFAULT);
	printf("   -M              -- Pause for MallocDebug\n");
	printf("   -l              -- loop\n");
	exit(1);
}

/* print a string int he form of a CSSM_DATA */
static void printString(
	const CSSM_DATA *str)
{
	for(unsigned dex=0; dex<str->Length; dex++) {
		printf("%c", str->Data[dex]);
	}
}

/* basic "generate keypair" routine */
static OSStatus genKeyPair(
	SecKeychainRef  kcRef,		// optional, NULL means the default list
	SecKeyRef		*pubKey,	// RETURNED
	SecKeyRef		*privKey)   // RETURNED
{
	OSStatus ortn;
	
	ortn = SecKeyCreatePair(kcRef,
		DOT_MAC_KEY_ALG,
		DOT_MAC_KEY_SIZE,
		0,						// context handle
		/* public key usage and attrs */
		CSSM_KEYUSE_ANY,	
		CSSM_KEYATTR_RETURN_REF | CSSM_KEYATTR_PERMANENT | CSSM_KEYATTR_EXTRACTABLE,
		/* private key usage and attrs */
		CSSM_KEYUSE_ANY,	
		CSSM_KEYATTR_RETURN_REF | CSSM_KEYATTR_PERMANENT | CSSM_KEYATTR_EXTRACTABLE |
			CSSM_KEYATTR_SENSITIVE,
		NULL,					// initial access
		pubKey,
		privKey);
	if(ortn) {
		cssmPerror("SecKeyCreatePair", ortn);
	}
	return ortn;
}

/* max number of oid/value pairs */
#define MAX_ATTRS		5

/* 
 * search for a pending .mac cert request, get current status. 
 */
static OSStatus dotMacGetPendingRequest(
	/* required fields */
	const char			*userName,		// REQUIRED, C string
	const char			*password,		// REQUIRED, C string
	CertRequestType		requestType,

	/* optional fields */
	const char			*hostName,		// C string
	SecKeychainRef		keychain)		// destination of created cert (if !async) 
{
	SecCertificateRequestAttribute		attrs[MAX_ATTRS];
	SecCertificateRequestAttribute		*attrp = attrs;
	SecCertificateRequestAttributeList	attrList;

	attrList.count = 0;
	attrList.attr = attrs;
	
	/* user name */
	attrp->oid = CSSMOID_DOTMAC_CERT_REQ_VALUE_USERNAME;
	attrp->value.Data = (uint8 *)userName;
	attrp->value.Length = strlen(userName);
	attrp++;
	attrList.count++;
	
	/* password */
	attrp->oid = CSSMOID_DOTMAC_CERT_REQ_VALUE_PASSWORD;
	attrp->value.Data = (uint8 *)password;
	attrp->value.Length = strlen(password);
	attrp++;
	attrList.count++;
	
	/* options */

	if(hostName) {
		attrp->oid = CSSMOID_DOTMAC_CERT_REQ_VALUE_HOSTNAME;
		attrp->value.Data = (uint8 *)hostName;
		attrp->value.Length = strlen(hostName);
		attrp++;
		attrList.count++;
	}

	/* map CertRequestType to a policy OID */
	const CSSM_OID *policy;
	switch(requestType) {
		case CRT_Identity:
			policy = &CSSMOID_DOTMAC_CERT_REQ_IDENTITY;
			break;
		case CRT_EmailSign:
			policy = &CSSMOID_DOTMAC_CERT_REQ_EMAIL_SIGN;
			break;
		case CRT_EmailEncrypt:
			policy = &CSSMOID_DOTMAC_CERT_REQ_EMAIL_ENCRYPT;
			break;
		default:
			printf("GAK! Bad cert type.\n");
			return -1;
	}
	OSStatus ortn;
	SecCertificateRequestRef certReq = NULL;
	SecCertificateRef certRef = NULL;
	sint32 estTime;
	
	printf("...calling SecCertificateFindRequest\n");
	ortn = SecCertificateFindRequest(policy, 
		CSSM_CERT_X_509v3, 
		CSSM_TP_AUTHORITY_REQUEST_CERTISSUE,
		NULL, NULL,			// no keys needed
		&attrList,
		&certReq);
	if(ortn) {
		cssmPerror("SecCertificateFindRequest", ortn);
		return ortn;
	}
	
	printf("...calling SecCertificateRequestGetResult\n");
	ortn = SecCertificateRequestGetResult(certReq, keychain, &estTime, &certRef);
	if(ortn) {
		cssmPerror("SecCertificateRequestGetResult", ortn);
	}
	else {
		printf("...SecCertificateRequestGetResult succeeded; estTime %d; cert %s\n",
			(int)estTime, certRef ? "OBTAINED" : "NOT OBTAINED");
	}
	if(certRef) {
		CFRelease(certRef);
	}
	if(certReq) {
		CFRelease(certReq);
	}
	return ortn;
}

/* 
 * Do an "is there a pending request for this user?" poll.
 * That function - via SecCertificateFindRequest() always returns an error;
 * *we* only return an error if the result is something other than the
 * expected two results:
 * CSSMERR_APPLE_DOTMAC_REQ_IS_PENDING
 * CSSMERR_APPLE_DOTMAC_NO_REQ_PENDING
 */
static OSStatus dotMacPostPendingReqPoll(
	const char *userName, 
	const char *password, 
	const char *hostName)
{
	SecCertificateRequestAttribute		attrs[MAX_ATTRS];
	SecCertificateRequestAttribute		*attrp = attrs;
	SecCertificateRequestAttributeList	attrList;
	uint8								oneBit = 1;

	attrList.count = 0;
	attrList.attr = attrs;
	
	/* user name, required */
	attrp->oid = CSSMOID_DOTMAC_CERT_REQ_VALUE_USERNAME;
	attrp->value.Data = (uint8 *)userName;
	attrp->value.Length = strlen(userName);
	attrp++;
	attrList.count++;
	
	/* password, required */
	attrp->oid = CSSMOID_DOTMAC_CERT_REQ_VALUE_PASSWORD;
	attrp->value.Data = (uint8 *)password;
	attrp->value.Length = strlen(password);
	attrp++;
	attrList.count++;

	/* the "poll the server" indicator */
	attrp->oid = CSSMOID_DOTMAC_CERT_REQ_VALUE_IS_PENDING;
	/* true ::= any nonzero data  */
	attrp->value.Data = &oneBit;
	attrp->value.Length = 1;
	attrp++;
	attrList.count++;

	/* options */

	if(hostName) {
		attrp->oid = CSSMOID_DOTMAC_CERT_REQ_VALUE_HOSTNAME;
		attrp->value.Data = (uint8 *)hostName;
		attrp->value.Length = strlen(hostName);
		attrp++;
		attrList.count++;
	}

	/* policy, not technically needed; use this one by convention */
	const CSSM_OID *policy = &CSSMOID_DOTMAC_CERT_REQ_IDENTITY;

	OSStatus ortn;
	SecCertificateRequestRef certReq = NULL;
	
	printf("...calling SecCertificateFindRequest\n");
	ortn = SecCertificateFindRequest(policy, 
		CSSM_CERT_X_509v3, 
		CSSM_TP_AUTHORITY_REQUEST_CERTISSUE,
		NULL, NULL,			// no keys needed
		&attrList,
		&certReq);
		
	switch(ortn) {
		case CSSMERR_APPLE_DOTMAC_REQ_IS_PENDING:
			printf("...result: REQ_IS_PENDING\n");
			ortn = noErr;
			break;
		case CSSMERR_APPLE_DOTMAC_NO_REQ_PENDING:
			printf("...result: NO_REQ_PENDING\n");
			ortn = noErr;
			break;
		case noErr:
			/* should never happen */
			printf("...UNEXPECTED SUCCESS on SecCertificateFindRequest\n");
			ortn = internalComponentErr;
			if(certReq != NULL) {
				/* Somehow, it got created */
				CFRelease(certReq);
			}
			break;
		default:
			cssmPerror("SecCertificateFindRequest", ortn);
			break;
	}
	return ortn;
}

/* 
 * Post a .mac cert request, with a small number of options. 
 */
static OSStatus dotMacPostCertRequest(
	/* required fields */
	const char			*userName,		// REQUIRED, C string
	const char			*password,		// REQUIRED, C string
	SecKeyRef			privKey,		// REQUIRED
	SecKeyRef			pubKey,
	CertRequestType		requestType,
	bool				renew,			// false: new cert
										// true : renew existing
	bool				async,			// false: wait for result
										// true : just post request and return
	/* optional fields */
	const char			*hostName,		// C string
	SecKeychainRef		keychain)		// destination of created cert (if !async) 
{

	/* the main job here is bundling up the arguments in an array of OID/value pairs */
	SecCertificateRequestAttribute		attrs[MAX_ATTRS];
	SecCertificateRequestAttribute		*attrp = attrs;
	SecCertificateRequestAttributeList	attrList;
	uint8								oneBit = 1;
	
	attrList.count = 0;
	attrList.attr = attrs;
	
	/* user name */
	attrp->oid = CSSMOID_DOTMAC_CERT_REQ_VALUE_USERNAME;
	attrp->value.Data = (uint8 *)userName;
	attrp->value.Length = strlen(userName);
	attrp++;
	attrList.count++;
	
	/* password */
	attrp->oid = CSSMOID_DOTMAC_CERT_REQ_VALUE_PASSWORD;
	attrp->value.Data = (uint8 *)password;
	attrp->value.Length = strlen(password);
	attrp++;
	attrList.count++;
	
	/* options */

	if(hostName) {
		attrp->oid = CSSMOID_DOTMAC_CERT_REQ_VALUE_HOSTNAME;
		attrp->value.Data = (uint8 *)hostName;
		attrp->value.Length = strlen(hostName);
		attrp++;
		attrList.count++;
	}
	
	if(renew) {
		attrp->oid = CSSMOID_DOTMAC_CERT_REQ_VALUE_RENEW;
		/* true ::= any nonzero data  */
		attrp->value.Data = &oneBit;
		attrp->value.Length = 1;
		attrp++;
		attrList.count++;
	}
	
	if(async) {
		attrp->oid = CSSMOID_DOTMAC_CERT_REQ_VALUE_ASYNC;
		/* true ::= any nonzero data  */
		attrp->value.Data = &oneBit;
		attrp->value.Length = 1;
		attrp++;
		attrList.count++;
	}

	/* map CertRequestType to a policy OID */
	const CSSM_OID *policy;
	switch(requestType) {
		case CRT_Identity:
			policy = &CSSMOID_DOTMAC_CERT_REQ_IDENTITY;
			break;
		case CRT_EmailSign:
			policy = &CSSMOID_DOTMAC_CERT_REQ_EMAIL_SIGN;
			break;
		case CRT_EmailEncrypt:
			policy = &CSSMOID_DOTMAC_CERT_REQ_EMAIL_ENCRYPT;
			break;
		default:
			printf("GAK! Bad cert type.\n");
			return -1;
	}
	OSStatus ortn;
	SecCertificateRequestRef certReq = NULL;
	
	ortn = SecCertificateRequestCreate(policy, 
		CSSM_CERT_X_509v3, 
		CSSM_TP_AUTHORITY_REQUEST_CERTISSUE,
		privKey,
		pubKey,
		&attrList,
		&certReq);
	if(ortn) {
		cssmPerror("SecCertificateRequestCreate", ortn);
		return ortn;
	}
	
	printf("...submitting request to .mac server\n");
	sint32 estTime = 0;
	ortn = SecCertificateRequestSubmit(certReq, &estTime);
	switch(ortn) {
		case CSSMERR_APPLE_DOTMAC_REQ_REDIRECT:
		{
			/* 
			 * A special case; the server is redirecting the calling app to 
			 * a URL which we fetch and report like so:
			 */
			CSSM_DATA url = {0, NULL};
			ortn = SecCertificateRequestGetData(certReq, &url);
			if(ortn) {
				cssmPerror("SecCertificateRequestGetData", ortn);
				printf("***APPLE_DOTMAC_REQ_REDIRECT obtained but no URL availalble.\n");
			}
			else {
				printf("***APPLE_DOTMAC_REQ_REDIRECT obtained; redirect URL is: ");
				printString(&url);
				printf("\n");
			}
			break;
		}
		
		case CSSM_OK:
			printf("...cert request submitted; estimatedTime %d.\n", (int)estTime);
			break;
		default:
			cssmPerror("SecCertificateRequestSubmit", ortn);
			break;
	}
	if(ortn || async) {
		/* we're done */
		CFRelease(certReq);
		return ortn;
	}
	
	/* 
	 * Running synchronously, and the submit succeeded. Try to get a result.
	 * In the real world this would be polled, every so often....
	 */
	SecCertificateRef certRef = NULL;
	printf("...attempting to get result of cert request...\n");
	ortn = SecCertificateRequestGetResult(certReq, keychain, &estTime, &certRef);
	if(ortn) {
		cssmPerror("SecCertificateRequestGetResult", ortn);
	}
	else {
		printf("...SecCertificateRequestGetResult succeeded; estTime %d; cert %s\n",
			(int)estTime, certRef ? "OBTAINED" : "NOT OBTAINED");
	}
	if(certRef) {
		CFRelease(certRef);
		CFRelease(certReq);
	}
	return ortn;
}

#define ALWAYS_DO_SUBMIT		0


int main(int argc, char **argv)
{
	SecKeyRef		pubKeyRef = NULL;
	SecKeyRef		privKeyRef = NULL;
	SecKeychainRef	kcRef = NULL;
	OSStatus		ortn;
	
	/* user-spec'd variables */
	bool			genKeys = true;			/* true: generate; false: pick 'em */
	char			*keychainName = NULL;
	char			*userName = USER_DEFAULT;
	char			*password = PWD_DEFAULT;
	char			*hostName = NULL;		/* leave as the default! = HOST_DEFAULT; */	
	/* 
	 * WARNING: doing a renew operation requires that you delete your *current* 
	 * .mac cert from the destination keychain. The DB attrs of the old and new certs
	 * are the same!
	 */
	bool			doRenew = false;
	CertRequestType reqType = CRT_Identity;
	bool			doPause = false;
	bool			async = false;
	bool			doSearch = false;		/* false: post cert request 
											 * true : search for existing request, get 
											 *   status for it */
	bool			loop = false;
	bool			doPendingReqPoll = false;

	if(argc < 2) {
		usage(argv);
	}
	switch(argv[1][0]) {
		case 'i':
			reqType = CRT_Identity;
			break;
		case 's':
			reqType = CRT_EmailSign;
			break;
		case 'e':
			reqType = CRT_EmailEncrypt;
			break;
		case 'I':
			doSearch = true;
			reqType = CRT_Identity;
			break;
		case 'S':
			doSearch = true;
			reqType = CRT_EmailSign;
			break;
		case 'E':
			doSearch = true;
			reqType = CRT_EmailEncrypt;
			break;
		case 'p':
			doPendingReqPoll = true;
			break;
		default:
			usage(argv);
	}

	extern char *optarg;
	extern int optind;
	optind = 2;
	int arg;
	while ((arg = getopt(argc, argv, "u:Z:pk:rMH:al")) != -1) {
		switch (arg) {
			case 'u':
				userName = optarg;
				break;
			case 'Z':
				password = optarg;
				break;
			case 'p':
				genKeys = false;
				break;
			case 'k':
				keychainName = optarg;
				break;
			case 'r':
				doRenew = true;
				break;
			case 'M':
				doPause = true;
				break;
			case 'H':
				hostName = optarg;
				break;
			case 'a':
				async = true;
				break;
			case 'l':
				loop = true;
				break;
			case 'h':
			default:
				usage(argv);
		}
	}
	if(optind != argc) {
		usage(argv);
	}
	
	if(doPause) {
		fpurge(stdin);
		printf("Pausing for MallocDebug attach; CR to continue: ");
		getchar();
	}
	
	if(keychainName != NULL) {
		/* pick a keychain (optional) */
		ortn = SecKeychainOpen(keychainName, &kcRef);
		if(ortn) {
			cssmPerror("SecKeychainOpen", ortn);
			exit(1);
		}
		
		/* make sure it's there since a successful SecKeychainOpen proves nothing */
		SecKeychainStatus kcStat;
		ortn = SecKeychainGetStatus(kcRef, &kcStat);
		if(ortn) {
			cssmPerror("SecKeychainGetStatus", ortn);
			exit(1);
		}
	}
	
	if((!doSearch || ALWAYS_DO_SUBMIT) && !doPendingReqPoll) {
		/* get a key pair, somehow */
		if(genKeys) {
			ortn = genKeyPair(kcRef, &pubKeyRef, &privKeyRef);
		}
		else {
			ortn = keyPicker(kcRef, &pubKeyRef, &privKeyRef);
		}
		if(ortn) {
			printf("Can't proceed without a keypair. Aborting.\n");
			exit(1);
		}
	}
	
	/* go */
	do {
		if(doSearch) {
			#if ALWAYS_DO_SUBMIT
			/* debug only */
			dotMacPostCertRequest(userName, password, privKeyRef, pubKeyRef,
				reqType, doRenew, async, hostName, kcRef);
			#endif
			
			/* end */
			ortn = dotMacGetPendingRequest(userName, password, reqType, hostName, kcRef);
		}
		else if(doPendingReqPoll) {
			ortn = dotMacPostPendingReqPoll(userName, password, hostName);
		}
		else {
			ortn = dotMacPostCertRequest(userName, password, privKeyRef, pubKeyRef,
				reqType, doRenew, async, hostName, kcRef);
		}
		if(doPause) {
			fpurge(stdin);
			printf("Pausing for MallocDebug attach; CR to continue: ");
			getchar();
		}
	} while(loop);
	if(privKeyRef) {
		CFRelease(privKeyRef);
	}
	if(pubKeyRef) {
		CFRelease(pubKeyRef);
	}
	if(kcRef) {
		CFRelease(kcRef);
	}

	if(doPause) {
		fpurge(stdin);
		printf("Pausing at end of test for MallocDebug attach; CR to continue: ");
		getchar();
	}

	return ortn;
}