anchorTest.cpp   [plain text]

/*
 * anchorTest.cpp - test cert encode/decode using known good system
 *                  anchors
 */
#include <stdio.h>
#include <string.h>
#include <Security/cssm.h>
#include <Security/x509defs.h>
#include <Security/oidsattr.h>
#include <Security/oidscert.h>
#include <Security/certextensions.h>
#include <Security/SecTrust.h>
#include <Security/SecTrustSettingsPriv.h>
#include <security_cdsa_utils/cuOidParser.h>
#include <security_cdsa_utils/cuPrintCert.h>
#include <utilLib/common.h>
#include <utilLib/cspwrap.h>
#include <security_cdsa_utils/cuFileIo.h>
#include <clAppUtils/clutils.h>
#include <clAppUtils/certVerify.h>
#include <clAppUtils/tpUtils.h>
#include <Security/SecAsn1Coder.h>
#include <Security/X509Templates.h>

#define ENC_TBS_BLOB	"encodedTbs.der"
#define DEC_TBS_BLOB	"decodedTbs.der"

static void usage(char **argv)
{
	printf("Usage: %s [options]\n", argv[0]);
	printf("Options:\n");
	printf("  w    -- writeBlobs\n");
	printf("  e    -- allow expired roots\n");
	printf("  t    -- use Trust Settings\n");
	printf("  q    -- quiet\n");
	printf("  v    -- verbose\n");
	exit(1);
}

/*
 * Certs for which we skip the "compare TBS blob" test, enumerated by 
 * DER-encoded issuer name.
 *
 * Get this formatted data from the extractCertFields program. 
 *
 * All of these have non-standard KeyUsage encoding (legal but it's
 * not the same as ours or everyone else's).
 */
/*
   Country         : HU
   Locality        : Budapest
   Org             : NetLock Halozatbiztonsagi Kft.
   OrgUnit         : Tanusitvanykiadok
   Common Name     : NetLock Expressz (Class C) Tanusitvanykiado 
 */
static const uint8 anchor_46_derIssuer_bytes[] = {
   0x30,  0x81,  0x9b,  0x31,  0x0b,  0x30,  0x09,  0x06,  
   0x03,  0x55,  0x04,  0x06,  0x13,  0x02,  0x48,  0x55,  
   0x31,  0x11,  0x30,  0x0f,  0x06,  0x03,  0x55,  0x04,  
   0x07,  0x13,  0x08,  0x42,  0x75,  0x64,  0x61,  0x70,  
   0x65,  0x73,  0x74,  0x31,  0x27,  0x30,  0x25,  0x06,  
   0x03,  0x55,  0x04,  0x0a,  0x13,  0x1e,  0x4e,  0x65,  
   0x74,  0x4c,  0x6f,  0x63,  0x6b,  0x20,  0x48,  0x61,  
   0x6c,  0x6f,  0x7a,  0x61,  0x74,  0x62,  0x69,  0x7a,  
   0x74,  0x6f,  0x6e,  0x73,  0x61,  0x67,  0x69,  0x20,  
   0x4b,  0x66,  0x74,  0x2e,  0x31,  0x1a,  0x30,  0x18,  
   0x06,  0x03,  0x55,  0x04,  0x0b,  0x13,  0x11,  0x54,  
   0x61,  0x6e,  0x75,  0x73,  0x69,  0x74,  0x76,  0x61,  
   0x6e,  0x79,  0x6b,  0x69,  0x61,  0x64,  0x6f,  0x6b,  
   0x31,  0x34,  0x30,  0x32,  0x06,  0x03,  0x55,  0x04,  
   0x03,  0x13,  0x2b,  0x4e,  0x65,  0x74,  0x4c,  0x6f,  
   0x63,  0x6b,  0x20,  0x45,  0x78,  0x70,  0x72,  0x65,  
   0x73,  0x73,  0x7a,  0x20,  0x28,  0x43,  0x6c,  0x61,  
   0x73,  0x73,  0x20,  0x43,  0x29,  0x20,  0x54,  0x61,  
   0x6e,  0x75,  0x73,  0x69,  0x74,  0x76,  0x61,  0x6e,  
   0x79,  0x6b,  0x69,  0x61,  0x64,  0x6f
};
static const CSSM_DATA anchor_46_derIssuer = { 158, (uint8 *)anchor_46_derIssuer_bytes };

/*
   Country         : HU
   State           : Hungary
   Locality        : Budapest
   Org             : NetLock Halozatbiztonsagi Kft.
   OrgUnit         : Tanusitvanykiadok
   Common Name     : NetLock Kozjegyzoi (Class A) Tanusitvanykiado
*/
static const uint8 anchor_53_derIssuer_bytes[] = {
   0x30,  0x81,  0xaf,  0x31,  0x0b,  0x30,  0x09,  0x06,  
   0x03,  0x55,  0x04,  0x06,  0x13,  0x02,  0x48,  0x55,  
   0x31,  0x10,  0x30,  0x0e,  0x06,  0x03,  0x55,  0x04,  
   0x08,  0x13,  0x07,  0x48,  0x75,  0x6e,  0x67,  0x61,  
   0x72,  0x79,  0x31,  0x11,  0x30,  0x0f,  0x06,  0x03,  
   0x55,  0x04,  0x07,  0x13,  0x08,  0x42,  0x75,  0x64,  
   0x61,  0x70,  0x65,  0x73,  0x74,  0x31,  0x27,  0x30,  
   0x25,  0x06,  0x03,  0x55,  0x04,  0x0a,  0x13,  0x1e,  
   0x4e,  0x65,  0x74,  0x4c,  0x6f,  0x63,  0x6b,  0x20,  
   0x48,  0x61,  0x6c,  0x6f,  0x7a,  0x61,  0x74,  0x62,  
   0x69,  0x7a,  0x74,  0x6f,  0x6e,  0x73,  0x61,  0x67,  
   0x69,  0x20,  0x4b,  0x66,  0x74,  0x2e,  0x31,  0x1a,  
   0x30,  0x18,  0x06,  0x03,  0x55,  0x04,  0x0b,  0x13,  
   0x11,  0x54,  0x61,  0x6e,  0x75,  0x73,  0x69,  0x74,  
   0x76,  0x61,  0x6e,  0x79,  0x6b,  0x69,  0x61,  0x64,  
   0x6f,  0x6b,  0x31,  0x36,  0x30,  0x34,  0x06,  0x03,  
   0x55,  0x04,  0x03,  0x13,  0x2d,  0x4e,  0x65,  0x74,  
   0x4c,  0x6f,  0x63,  0x6b,  0x20,  0x4b,  0x6f,  0x7a,  
   0x6a,  0x65,  0x67,  0x79,  0x7a,  0x6f,  0x69,  0x20,  
   0x28,  0x43,  0x6c,  0x61,  0x73,  0x73,  0x20,  0x41,  
   0x29,  0x20,  0x54,  0x61,  0x6e,  0x75,  0x73,  0x69,  
   0x74,  0x76,  0x61,  0x6e,  0x79,  0x6b,  0x69,  0x61,  
   0x64,  0x6f
};
static const CSSM_DATA anchor_53_derIssuer = { 178, (uint8 *)anchor_53_derIssuer_bytes };

/*
   Country         : HU
   Locality        : Budapest
   Org             : NetLock Halozatbiztonsagi Kft.
   OrgUnit         : Tanusitvanykiadok
   Common Name     : NetLock Uzleti (Class B) Tanusitvanykiado
*/
static const uint8 anchor_60_derIssuer_bytes[] = {
   0x30,  0x81,  0x99,  0x31,  0x0b,  0x30,  0x09,  0x06,  
   0x03,  0x55,  0x04,  0x06,  0x13,  0x02,  0x48,  0x55,  
   0x31,  0x11,  0x30,  0x0f,  0x06,  0x03,  0x55,  0x04,  
   0x07,  0x13,  0x08,  0x42,  0x75,  0x64,  0x61,  0x70,  
   0x65,  0x73,  0x74,  0x31,  0x27,  0x30,  0x25,  0x06,  
   0x03,  0x55,  0x04,  0x0a,  0x13,  0x1e,  0x4e,  0x65,  
   0x74,  0x4c,  0x6f,  0x63,  0x6b,  0x20,  0x48,  0x61,  
   0x6c,  0x6f,  0x7a,  0x61,  0x74,  0x62,  0x69,  0x7a,  
   0x74,  0x6f,  0x6e,  0x73,  0x61,  0x67,  0x69,  0x20,  
   0x4b,  0x66,  0x74,  0x2e,  0x31,  0x1a,  0x30,  0x18,  
   0x06,  0x03,  0x55,  0x04,  0x0b,  0x13,  0x11,  0x54,  
   0x61,  0x6e,  0x75,  0x73,  0x69,  0x74,  0x76,  0x61,  
   0x6e,  0x79,  0x6b,  0x69,  0x61,  0x64,  0x6f,  0x6b,  
   0x31,  0x32,  0x30,  0x30,  0x06,  0x03,  0x55,  0x04,  
   0x03,  0x13,  0x29,  0x4e,  0x65,  0x74,  0x4c,  0x6f,  
   0x63,  0x6b,  0x20,  0x55,  0x7a,  0x6c,  0x65,  0x74,  
   0x69,  0x20,  0x28,  0x43,  0x6c,  0x61,  0x73,  0x73,  
   0x20,  0x42,  0x29,  0x20,  0x54,  0x61,  0x6e,  0x75,  
   0x73,  0x69,  0x74,  0x76,  0x61,  0x6e,  0x79,  0x6b,  
   0x69,  0x61,  0x64,  0x6f
};
static const CSSM_DATA anchor_60_derIssuer = { 156, (uint8 *)anchor_60_derIssuer_bytes };

/*
 Country         : TR
 Locality        : Ankara
 Org             : (c) 2005 TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş.
 Common Name     : TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
 Serial Number   : 01
 Not Before      : 10:27:17 May 13, 2005
 Not After       : 10:27:17 Mar 22, 2015
*/
static const uint8 turk1_derIssuer_bytes[] = {
	0x30,  0x81,  0xb7,  0x31,  0x3f,  0x30,  0x3d,  0x06,  
	0x03,  0x55,  0x04,  0x03,  0x0c,  0x36,  0x54,  0xc3,  
	0x9c,  0x52,  0x4b,  0x54,  0x52,  0x55,  0x53,  0x54,  
	0x20,  0x45,  0x6c,  0x65,  0x6b,  0x74,  0x72,  0x6f,  
	0x6e,  0x69,  0x6b,  0x20,  0x53,  0x65,  0x72,  0x74,  
	0x69,  0x66,  0x69,  0x6b,  0x61,  0x20,  0x48,  0x69,  
	0x7a,  0x6d,  0x65,  0x74,  0x20,  0x53,  0x61,  0xc4,  
	0x9f,  0x6c,  0x61,  0x79,  0xc4,  0xb1,  0x63,  0xc4,  
	0xb1,  0x73,  0xc4,  0xb1,  0x31,  0x0b,  0x30,  0x09,  
	0x06,  0x03,  0x55,  0x04,  0x06,  0x0c,  0x02,  0x54,  
	0x52,  0x31,  0x0f,  0x30,  0x0d,  0x06,  0x03,  0x55,  
	0x04,  0x07,  0x0c,  0x06,  0x41,  0x4e,  0x4b,  0x41,  
	0x52,  0x41,  0x31,  0x56,  0x30,  0x54,  0x06,  0x03,  
	0x55,  0x04,  0x0a,  0x0c,  0x4d,  0x28,  0x63,  0x29,  
	0x20,  0x32,  0x30,  0x30,  0x35,  0x20,  0x54,  0xc3,  
	0x9c,  0x52,  0x4b,  0x54,  0x52,  0x55,  0x53,  0x54,  
	0x20,  0x42,  0x69,  0x6c,  0x67,  0x69,  0x20,  0xc4,  
	0xb0,  0x6c,  0x65,  0x74,  0x69,  0xc5,  0x9f,  0x69,  
	0x6d,  0x20,  0x76,  0x65,  0x20,  0x42,  0x69,  0x6c,  
	0x69,  0xc5,  0x9f,  0x69,  0x6d,  0x20,  0x47,  0xc3,  
	0xbc,  0x76,  0x65,  0x6e,  0x6c,  0x69,  0xc4,  0x9f,  
	0x69,  0x20,  0x48,  0x69,  0x7a,  0x6d,  0x65,  0x74,  
	0x6c,  0x65,  0x72,  0x69,  0x20,  0x41,  0x2e,  0xc5,  
	0x9e,  0x2e
};
static const CSSM_DATA turk1_derIssuer = { 186, (uint8 *)turk1_derIssuer_bytes };

/*
 Country         : TR
 Locality        : Ankara
 Org             : TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. (c) Kasım 2005
 Common Name     : TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı 
 Serial Number   : 01
 Not Before      : 10:07:57 Nov 7, 2005
 Not After       : 10:07:57 Sep 16, 2015
*/
static const uint8 turk2_derIssuer_bytes[] = {
	0x30,  0x81,  0xbe,  0x31,  0x3f,  0x30,  0x3d,  0x06,  
	0x03,  0x55,  0x04,  0x03,  0x0c,  0x36,  0x54,  0xc3,  
	0x9c,  0x52,  0x4b,  0x54,  0x52,  0x55,  0x53,  0x54,  
	0x20,  0x45,  0x6c,  0x65,  0x6b,  0x74,  0x72,  0x6f,  
	0x6e,  0x69,  0x6b,  0x20,  0x53,  0x65,  0x72,  0x74,  
	0x69,  0x66,  0x69,  0x6b,  0x61,  0x20,  0x48,  0x69,  
	0x7a,  0x6d,  0x65,  0x74,  0x20,  0x53,  0x61,  0xc4,  
	0x9f,  0x6c,  0x61,  0x79,  0xc4,  0xb1,  0x63,  0xc4,  
	0xb1,  0x73,  0xc4,  0xb1,  0x31,  0x0b,  0x30,  0x09,  
	0x06,  0x03,  0x55,  0x04,  0x06,  0x13,  0x02,  0x54,  
	0x52,  0x31,  0x0f,  0x30,  0x0d,  0x06,  0x03,  0x55,  
	0x04,  0x07,  0x0c,  0x06,  0x41,  0x6e,  0x6b,  0x61,  
	0x72,  0x61,  0x31,  0x5d,  0x30,  0x5b,  0x06,  0x03,  
	0x55,  0x04,  0x0a,  0x0c,  0x54,  0x54,  0xc3,  0x9c,  
	0x52,  0x4b,  0x54,  0x52,  0x55,  0x53,  0x54,  0x20,  
	0x42,  0x69,  0x6c,  0x67,  0x69,  0x20,  0xc4,  0xb0,  
	0x6c,  0x65,  0x74,  0x69,  0xc5,  0x9f,  0x69,  0x6d,  
	0x20,  0x76,  0x65,  0x20,  0x42,  0x69,  0x6c,  0x69,  
	0xc5,  0x9f,  0x69,  0x6d,  0x20,  0x47,  0xc3,  0xbc,  
	0x76,  0x65,  0x6e,  0x6c,  0x69,  0xc4,  0x9f,  0x69,  
	0x20,  0x48,  0x69,  0x7a,  0x6d,  0x65,  0x74,  0x6c,  
	0x65,  0x72,  0x69,  0x20,  0x41,  0x2e,  0xc5,  0x9e,  
	0x2e,  0x20,  0x28,  0x63,  0x29,  0x20,  0x4b,  0x61,  
	0x73,  0xc4,  0xb1,  0x6d,  0x20,  0x32,  0x30,  0x30,  
	0x35
};
static const CSSM_DATA turk2_derIssuer = { 193, (uint8 *)turk2_derIssuer_bytes };

/*
 Country         : TR
 Locality        : Ankara
 Org             : TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. (c) Aralık 2007
 Common Name     : TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı 
 Serial Number   : 01
 Not Before      : 18:37:19 Dec 25, 2007
 Not After       : 18:37:19 Dec 22, 2017
*/
static const uint8 turk3_derIssuer_bytes[] = {
	0x30,  0x81,  0xbf,  0x31,  0x3f,  0x30,  0x3d,  0x06,  
	0x03,  0x55,  0x04,  0x03,  0x0c,  0x36,  0x54,  0xc3,  
	0x9c,  0x52,  0x4b,  0x54,  0x52,  0x55,  0x53,  0x54,  
	0x20,  0x45,  0x6c,  0x65,  0x6b,  0x74,  0x72,  0x6f,  
	0x6e,  0x69,  0x6b,  0x20,  0x53,  0x65,  0x72,  0x74,  
	0x69,  0x66,  0x69,  0x6b,  0x61,  0x20,  0x48,  0x69,  
	0x7a,  0x6d,  0x65,  0x74,  0x20,  0x53,  0x61,  0xc4,  
	0x9f,  0x6c,  0x61,  0x79,  0xc4,  0xb1,  0x63,  0xc4,  
	0xb1,  0x73,  0xc4,  0xb1,  0x31,  0x0b,  0x30,  0x09,  
	0x06,  0x03,  0x55,  0x04,  0x06,  0x13,  0x02,  0x54,  
	0x52,  0x31,  0x0f,  0x30,  0x0d,  0x06,  0x03,  0x55,  
	0x04,  0x07,  0x0c,  0x06,  0x41,  0x6e,  0x6b,  0x61,  
	0x72,  0x61,  0x31,  0x5e,  0x30,  0x5c,  0x06,  0x03,  
	0x55,  0x04,  0x0a,  0x0c,  0x55,  0x54,  0xc3,  0x9c,  
	0x52,  0x4b,  0x54,  0x52,  0x55,  0x53,  0x54,  0x20,  
	0x42,  0x69,  0x6c,  0x67,  0x69,  0x20,  0xc4,  0xb0,  
	0x6c,  0x65,  0x74,  0x69,  0xc5,  0x9f,  0x69,  0x6d,  
	0x20,  0x76,  0x65,  0x20,  0x42,  0x69,  0x6c,  0x69,  
	0xc5,  0x9f,  0x69,  0x6d,  0x20,  0x47,  0xc3,  0xbc,  
	0x76,  0x65,  0x6e,  0x6c,  0x69,  0xc4,  0x9f,  0x69,  
	0x20,  0x48,  0x69,  0x7a,  0x6d,  0x65,  0x74,  0x6c,  
	0x65,  0x72,  0x69,  0x20,  0x41,  0x2e,  0xc5,  0x9e,  
	0x2e,  0x20,  0x28,  0x63,  0x29,  0x20,  0x41,  0x72,  
	0x61,  0x6c,  0xc4,  0xb1,  0x6b,  0x20,  0x32,  0x30,  
	0x30,  0x37
};
static const CSSM_DATA turk3_derIssuer = { 194, (uint8 *)turk3_derIssuer_bytes };

/*
Cert File Name: globalSignRoot.cer
   Country         : BE
   Org             : GlobalSign nv-sa
   OrgUnit         : Root CA
   Common Name     : GlobalSign Root CA
*/
static const uint8 globalSignRoot_derIssuer_bytes[] = {
   0x30,  0x57,  0x31,  0x0b,  0x30,  0x09,  0x06,  0x03,  
   0x55,  0x04,  0x06,  0x13,  0x02,  0x42,  0x45,  0x31,  
   0x19,  0x30,  0x17,  0x06,  0x03,  0x55,  0x04,  0x0a,  
   0x13,  0x10,  0x47,  0x6c,  0x6f,  0x62,  0x61,  0x6c,  
   0x53,  0x69,  0x67,  0x6e,  0x20,  0x6e,  0x76,  0x2d,  
   0x73,  0x61,  0x31,  0x10,  0x30,  0x0e,  0x06,  0x03,  
   0x55,  0x04,  0x0b,  0x13,  0x07,  0x52,  0x6f,  0x6f,  
   0x74,  0x20,  0x43,  0x41,  0x31,  0x1b,  0x30,  0x19,  
   0x06,  0x03,  0x55,  0x04,  0x03,  0x13,  0x12,  0x47,  
   0x6c,  0x6f,  0x62,  0x61,  0x6c,  0x53,  0x69,  0x67,  
   0x6e,  0x20,  0x52,  0x6f,  0x6f,  0x74,  0x20,  0x43,  
   0x41
};
static const CSSM_DATA globalSignRoot_derIssuer = { 89, (uint8 *)globalSignRoot_derIssuer_bytes };

/***********************
Cert File Name: swisssign.der
Subject Name       :
   Country         : CH
   Org             : SwissSign
   Common Name     : SwissSign CA (RSA IK May 6 1999 18:00:58)
   Email addrs     : ca@SwissSign.com
   
 This one has a bogus AuthorityKeyId, with a value of {0x30, 0} inside the octet string. 
 ***********************/
static const uint8 swisssign_derIssuer_bytes[] = {
   0x30,  0x76,  0x31,  0x0b,  0x30,  0x09,  0x06,  0x03,  
   0x55,  0x04,  0x06,  0x13,  0x02,  0x43,  0x48,  0x31,  
   0x12,  0x30,  0x10,  0x06,  0x03,  0x55,  0x04,  0x0a,  
   0x13,  0x09,  0x53,  0x77,  0x69,  0x73,  0x73,  0x53,  
   0x69,  0x67,  0x6e,  0x31,  0x32,  0x30,  0x30,  0x06,  
   0x03,  0x55,  0x04,  0x03,  0x13,  0x29,  0x53,  0x77,  
   0x69,  0x73,  0x73,  0x53,  0x69,  0x67,  0x6e,  0x20,  
   0x43,  0x41,  0x20,  0x28,  0x52,  0x53,  0x41,  0x20,  
   0x49,  0x4b,  0x20,  0x4d,  0x61,  0x79,  0x20,  0x36,  
   0x20,  0x31,  0x39,  0x39,  0x39,  0x20,  0x31,  0x38,  
   0x3a,  0x30,  0x30,  0x3a,  0x35,  0x38,  0x29,  0x31,  
   0x1f,  0x30,  0x1d,  0x06,  0x09,  0x2a,  0x86,  0x48,  
   0x86,  0xf7,  0x0d,  0x01,  0x09,  0x01,  0x16,  0x10,  
   0x63,  0x61,  0x40,  0x53,  0x77,  0x69,  0x73,  0x73,  
   0x53,  0x69,  0x67,  0x6e,  0x2e,  0x63,  0x6f,  0x6d
   
};
static const CSSM_DATA swisssign_derIssuer = { 120, (uint8 *)swisssign_derIssuer_bytes };

/*
 * Simple class to hold arrays of fields.
 */
class FieldArray {
public:
	/*
	 * Create from existing field array obtained from
	 * CSSM_CL_CertGetAllFields(). We'll do the CSSM_CL_FreeFields()
	 * in our destructor.
	 */
	FieldArray(
		CSSM_FIELD 		*fields, 
		uint32 			numFields,
		CSSM_CL_HANDLE 	clHand);
	
	/*
	 * Create empty array of specified size. We don't own the fields 
	 * themselves.
	 */
	FieldArray(
		uint32 			size);
	
	~FieldArray();
	
	/*
	 * Append a field - no realloc!
	 */
	void appendField(CSSM_FIELD &field);
	
	/* get specified field */
	CSSM_FIELD &fieldAt(uint32 index);
	
	/* get nth occurence of field matching specified OID */
	int  fieldForOid(
		const CSSM_OID	&oid,
		unsigned		n,			// n == 0 --> first one
		CSSM_FIELD		*&found);	// RETURNED
		
	CSSM_FIELD	*mFields;
	uint32		mNumFields;		// sizeof of *fields
	uint32		mMallocdSize;	// if NULL, read-only
	CSSM_CL_HANDLE	mClHand;
};

FieldArray::FieldArray(
	CSSM_FIELD *fields, 
	uint32 numFields,
	CSSM_CL_HANDLE clHand)
{
	mFields = fields;
	mNumFields = numFields;
	mMallocdSize = 0;
	mClHand = clHand;
}

FieldArray::FieldArray(
	uint32 size)
{
	unsigned len = sizeof(CSSM_FIELD) * size;
	mFields = (CSSM_FIELD_PTR)malloc(len);
	memset(mFields, 0, len);
	mNumFields = 0;
	mMallocdSize = size;
	mClHand = 0;
}

FieldArray::~FieldArray()
{
	if(mMallocdSize != 0) {
		/* 
		 * Just free the array of fields we mallocd, not the fields 
		 * themselves
		 */
		free(mFields);
	}
	else {
		/* The CL mallocd these fields, tell it to free the whole thing */
		CSSM_RETURN crtn = CSSM_CL_FreeFields(mClHand, 
			mNumFields, &mFields);
		if(crtn) {
			printError("CSSM_CL_FreeFields", crtn);
		}
	}
	mFields = NULL;
	mNumFields = 0;
	mMallocdSize = 0;
}

void FieldArray::appendField(
	CSSM_FIELD &field)
{
	if(mMallocdSize == 0) {
		printf("***Attempt to append to a read-only FieldArray\n");
		exit(1);
	}
	if(mNumFields >= mMallocdSize) {
		printf("***Attempt to append past present size of FieldArray\n");
		exit(1);
	}
	mFields[mNumFields] = field;
	mNumFields++;
}

CSSM_FIELD &FieldArray::fieldAt(
	uint32 index)
{
	if(index >= mNumFields) {
		printf("***Attempt to access past present size of FieldArray\n");
		exit(1);
	}
	return mFields[index];
}

/* get nth occurence of field matching specified OID */
/* returns nonzero on error */
int FieldArray::fieldForOid(
	const CSSM_OID	&oid,
	unsigned		n,			// n == 0 --> first one
	CSSM_FIELD		*&found)	// RETURNED
{
	unsigned foundDex = 0;
	for(unsigned dex=0; dex<mNumFields; dex++) {
		CSSM_FIELD &field = mFields[dex];
		if(appCompareCssmData(&field.FieldOid, &oid)) {
			if(foundDex == n) {
				found = &field;
				return 0;
			}
			foundDex++;
		}
	}
	printf("FieldArray::fieldForOid field not found\n");
	return 1;
}

/*
 * How many items in a NULL-terminated array of pointers?
 */
static unsigned nssArraySize(
	const void **array)
{
    unsigned count = 0;
    if (array) {
		while (*array++) {
			count++;
		}
    }
    return count;
}

static void doPrintCert(
	const CSSM_DATA &cert)
{
	printCert(cert.Data, cert.Length, CSSM_TRUE);
}

/*
 * The extensions whose presence causes us to skip the "compare
 * encoded and original TBS" test.
 */
#define USE_SKIPPED_EXTENS		1
#if		USE_SKIPPED_EXTENS
static const CSSM_OID *skippedExtens[] = {	// %%% FIXME: this is a workaround for <rdar://8265523>; shouldn't need to skip!
	&CSSMOID_PolicyMappings,
	&CSSMOID_PolicyConstraints
};
#define NUM_SKIPPED_EXTENS	\
	(sizeof(skippedExtens) / sizeof(skippedExtens[0]))
#endif	/* USE_SKIPPED_EXTENS */

static const CSSM_DATA *skippedCerts[] = {
	&anchor_46_derIssuer,
	&anchor_53_derIssuer,
	&anchor_60_derIssuer,
	&turk1_derIssuer,
	&turk2_derIssuer,
	&turk3_derIssuer,
	&globalSignRoot_derIssuer,
	&swisssign_derIssuer
};
#define NUM_SKIPPED_CERTS	(sizeof(skippedCerts) / sizeof(skippedCerts[0]))

static bool skipThisCert(
	const NSS_TBSCertificate &tbs)
{
	/* search by extension - currently unused */
	unsigned dex;
	#if USE_SKIPPED_EXTENS
	unsigned numExtens = nssArraySize((const void **)tbs.extensions);
	/* skip this section if that's empty - compiler warning causes failure */
	for(dex=0; dex<numExtens; dex++) {
		NSS_CertExtension *exten = tbs.extensions[dex];
		CSSM_OID *oid = &exten->extnId;
		for(unsigned skipDex=0; skipDex<NUM_SKIPPED_EXTENS; skipDex++) {
			if(appCompareCssmData(skippedExtens[skipDex], oid)) {
				return true;
			}
		}
	}
	#endif	/* USE_SKIPPED_EXTENS */
	
	/* search by specific issuer */
	for(dex=0; dex<NUM_SKIPPED_CERTS; dex++) {
		if(appCompareCssmData(skippedCerts[dex], &tbs.derIssuer)) {
			return true;
		}
	}
	return false;
}

/*
 * Given a field OID, figure out what WE think this field is.
 */
 
/* the field types we grok */
typedef enum {
	FT_Unknown,		// probably means we're out of sync with the CL
	FT_Normal,		// standard component of TBS
	FT_ReadOnly,	// Read only, don't use to create template
	FT_NotTBS,		// part of top-level cert, don't use to create TBS
	FT_ExtenParsed,	// extension the CL SHOULD HAVE parsed
	FT_ExtenUnknown	// extension the CL should NOT have parsed		
} FieldType;

/* map OID --> FieldType */
typedef struct {
	const CSSM_OID	*oid;
	FieldType		type;
} FieldOidType;

/* 
 * The CL-specific mapping table. 
 * This has to change whenever the CL is modified to add or delete
 * an extension or field!
 * For newbies, a tip: this basically has to stay in sync with the 
 * fieldFuncTable array in Security/AppleX509CL/CertFields.cpp. 
 */
FieldOidType knownFields[] = {
	{ 	&CSSMOID_X509V1Version, FT_Normal },
	{ 	&CSSMOID_X509V1SerialNumber, FT_Normal },
	{ 	&CSSMOID_X509V1IssuerNameCStruct, FT_Normal },
	{ 	&CSSMOID_X509V1SubjectNameCStruct, FT_Normal },
	{	&CSSMOID_X509V1SignatureAlgorithmTBS, FT_Normal },
	{	&CSSMOID_X509V1SignatureAlgorithm, FT_NotTBS },
	{	&CSSMOID_X509V1ValidityNotBefore, FT_Normal },
	{	&CSSMOID_X509V1ValidityNotAfter, FT_Normal },
	{	&CSSMOID_X509V1CertificateIssuerUniqueId, FT_Normal },
	{	&CSSMOID_X509V1CertificateSubjectUniqueId, FT_Normal },
	/* only one of these two can be set - use the SubjectPublicKeyInfo
	 * version */
	{	&CSSMOID_X509V1SubjectPublicKeyCStruct, FT_Normal },
	{	&CSSMOID_CSSMKeyStruct, FT_ReadOnly },
	{	&CSSMOID_X509V1Signature, FT_NotTBS },
	{   &CSSMOID_X509V1IssuerName, FT_ReadOnly },		// DER encoded
	{   &CSSMOID_X509V1SubjectName, FT_ReadOnly },		// DER encoded
	{   &CSSMOID_X509V1IssuerNameStd, FT_ReadOnly },	// DER encoded
	{   &CSSMOID_X509V1SubjectNameStd,FT_ReadOnly },	// DER encoded
		
	/* Extensions */
	{	&CSSMOID_KeyUsage, FT_ExtenParsed },
	{   &CSSMOID_BasicConstraints, FT_ExtenParsed },
	{	&CSSMOID_ExtendedKeyUsage, FT_ExtenParsed } ,
	{	&CSSMOID_SubjectKeyIdentifier, FT_ExtenParsed } ,
	{	&CSSMOID_AuthorityKeyIdentifier, FT_ExtenParsed } ,
	{	&CSSMOID_SubjectAltName, FT_ExtenParsed } ,
	{	&CSSMOID_IssuerAltName, FT_ExtenParsed } ,
	{	&CSSMOID_CertificatePolicies, FT_ExtenParsed } ,
	{	&CSSMOID_NetscapeCertType, FT_ExtenParsed } ,
	{	&CSSMOID_CrlDistributionPoints, FT_ExtenParsed },
	{   &CSSMOID_AuthorityInfoAccess, FT_ExtenParsed },
	{   &CSSMOID_SubjectInfoAccess, FT_ExtenParsed },
	{   &CSSMOID_X509V3CertificateExtensionCStruct, FT_ExtenUnknown },
	{   &CSSMOID_QC_Statements, FT_ExtenParsed },
	{	&CSSMOID_NameConstraints, FT_ExtenParsed },
	{	&CSSMOID_PolicyMappings, FT_ExtenParsed },
	{	&CSSMOID_PolicyConstraints, FT_ExtenParsed },
//	{	&CSSMOID_InhibitAnyPolicy, FT_ExtenParsed } //%%% FIXME: CSSMOID_InhibitAnyPolicy not exported!?
};
#define NUM_KNOWN_FIELDS (sizeof(knownFields) / sizeof(knownFields[0]))

static FieldType typeForOid(
	const CSSM_OID &oid)
{
	for(unsigned dex=0; dex<NUM_KNOWN_FIELDS; dex++) {
		FieldOidType &ft = knownFields[dex];
		if(appCompareCssmData(&oid, ft.oid)) {
			return ft.type;
		}
	}
	/* not found */
	return FT_Unknown;
}

static const char *fieldTypeStr(
	FieldType type)
{
	switch(type) {
		case FT_Unknown:		return "FT_Unknown";
		case FT_Normal: 		return "FT_Normal";
		case FT_ReadOnly: 		return "FT_ReadOnly";
		case FT_NotTBS: 		return "FT_NotTBS";
		case FT_ExtenParsed: 	return "FT_ExtenParsed";
		case FT_ExtenUnknown: 	return "FT_ExtenUnknown";
		default:
			printf("***BRRZAP!\n");
			exit(1);
	}
}

static const uint8 emptyAuthKeyId[2] = {0x30, 0};

/*
 * Extensions come in two flavors - parsed and not. However the 
 * CL will give us an unparsed version for extensions it normally 
 * understands but failed to decode. Detect that, and basic
 * extension formatting screwups, here.
 */
static int vfyExtens(
	FieldArray &extenFields,
	const CSSM_DATA &cert,		// for error display only 
	CSSM_BOOL quiet)	
{
	for(unsigned dex=0; dex<extenFields.mNumFields; dex++) {
		CSSM_FIELD &extenField = extenFields.fieldAt(dex);
		FieldType type = typeForOid(extenField.FieldOid);
		FieldType expectType;
		
		/* first verify well-formed extension field */
		CSSM_DATA &fieldValue = extenField.FieldValue;
		CSSM_X509_EXTENSION *exten = (CSSM_X509_EXTENSION *)fieldValue.Data;
		if((exten == NULL) || 
				(fieldValue.Length != sizeof(CSSM_X509_EXTENSION))) {
			doPrintCert(cert);
			printf("***Malformed CSSM_X509_EXTENSION\n");
			if(testError(quiet)) {
				return 1;
			}
			/* well let's limp along */
			continue;
		}

		/* currently (since Radar 3593624), these are both always valid */
		if((exten->BERvalue.Data == NULL) || 
		   (exten->value.parsedValue == NULL)) {  /* actually, one of three variants */
			printf("***Malformed CSSM_X509_EXTENSION (1)\n");
			return 1;
		}
		
		switch(exten->format) {
			case CSSM_X509_DATAFORMAT_ENCODED:
				if(type != FT_ExtenUnknown) {
					doPrintCert(cert);
					printf("***Entension format ENCODED, expected PARSED\n");
					if(testError(quiet)) {
						return 1;
					}
				}
				
				/* 
				 * Now make sure that the underlying extension ID isn't
				 * one that the CL was SUPPOSED to parse 
				 */
				// %%% FIXME: need to investigate why these are not fully parsed: <rdar://8265523>
				if(appCompareCssmData(&exten->extnId, &CSSMOID_PolicyConstraints)) {
					printf("...skipping policyConstraints extension per <rdar://8265523> (fix me!)\n");
					break;
				}
				if(appCompareCssmData(&exten->extnId, &CSSMOID_PolicyMappings)) {
					printf("...skipping policyMappings extension per <rdar://8265523> (fix me!)\n");
					break;
				}
				
				expectType = typeForOid(exten->extnId);
				if(expectType != FT_Unknown) {
					/* 
					 * Swisscom root has an authorityKeyId extension with an illegal value, 
					 * data inside the octet string is <30 00>, no context-specific wrapper
					 * or tag. 
					 * Instead of a hopeless complaint about that cert, let's just tolerate it 
					 * like this...
					 */
					if(appCompareCssmData(&exten->extnId, &CSSMOID_AuthorityKeyIdentifier) &&
					   (exten->BERvalue.Length == 2) &&
					   !memcmp(emptyAuthKeyId, exten->BERvalue.Data, 2)) {
						printf("...skipping bogus swisssign AuthorityKeyId\n");
						break;
					}
					doPrintCert(cert);
					printf("***underlying exten type %s, expect Unknown\n",
						fieldTypeStr(expectType));
					if(testError(quiet)) {
						return 1;
					}
				}
				break;
				
			case CSSM_X509_DATAFORMAT_PARSED:
				if(type != FT_ExtenParsed) {
					doPrintCert(cert);
					printf("***Entension format PARSED, expected ENCODED\n");
					if(testError(quiet)) {
						return 1;
					}
				}
				if(exten->value.parsedValue == NULL) {
					doPrintCert(cert);
					printf("***Parsed extension with NULL parsedValue\n");
					if(testError(quiet)) {
						return 1;
					}
				}
				break;
				
			default:
				doPrintCert(cert);
				printf("***Unknown Entension format %u\n",
					exten->format);
				if(testError(quiet)) {
					return 1;
				}
				break;
				
		}	/* switch(exten.format) */
	}
	return 0;
}

/*
 * Here's the hard part.
 * Given a raw cert and its components in two FieldArrays, crate a TBS
 * cert from scratch from those fields and ensure that the result 
 * is the same as the raw TBS field in the original cert. 
 */
static int buildTbs(
	CSSM_CL_HANDLE	clHand,
	const CSSM_DATA	&rawCert,
	FieldArray		&allFields,		// on entry, standard fields
	FieldArray		&extenFields,	// extensions only 
	CSSM_BOOL		quiet,
	CSSM_BOOL		verbose,
	CSSM_BOOL		writeBlobs)
{
	/*
	 * First do raw BER-decode in two ways - one to get the 
	 * extensions as they actuallly appear in the cert, and one
	 * to get the raw undecoded TBS.
	 */
	SecAsn1CoderRef coder;
	OSStatus ortn = SecAsn1CoderCreate(&coder);
	if(ortn) {
		cssmPerror("SecAsn1CoderCreate", ortn);
		return testError(quiet);
	}
	
	NSS_SignedCertOrCRL signedCert;	// with TBS as ASN_ANY
	memset(&signedCert, 0, sizeof(signedCert));
	if(SecAsn1DecodeData(coder, &rawCert, kSecAsn1SignedCertOrCRLTemplate,
			&signedCert)) {
		doPrintCert(rawCert);
		printf("***Error decoding cert to kSecAsn1SignedCertOrCRL\n");
		return testError(quiet);
	}
	
	NSS_Certificate fullCert;		// fully decoded
	memset(&fullCert, 0, sizeof(fullCert));
	if(SecAsn1DecodeData(coder, &rawCert, kSecAsn1SignedCertTemplate,
			&fullCert)) {
		doPrintCert(rawCert);
		printf("***Error decoding cert to kSecAsn1Certificate\n");
		return testError(quiet);
	}
	 
	NSS_TBSCertificate &tbs = fullCert.tbs;
	unsigned numExtens = nssArraySize((const void **)tbs.extensions);
	if(numExtens != extenFields.mNumFields) {
		/* The CL told us the wrong number of extensions */
		doPrintCert(rawCert);
		printf("***NSS says %u extens, CL says %u\n", numExtens,
			(unsigned)extenFields.mNumFields);
		return testError(quiet);
	}
	
	if(skipThisCert(tbs)) {
		if(verbose) {
			printf("   ...skipping TBS blob check\n");
		}
		SecAsn1CoderRelease(coder);
		return 0;
	}	
	
	/*
	 * The CL returns extension fields in an order which differs from
	 * the order of the extensions in the actual cert (because it
	 * does a table-based lookup, field by field, when doing a 
	 * CSSM_CL_CertGetAllFields()). We have to add the extensions
	 * from extenFields to allFields in the order they appear in 
	 * OUR decoded fullCert.
	 */
	unsigned numUnknowns = 0;
	for(unsigned dex=0; dex<numExtens; dex++) {
		NSS_CertExtension *exten = tbs.extensions[dex];
		CSSM_OID &oid = exten->extnId;
		FieldType type = typeForOid(oid);
		CSSM_FIELD *found = NULL;
		int rtn;
		switch(type) {
			case FT_ExtenParsed:
				/* 
				 * look for this exact extension
				 * NOTE we're assuming that only one copy of 
				 * each specific parsed extension exists. The 
				 * 509 spec does't specifically require this but
				 * I've never seen a case of multiple extensions
				 * of the same type in one cert. 
				 */
				rtn = extenFields.fieldForOid(oid, 0, found);
				break;
			case FT_Unknown:
				/* search for nth unparsed exten field */
				rtn = extenFields.fieldForOid(
					CSSMOID_X509V3CertificateExtensionCStruct,
					numUnknowns++,
					found);
				break;
			default:
				/* caller was already supposed to check this */
				doPrintCert(rawCert);
				printf("***HEY! buildTBS was given a bogus extension!\n");
				return 1;
		}
		if(rtn) {
			doPrintCert(rawCert);
			printf("***buildTBS could not find extension in CL's fields\n");
			return testError(quiet);
		}
		
		allFields.appendField(*found);
	}	/* processing extensions */
	
	/* 
	 * OK, the field array in allFields is ready to go down to 
	 * the CL.
	 */
	CSSM_RETURN crtn;
	CSSM_DATA clTbs = {0, NULL};
	crtn = CSSM_CL_CertCreateTemplate(clHand,
		allFields.mNumFields,
		allFields.mFields,
		&clTbs);
	if(crtn) {
		doPrintCert(rawCert);
		printError("CSSM_CL_CertCreateTemplate", crtn);
		return testError(quiet);
	}
	
	/*
	 * The moment of truth. Is that template identical to the 
	 * raw undecoded TBS blob we got by decoding a NSS_SignedCertOrCRL?
	 */
	int ourRtn = 0;
	if(!appCompareCssmData(&clTbs, &signedCert.tbsBlob)) {
		doPrintCert(rawCert);
		printf("***Encoded TBS does not match decoded TBS.\n");
		if(writeBlobs) {
			writeFile(ENC_TBS_BLOB, clTbs.Data, clTbs.Length);
			writeFile(DEC_TBS_BLOB, signedCert.tbsBlob.Data, 
				signedCert.tbsBlob.Length);
			printf("...wrote TBS blobs to %s and %s\n",
				ENC_TBS_BLOB, DEC_TBS_BLOB);
		}
		ourRtn = testError(quiet);
	}
	CSSM_FREE(clTbs.Data);
	SecAsn1CoderRelease(coder);
	return ourRtn;
}

/* verify root with itself using TP */
static int verifyRoot(
	CSSM_TP_HANDLE  tpHand,
	CSSM_CL_HANDLE	clHand,
	CSSM_CSP_HANDLE cspHand,
	const CSSM_DATA	&cert,
	CSSM_BOOL		allowExpired,
	CSSM_BOOL		useTrustSettings,
	CSSM_BOOL		quiet)
{
	BlobList blobs;
	blobs.addBlob(cert, CSSM_TRUE);
	int i;
	
	const char *certStatus;
	if(useTrustSettings) {
		/*
		 * CSSM_CERT_STATUS_IS_IN_INPUT_CERTS 
		 * CSSM_CERT_STATUS_IS_ROOT
		 * CSSM_CERT_STATUS_TRUST_SETTINGS_FOUND_SYSTEM
		 * CSSM_CERT_STATUS_TRUST_SETTINGS_TRUST
		 */
		certStatus = "0:0x314";  
	}
	else {
		/*
		 * CSSM_CERT_STATUS_IS_IN_INPUT_CERTS (new since radar 3855635 was fixed)
		 * CSSM_CERT_STATUS_IS_IN_ANCHORS
		 * CSSM_CERT_STATUS_IS_ROOT
		 */
		certStatus = "0:0x1C";  
	}

	/* try one with allowExpiredRoot false, then true on error and if so 
	 * enabled to make sure we know what's going wrong */
	CSSM_BOOL expireEnable = CSSM_FALSE;
	for(int dex=0; dex<2; dex++) {
		i = certVerifySimple(tpHand, clHand, cspHand,
			blobs,		// certs
			blobs,		// and roots
			CSSM_FALSE, // useSystemAnchors
			CSSM_TRUE,  // leaf is CA
			expireEnable,
			CVP_Basic,
			NULL,		// SSL host
			CSSM_FALSE, // SSL client
			NULL,		// sender email
			0,			// key use
			NULL,		// expected error str
			0, NULL,	// per-cert errors
			1, &certStatus,	// per-cert status
			useTrustSettings,
			quiet, 
			CSSM_FALSE);	// verbose
		if(i == 0) {
			/* success */
			if(dex == 1) {
				printf("...warning: expired root detected. Be aware.\n");
			}
			return 0;
		}
		if(!allowExpired) {
			/* no second chance */
			return i;
		}
		expireEnable = CSSM_TRUE;
		if(useTrustSettings) {
			/* now expect EXPIRED, IS_ROOT, IS_IN_INPUT_CERTS, TRUST_SETTINGS_FOUND_SYSTEM,
			 * CSSM_CERT_STATUS_TRUST_SETTINGS_TRUST */
			certStatus = "0:0x315";	
		}
		else {
			/* now expect EXPIRED, IS_ROOT, IS_IN_ANCHORS, IS_IN_INPUT_CERTS */
			certStatus = "0:0x1d";	
		}
	}
	return i;
}


static int doTest(
	CSSM_CL_HANDLE	clHand,
	CSSM_TP_HANDLE  tpHand,
	CSSM_CSP_HANDLE cspHand,
	const CSSM_DATA	&cert,
	CSSM_BOOL		allowExpired,
	CSSM_BOOL		quiet,
	CSSM_BOOL		verbose,
	CSSM_BOOL		writeBlobs,
	CSSM_BOOL		useTrustSettings)
{
	/* first see if this anchor self-verifies. */
	if(verifyRoot(tpHand, clHand, cspHand, cert, allowExpired, 
			useTrustSettings, quiet)) {
		doPrintCert(cert);
		printf("***This anchor does not self-verify!\n");
		return testError(quiet);
	}
	
	/* have the CL parse it to the best of its ability */
	CSSM_FIELD_PTR certFields;
	uint32 numFields;
	CSSM_RETURN crtn = CSSM_CL_CertGetAllFields(clHand, &cert, &numFields, 
		&certFields);
	if(crtn) {
		printError("CSSM_CL_CertGetAllFields", crtn);
		doPrintCert(cert);
		printf("***The CL can not parse this anchor!\n");
		return testError(quiet);
	}

	/* save, this object does the free fields when it goes out of scope */
	FieldArray parsed(certFields, numFields, clHand);
	
	/* 
	 * We're going to build a TBSCert from these received fields.
	 * Extensions need to be processed specially because they 
	 * come back from the CL ordered differently than they appear
	 * in the cert. 
	 *
	 * First make two buckets for making copies of incoming fields.
	 */
	FieldArray forCreate(numFields);	// for creating template
	FieldArray extenFields(numFields);
	
	for(unsigned dex=0; dex<numFields; dex++) {
		CSSM_FIELD &parsedField = parsed.fieldAt(dex);
		FieldType type = typeForOid(parsedField.FieldOid);
		switch(type) {
			case FT_Normal:
				forCreate.appendField(parsedField);
				break;
			case FT_ReadOnly:
			case FT_NotTBS:
				/* ignore */
				break;
			case FT_ExtenParsed:
			case FT_ExtenUnknown:
				/* extensions, save and process later */
				extenFields.appendField(parsedField);
				break;
			default:
				doPrintCert(cert);
				printf("***This anchor contains an unknown field!\n");
				if(testError(quiet)) {
					return 1;
				}
				/* well let's limp along */
				forCreate.appendField(parsedField);
				break;
		}
	}
	
	/* basic extension verification */
	if(vfyExtens(extenFields, cert, quiet)) {
		return 1;
	}
	return buildTbs(clHand, cert, forCreate, extenFields, quiet, 
		verbose, writeBlobs);
}

int main(int argc, char **argv)
{
	CSSM_BOOL quiet = CSSM_FALSE;
	CSSM_BOOL verbose = CSSM_FALSE;
	CSSM_BOOL writeBlobs = CSSM_FALSE;
	CSSM_BOOL allowExpired = CSSM_FALSE;
	CSSM_BOOL useTrustSettings = CSSM_FALSE;

	for(int arg=1; arg<argc; arg++) {
		switch(argv[arg][0]) {
			case 'q':
				quiet = CSSM_TRUE;
				break;
			case 'v':
				verbose = CSSM_TRUE;
				break;
			case 'w':
				writeBlobs = CSSM_TRUE;
				break;
			case 't':
				useTrustSettings = CSSM_TRUE;
				break;
			case 'e':
				allowExpired = CSSM_TRUE;
				break;
			default:
				usage(argv);
		}
	}
	
	printf("Starting anchorTest; args: ");
	for(int i=1; i<argc; i++) {
		printf("%s ", argv[i]);
	}
	printf("\n");

	/* get system anchors only; convert to CSSM */
	CFArrayRef cfAnchors;
	OSStatus ortn;
	CSSM_DATA *anchors;
	unsigned numAnchors;
	ortn = getSystemAnchors(&cfAnchors, &anchors, &numAnchors);
	if(ortn) {
		exit(1);
	}
	if(numAnchors < 50) {
		printf("***Hey! I can only find %u anchors; there should be way more than that.\n",
			numAnchors);
		exit(1);
	}

	CSSM_CL_HANDLE clHand = clStartup();
	CSSM_TP_HANDLE tpHand = tpStartup();
	CSSM_CSP_HANDLE cspHand = cspStartup();
	if((clHand == 0) || (tpHand == 0) || (cspHand == 0)) {
		return 0;
	}

	int rtn = 0;
	for(unsigned dex=0; dex<numAnchors; dex++) {
		if(!quiet) {
			printf("...anchor %u\n", dex);
		}
		rtn = doTest(clHand, tpHand, cspHand, anchors[dex], allowExpired,
			quiet, verbose, writeBlobs, useTrustSettings);
		if(rtn) {
			break;
		}
	}
	if(rtn == 0) {
		if(!quiet) {
			printf("...%s success.\n", argv[0]);
		}
	}
	return rtn;
}