newCmsTool.cpp   [plain text]

/*
 * cmstool.cpp - manipulate CMS messages, CMSEncoder/CMSDecoder version
 */
 
#include <Security/Security.h>
#include <security_cdsa_utils/cuFileIo.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <utilLib/common.h>
#include <security_cdsa_utils/cuFileIo.h>
#include <security_cdsa_utils/cuPrintCert.h>
#include <clAppUtils/identPicker.h>
#include <clAppUtils/sslAppUtils.h>
#include <security_cdsa_utils/cuOidParser.h>
#include <CoreFoundation/CoreFoundation.h>
#include <CoreServices/../Frameworks/CarbonCore.framework/Headers/MacErrors.h>

#include <Security/SecTrustPriv.h>		/* SecTrustGetCssmResultCode */
#include <Security/SecIdentityPriv.h>	/* SecIdentityCreateWithCertificate */
#include <Security/CMSEncoder.h>
#include <Security/CMSDecoder.h>
#include <Security/CMSPrivate.h>

#include <Security/SecCertificate.h>
#include <Security/oidsattr.h>

#define CFRELEASE(cfr)	if(cfr != NULL) { CFRelease(cfr); }

static SecKeychainRef keychain_open(const char *name);

static void usage(char **argv)
{
    printf("Usage: %s cmd [option ...]\n", argv[0]);
	printf("cmd values:\n");
	printf("   sign                 -- create signedData\n");
	printf("   envel                -- create envelopedData\n");
	printf("   signEnv              -- create nested EnvelopedData(signedData(data))\n");
	printf("   certs                -- create certs-only CMS msg\n");
	printf("   parse                -- parse a CMS message file\n");
	printf("Input/output options:\n");
	printf("   -i infile\n");
	printf("   -o outfile\n");
	printf("   -D detachedContent   -- detached content (parse only)\n");
	printf("   -d detached          -- infile contains detached content (sign only)\n");
	printf("   -f certFileBase      -- dump all certs to certFileBase\n");
	printf("Signer and recipient options:\n");
	printf("   -k keychain          -- Keychain to search for certs\n");
	printf("   -p                   -- Use identity picker\n");
	printf("   -r recipient         -- add recipient (via email address) of enveloped data\n");
	printf("   -R recipCertFile     -- add recipient (via cert from file) of enveloped data\n");
	printf("   -S signerEmail       -- add signer email address\n");
	printf("   -C cert              -- add (general) signedData cert\n"); 
	printf("Misc. options:\n");
	printf("   -e eContentType      -- a(uthData)|r(keyData)\n");
	printf("   -m                   -- multi updates; default is one-shot\n");
	printf("   -1 (one)             -- custom encoder/decoder\n");
	printf("   -2                   -- fetch SecCmsMessageRef\n");
	printf("   -c                   -- parse signer certs\n");
	printf("   -a [ceEt]            -- Signed Attributes: c=SmimeCaps,\n");
	printf("                           e=EncrPrefs, E=MSEncrPrefs, t=signingTime\n");
	printf("   -A anchorFile        -- Verify certs using specified anchor cert\n");
	printf("   -M                   -- Do SecTrustEvaluate manually\n");
	printf("   -t certChainMode     -- none|signer|chain|chainWithRoot; default is chain\n");
	printf("   -l                   -- loop & pause for malloc debug\n");
	printf("   -q                   -- quiet\n");
	printf("   -Z                   -- silent, no output at all except for errors\n");
	printf("Verification options:\n");
	printf("   -v sign|encr|signEnv -- verify message is signed/encrypted/both\n");
	printf("   -s numSigners        -- verify msg has specified number of signers\n");
	printf("   -E eContentType      -- verify a(authData)|r(keyData)|d(data)\n");
	printf("   -N numCerts          -- verify number of certs\n");
	exit(1);
}

/* high level op */
typedef enum {
	CTO_Sign,
	CTO_Envelop,
	CTO_SignEnvelop,
	CTO_CertsOnly,
	CTO_Parse
} CT_Op;

/* to verify */
typedef enum {
	CTV_None,
	CTV_Sign,
	CTV_Envelop,
	CTV_SignEnvelop
} CT_Vfy;

/* additional OIDS to specify as eContentType */
#define OID_PKINIT	0x2B, 6, 1, 5, 2, 3
#define OID_PKINIT_LEN	6

static const uint8	OID_PKINIT_AUTH_DATA[]	    = {OID_PKINIT, 1};
static const uint8	OID_PKINIT_DH_KEY_DATA[]    = {OID_PKINIT, 2};
static const uint8	OID_PKINIT_RKEY_DATA[]	    = {OID_PKINIT, 3};
static const uint8	OID_PKINIT_KP_CLIENTAUTH[]  = {OID_PKINIT, 3};
static const uint8	OID_PKINIT_KPKDC[]			= {OID_PKINIT, 5};

static const CSSM_OID	CSSMOID_PKINIT_AUTH_DATA = 
	{OID_PKINIT_LEN+1, (uint8 *)OID_PKINIT_AUTH_DATA};
static const CSSM_OID	CSSMOID_PKINIT_DH_KEY_DATA =
	{OID_PKINIT_LEN+1, (uint8 *)OID_PKINIT_DH_KEY_DATA};
static const CSSM_OID	CSSMOID_PKINIT_RKEY_DATA = 
	{OID_PKINIT_LEN+1, (uint8 *)OID_PKINIT_RKEY_DATA};
static const CSSM_OID	CSSMOID_PKINIT_KP_CLIENTAUTH =
	{OID_PKINIT_LEN+1, (uint8 *)OID_PKINIT_KP_CLIENTAUTH};
static const CSSM_OID	CSSMOID_PKINIT_KPKDC = 
	{OID_PKINIT_LEN+1, (uint8 *)OID_PKINIT_KPKDC};

/*
 * Find a cert in specified keychain or keychain list matching specified 
 * email address. We happen to know that the email address is stored with the 
 * kSecAlias attribute. 
 */
static OSStatus findCert(
	const char *emailAddress,
	CFTypeRef kcArArray,			// kc, array, or even NULL
	SecCertificateRef *cert)
{
	OSStatus					ortn;
	SecKeychainSearchRef		srch;
	SecKeychainAttributeList	attrList;
	SecKeychainAttribute		attr;
	
	attr.tag = kSecAlias;
	attr.length = strlen(emailAddress);
	attr.data = (void *)emailAddress;
	attrList.count = 1;
	attrList.attr = &attr;
	
	ortn = SecKeychainSearchCreateFromAttributes(kcArArray,
		kSecCertificateItemClass,
		&attrList,
		&srch);
	if(ortn) {
		cssmPerror("SecKeychainSearchCreateFromAttributes", ortn);
		return ortn;
	}
	
	ortn = SecKeychainSearchCopyNext(srch, (SecKeychainItemRef *)cert);
	if(ortn) {
		printf("***No certs found matching recipient %s. Aborting.\n",
			emailAddress);
		return ortn;
	}
	CFRelease(srch);
	return noErr;
}

/* create a SecCertificateRef from a file */
static SecCertificateRef readCertFile(
	const char *fileName)
{
	unsigned char *certData = NULL;
	unsigned certDataLen;
	SecCertificateRef rtnCert = NULL;
	
	if(readFile(fileName, &certData, &certDataLen)) {
		printf("***Error reading %s. Aborting.\n", fileName);
		return NULL;
	}
	CSSM_DATA cssmCert = {certDataLen, (uint8 *)certData};
	OSStatus ortn = SecCertificateCreateFromData(&cssmCert, 
		CSSM_CERT_X_509v3, CSSM_CERT_ENCODING_DER,
		&rtnCert);
	if(ortn) {
		cssmPerror("SecCertificateCreateFromData", ortn);
		printf("***Error creating cert fromn %s. Aborting.\n", fileName);
	}
	free(certData);
	return rtnCert;
}

static int dumpCertFiles(
	CFArrayRef allCerts,
	const char *fileBase,
	bool quiet)
{
	char fileName[200];
	
	if(allCerts == NULL) {
		printf("...no certs to write.\n");
		return 0;
	}
	CFIndex numCerts = CFArrayGetCount(allCerts);
	if(numCerts == 0) {
		printf("...no certs to write.\n");
		return 0;
	}
	for(CFIndex dex=0; dex<numCerts; dex++) {
		SecCertificateRef secCert = 
			(SecCertificateRef)CFArrayGetValueAtIndex(allCerts, dex);
		CSSM_DATA certData;
		OSStatus ortn;
		
		ortn = SecCertificateGetData(secCert, &certData);
		if(ortn) {
			cssmPerror("SecCertificateGetData", ortn);
			return -1;
		}	
		sprintf(fileName, "%s_%u.cer", fileBase, (unsigned)dex);
		if(writeFile(fileName, certData.Data, certData.Length)) {
			printf("***Error writing cert data to %s. Aborting.\n", fileName);
			return 1;
		}
		else if(!quiet) {
			printf("...wrote %u bytes to %s.\n",
				(unsigned)certData.Length, fileName);
		}
	}
	return 0;
}

/*
 * Do a random number of random-sized updates on a CMSEncoder.
 */
static OSStatus updateEncoder(
	CMSEncoderRef cmsEncoder,
	const unsigned char *inData,
	unsigned inDataLen)
{
	unsigned toMove = inDataLen;
	unsigned thisMove;
	
	while(toMove != 0) {
		thisMove = genRand(1, toMove);
		OSStatus ortn = CMSEncoderUpdateContent(cmsEncoder, inData, thisMove);
		if(ortn) {
			cssmPerror("CMSEncoderUpdateContent", ortn);
			return ortn;
		}
		toMove -= thisMove;
		inData += thisMove;
	}
	return noErr;
}

/*
 * Do a random number of random-sized updates on a CMSDecoder.
 */
static OSStatus updateDecoder(
	CMSDecoderRef cmsDecoder,
	const unsigned char *inData,
	unsigned inDataLen)
{
	unsigned toMove = inDataLen;
	unsigned thisMove;
	
	while(toMove != 0) {
		thisMove = genRand(1, toMove);
		OSStatus ortn = CMSDecoderUpdateMessage(cmsDecoder, inData, thisMove);
		if(ortn) {
			cssmPerror("CMSDecoderUpdateMessage", ortn);
			return ortn;
		}
		toMove -= thisMove;
		inData += thisMove;
	}
	return noErr;
}

#define TRUST_STRING_MAX	128

static OSStatus evalSecTrust(
	SecTrustRef			secTrust,
	CFMutableArrayRef	anchorArray,		// optional
	char				*trustStr,			// caller-mallocd, TRUST_STRING_MAX chars
	bool				quiet)
{
	OSStatus ortn;
	SecTrustResultType			secTrustResult;
	
	if(anchorArray) {
		ortn  = SecTrustSetAnchorCertificates(secTrust, anchorArray);
		if(ortn) {
			/* should never happen */
			cssmPerror("SecTrustSetAnchorCertificates", ortn);
			return ortn;
		}
	}
	ortn = SecTrustEvaluate(secTrust, &secTrustResult);
	if(ortn) {
		/* should never happen */
		cssmPerror("SecTrustEvaluate", ortn);
		return ortn;
	}
	switch(secTrustResult) {
		case kSecTrustResultUnspecified:
			/* cert chain valid, no special UserTrust assignments */
		case kSecTrustResultProceed:
			/* cert chain valid AND user explicitly trusts this */
			sprintf(trustStr, "Successful\n");
			return noErr;
		case kSecTrustResultDeny:
		case kSecTrustResultConfirm:
			/*
			 * Cert chain may well have verified OK, but user has flagged
			 * one of these certs as untrustable.
			 */
			sprintf(trustStr, "Not trusted per user-specified Trust level\n");
			/* bogus return code I know */
			return errSecInvalidTrustSetting;
		default:
		{
			/* get low-level TP error */
			OSStatus tpStatus;
			ortn = SecTrustGetCssmResultCode(secTrust, &tpStatus);
			if(ortn) {
				cssmPerror("SecTrustGetCssmResultCode", ortn);
				return ortn;
			}
			switch(tpStatus) {
				case CSSMERR_TP_INVALID_ANCHOR_CERT: 
					sprintf(trustStr, "Untrusted root\n");
					break;
				case CSSMERR_TP_NOT_TRUSTED:
					/* no root, not even in implicit SSL roots */
					sprintf(trustStr, "No root cert found\n");
					break;
				case CSSMERR_TP_CERT_EXPIRED:
					sprintf(trustStr, "Expired cert\n");
					break;
				case CSSMERR_TP_CERT_NOT_VALID_YET:
					sprintf(trustStr, "Cert not valid yet\n");
					break;
				default:
					sprintf(trustStr, "Other cert failure (%s)",
						cssmErrToStr(tpStatus));
					break;
			}
			return tpStatus;
		}
	} 	/* SecTrustEvaluate error */
	/* NOT REACHED */
}

static OSStatus doParse(
	const unsigned char *data,
	unsigned			dataLen,
	const unsigned char *detachedContent,
	unsigned			detachedContentLen,
	bool				multiUpdate,
	CT_Vfy				vfyOp,
	const CSSM_OID		*eContentVfy,	// optional to verify
	int					numSignersVfy,	// optional (>=0) to verify
	int					numCertsVfy,	// optionjal (>= 0) to verify
	bool				parseSignerCert,
	const char			*certFileBase,	// optionally write certs here
	bool				customDecoder,	// invoke CMSDecoderSetDecoder()
	bool				manTrustEval,	// evaluate SecTrust ourself
	CFMutableArrayRef	anchorArray,	// optional, and only for manTrustEval
	bool				quiet,
	CFDataRef			*outData)		// RETURNED 
{
	if((data == NULL) || (dataLen == 0)) {
		fprintf(stderr, "***Parse requires input file. Aborting.\n");
		return paramErr;
	}
	
	CMSDecoderRef cmsDecoder;
	size_t numSigners;
	Boolean isEncrypted;
	CFArrayRef allCerts = NULL;
	unsigned signerDex;
	SecPolicyRef policy = NULL;
	SecPolicySearchRef policySearch = NULL;
	CFIndex numCerts = 0;
	int addDetachedAfterDecode = 0;
	SecArenaPoolRef arena = NULL;
	
	/* 
	 * Four different return codes:
	 * -- ortn used for function returns; if nonzero, bail immediately and goto errOut
	 * -- ourRtn is manually set per the output of CMSDecoderCopySignerStatus and 
	 *    evalSecTrust
	 * -- trustRtn is the output of manual SecTrustEvaluate (via evalSecTrust())
	 * -- vfyErr indicates mismatch in caller-specified error params
	 *
	 * All four have to be zero fgor us to return zero.
	 */
	OSStatus ourRtn = noErr;
	OSStatus ortn = noErr;
	OSStatus trustRtn = noErr;
	int vfyErr = 0;
	
	ortn = CMSDecoderCreate(&cmsDecoder);
	if(ortn) {
		cssmPerror("CMSDecoderCreate", ortn);
		return ortn;
	}
	
	/* subsequent errors to errOut: */
	
	if(detachedContent != NULL) {
		/* 
		 * We can add detached content either before or after the 
		 * update/finalize; to test and verify, flip a coin to decide 
		 * when to do it.
		 */
		addDetachedAfterDecode = genRand(0, 1);
		if(!addDetachedAfterDecode) {
			CFDataRef cfDetach = CFDataCreate(NULL, detachedContent, detachedContentLen);
			ortn = CMSDecoderSetDetachedContent(cmsDecoder, cfDetach);
			CFRelease(cfDetach);
			if(ortn) {
				cssmPerror("CMSDecoderSetDetachedContent", ortn);
				goto errOut;
			}
		}
	}
	
	if(customDecoder) {
		/* Create a decoder; we don't have to free it, but we do have to free the
		 * arena pool */
		SecCmsDecoderRef coder = NULL;
		
		ortn = SecArenaPoolCreate(1024, &arena);
		if(ortn) {
			cssmPerror("SecArenaPoolCreate", ortn);
			goto errOut;
		}
		ortn = SecCmsDecoderCreate(arena, 
			NULL, NULL, NULL, NULL, NULL, NULL, &coder);
		if(ortn) {
			cssmPerror("SecCmsDecoderCreate", ortn);
			goto errOut;
		}
		ortn = CMSDecoderSetDecoder(cmsDecoder, coder);
		if(ortn) {
			cssmPerror("CMSDecoderSetDecoder", ortn);
			goto errOut;
		}
		else if(!quiet) {
			printf("...set up custom SecCmsDecoderRef\n");
		}
	}
	if(multiUpdate) {
		ortn = updateDecoder(cmsDecoder, data, dataLen);
		if(ortn) {
			goto errOut;
		}
	}
	else {
		ortn = CMSDecoderUpdateMessage(cmsDecoder, data, dataLen);
		if(ortn) {
			cssmPerror("CMSDecoderUpdateMessage", ortn);
			goto errOut;
		}
	}
	ortn = CMSDecoderFinalizeMessage(cmsDecoder);
	if(ortn) {
		cssmPerror("CMSDecoderFinalizeMessage", ortn);
		goto errOut;
	}
	if(addDetachedAfterDecode) {
		CFDataRef cfDetach = CFDataCreate(NULL, detachedContent, detachedContentLen);
		ortn = CMSDecoderSetDetachedContent(cmsDecoder, cfDetach);
		CFRelease(cfDetach);
		if(ortn) {
			cssmPerror("CMSDecoderSetDetachedContent", ortn);
			goto errOut;
		}
	}
	ortn = CMSDecoderGetNumSigners(cmsDecoder, &numSigners);
	if(ortn) {
		cssmPerror("CMSDecoderGetNumSigners", ortn);
		goto errOut;
	}
	ortn = CMSDecoderIsContentEncrypted(cmsDecoder, &isEncrypted);
	if(ortn) {
		cssmPerror("CMSDecoderIsContentEncrypted", ortn);
		goto errOut;
	}
	ortn = CMSDecoderCopyAllCerts(cmsDecoder, &allCerts);
	if(ortn) {
		cssmPerror("CMSDecoderCopyAllCerts", ortn);
		goto errOut;
	}
	if(allCerts) {
		numCerts = CFArrayGetCount(allCerts);
	}
	
	/* optional verify of expected message type */
	switch(vfyOp) {
		case CTV_None:
			break;
		case CTV_Sign: 
			if((numSigners == 0) && (allCerts == NULL)) {
				fprintf(stderr, "***Expected SignedData, but no signersFound\n");
				vfyErr = 1;
				/* but keep going */
			}
			if(isEncrypted) {
				fprintf(stderr, "***Expected SignedData, but msg IS encrypted\n");
				vfyErr = 1;
			}
			break;
		case CTV_SignEnvelop:
			if(numSigners == 0) {
				fprintf(stderr, "***Expected Signed&Enveloped, but no signersFound\n");
				vfyErr = 1;
			}
			if(!isEncrypted) {
				fprintf(stderr, "***Expected Signed&Enveloped, but msg not encrypted\n");
				vfyErr = 1;
			}
			break;
		case CTV_Envelop:
			if(numSigners != 0) {
				fprintf(stderr, "***Expected EnvelopedData, but signers found\n");
				vfyErr = 1;
			}
			if(!isEncrypted) {
				fprintf(stderr, "***Expected EnvelopedData, but msg not encrypted\n");
				vfyErr = 1;
			}
			break;
	}

	if(numSignersVfy >= 0) {
		if((unsigned)numSignersVfy != numSigners) {
			fprintf(stderr, "***Expected %d signers; found %lu\n",
				numSignersVfy, numSigners);
			vfyErr = 1;
		}
	}
	if(numCertsVfy >= 0) {
		if((int)numCerts != numCertsVfy) {
			fprintf(stderr, "***Expected %d certs; found %d\n",
				numCertsVfy, (int)numCerts);
			vfyErr = 1;
		}
	}
	if(!quiet) {
		fprintf(stderr, "=== CMS message info ===\n");
		fprintf(stderr, "   Num Signers      : %lu\n", (unsigned long)numSigners);
		fprintf(stderr, "   Encrypted        : %s\n", isEncrypted ? "true" : "false");
		fprintf(stderr, "   Num Certs        : %lu\n", 
			allCerts ? (unsigned long)CFArrayGetCount(allCerts) : 0);
	}
	
	if((certFileBase != NULL) & (allCerts != NULL)) {
		dumpCertFiles(allCerts, certFileBase, quiet);
	}


	if(numSigners) {
		CSSM_OID eContentType = {0, NULL};
		CFDataRef eContentData = NULL;
		OidParser oidParser;
		char str[OID_PARSER_STRING_SIZE];
		
		ortn = CMSDecoderCopyEncapsulatedContentType(cmsDecoder, &eContentData);
		if(ortn) {
			cssmPerror("CMSDecoderCopyEncapsulatedContentType", ortn);
			goto errOut;
		}
		if(eContentData != NULL) {
			eContentType.Data = (uint8 *)CFDataGetBytePtr(eContentData);
			eContentType.Length = CFDataGetLength(eContentData);
		}
		if(!quiet) {
			/* can't use stderr - oidparser is fixed w/stdout */
			printf("   eContentType     : ");
			if(eContentType.Data == NULL) {
				printf("***NONE FOUND***\n");
			}
			else if(eContentType.Length == 0) {
				printf("***EMPTY***\n");
			}
			else {
				oidParser.oidParse(eContentType.Data, eContentType.Length, str);
				printf("%s\n", str);
			}
		}
		
		if(eContentVfy != NULL) {
			if(eContentType.Data == NULL) {
				fprintf(stderr, "***Tried to verify eContentType, but none found\n");
				vfyErr = 1;
			}
			else if(!appCompareCssmData(eContentVfy, &eContentType)) {
				fprintf(stderr, "***eContentType verify error\n");
				fprintf(stderr, "   Expected: ");
				oidParser.oidParse(eContentVfy->Data, eContentVfy->Length, str);
				printf("%s\n", str);
				fprintf(stderr, "   Found   : ");
				oidParser.oidParse(eContentType.Data, eContentType.Length, str);
				printf("%s\n", str);
				vfyErr = 1;
			}
		}
		CFRELEASE(eContentData);
		
		/* get a policy for cert evaluation */
		ortn = SecPolicySearchCreate(CSSM_CERT_X_509v3,
			&CSSMOID_APPLE_X509_BASIC,
			NULL,
			&policySearch);
		if(ortn) {
			cssmPerror("SecPolicySearchCreate", ortn);
			goto errOut;
		}
		ortn = SecPolicySearchCopyNext(policySearch, &policy);
		if(ortn) {
			cssmPerror("SecPolicySearchCopyNext", ortn);
			goto errOut;
		}
	}
	for(signerDex=0; signerDex<numSigners; signerDex++) {
		CMSSignerStatus		signerStatus = kCMSSignerInvalidIndex;
		SecCertificateRef	signerCert;
		CFStringRef			signerEmailAddress;
		SecTrustRef			secTrust;
		OSStatus			certVerifyResultCode;
		char				trustStr[TRUST_STRING_MAX];
		
		ortn = CMSDecoderCopySignerStatus(cmsDecoder, signerDex,
			policy, 
			manTrustEval ? FALSE : TRUE,	/* evaluateSecTrust */
			&signerStatus,
			&secTrust,
			&certVerifyResultCode);
		if(ortn) {
			cssmPerror("CMSDecoderCopySignerStatus", ortn);
			goto errOut;
		}
		if(ourRtn == noErr) {
			if((signerStatus != kCMSSignerValid) ||
			   (certVerifyResultCode != CSSM_OK)) {
				ourRtn = -1;
			}
		}
		ortn = CMSDecoderCopySignerEmailAddress(cmsDecoder, signerDex, 
			&signerEmailAddress);
		if(ortn) {
			cssmPerror("CMSDecoderCopySignerEmailAddress", ortn);
			goto errOut;
		}
		ortn = CMSDecoderCopySignerCert(cmsDecoder, signerDex, 
			&signerCert);
		if(ortn) {
			cssmPerror("CMSDecoderCopySignerCertificate", ortn);
			goto errOut;
		}
		if(manTrustEval) {
			trustRtn = evalSecTrust(secTrust, anchorArray, trustStr, quiet);
		}
		
		/* display nothing here if quiet true and status is copacetic */
		if(!quiet || (signerStatus != kCMSSignerValid) || (trustRtn != noErr)) {
			fprintf(stderr, "   Signer %u:\n", signerDex);
			fprintf(stderr, "      signerStatus  : ");
			switch(signerStatus) {
				case kCMSSignerUnsigned: 
					fprintf(stderr, "kCMSSignerUnsigned\n"); break;
				case kCMSSignerValid: 
					fprintf(stderr, "kCMSSignerValid\n"); break;
				case kCMSSignerNeedsDetachedContent: 
					fprintf(stderr, "kCMSSignerNeedsDetachedContent\n"); break;
				case kCMSSignerInvalidSignature: 
					fprintf(stderr, "kCMSSignerInvalidSignature\n"); break;
				case kCMSSignerInvalidCert: 
					fprintf(stderr, "kCMSSignerInvalidCert\n"); break;
				case kCMSSignerInvalidIndex: 
					fprintf(stderr, "kCMSSignerInvalidIndex\n"); break;
			}
			if(manTrustEval) {
				fprintf(stderr, "      Trust Eval    : %s\n", trustStr);
			}
			fprintf(stderr, "      emailAddrs    : ");
			if(signerEmailAddress == NULL) {
				fprintf(stderr, "<<none found>>\n");
			}
			else {
				char emailStr[1000];
				if(!CFStringGetCString(signerEmailAddress, 
						emailStr, 1000, kCFStringEncodingASCII)) {
					fprintf(stderr, "<<<Error converting email address to C string>>>\n");
				}
				else {
					fprintf(stderr, "%s\n", emailStr);
				}
			}
			
			fprintf(stderr, "      vfyResult     : %s\n",
				certVerifyResultCode ? 
					cssmErrToStr(certVerifyResultCode) : "Success");
		
			/* TBD: optionally manually verify the SecTrust object */
			
			if(parseSignerCert) {
				
				if(signerCert == NULL) {
					fprintf(stderr, "      <<<Unable to obtain signer cert>>>\n");
				}
				else {
					CSSM_DATA certData;
					ortn = SecCertificateGetData(signerCert, &certData);
					if(ortn) {
						fprintf(stderr, "      <<<Unable to obtain signer cert>>>\n");
						cssmPerror("SecCertificateGetData", ortn);
					}
					else {
						printf("========== Signer Cert==========\n\n");
						printCert(certData.Data, certData.Length, CSSM_FALSE);
						printf("========== End Signer Cert==========\n\n");
					}
				}
			}	/* parseSignerCert */
		}	/* displaying per-signer info */
		
		CFRELEASE(signerCert); 
		signerCert = NULL;
		CFRELEASE(signerEmailAddress); 
		signerEmailAddress = NULL;
		CFRELEASE(secTrust); 
		secTrust = NULL;
	}	/* for signerDex */
	
	if(ortn == noErr) {
		ortn = CMSDecoderCopyContent(cmsDecoder, outData);
		if(ortn) {
			cssmPerror("CMSDecoderCopyContent", ortn);
		}
	}

errOut:
	CFRelease(cmsDecoder);
	if(arena != NULL) {
		SecArenaPoolFree(arena, false);
	}

	CFRELEASE(allCerts);
	CFRELEASE(policySearch);
	CFRELEASE(policy);
	if(ourRtn) {
		return ourRtn;
	}
	else if(trustRtn) {
		return trustRtn;
	}
	else if(vfyErr) {
		return vfyErr;
	}
	else {
		return ortn;
	}
}

static OSStatus doSign(
	CFTypeRef			signerOrArray,
	const unsigned char *inData,
	unsigned			inDataLen,
	bool				multiUpdate,
	bool				detachedContent,
	const CSSM_OID		*eContentType,	// OPTIONAL 
	CMSSignedAttributes	attrs,
	CFTypeRef			otherCerts,		// OPTIONAL
	bool				customCoder,
	bool				getCmsMsg,
	CMSCertificateChainMode chainMode,
	bool				quiet,
	CFDataRef			*outData)		// RETURNED
{
	if((inData == NULL) || (inDataLen == 0) || (outData == NULL)) {	
		fprintf(stderr, "***Sign requires input file. Aborting.\n");
		return paramErr;
	}
	if(signerOrArray == NULL) {
		fprintf(stderr, "***Sign requires a signing identity. Aborting.\n");
		return paramErr;
	}
	
	OSStatus ortn;
	CMSEncoderRef cmsEncoder = NULL;
	SecCmsMessageRef msg = NULL;		/* for optional CMSEncoderGetCmsMessage */
	SecArenaPoolRef arena = NULL;
	CSSM_DATA encoderOut = {0, NULL};
	
	if(multiUpdate || otherCerts || getCmsMsg || customCoder ||
			(chainMode != kCMSCertificateChain)) {
		/* one-shot encode doesn't support otherCerts or chainOptions*/
		
		ortn = CMSEncoderCreate(&cmsEncoder);
		if(ortn) {
			cssmPerror("CMSEncoderCreate", ortn);
			return ortn;
		}
		/* subsequent errors to errOut: */
		if(signerOrArray != NULL) {
			ortn = CMSEncoderAddSigners(cmsEncoder, signerOrArray);
			if(ortn) {
				goto errOut;
			}
		}
		if(eContentType) {
			ortn = CMSEncoderSetEncapsulatedContentType(cmsEncoder, eContentType);
			if(ortn) {
				goto errOut;
			}
		}
		if(detachedContent) {
			ortn = CMSEncoderSetHasDetachedContent(cmsEncoder, detachedContent);
			if(ortn) {
				goto errOut;
			}
		}
		if(otherCerts) {
			ortn = CMSEncoderAddSupportingCerts(cmsEncoder, otherCerts);
			if(ortn) {
				goto errOut;
			}
		}
		if(attrs) {
			ortn = CMSEncoderAddSignedAttributes(cmsEncoder, attrs);
			if(ortn) {
				goto errOut;
			}
		}
		if(chainMode != kCMSCertificateChain) {
			ortn = CMSEncoderSetCertificateChainMode(cmsEncoder, chainMode);
			if(ortn) {
				goto errOut;
			}
		}
		if(getCmsMsg || customCoder) {
			/* 
			 * We just want to trigger the state transition 
			 * that we know should happen. We also might need
			 * the msg to create a custom coder. 
			 */
			ortn = CMSEncoderGetCmsMessage(cmsEncoder, &msg);
			if(ortn) {
				cssmPerror("CMSEncoderGetCmsMessage", ortn);
				goto errOut;
			}
		}
		
		if(customCoder) {
			SecCmsEncoderRef coder = NULL;
			ortn = SecArenaPoolCreate(1024, &arena);
			if(ortn) {
				cssmPerror("SecArenaPoolCreate", ortn);
				goto errOut;
			}
			ortn = SecCmsEncoderCreate(msg, 
				NULL, NULL,		// no callback 
				&encoderOut,	// data goes here
				arena,	
				NULL, NULL,		// no password callback (right?) 
				NULL, NULL,		// decrypt key callback
				NULL, NULL,		// detached digests
				&coder);
			if(ortn) {
				cssmPerror("SecCmsEncoderCreate", ortn);
				goto errOut;
			}
			ortn = CMSEncoderSetEncoder(cmsEncoder, coder);
			if(ortn) {
				cssmPerror("CMSEncoderSetEncoder", ortn);
				goto errOut;
			}
			else if(!quiet) {
				printf("...set up custom SecCmsEncoderRef\n");
			}
		}
		/* random number of random-sized updates */
		ortn = updateEncoder(cmsEncoder, inData, inDataLen);
		if(ortn) {
			goto errOut;
		}

		ortn = CMSEncoderCopyEncodedContent(cmsEncoder, outData);
		if(ortn) {
			cssmPerror("CMSEncoderCopyEncodedContent", ortn);
		}
		if(customCoder) {
			/* we have the data right here */
			*outData = 	CFDataCreate(NULL,
				(const UInt8 *)encoderOut.Data,	encoderOut.Length);
		}
	}
	else {
		ortn = CMSEncode(signerOrArray, 
			NULL,			/* recipients */
			eContentType,
			detachedContent,
			attrs,
			inData, inDataLen,
			outData);
		if(ortn) {
			printf("***CMSEncode returned %ld\n", (long)ortn);
			cssmPerror("CMSEncode", ortn);
		}
	}
errOut:
	if(cmsEncoder) {
		CFRelease(cmsEncoder);
	}
	if(arena) {
		SecArenaPoolFree(arena, false);
	}
	return ortn;
}

static OSStatus doEncrypt(
	CFTypeRef			recipOrArray,
	const unsigned char *inData,
	unsigned			inDataLen,
	bool				multiUpdate,
	CFDataRef			*outData)		// RETURNED
{
	if((inData == NULL) || (inDataLen == 0) || (outData == NULL)) {	
		fprintf(stderr, "***Encrypt requires input file. Aborting.\n");
		return paramErr;
	}
	if(recipOrArray == NULL) {
		fprintf(stderr, "***Encrypt requires a recipient certificate. Aborting.\n");
		return paramErr;
	}
	
	OSStatus ortn;
	CMSEncoderRef cmsEncoder = NULL;
	
	if(multiUpdate) {
		ortn = CMSEncoderCreate(&cmsEncoder);
		if(ortn) {
			cssmPerror("CMSEncoderCreate", ortn);
			return ortn;
		}
		/* subsequent errors to errOut: */
		ortn = CMSEncoderAddRecipients(cmsEncoder, recipOrArray);
		if(ortn) {
			goto errOut;
		}
		
		/* random number of random-sized updates */
		ortn = updateEncoder(cmsEncoder, inData, inDataLen);
		if(ortn) {
			goto errOut;
		}
		ortn = CMSEncoderCopyEncodedContent(cmsEncoder, outData);
		if(ortn) {
			cssmPerror("CMSEncoderCopyEncodedContent", ortn);
		}
	}
	else {
		/* one-shot */
		ortn = CMSEncode(NULL,	/* signers */
			recipOrArray,		
			NULL,				/* eContentType */
			FALSE,				/* detachedContent */
			kCMSAttrNone,
			inData, inDataLen,
			outData);
		if(ortn) {
			printf("***CMSEncode returned %ld\n", (long)ortn);
			cssmPerror("CMSEncode", ortn);
		}
	}
errOut:
	if(cmsEncoder) {
		CFRelease(cmsEncoder);
	}
	return ortn;
}

/* create nested message: msg = EnvelopedData(SignedData(inData)) */
static OSStatus doSignEncrypt(
	CFTypeRef			recipOrArray,	// encryption recipients
	CFTypeRef			signerOrArray,	// signers
	const CSSM_OID		*eContentType,	// OPTIONAL - for signedData
	CMSSignedAttributes	attrs,
	const unsigned char *inData,
	unsigned			inDataLen,
	bool				multiUpdate,
	CFTypeRef			otherCerts,		// OPTIONAL
	CFDataRef			*outData)		// RETURNED
{
	if((inData == NULL) || (inDataLen == 0) || (outData == NULL)) {	
		fprintf(stderr, "***Sign/Encrypt requires input file. Aborting.\n");
		return paramErr;
	}
	if(recipOrArray == NULL) {
		fprintf(stderr, "***Sign/Encrypt requires a recipient certificate. Aborting.\n");
		return paramErr;
	}
	if(signerOrArray == NULL) {
		fprintf(stderr, "***Sign/Encrypt requires a signer Identity. Aborting.\n");
		return paramErr;
	}
	
	OSStatus ortn;
	CMSEncoderRef cmsEncoder = NULL;
	
	if(multiUpdate || otherCerts) {
		ortn = CMSEncoderCreate(&cmsEncoder);
		if(ortn) {
			cssmPerror("CMSEncoderCreate", ortn);
			return ortn;
		}
		/* subsequent errors to errOut: */
		ortn = CMSEncoderAddRecipients(cmsEncoder, recipOrArray);
		if(ortn) {
			goto errOut;
		}
		ortn = CMSEncoderAddSigners(cmsEncoder, signerOrArray);
		if(ortn) {
			goto errOut;
		}
		if(eContentType) {
			ortn = CMSEncoderSetEncapsulatedContentType(cmsEncoder, eContentType);
			if(ortn) {
				goto errOut;
			}
		}
		if(otherCerts) {
			ortn = CMSEncoderAddSupportingCerts(cmsEncoder, otherCerts);
			if(ortn) {
				goto errOut;
			}
		}
		if(attrs) {
			ortn = CMSEncoderAddSignedAttributes(cmsEncoder, attrs);
			if(ortn) {
				goto errOut;
			}
		}

		/* random number of random-sized updates */
		ortn = updateEncoder(cmsEncoder, inData, inDataLen);
		if(ortn) {
			goto errOut;
		}
		ortn = CMSEncoderCopyEncodedContent(cmsEncoder, outData);
		if(ortn) {
			cssmPerror("CMSEncoderCopyEncodedContent", ortn);
		}
	}
	else {
		ortn = CMSEncode(signerOrArray,	
			recipOrArray,		
			eContentType,	
			FALSE,				/* detachedContent */
			attrs,
			inData, inDataLen,
			outData);
		if(ortn) {
			printf("***CMSEncode returned %ld\n", (long)ortn);
			cssmPerror("CMSEncode", ortn);
		}
	}
	
errOut:
	if(cmsEncoder) {
		CFRelease(cmsEncoder);
	}
	return ortn;
}

/*
 * Create a CMS message containing only certs.
 */
static OSStatus makeCertBag(
	CFTypeRef	certsOrArray,
	CFDataRef	*outData)
{
	if(certsOrArray == NULL) {
		printf("***Need some certs to generate this type of message.\n");
		return -1;
	}
	
	OSStatus ortn;
	CMSEncoderRef cmsEncoder = NULL;
	
	ortn = CMSEncoderCreate(&cmsEncoder);
	if(ortn) {
		cssmPerror("CMSEncoderCreate", ortn);
		return ortn;
	}
	/* subsequent errors to errOut: */
	ortn = CMSEncoderAddSupportingCerts(cmsEncoder, certsOrArray);
	if(ortn) {
		goto errOut;
	}
	ortn = CMSEncoderCopyEncodedContent(cmsEncoder, outData);
	if(ortn) {
		cssmPerror("CMSEncoderCopyEncodedContent", ortn);
	}
errOut:
	CFRelease(cmsEncoder);
	return ortn;
}

/*
 * Support maintanance of single item or array of them.
 *
 * Given new incoming 'newThing':
 *   if both *thingArray and *currThing are NULL
 *		*currThing = newThing;
 *		done;
 *   create *thingArray;
 *   add *currThing to *thingArray if present;
 *   add newThing to *thingArray;
 */
static void addThing(
	CFTypeRef newThing,
	CFTypeRef *currThing,
	CFMutableArrayRef *thingArray)
{
	if((*currThing == NULL) && (*thingArray == NULL)) {
		/* first occurrence of a thing */
		*currThing = newThing;
		return;
	}
	
	/* at least two things - prepare array */
	if(*thingArray == NULL) {
		*thingArray = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
	}
	if(*currThing != NULL) {
		/* move current thing to array */
		CFArrayAppendValue(*thingArray, *currThing);
		CFRelease(*currThing);
		*currThing = NULL;
	}
	CFArrayAppendValue(*thingArray, newThing);
	CFRelease(newThing);
}

int main(int argc, char **argv)
{
	if(argc < 2) {
		usage(argv);
	}
	
	CT_Op op;
	bool needId = false;
	if(!strcmp(argv[1], "sign")) {
		op = CTO_Sign;
		needId = true;
	}
	else if(!strcmp(argv[1], "envel")) {
		op = CTO_Envelop;
	}
	else if(!strcmp(argv[1], "signEnv")) {
		op = CTO_SignEnvelop;
		needId = true;
	}
	else if(!strcmp(argv[1], "certs")) {
		op = CTO_CertsOnly;
	}	
	else if(!strcmp(argv[1], "parse")) {
		op = CTO_Parse;
	}
	else {
		fprintf(stderr, "***Unrecognized cmd.\n");
		usage(argv);
	}

	extern int optind;
	extern char *optarg;
	int arg;
	OSStatus ortn;
	
	/* optional args */
	char *inFileName = NULL;
	char *outFileName = NULL;
	bool detachedContent = false;
	char *detachedFile = NULL;
	bool useIdPicker = false;
	bool quiet = false;
	bool silent = false;
	bool parseSignerCert = false;
	const CSSM_OID *eContentType = NULL;
	bool multiUpdate = false;
	bool loopPause = false;
	char *certFileBase = NULL;
	CMSSignedAttributes signedAttrs = 0;
	char *anchorFile = NULL;
	bool manTrustEval = false;
	CMSCertificateChainMode chainMode = kCMSCertificateChain;

	/* for verification, usually in quiet/script mode */
	CT_Vfy vfyOp = CTV_None;
	const CSSM_OID *eContentVfy = NULL;
	int numSignersVfy = -1;
	int numCertsVfy = -1;
	
	/* for verifying functions in CMSPrivate.h */
	bool customCoder = false;
	bool fetchSecCmsMsg = false;
	
	/* 
	 * Signer/recipient items and arrays - use one item if possible, 
	 * else array (to test both paths)
	 */
	SecIdentityRef signerId = NULL;
	CFMutableArrayRef signerArray = NULL;
	SecCertificateRef recipCert = NULL;
	CFMutableArrayRef recipArray = NULL;
	SecCertificateRef generalCert = NULL;
	CFMutableArrayRef generalCertArray = NULL;
	SecKeychainRef kcRef = NULL;
	CFMutableArrayRef anchorArray = NULL;
	
	optind = 2;
	while ((arg = getopt(argc, argv, "i:o:k:pr:R:dD:e:mlqcv:s:E:S:C:f:N:a:A:M12t:Z")) != -1) {
		switch (arg) {
			case 'i':
				inFileName = optarg;
				break;
			case 'o':
				outFileName = optarg;
				break;
			case 'k':
				kcRef = keychain_open(optarg);
				if(!kcRef) {
				//	cssmPerror("SecKeychainOpen", ortn);
					exit(1);
				}
				break;
			case 'p':
				useIdPicker = true;
				break;
			case 'r':
			{
				SecCertificateRef newCert = NULL;
				char *recipient = optarg;
				ortn = findCert(recipient, kcRef, &newCert);
				if(ortn) {
					exit(1);
				}
				addThing(newCert, (CFTypeRef *)&recipCert, &recipArray);
				break;
			}
			case 'R':
			{
				SecCertificateRef certRef = readCertFile(optarg);
				if(certRef == NULL) {
					exit(1);
				}
				addThing(certRef, (CFTypeRef *)&recipCert, &recipArray);
				break;
			}
			case 'S':
			{
				SecIdentityRef newId = NULL;
				SecCertificateRef newCert = NULL;
				char *signerEmail = optarg;
				
				/* 
				 * first find the cert, optionally in the keychain already 
				 * specified via -k
				 */
				ortn = findCert(signerEmail, kcRef, &newCert);
				if(ortn) {
					exit(1);
				}
				
				/* map cert to an identity */
				ortn = SecIdentityCreateWithCertificate(kcRef, newCert, &newId);
				if(ortn) {
					cssmPerror("SecIdentityCreateWithCertificate", ortn);
					exit(1);
				}
				
				addThing(newId, (CFTypeRef *)&signerId, &signerArray);
				CFRelease(newCert);
				break;
			}
			case 'C':
			{
				SecCertificateRef newCert = readCertFile(optarg);
				if(newCert == NULL) {
					exit(1);
				}
				addThing(newCert, (CFTypeRef *)&generalCert, &generalCertArray);
				break;
			}	
			case 'c':
				parseSignerCert = true;
				break;
			case 'v':
				if(!strcmp(optarg, "sign")) {
					vfyOp = CTV_Sign;
				}
				else if(!strcmp(optarg, "encr")) {
					vfyOp = CTV_Envelop;
				}
				else if(!strcmp(optarg, "signEnv")) {
					vfyOp = CTV_SignEnvelop;
				}
				else {
					usage(argv);
				}
				break;
			case 'e':
				switch(optarg[0]) {
					case 'a':
						eContentType = &CSSMOID_PKINIT_AUTH_DATA;
						break;
					case 'r':
						eContentType = &CSSMOID_PKINIT_RKEY_DATA;
						break;
					default:
						usage(argv);
				}
				break;
			case 'E':
				switch(optarg[0]) {
					case 'a':
						eContentVfy = &CSSMOID_PKINIT_AUTH_DATA;
						break;
					case 'r':
						eContentVfy = &CSSMOID_PKINIT_RKEY_DATA;
						break;
					case 'd':
						eContentVfy = &CSSMOID_PKCS7_Data;
						break;
					default:
						usage(argv);
				}
				break;
			case 'd':
				if(op != CTO_Sign) {
					printf("-d only valid for op sign\n");
					exit(1);
				}
				detachedContent = true;
				break;
			case 'D':
				if(op != CTO_Parse) {
					printf("-D only valid for op sign\n");
					exit(1);
				}
				detachedFile = optarg;
				break;
			case 'l':
				loopPause = true;
				break;
			case 'm':
				multiUpdate = true;
				break;
			case 's':
				numSignersVfy = atoi(optarg);
				break;
			case 'f':
				certFileBase = optarg;
				break;
			case 'N':
				numCertsVfy = atoi(optarg);
				break;
			case '1':
				customCoder = true;
				break;
			case '2':
				fetchSecCmsMsg = true;
				break;
			case 'a':
				for(; *optarg; optarg++) {
					switch(*optarg) {
						case 'c':
							signedAttrs |= kCMSAttrSmimeCapabilities;
							break;
						case 'e':
							signedAttrs |= kCMSAttrSmimeEncryptionKeyPrefs;
							break;
						case 'E':
							signedAttrs |= kCMSAttrSmimeMSEncryptionKeyPrefs;
							break;
						case 't':
							signedAttrs |= kCMSAttrSigningTime;
							break;
						default:
							usage(argv);
					}
				}
				break;
			case 'A':
				anchorFile = optarg;
				break;
			case 'M':
				manTrustEval = true;
				break;
			case 't':
				if(!strcmp(optarg, "none")) {
					chainMode = kCMSCertificateNone;
				}
				else if(!strcmp(optarg, "signer")) {
					chainMode = kCMSCertificateSignerOnly;
				}
				else if(!strcmp(optarg, "chain")) {
					chainMode = kCMSCertificateChain;
				}
				else if(!strcmp(optarg, "chainWithRoot")) {
					chainMode = kCMSCertificateChainWithRoot;
				}
				else {
					printf("***Bogus cert chain spec***\n");
					usage(argv);
				}
				break;
			case 'q':
				quiet = true;
				break;
			case 'Z':
				quiet = true;
				silent = true;
				break;
			default:
			case '?':
				usage(argv);
		}
	}
	if(optind != argc) {
		/* getopt does not return '?' */
		usage(argv);
	}
	
	unsigned char *inData = NULL;
	unsigned inDataLen = 0;
	unsigned char *detachedData = NULL;
	unsigned detachedDataLen = 0;
	CFDataRef outData = NULL;
	CFIndex byteCount = 0; 
	if(!silent) {
		testStartBanner((char *)"newCmsTool", argc, argv);
	}
	
	if(inFileName) {
		if(readFile(inFileName, &inData, &inDataLen)) {
			fprintf(stderr, "***Error reading infile %s. Aborting.\n", inFileName);
			exit(1);
		}
	}
	if(detachedFile) {
		if(readFile(detachedFile, &detachedData, &detachedDataLen)) {
			fprintf(stderr, "***Error reading detachedFile %s. Aborting.\n", detachedFile);
			exit(1);
		}
	}
	
	/* signer IDs */
	if(useIdPicker) {
		ortn = sslSimpleIdentPicker(kcRef, &signerId);
		if(ortn) {
			fprintf(stderr, "***Error obtaining identity via picker. Aborting.\n");
			exit(1);
		}
	}
	if(anchorFile) {
		SecCertificateRef secCert = readCertFile(anchorFile);
		if(secCert == NULL) {
			exit(1);
		}
		anchorArray = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
		CFArrayAppendValue(anchorArray, secCert);
		CFRelease(secCert);
	}
	
	/* 
	 * In order for signed blobs to contain a full cert chain, and to find
	 * certs matching a specific recipient cert email address, the keychain 
	 * containing intermediates must be in the user's keychain search list 
	 * (or, alternatively, the intermedaite certs must be added manually).
	 * To alleviate the burden on test scripts, we'll ensure that an optionally 
	 * specified keychain is in factin the search list when we sign a message 
	 * here. 
	 * Careful - make sure to ALWAYS restore the search list!
	 */
	CFArrayRef originalSearchList = NULL;
	if(kcRef != NULL) {
		ortn = SecKeychainCopySearchList(&originalSearchList);
		if(ortn) {
			cssmPerror("SecKeychainCopySearchList", ortn);
			exit(1);
		}
		CFMutableArrayRef newList = CFArrayCreateMutableCopy(
			NULL, 0, originalSearchList);
		CFArrayAppendValue(newList, kcRef);
		ortn = SecKeychainSetSearchList(newList);
		if(ortn) {
			cssmPerror("SecKeychainSetSearchList", ortn);
			exit(1);
		}
		/* DO NOT EXIT WITHOUT RESTORING TO originalSearchList */
	}
	do {
		switch(op) {
			case CTO_Sign:
				ortn = doSign((signerArray != NULL) ? 
						(CFTypeRef)signerArray : (CFTypeRef)signerId, 
					inData, inDataLen, 
					multiUpdate, detachedContent, eContentType, signedAttrs, 
					(generalCertArray != NULL) ?
						(CFTypeRef)generalCertArray : (CFTypeRef)generalCert,
					customCoder, fetchSecCmsMsg, chainMode, quiet,
					&outData);
				break;
			case CTO_Envelop:
				ortn = doEncrypt(recipArray ? 
						(CFTypeRef)recipArray : (CFTypeRef)recipCert,
					inData, inDataLen, 
					multiUpdate, &outData);
				break;
			case CTO_SignEnvelop:
				ortn = doSignEncrypt(recipArray ?
						(CFTypeRef)recipArray : (CFTypeRef)recipCert, 
					signerArray ? 
						(CFTypeRef)signerArray : (CFTypeRef)signerId, 
					eContentType, signedAttrs,
					inData, inDataLen, multiUpdate, 
					(generalCertArray != NULL) ?
						(CFTypeRef)generalCertArray : (CFTypeRef)generalCert,
					&outData);
				break;
			case CTO_CertsOnly:
				ortn = makeCertBag((generalCertArray != NULL) ?
						(CFTypeRef)generalCertArray : (CFTypeRef)generalCert,
						&outData);
				break;
			case CTO_Parse:
				ortn = doParse(inData, inDataLen, 
					detachedData, detachedDataLen,
					multiUpdate, 
					vfyOp, eContentVfy, numSignersVfy, numCertsVfy,
					parseSignerCert, certFileBase, customCoder, 
					manTrustEval, anchorArray,
					quiet, &outData);
				break;
		}
		
		if(loopPause) {
			if(outData) {
				printf("...generated %u bytes of data.\n",
					(unsigned)CFDataGetLength(outData));
			}
			fpurge(stdin);
			printf("q to quit, anything else to loop again: ");
			char resp = getchar();
			if(resp == 'q') {
				break;
			}
			else {
				CFRELEASE(outData);
				outData = NULL;
			}
		}
	} while (loopPause);
	
	if(originalSearchList) {
		ortn = SecKeychainSetSearchList(originalSearchList);
		if(ortn) {
			cssmPerror("SecKeychainSetSearchList", ortn);
			/* keep going */
		}
	}
	
	if(ortn) {
		goto errOut;
	}
	
	byteCount = outData ? CFDataGetLength(outData) : 0;
	if(outData && outFileName) {
		if(writeFile(outFileName, CFDataGetBytePtr(outData), byteCount)) {
			fprintf(stderr, "***Error writing to %s.\n", outFileName);
			ortn = -1;
		}
		else {
			if(!quiet) {
				fprintf(stderr, "...wrote %u bytes to %s.\n", 
					(unsigned)byteCount, outFileName);
			}
		}
	}
	else if(byteCount) {
		fprintf(stderr, "...generated %u bytes but no place to write it.\n", 
			(unsigned)byteCount);
	}
	else if(outFileName) {
		fprintf(stderr, "...nothing to write to file %s.\n", outFileName);
		/* assume this is an error, caller wanted something */
		ortn = -1;
	}
errOut:
	return ortn;
}

/*
	From SecurityTool/keychain_utilites.cpp
	This properly supports dynamic keychains, i.e. smartcards
*/

SecKeychainRef keychain_open(const char *name)
{
	SecKeychainRef keychain = NULL;
	OSStatus result;
	
//	check_obsolete_keychain(name);
	if (name && name[0] != '/')
	{
		CFArrayRef dynamic = NULL;
		result = SecKeychainCopyDomainSearchList(
												 kSecPreferencesDomainDynamic, &dynamic);
		if (result)
		{
			//	cssmPerror("SecKeychainOpen", ortn);
		//	sec_error("SecKeychainCopyDomainSearchList %s: %s", 
		//			  name, sec_errstr(result));
			cssmPerror("SecKeychainCopyDomainSearchList", result);
			return NULL;
		}
		else
		{
			uint32_t i;
			uint32_t count = dynamic ? CFArrayGetCount(dynamic) : 0;
			
			for (i = 0; i < count; ++i)
			{
				char pathName[PATH_MAX];
				UInt32 ioPathLength = sizeof(pathName);
				bzero(pathName, ioPathLength);
				keychain = (SecKeychainRef)CFArrayGetValueAtIndex(dynamic, i);
				result = SecKeychainGetPath(keychain, &ioPathLength, pathName);
				if (result)
				{
				//	sec_error("SecKeychainGetPath %s: %s",  name, sec_errstr(result));
					cssmPerror("SecKeychainCopyDomainSearchList", result);
					return NULL;
				}
				if (!strncmp(pathName, name, ioPathLength))
				{
					CFRetain(keychain);
					CFRelease(dynamic);
					return keychain;
				}
			}
			CFRelease(dynamic);
		}
	}
	
	result = SecKeychainOpen(name, &keychain);
	if (result)
	{
	//	sec_error("SecKeychainOpen %s: %s", name, sec_errstr(result));
		cssmPerror("SecKeychainOpen", result);
	}
	
	return keychain;
}