secTrustTime.cpp   [plain text]

/*
 * secTrustTime.cpp - measure performance of SecTrust and TP cert verify
 */
 
#include <stdlib.h>
#include <strings.h>
#include <stdio.h>
#include <unistd.h>
#include <CoreFoundation/CoreFoundation.h>
#include <Security/Security.h>
#include <Security/TrustSettingsSchema.h>
#include <security_cdsa_utils/cuFileIo.h>
#include <utilLib/common.h>
#include <clAppUtils/clutils.h>
#include <clAppUtils/tpUtils.h>

#define LOOPS_DEF			100

const char *certFiles[] = {
	"keybank_v3.100.cer", "keybank_v3.101.cer", "keybank_v3.102.cer"
};

#define NUM_CERTS (sizeof(certFiles) / sizeof(certFiles[0]))

static void usage(char **argv)
{
	printf("usage: %s [options]\n", argv[0]);
	printf("Options:\n");
	printf("  -l loops        -- loops; default %d; 0=forever\n", LOOPS_DEF);
	printf("  -k              -- open and hold keychains\n");
	printf("  -t              -- TP, not SecTrust\n");
	printf("  -T              -- TP, no Trust Settings\n");
	printf("  -n              -- don't include root in cert chain\n");
	printf("  -K              -- set empty KC list\n");
	/* etc. */
	exit(1);
}

static SecCertificateRef readCertFile(
	const char *fileName)
{
	unsigned char *cp = NULL;
	unsigned len = 0;
	CSSM_DATA certData;
	OSStatus ortn;

	if(readFile(fileName, &cp, &len)) {
		printf("***Error reading file %s\n", fileName);
		return NULL;
	}
	certData.Length = len;
	certData.Data = cp;
	SecCertificateRef certRef;

	ortn = SecCertificateCreateFromData(&certData, 
			CSSM_CERT_X_509v3, CSSM_CERT_ENCODING_DER, &certRef);
	if(ortn) {
		cssmPerror("SecCertificateCreateFromData", ortn);
		return NULL;
	}
	free(cp);
	return certRef;
}

/* perfrom one cert chain evaluation using SecTrust */
static OSStatus doEval(
	CFArrayRef certArray,
	SecPolicyRef policyRef,
	CFArrayRef kcList)
{
	OSStatus ortn;
	SecTrustRef trustRef;

	ortn = SecTrustCreateWithCertificates(certArray, policyRef, &trustRef);
	if(ortn) {
		cssmPerror("SecTrustCreateWithCertificates", ortn);
		return ortn;
	}
	if(kcList) {
		ortn = SecTrustSetKeychains(trustRef, kcList);
		if(ortn) {
			cssmPerror("SecTrustCreateWithCertificates", ortn);
			return ortn;
		}
	}
	SecTrustResultType secTrustResult;
	ortn = SecTrustEvaluate(trustRef, &secTrustResult);
	if(ortn) {
		cssmPerror("SecTrustEvaluate", ortn);
		return ortn;
	}
	switch(secTrustResult) {
		case kSecTrustResultProceed:
		case kSecTrustResultUnspecified:
			break;
		default:
			printf("***Unexpected SecTrustResultType (%d)\n", (int)secTrustResult);
			ortn = -1;
	}
	CFRelease(trustRef);
	return ortn;
}

/* cached CSSM anchors - simulate old SecTrustGetCSSMAnchorCertificates() */ 
static CFArrayRef cachedRootArray = NULL;
static CSSM_DATA *cachedAnchors = NULL;
static unsigned cachedNumAnchors = 0;

static OSStatus getAnchors(
	CSSM_DATA **anchors,	/* RETURNED */
	unsigned *numAnchors)	/* RETURNED */
{
	if(cachedRootArray == NULL) {
		/* fetch, once */
		OSStatus ortn = getSystemAnchors(&cachedRootArray, &cachedAnchors, 
			&cachedNumAnchors);
		if(ortn) {
			return ortn;
		}
	}
	*anchors = cachedAnchors;
	*numAnchors = cachedNumAnchors;
	return noErr;
}

/* perfrom one cert chain evaluation using CSSM_TP_CertGroupVerify */
static CSSM_RETURN doTpEval(
	CSSM_TP_HANDLE tpHand,
	CSSM_CL_HANDLE clHand,
	CSSM_CSP_HANDLE cspHand,
	CSSM_DATA_PTR certs,
	uint32 numCerts,
	bool useTrustSettings)
{
	CSSM_FIELD policyId;

	policyId.FieldOid = CSSMOID_APPLE_X509_BASIC;
	policyId.FieldValue.Data = NULL;
	policyId.FieldValue.Length = 0;

	CSSM_TP_CALLERAUTH_CONTEXT		authCtx;
	memset(&authCtx, 0, sizeof(CSSM_TP_CALLERAUTH_CONTEXT));
	authCtx.Policy.NumberOfPolicyIds = 1;
	authCtx.Policy.PolicyIds = &policyId;	
	authCtx.VerificationAbortOn = CSSM_TP_STOP_ON_POLICY;
	if(!useTrustSettings) {
		OSStatus ortn = getAnchors(&authCtx.AnchorCerts, 
			&authCtx.NumberOfAnchorCerts);
		if(ortn) {
			return ortn;
		}
	}
	CSSM_APPLE_TP_ACTION_DATA tpAction;
	tpAction.Version = CSSM_APPLE_TP_ACTION_VERSION;
	if(useTrustSettings) {
		tpAction.ActionFlags = CSSM_TP_ACTION_TRUST_SETTINGS;
	}
	else {
		tpAction.ActionFlags = 0;
	}

	CSSM_TP_VERIFY_CONTEXT vfyCtx;
	memset(&vfyCtx, 0, sizeof(CSSM_TP_VERIFY_CONTEXT));
	vfyCtx.ActionData.Data   = (uint8 *)&tpAction;
	vfyCtx.ActionData.Length = sizeof(tpAction);
	vfyCtx.Action = CSSM_TP_ACTION_DEFAULT;
	vfyCtx.Cred = &authCtx;

	CSSM_CERTGROUP cssmCerts;
	cssmCerts.CertType = CSSM_CERT_X_509v3;
	cssmCerts.CertEncoding = CSSM_CERT_ENCODING_DER;
	cssmCerts.NumCerts = numCerts;
	cssmCerts.GroupList.CertList = certs;
	cssmCerts.CertGroupType = CSSM_CERTGROUP_DATA;

	CSSM_RETURN crtn = CSSM_TP_CertGroupVerify(tpHand, clHand, cspHand,
		&cssmCerts,
		&vfyCtx,
		NULL);		/* no results */
	if(crtn) {
		cssmPerror("CSSM_TP_CertGroupVerify", crtn);
	}
	return crtn;
}
	
int main(int argc, char **argv)
{
	unsigned dex;
	CSSM_RETURN crtn;

	/* common SecTrust args */
	CFMutableArrayRef 	kcList = NULL;
	CFMutableArrayRef 	certArray = NULL;
	SecPolicyRef      	policyRef = NULL;
	unsigned			numCerts = NUM_CERTS;
	CFArrayRef			emptyKCList = NULL;

	/* common TP args */
	CSSM_TP_HANDLE tpHand;
	CSSM_CL_HANDLE clHand;
	CSSM_CSP_HANDLE cspHand;
	CSSM_DATA cssmCerts[NUM_CERTS];

	/* user-spec'd variables */
	unsigned loops = LOOPS_DEF;
	bool holdKeychains = false;		/* hold references to KC list during operation */
	bool useTp = false;				/* TP, not SecTrust */
	bool useTrustSettings = true;	/* TP w/TrustSettings; false = old school TP way */
	bool noRoot = false;			/* don't include root in chain to be verified */
	bool emptyList = false;			/* SecTrust only: specify empty KC list */

	extern char *optarg;
	int arg;
	while ((arg = getopt(argc, argv, "l:ktTnKh")) != -1) {
		switch (arg) {
			case 'l':
				loops = atoi(optarg);
				break;
			case 'k':
				holdKeychains = true;
				break;
			case 't':
				useTp = true;
				break;
			case 'T':
				useTp = true;
				useTrustSettings = false;
				break;
			case 'n':
				numCerts--;
				noRoot = true;
				break;
			case 'K':
				emptyList = true;
				emptyKCList = CFArrayCreate(NULL, NULL, 0, &kCFTypeArrayCallBacks);
				break;
			case 'h':
				usage(argv);
		}
	}
	if(optind != argc) {
		usage(argv);
	}
	
	/* gather certs to verify */
	certArray = CFArrayCreateMutable(NULL, 3, &kCFTypeArrayCallBacks);
	for(dex=0; dex<numCerts; dex++) {
		SecCertificateRef certRef = readCertFile(certFiles[dex]);
		if(certRef == NULL) {
			exit(1);
		}
		CFArrayInsertValueAtIndex(certArray, dex, certRef);
		CFRelease(certRef);
	}

	/* prepare for one method or another */
	if(useTp) {
		for(dex=0; dex<numCerts; dex++) {
			crtn = SecCertificateGetData(
				(SecCertificateRef)CFArrayGetValueAtIndex(certArray, dex),
					&cssmCerts[dex]);
			if(crtn) {
				cssmPerror("SecCertificateGetData", crtn);
				exit(1);
			}
		}
		tpHand  = tpStartup();
		clHand  = clStartup();
		cspHand = cspStartup();
	}
	else {
		/* cook up reusable policy object */
		SecPolicySearchRef	policySearch = NULL;
		OSStatus ortn = SecPolicySearchCreate(CSSM_CERT_X_509v3,
			&CSSMOID_APPLE_X509_BASIC,
			NULL,				// policy opts
			&policySearch);
		if(ortn) {
			cssmPerror("SecPolicySearchCreate", ortn);
			exit(1);
		}
		ortn = SecPolicySearchCopyNext(policySearch, &policyRef);
		if(ortn) {
			cssmPerror("SecPolicySearchCopyNext", ortn);
			exit(1);
		}
		CFRelease(policySearch);

		if(holdKeychains) {
			/* the standard keychains */
			ortn = SecKeychainCopySearchList((CFArrayRef *)&kcList);
			if(ortn) {
				cssmPerror("SecKeychainCopySearchList", ortn);
				exit(1);
			}

			/* plus the ones TrustSettings needs */
			SecKeychainRef rootKc;
			ortn = SecKeychainOpen(SYSTEM_ROOT_STORE_PATH, &rootKc);
			if(ortn) {
				cssmPerror("SecKeychainOpen", ortn);
				exit(1);
			}
			CFArrayAppendValue(kcList, rootKc);
			CFRelease(rootKc);
		}
	}

	CFAbsoluteTime startTimeFirst;
	CFAbsoluteTime endTimeFirst;
	CFAbsoluteTime startTimeMulti;
	CFAbsoluteTime endTimeMulti;

	/* print a banner describing current test parameters */
	printf("Starting test: mode = ");
	if(useTp) {
		if(useTrustSettings) {
			printf("TP w/TrustSettings");
		}
		else {
			printf("TP w/o TrustSettings");
		}
	}
	else {
		printf("SecTrust");
		if(holdKeychains) {
			printf("; hold KC refs");
		}
		if(emptyList) {
			printf("; empty KC list");
		}
	}
	if(noRoot) {
		printf("; no root in input certs\n");
	}
	else {
		printf("\n");
	}

	/* GO */
	startTimeFirst = CFAbsoluteTimeGetCurrent();
	if(useTp) {
		if(doTpEval(tpHand, clHand, cspHand, cssmCerts, numCerts,
				useTrustSettings)) {
			exit(1);
		}
		endTimeFirst = CFAbsoluteTimeGetCurrent();

		startTimeMulti = CFAbsoluteTimeGetCurrent();
		for(dex=0; dex<loops; dex++) {
			if(doTpEval(tpHand, clHand, cspHand, cssmCerts, numCerts,
					useTrustSettings)) {
				exit(1);
			}
		}
	}
	else {
		if(doEval(certArray, policyRef, emptyKCList)) {
			exit(1);
		}
		endTimeFirst = CFAbsoluteTimeGetCurrent();

		startTimeMulti = CFAbsoluteTimeGetCurrent();
		for(dex=0; dex<loops; dex++) {
			if(doEval(certArray, policyRef, emptyKCList)) {
				exit(1);
			}
		}
	}
	endTimeMulti = CFAbsoluteTimeGetCurrent();
	CFTimeInterval elapsed = endTimeMulti - startTimeMulti;

	printf("First eval = %4.1f ms\n", (endTimeFirst - startTimeFirst) * 1000.0);
	printf("Next evals = %4.2f ms/op (%f s total for %u loops)\n",
		elapsed * 1000.0 / loops, elapsed, loops);

	return 0;
}