MYCrypto: MYParsedCertificate.m@a06e44b9b898 (annotated)

jens@17	1	//
jens@17	2	// MYParsedCertificate.m
jens@17	3	// MYCrypto
jens@17	4	//
jens@17	5	// Created by Jens Alfke on 6/2/09.
jens@17	6	// Copyright 2009 Jens Alfke. All rights reserved.
jens@17	7	//
jens@17	8
jens@17	9	// References:
jens@17	10	// <http://en.wikipedia.org/wiki/X.509>
jens@17	11	// <http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt>
jens@17	12
jens@17	13
jens@17	14	#import "MYParsedCertificate.h"
jens@17	15	#import "MYASN1Object.h"
jens@17	16	#import "MYOID.h"
jens@17	17	#import "MYBERParser.h"
jens@17	18	#import "MYDEREncoder.h"
jens@17	19	#import "MYPublicKey.h"
jens@17	20	#import "MYCertificate.h"
jens@17	21	#import "MYErrorUtils.h"
jens@17	22
jens@17	23
jens@17	24	static id $atIf(NSArray *array, NSUInteger index) {
jens@17	25	return index < array.count ?[array objectAtIndex: index] :nil;
jens@17	26	}
jens@17	27
jens@17	28
jens@17	29	@implementation MYParsedCertificate
jens@17	30
jens@17	31
jens@17	32	static MYOID kRSAAlgorithmID, kRSAWithSHA1AlgorithmID;
jens@17	33
jens@17	34
jens@17	35	+ (void) initialize {
jens@17	36	if (!kRSAAlgorithmID) {
jens@17	37	UInt32 components[7] = {1, 2, 840, 113549, 1, 1, 1,};
jens@17	38	kRSAAlgorithmID = [[MYOID alloc] initWithComponents: components count: 7];
jens@17	39	}
jens@17	40	if (!kRSAWithSHA1AlgorithmID) {
jens@17	41	UInt32 components[7] = {1, 2, 840, 113549, 1, 1, 5};
jens@17	42	kRSAWithSHA1AlgorithmID = [[MYOID alloc] initWithComponents: components count: 7];
jens@17	43	}
jens@17	44	}
jens@17	45
jens@17	46	+ (MYOID*) RSAAlgorithmID {return kRSAAlgorithmID;}
jens@17	47	+ (MYOID*) RSAWithSHA1AlgorithmID {return kRSAWithSHA1AlgorithmID;}
jens@17	48
jens@17	49
jens@17	50	+ (NSString*) validate: (id)root {
jens@17	51	NSArray *top = $castIf(NSArray,root);
jens@17	52	if (top.count < 3)
jens@17	53	return @"Too few top-level components";
jens@17	54	NSArray *info = $castIf(NSArray, [top objectAtIndex: 0]);
jens@17	55	if (info.count < 7)
jens@17	56	return @"Too few identity components";
jens@17	57	MYASN1Object *version = $castIf(MYASN1Object, [info objectAtIndex: 0]);
jens@17	58	if (!version \|\| version.tag != 0)
jens@17	59	return @"Missing or invalid version";
jens@17	60	NSArray *versionComps = $castIf(NSArray, version.components);
jens@17	61	if (!versionComps \|\| versionComps.count != 1)
jens@17	62	return @"Invalid version";
jens@17	63	NSNumber *versionNum = $castIf(NSNumber, [versionComps objectAtIndex: 0]);
jens@17	64	if (!versionNum \|\| versionNum.intValue < 0 \|\| versionNum.intValue > 2)
jens@17	65	return @"Unrecognized version number";
jens@17	66	return nil;
jens@17	67	}
jens@17	68
jens@17	69
jens@17	70	- (id) initWithCertificateData: (NSData)data error: (NSError*)outError;
jens@17	71	{
jens@17	72	self = [super init];
jens@17	73	if (self != nil) {
jens@17	74	if (outError) *outError = nil;
jens@17	75	id root = MYBERParse(data,outError);
jens@17	76	NSString *errorMsg = [[self class] validate: root];
jens@17	77	if (errorMsg) {
jens@17	78	if (!*outError)
jens@17	79	*outError = MYError(2, MYASN1ErrorDomain, @"Invalid certificate: %@", errorMsg);
jens@17	80	[self release];
jens@17	81	return nil;
jens@17	82	}
jens@17	83	_root = [root retain];
jens@17	84	_data = [data copy];
jens@17	85	}
jens@17	86	return self;
jens@17	87	}
jens@17	88
jens@17	89	- (void) dealloc
jens@17	90	{
jens@17	91
jens@17	92	[_root release];
jens@17	93	[_issuer release];
jens@17	94	[super dealloc];
jens@17	95	}
jens@17	96
jens@17	97
jens@17	98	@synthesize issuer=_issuer;
jens@17	99
jens@17	100
jens@17	101	- (NSArray*) info {return $castIf(NSArray,$atIf(_root,0));}
jens@17	102
jens@17	103	- (BOOL) isSelfSigned {
jens@17	104	id issuer = $atIf(self.info,3);
jens@17	105	id subject = $atIf(self.info,5);
jens@17	106	return $equal(issuer,subject);
jens@17	107	}
jens@17	108
jens@17	109	- (MYPublicKey*) subjectPublicKey {
jens@17	110	NSArray *keyInfo = $cast(NSArray, $atIf(self.info, 6));
jens@17	111	MYOID *keyAlgorithmID = $castIf(MYOID, $atIf($castIf(NSArray,$atIf(keyInfo,0)), 0));
jens@17	112	if (!$equal(keyAlgorithmID, kRSAAlgorithmID))
jens@17	113	return nil;
jens@17	114	MYBitString *keyData = $cast(MYBitString, $atIf(keyInfo, 1));
jens@17	115	if (!keyData) return nil;
jens@17	116	return [[[MYPublicKey alloc] initWithKeyData: keyData.bits] autorelease];
jens@17	117	/*
jens@17	118	NSArray *keyParts = $castIf(NSArray, MYBERParse(keyData, nil));
jens@17	119	if (!keyParts) return nil;
jens@17	120	MYBitString *modulus = $castIf(MYBitString, $atIf(keyParts,0));
jens@17	121	int exponent = [$castIf(NSNumber, $atIf(keyParts,1)) intValue];
jens@17	122	if (!modulus \|\| exponent<3) return nil;
jens@17	123	*/
jens@17	124	}
jens@17	125
jens@17	126	- (MYPublicKey*) issuerPublicKey {
jens@17	127	if (_issuer)
jens@17	128	return _issuer.publicKey;
jens@17	129	else if (self.isSelfSigned)
jens@17	130	return self.subjectPublicKey;
jens@17	131	else
jens@17	132	return nil;
jens@17	133	}
jens@17	134
jens@17	135
jens@17	136	- (NSData*) signedData {
jens@17	137	// The root object is a sequence; we want to extract the 1st object of that sequence.
jens@17	138	const UInt8 *certStart = _data.bytes;
jens@17	139	const UInt8 *start = MYBERGetContents(_data, nil);
jens@17	140	if (!start) return nil;
jens@17	141	size_t length = MYBERGetLength([NSData dataWithBytesNoCopy: (void*)start
jens@17	142	length: _data.length - (start-certStart)
jens@17	143	freeWhenDone: NO],
jens@17	144	NULL);
jens@17	145	if (length==0)
jens@17	146	return nil;
jens@17	147	return [NSData dataWithBytes: start length: (start + length - certStart)];
jens@17	148	}
jens@17	149
jens@17	150	- (MYOID*) signatureAlgorithmID {
jens@17	151	return $castIf(MYOID, $atIf($castIf(NSArray,$atIf(_root,1)), 0));
jens@17	152	}
jens@17	153
jens@17	154	- (NSData*) signature {
jens@17	155	id signature = $atIf(_root,2);
jens@17	156	if ([signature isKindOfClass: [MYBitString class]])
jens@17	157	signature = [signature bits];
jens@17	158	return $castIf(NSData,signature);
jens@17	159	}
jens@17	160
jens@17	161	- (BOOL) validateSignature {
jens@17	162	if (!$equal(self.signatureAlgorithmID, [MYParsedCertificate RSAWithSHA1AlgorithmID]))
jens@17	163	return NO;
jens@17	164	NSData *signedData = self.signedData;
jens@17	165	NSData *signature = self.signature;
jens@17	166	MYPublicKey *pubKey = self.issuerPublicKey;
jens@17	167	if (!signature \|\| !pubKey) return NO;
jens@17	168	return [pubKey verifySignature: signature ofData: signedData];
jens@17	169	}
jens@17	170
jens@17	171
jens@17	172	@end
jens@17	173
jens@17	174
jens@17	175
jens@17	176
jens@17	177	TestCase(ParsedCert) {
jens@17	178	auto void testCert(NSString *filename, BOOL selfSigned);
jens@17	179	testCert(@"../../Tests/selfsigned.cer", YES);
jens@17	180	testCert(@"../../Tests/iphonedev.cer", NO);
jens@17	181	auto void testCert(NSString *filename, BOOL selfSigned) {
jens@17	182	Log(@"--- Creating MYParsedCertificate from %@", filename);
jens@17	183	NSData *certData = [NSData dataWithContentsOfFile: filename];
jens@17	184	//Log(@"Cert Data =\n%@", certData);
jens@17	185	NSError *error = nil;
jens@17	186	MYParsedCertificate *pcert = [[MYParsedCertificate alloc] initWithCertificateData: certData
jens@17	187	error: &error];
jens@17	188	CAssertNil(error);
jens@17	189	CAssert(pcert != nil);
jens@17	190
jens@17	191	CAssertEq(pcert.isSelfSigned, selfSigned);
jens@17	192
jens@17	193	NSData *signedData = pcert.signedData;
jens@17	194	//Log(@"Signed Data = (length=%x)\n%@", signedData.length, signedData);
jens@17	195	CAssertEqual(signedData, [certData subdataWithRange: NSMakeRange(4,signedData.length)]);
jens@17	196
jens@17	197	Log(@"AlgID = %@", pcert.signatureAlgorithmID);
jens@17	198	Log(@"Signature = %@", pcert.signature);
jens@17	199	CAssertEqual(pcert.signatureAlgorithmID, [MYParsedCertificate RSAWithSHA1AlgorithmID]);
jens@17	200	CAssert(pcert.signature != nil);
jens@17	201	Log(@"Subject Public Key = %@", pcert.subjectPublicKey);
jens@17	202	CAssert(pcert.subjectPublicKey);
jens@17	203	if (selfSigned) {
jens@17	204	Log(@"Issuer Public Key = %@", pcert.issuerPublicKey);
jens@17	205	CAssert(pcert.issuerPublicKey);
jens@17	206
jens@17	207	CAssert(pcert.validateSignature);
jens@17	208	}
jens@17	209	}
jens@17	210	}
jens@17	211
jens@17	212
jens@17	213
jens@17	214	/* Parsed form of selfsigned.cer:
jens@17	215
jens@17	216	Sequence: <-- top
jens@17	217	Sequence: <-- info
jens@17	218	MYASN1Object[2/0]: <-- version (int, constructed)
jens@17	219	2
jens@17	220	1 <-- serial number
jens@17	221	Sequence:
jens@17	222	{1 2 840 113549 1 1 1} <-- algorithm ID
jens@17	223	Sequence: <-- issuer
jens@17	224	Set:
jens@17	225	Sequence:
jens@17	226	{2 5 4 4}
jens@17	227	Widdershins
jens@17	228	Set:
jens@17	229	Sequence:
jens@17	230	{1 2 840 113549 1 9 1}
jens@17	231	waldo@example.com
jens@17	232	Set:
jens@17	233	Sequence:
jens@17	234	{2 5 4 3}
jens@17	235	waldo
jens@17	236	Set:
jens@17	237	Sequence:
jens@17	238	{2 5 4 42}
jens@17	239	Waldo
jens@17	240	Set:
jens@17	241	Sequence:
jens@17	242	{2 5 4 13}
jens@17	243	Just a fictitious person
jens@17	244	Sequence: <--validity
jens@17	245	2009-04-12 21:54:35 -0700
jens@17	246	2010-04-13 21:54:35 -0700
jens@17	247	Sequence: <-- subject
jens@17	248	Set:
jens@17	249	Sequence:
jens@17	250	{2 5 4 4}
jens@17	251	Widdershins
jens@17	252	Set:
jens@17	253	Sequence:
jens@17	254	{1 2 840 113549 1 9 1}
jens@17	255	waldo@example.com
jens@17	256	Set:
jens@17	257	Sequence:
jens@17	258	{2 5 4 3}
jens@17	259	waldo
jens@17	260	Set:
jens@17	261	Sequence:
jens@17	262	{2 5 4 42}
jens@17	263	Waldo
jens@17	264	Set:
jens@17	265	Sequence:
jens@17	266	{2 5 4 13}
jens@17	267	Just a fictitious person
jens@17	268	Sequence: <-- public key info
jens@17	269	Sequence:
jens@17	270	{1 2 840 113549 1 1 1} <-- algorithm ID (RSA)
jens@17	271	<null>
jens@17	272	MYBitString<3082010a 02820101 0095713c 360badf2 d8575ebd 278fa26b a2e6d05e 1eb04eaa 9fa6f11b fd341556 038b3077 525c7adb f5aedf3b 249b08e6 7f77af26 7ff2feb8 5f4ccb96 5269dbd2 f01f19b6 55fc4ea3 a85f2ede 11ff80f8 fc23e662 f263f685 06a9ec07 f7ee4249 af184f21 2d9253d8 7f6f7cbc 96e6ba5c abc8f4e7 3bf6100b 06dcf3ee 999d4170 f5dd005d a24a54a1 3edaddd5 0675409d 6728a387 5fa71898 ebf7d93d 4af8742d f9a0e9ad 6dc21cfa fc2d1967 e692575b 56e5376c 8cf008e8 a442d787 6843a92e 9501b144 8a75adef 5e804fec 6d09740d 1ea8442e 67fac3be c5ea3af5 d95d9f95 2c507711 01c45942 28ad1410 23525324 62848476 d987d3c7 d65f9057 daf1e853 77020301 0001> <-- DER-encoded key
jens@17	273	MYASN1Object[2/3]:
jens@17	274	Sequence:
jens@17	275	Sequence:
jens@17	276	{2 5 29 15}
jens@17	277	<030202fc>
jens@17	278	Sequence:
jens@17	279	{2 5 29 37}
jens@17	280	<301a0608 2b060105 05070301 06082b06 01050507 03020604 551d2500>
jens@17	281	Sequence:
jens@17	282	{1 2 840 113549 1 1 5}
jens@17	283	<null>
jens@17	284	MYBitString<79c8e789 50a11fcb 7398f5fe 0cfa2595 b2476f53 62dfbea2 70ae3a8b fdaf5a57 39be6101 fc5e0929 e57a0b2b 41e3ab52 f78ef1b5 ecc8848c da7f42aa b57c3df4 df4125a9 db4e6388 197c2a1c e326c1a5 5203b4ef da057b91 4abc43aa 3eeee6aa fe4303c3 0f000175 16b916b5 72f8b74f c682a06f 920e3bbf a16cdad8 fce3f184 adccc61e 8d3b44e5 8bd103f0 46310f6a 992f240a b290354c 04c519c9 22276df6 310ccb8e 942e38f6 555ca40b 71482e52 146a9988 f021c2c0 2d285db5 59d48eaf 7b20559f 068ea1a0 f07fbaee 29284ada 28bf8344 f435f30f 6263f0c9 9c4920ce a1b7c6c0 9cfa3bbb af5a0fee 5b0e94eb 9c57d28b 1bb9c977 be53e4bb b675ffaa>
jens@17	285	*/

author	Jens Alfke <jens@mooseyard.com>
	Wed Jun 03 17:22:42 2009 -0700 (2009-06-03)
changeset 18	a06e44b9b898
child 19	f6c91b9da05b
permissions	-rw-r--r--