MercurialMYCrypto / file revision
summary | shortlog | changelog | graph | tags | branches | files | changeset | file | latest | revisions | annotate | diff | raw
MYParsedCertificate.m
author Jens Alfke <jens@mooseyard.com>
Wed Jun 03 17:22:42 2009 -0700 (2009-06-03)
changeset 18 a06e44b9b898
child 19 f6c91b9da05b
permissions -rw-r--r--
Fixed DEREncoder test case to use the test self-signed cert, not the iphone dev cert, which doesn't pass the test case yet. 
     1 //

     2 //  MYParsedCertificate.m

     3 //  MYCrypto

     4 //

     5 //  Created by Jens Alfke on 6/2/09.

     6 //  Copyright 2009 Jens Alfke. All rights reserved.

     7 //

     8 

     9 // References:

    10 // <http://en.wikipedia.org/wiki/X.509>

    11 // <http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt>

    12 

    13 

    14 #import "MYParsedCertificate.h"

    15 #import "MYASN1Object.h"

    16 #import "MYOID.h"

    17 #import "MYBERParser.h"

    18 #import "MYDEREncoder.h"

    19 #import "MYPublicKey.h"

    20 #import "MYCertificate.h"

    21 #import "MYErrorUtils.h"

    22 

    23 

    24 static id $atIf(NSArray *array, NSUInteger index) {

    25     return index < array.count ?[array objectAtIndex: index] :nil;

    26 }

    27 

    28 

    29 @implementation MYParsedCertificate

    30 

    31 

    32 static MYOID *kRSAAlgorithmID, *kRSAWithSHA1AlgorithmID;

    33 

    34 

    35 + (void) initialize {

    36     if (!kRSAAlgorithmID) {

    37         UInt32 components[7] = {1, 2, 840, 113549, 1, 1, 1,};

    38         kRSAAlgorithmID = [[MYOID alloc] initWithComponents: components count: 7];

    39     }

    40     if (!kRSAWithSHA1AlgorithmID) {

    41         UInt32 components[7] = {1, 2, 840, 113549, 1, 1, 5};

    42         kRSAWithSHA1AlgorithmID = [[MYOID alloc] initWithComponents: components count: 7];

    43     }

    44 }

    45 

    46 + (MYOID*) RSAAlgorithmID           {return kRSAAlgorithmID;}

    47 + (MYOID*) RSAWithSHA1AlgorithmID   {return kRSAWithSHA1AlgorithmID;}

    48 

    49 

    50 + (NSString*) validate: (id)root {

    51     NSArray *top = $castIf(NSArray,root);

    52     if (top.count < 3)

    53         return @"Too few top-level components";

    54     NSArray *info = $castIf(NSArray, [top objectAtIndex: 0]);

    55     if (info.count < 7)

    56         return @"Too few identity components";

    57     MYASN1Object *version = $castIf(MYASN1Object, [info objectAtIndex: 0]);

    58     if (!version || version.tag != 0)

    59         return @"Missing or invalid version";

    60     NSArray *versionComps = $castIf(NSArray, version.components);

    61     if (!versionComps || versionComps.count != 1)

    62         return @"Invalid version";

    63     NSNumber *versionNum = $castIf(NSNumber, [versionComps objectAtIndex: 0]);

    64     if (!versionNum || versionNum.intValue < 0 || versionNum.intValue > 2)

    65         return @"Unrecognized version number";

    66     return nil;

    67 }

    68 

    69 

    70 - (id) initWithCertificateData: (NSData*)data error: (NSError**)outError;

    71 {

    72     self = [super init];

    73     if (self != nil) {

    74         if (outError) *outError = nil;

    75         id root = MYBERParse(data,outError);

    76         NSString *errorMsg = [[self class] validate: root];

    77         if (errorMsg) {

    78             if (!*outError)

    79                 *outError = MYError(2, MYASN1ErrorDomain, @"Invalid certificate: %@", errorMsg);

    80             [self release];

    81             return nil;

    82         }

    83         _root = [root retain];

    84         _data = [data copy];

    85     }

    86     return self;

    87 }

    88 

    89 - (void) dealloc

    90 {

    91     

    92     [_root release];

    93     [_issuer release];

    94     [super dealloc];

    95 }

    96 

    97 

    98 @synthesize issuer=_issuer;

    99 

   100 

   101 - (NSArray*) info    {return $castIf(NSArray,$atIf(_root,0));}

   102 

   103 - (BOOL) isSelfSigned {

   104     id issuer  = $atIf(self.info,3);

   105     id subject = $atIf(self.info,5);

   106     return $equal(issuer,subject);

   107 }

   108 

   109 - (MYPublicKey*) subjectPublicKey {

   110     NSArray *keyInfo = $cast(NSArray, $atIf(self.info, 6));

   111     MYOID *keyAlgorithmID = $castIf(MYOID, $atIf($castIf(NSArray,$atIf(keyInfo,0)), 0));

   112     if (!$equal(keyAlgorithmID, kRSAAlgorithmID))

   113         return nil;

   114     MYBitString *keyData = $cast(MYBitString, $atIf(keyInfo, 1));

   115     if (!keyData) return nil;

   116     return [[[MYPublicKey alloc] initWithKeyData: keyData.bits] autorelease];

   117     /*

   118     NSArray *keyParts = $castIf(NSArray, MYBERParse(keyData, nil));

   119     if (!keyParts) return nil;

   120     MYBitString *modulus = $castIf(MYBitString, $atIf(keyParts,0));

   121     int exponent = [$castIf(NSNumber, $atIf(keyParts,1)) intValue];

   122     if (!modulus || exponent<3) return nil;

   123     */

   124 }

   125 

   126 - (MYPublicKey*) issuerPublicKey {

   127     if (_issuer)

   128         return _issuer.publicKey;

   129     else if (self.isSelfSigned)

   130         return self.subjectPublicKey;

   131     else

   132         return nil;

   133 }

   134 

   135 

   136 - (NSData*) signedData {

   137     // The root object is a sequence; we want to extract the 1st object of that sequence.

   138     const UInt8 *certStart = _data.bytes;

   139     const UInt8 *start = MYBERGetContents(_data, nil);

   140     if (!start) return nil;

   141     size_t length = MYBERGetLength([NSData dataWithBytesNoCopy: (void*)start

   142                                                         length: _data.length - (start-certStart)

   143                                                   freeWhenDone: NO],

   144                                    NULL);

   145     if (length==0)

   146         return nil;

   147     return [NSData dataWithBytes: start length: (start + length - certStart)];

   148 }

   149 

   150 - (MYOID*) signatureAlgorithmID {

   151     return $castIf(MYOID, $atIf($castIf(NSArray,$atIf(_root,1)), 0));

   152 }

   153 

   154 - (NSData*) signature {

   155     id signature = $atIf(_root,2);

   156     if ([signature isKindOfClass: [MYBitString class]])

   157         signature = [signature bits];

   158     return $castIf(NSData,signature);

   159 }

   160 

   161 - (BOOL) validateSignature {

   162     if (!$equal(self.signatureAlgorithmID, [MYParsedCertificate RSAWithSHA1AlgorithmID]))

   163         return NO;

   164     NSData *signedData = self.signedData;

   165     NSData *signature = self.signature;

   166     MYPublicKey *pubKey = self.issuerPublicKey;

   167     if (!signature || !pubKey) return NO;

   168     return [pubKey verifySignature: signature ofData: signedData];

   169 }

   170 

   171 

   172 @end

   173 

   174 

   175 

   176 

   177 TestCase(ParsedCert) {

   178     auto void testCert(NSString *filename, BOOL selfSigned);

   179     testCert(@"../../Tests/selfsigned.cer", YES);

   180     testCert(@"../../Tests/iphonedev.cer", NO);

   181     auto void testCert(NSString *filename, BOOL selfSigned) {

   182         Log(@"--- Creating MYParsedCertificate from %@", filename);

   183         NSData *certData = [NSData dataWithContentsOfFile: filename];

   184         //Log(@"Cert Data =\n%@", certData);

   185         NSError *error = nil;

   186         MYParsedCertificate *pcert = [[MYParsedCertificate alloc] initWithCertificateData: certData 

   187                                                                                     error: &error];

   188         CAssertNil(error);

   189         CAssert(pcert != nil);

   190         

   191         CAssertEq(pcert.isSelfSigned, selfSigned);

   192         

   193         NSData *signedData = pcert.signedData;

   194         //Log(@"Signed Data = (length=%x)\n%@", signedData.length, signedData);

   195         CAssertEqual(signedData, [certData subdataWithRange: NSMakeRange(4,signedData.length)]);

   196         

   197         Log(@"AlgID = %@", pcert.signatureAlgorithmID);

   198         Log(@"Signature = %@", pcert.signature);

   199         CAssertEqual(pcert.signatureAlgorithmID, [MYParsedCertificate RSAWithSHA1AlgorithmID]);

   200         CAssert(pcert.signature != nil);

   201         Log(@"Subject Public Key = %@", pcert.subjectPublicKey);

   202         CAssert(pcert.subjectPublicKey);

   203         if (selfSigned) {

   204             Log(@"Issuer Public Key = %@", pcert.issuerPublicKey);

   205             CAssert(pcert.issuerPublicKey);

   206             

   207             CAssert(pcert.validateSignature);

   208         }

   209     }

   210 }    

   211 

   212 

   213 

   214 /* Parsed form of selfsigned.cer:

   215  

   216 Sequence:                           <-- top

   217     Sequence:                       <-- info

   218         MYASN1Object[2/0]:          <-- version (int, constructed)

   219             2

   220         1                           <-- serial number

   221         Sequence:

   222             {1 2 840 113549 1 1 1}  <-- algorithm ID

   223         Sequence:                   <-- issuer

   224             Set:

   225                 Sequence:

   226                     {2 5 4 4}

   227                     Widdershins

   228             Set:

   229                 Sequence:

   230                     {1 2 840 113549 1 9 1}

   231                     waldo@example.com

   232             Set:

   233                 Sequence:

   234                     {2 5 4 3}

   235                     waldo

   236             Set:

   237                 Sequence:

   238                     {2 5 4 42}

   239                     Waldo

   240             Set:

   241                 Sequence:

   242                     {2 5 4 13}

   243                     Just a fictitious person

   244         Sequence:                       <--validity

   245             2009-04-12 21:54:35 -0700

   246             2010-04-13 21:54:35 -0700

   247         Sequence:                       <-- subject

   248             Set:

   249                 Sequence:

   250                     {2 5 4 4}

   251                     Widdershins

   252             Set:

   253                 Sequence:

   254                     {1 2 840 113549 1 9 1}

   255                     waldo@example.com

   256             Set:

   257                 Sequence:

   258                     {2 5 4 3}

   259                     waldo

   260             Set:

   261                 Sequence:

   262                     {2 5 4 42}

   263                     Waldo

   264             Set:

   265                 Sequence:

   266                     {2 5 4 13}

   267                     Just a fictitious person

   268         Sequence:                               <-- public key info

   269             Sequence:

   270                 {1 2 840 113549 1 1 1}          <-- algorithm ID (RSA)

   271                 <null>

   272             MYBitString<3082010a 02820101 0095713c 360badf2 d8575ebd 278fa26b a2e6d05e 1eb04eaa 9fa6f11b fd341556 038b3077 525c7adb f5aedf3b 249b08e6 7f77af26 7ff2feb8 5f4ccb96 5269dbd2 f01f19b6 55fc4ea3 a85f2ede 11ff80f8 fc23e662 f263f685 06a9ec07 f7ee4249 af184f21 2d9253d8 7f6f7cbc 96e6ba5c abc8f4e7 3bf6100b 06dcf3ee 999d4170 f5dd005d a24a54a1 3edaddd5 0675409d 6728a387 5fa71898 ebf7d93d 4af8742d f9a0e9ad 6dc21cfa fc2d1967 e692575b 56e5376c 8cf008e8 a442d787 6843a92e 9501b144 8a75adef 5e804fec 6d09740d 1ea8442e 67fac3be c5ea3af5 d95d9f95 2c507711 01c45942 28ad1410 23525324 62848476 d987d3c7 d65f9057 daf1e853 77020301 0001>        <-- DER-encoded key

   273         MYASN1Object[2/3]:

   274             Sequence:

   275                 Sequence:

   276                     {2 5 29 15}

   277                     <030202fc>

   278                 Sequence:

   279                     {2 5 29 37}

   280                     <301a0608 2b060105 05070301 06082b06 01050507 03020604 551d2500>

   281     Sequence:

   282         {1 2 840 113549 1 1 5}

   283         <null>

   284     MYBitString<79c8e789 50a11fcb 7398f5fe 0cfa2595 b2476f53 62dfbea2 70ae3a8b fdaf5a57 39be6101 fc5e0929 e57a0b2b 41e3ab52 f78ef1b5 ecc8848c da7f42aa b57c3df4 df4125a9 db4e6388 197c2a1c e326c1a5 5203b4ef da057b91 4abc43aa 3eeee6aa fe4303c3 0f000175 16b916b5 72f8b74f c682a06f 920e3bbf a16cdad8 fce3f184 adccc61e 8d3b44e5 8bd103f0 46310f6a 992f240a b290354c 04c519c9 22276df6 310ccb8e 942e38f6 555ca40b 71482e52 146a9988 f021c2c0 2d285db5 59d48eaf 7b20559f 068ea1a0 f07fbaee 29284ada 28bf8344 f435f30f 6263f0c9 9c4920ce a1b7c6c0 9cfa3bbb af5a0fee 5b0e94eb 9c57d28b 1bb9c977 be53e4bb b675ffaa>

   285 */
MYCrypto