X-Git-Url: https://git.saurik.com/apple/ipsec.git/blobdiff_plain/e8d9021d008d9729f3dfcdc16bb03a990513b007..e627a751fc4d26304657fc20440abb72632b1e6e:/ipsec-tools/racoon/crypto_cssm.c
diff --git a/ipsec-tools/racoon/crypto_cssm.c b/ipsec-tools/racoon/crypto_cssm.c
index 6e501cf..008ba51 100644
--- a/ipsec-tools/racoon/crypto_cssm.c
+++ b/ipsec-tools/racoon/crypto_cssm.c
@@ -27,115 +27,109 @@ * Framework and CSSM */ +#include "config.h" + #include #include #include -#include +#include #include - -#include -#if TARGET_OS_EMBEDDED #include +#include +#include +#ifndef HAVE_OPENSSL #include #include #include #else #include #include -#include -#include -#include -#include - +#include #include #include #include #include #endif - #include +#if !TARGET_OS_EMBEDDED +#include +#include +#include +#include #include +#endif #include "plog.h" #include "debug.h" #include "misc.h" #include "oakley.h" +#include "gcmalloc.h" #include "crypto_cssm.h" -#if TARGET_OS_EMBEDDED + static OSStatus EvaluateCert(SecCertificateRef evalCertArray[], CFIndex evalCertArrayNumValues, CFTypeRef policyRef, SecKeyRef *publicKeyRef); -#else -static OSStatus EvaluateCert(SecCertificateRef evalCertArray[], CFIndex evalCertArrayNumValues, CFTypeRef policyRef); -#endif -#if !TARGET_OS_EMBEDDED -static OSStatus FindPolicy(const CSSM_OID *policyOID, SecPolicyRef *policyRef); -static OSStatus CopySystemKeychain(SecKeychainRef *keychainRef); -#endif + static SecPolicyRef crypto_cssm_x509cert_get_SecPolicyRef (CFStringRef hostname) { - OSStatus status; SecPolicyRef policyRef = NULL; -#if !TARGET_OS_EMBEDDED - CSSM_OID ourPolicyOID = CSSMOID_APPLE_TP_IP_SEC; + CFDictionaryRef properties = NULL; + const void *key[] = { kSecPolicyName }; + const void *value[] = { hostname }; - // get our policy object - status = FindPolicy(&ourPolicyOID, &policyRef); - if (status != noErr && status != -1) { - plog(LLV_ERROR, LOCATION, NULL, - "error %d %s.\n", status, GetSecurityErrorString(status)); - } -#else if (hostname) { - policyRef = SecPolicyCreateIPSec(FALSE, hostname); - if (policyRef == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "unable to create a SSL policyRef.\n"); + properties = CFDictionaryCreate(NULL, key, value, 1, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + if (properties == NULL) { + plog(ASL_LEVEL_ERR, + "unable to create dictionary for policy 
properties.\n"); } } -#endif + policyRef = SecPolicyCreateWithProperties(kSecPolicyAppleIPsec, properties); + if (properties) + CFRelease(properties); return policyRef; } SecCertificateRef -crypto_cssm_x509cert_get_SecCertificateRef (vchar_t *cert) +crypto_cssm_x509cert_CreateSecCertificateRef (vchar_t *cert) { - OSStatus status; SecCertificateRef certRef = NULL; -#if !TARGET_OS_EMBEDDED - CSSM_DATA certData; - // create cert ref - certData.Length = cert->l; - certData.Data = (uint8 *)cert->v; - status = SecCertificateCreateFromData(&certData, CSSM_CERT_X_509v3, CSSM_CERT_ENCODING_DER, - &certRef); - if (status != noErr && status != -1) { - plog(LLV_ERROR, LOCATION, NULL, - "error %d %s.\n", status, GetSecurityErrorString(status)); - } -#else - CFDataRef cert_data = CFDataCreateWithBytesNoCopy(NULL, cert->v, cert->l, kCFAllocatorNull); + CFDataRef cert_data = CFDataCreateWithBytesNoCopy(NULL, (uint8_t*)cert->v, cert->l, kCFAllocatorNull); if (cert_data) { certRef = SecCertificateCreateWithData(NULL, cert_data); CFRelease(cert_data); } -#endif + if (certRef == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "unable to create a certRef.\n"); + plog(ASL_LEVEL_ERR, + "unable to get a certifcate reference.\n"); } return certRef; } -static cert_status_t +/* HACK!!! - temporary until this prototype gets moved */ +extern CFDataRef SecCertificateCopySubjectSequence( SecCertificateRef certificate); + +CFDataRef +crypto_cssm_CopySubjectSequence(SecCertificateRef certRef) +{ + CFDataRef subject = NULL; + + subject = SecCertificateCopySubjectSequence(certRef); + return subject; + +} + + +cert_status_t crypto_cssm_check_x509cert_dates (SecCertificateRef certificateRef) { cert_status_t certStatus = CERT_STATUS_OK; -#if TARGET_OS_EMBEDDED +#ifndef HAVE_OPENSSL CFAbsoluteTime timeNow = 0; CFAbsoluteTime notvalidbeforedate = 0; CFAbsoluteTime notvalidafterdate = 0; 
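Review bot: In crypto_cssm_x509cert_get_SecPolicyRef the CFDictionaryCreate failure path only logs and then falls through to `SecPolicyCreateWithProperties(kSecPolicyAppleIPsec, properties)` with `properties == NULL`, so an allocation failure silently yields an IPsec policy without the hostname constraint the caller asked for. A hard failure is the safer outcome here; after the plog add `return NULL;` so the caller gets no policy rather than a weaker one. Note also that a NULL hostname now produces an unconstrained policy where the old embedded path left policyRef NULL; if that is intended, a comment saying name checking is skipped when no hostname is configured would help the next reader. The hunk also adds an `extern` SPI prototype for SecCertificateCopySubjectSequence marked HACK; a TODO naming the header it should come from would keep it from becoming permanent.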
@@ -143,63 +137,57 @@ crypto_cssm_check_x509cert_dates (SecCertificateRef certificateRef) CFDateRef notvalidbeforedatedata = NULL; CFDateRef notvalidafterdatedata = NULL; CFArrayRef certProparray = NULL; - CFDictionaryRef propDict = NULL; - const void *datevalue = NULL; - const void *labelvalue = NULL; - CFGregorianDate gregoriandate; - CFIndex count; - CFIndex i; - - if ((certProparray = SecCertificateCopyProperties(certificateRef))){ - if ((count = CFArrayGetCount( certProparray ))){ - for( i = 0; i < count; i++) { - if ((propDict = CFArrayGetValueAtIndex(certProparray, i))) { - if ( CFDictionaryGetValueIfPresent(propDict, kSecPropertyKeyValue, (const void**)&datevalue)){ - /* get kSecPropertyKeyLabel */ - if ( (datevalue) && (CFDictionaryGetValueIfPresent(propDict, kSecPropertyKeyLabel, (const void**)&labelvalue))){ - if ( (labelvalue) && (CFStringCompare( (CFStringRef)labelvalue, CFSTR("Not Valid Before"), 0) == kCFCompareEqualTo)){ - if ( notvalidbeforedate = CFDateGetAbsoluteTime(datevalue)) { - if (notvalidbeforedatedata) { - CFRelease(notvalidbeforedatedata); - } - notvalidbeforedatedata = CFDateCreate(NULL, notvalidbeforedate); - } - }else if ((labelvalue) && (CFStringCompare( (CFStringRef)labelvalue, CFSTR("Not Valid After"), 0 ) == kCFCompareEqualTo)){ - if ( notvalidafterdate = CFDateGetAbsoluteTime(datevalue)) { - if (notvalidafterdatedata) { - CFRelease(notvalidafterdatedata); - } - notvalidafterdatedata = CFDateCreate(NULL, notvalidafterdate); - } - } - } - } + + if ((timeNow = CFAbsoluteTimeGetCurrent())) { + if (SecCertificateIsValid(certificateRef, timeNow)) { + plog(ASL_LEVEL_NOTICE, "Certificate expiration date is OK\n"); + certStatus = CERT_STATUS_OK; + } else { + nowcfdatedata = CFDateCreate( NULL, timeNow); + + if ((notvalidbeforedate = SecCertificateNotValidBefore(certificateRef))) { + notvalidbeforedatedata = CFDateCreate(NULL, notvalidbeforedate); + } + + if ((notvalidafterdate = SecCertificateNotValidAfter(certificateRef))) { + 
notvalidafterdatedata = CFDateCreate(NULL, notvalidafterdate); + } + + int year = 0; + int month = 0; + int day = 0; + int hour = 0; + int minute = 0; + CFCalendarRef calendar = CFCalendarCreateWithIdentifier(kCFAllocatorDefault, kCFGregorianCalendar); + if (calendar) + { + if (notvalidbeforedate) { + CFCalendarDecomposeAbsoluteTime(calendar, notvalidbeforedate, "yMdHm", &year, &month, &day, &hour, &minute); + plog(ASL_LEVEL_DEBUG, "Certificate not valid before yr %d, mon %d, days %d, hours %d, min %d\n", year, month, day, hour, minute); } - } - } - } - if ( (timeNow = CFAbsoluteTimeGetCurrent()) && (nowcfdatedata = CFDateCreate( NULL, timeNow))){ - if ( notvalidbeforedatedata ){ - gregoriandate = CFAbsoluteTimeGetGregorianDate(notvalidbeforedate, NULL); - plog(LLV_DEBUG, LOCATION, NULL, - "cert not valid before yr %d, mon %d, days %d, hours %d, min %d\n", gregoriandate.year, gregoriandate.month, gregoriandate.day, gregoriandate.hour, gregoriandate.minute); - gregoriandate = CFAbsoluteTimeGetGregorianDate(notvalidafterdate, NULL); - plog(LLV_DEBUG, LOCATION, NULL, - "cert not valid after yr %d, mon %d, days %d, hours %d, min %d\n", gregoriandate.year, gregoriandate.month, gregoriandate.day, gregoriandate.hour, gregoriandate.minute); - if ( CFDateCompare( nowcfdatedata, notvalidbeforedatedata, NULL ) == kCFCompareLessThan){ - plog(LLV_ERROR, LOCATION, NULL, - "current time before valid time\n"); - certStatus = CERT_STATUS_PREMATURE; - } else if (notvalidafterdatedata && (CFDateCompare( nowcfdatedata, notvalidafterdatedata, NULL ) == kCFCompareGreaterThan)){ - plog(LLV_ERROR, LOCATION, NULL, - "current time after valid time\n"); - certStatus = CERT_STATUS_EXPIRED; - }else { - plog(LLV_INFO, LOCATION, NULL, "certificate expiration date OK\n"); - certStatus = CERT_STATUS_OK; + if (notvalidafterdate) { + CFCalendarDecomposeAbsoluteTime(calendar, notvalidafterdate, "yMdHm", &year, &month, &day, &hour, &minute); + plog(ASL_LEVEL_DEBUG, "Certificate not valid after yr %d, 
mon %d, days %d, hours %d, min %d\n", year, month, day, hour, minute); + } + CFRelease(calendar); + } + + if (nowcfdatedata != NULL) { + if (notvalidbeforedatedata && CFDateCompare(nowcfdatedata, notvalidbeforedatedata, NULL) == kCFCompareLessThan){ + plog(ASL_LEVEL_ERR, + "current time before valid time\n"); + certStatus = CERT_STATUS_PREMATURE; + } else if (notvalidafterdatedata && (CFDateCompare( nowcfdatedata, notvalidafterdatedata, NULL ) == kCFCompareGreaterThan)){ + plog(ASL_LEVEL_ERR, + "current time after valid time\n"); + certStatus = CERT_STATUS_EXPIRED; + } } } + } else { + plog(ASL_LEVEL_ERR, "CFAbsoluteTimeGetCurrent() failed"); + certStatus = CERT_STATUS_INVALID; } if (notvalidbeforedatedata) @@ -217,11 +205,7 @@ crypto_cssm_check_x509cert_dates (SecCertificateRef certificateRef) /* * Verify cert using security framework */ -#if TARGET_OS_EMBEDDED int crypto_cssm_check_x509cert (cert_t *hostcert, cert_t *certchain, CFStringRef hostname, SecKeyRef *publicKeyRef) -#else -int crypto_cssm_check_x509cert (cert_t *hostcert, cert_t *certchain, CFStringRef hostname) -#endif { cert_t *p; cert_status_t certStatus = 0; @@ -239,8 +223,8 @@ int crypto_cssm_check_x509cert (cert_t *hostcert, cert_t *certchain, CFStringRef // find the total number of certs for (p = certchain; p; p = p->chain, n++); if (n> 1) { - plog(LLV_DEBUG2, LOCATION, NULL, - "%s: checking chain of %d certificates.\n", __FUNCTION__, n); + plog(ASL_LEVEL_DEBUG, + "%s: checking chain of %d certificates.\n", __FUNCTION__, (int)n); } certArraySiz = n * sizeof(CFTypeRef); 
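Review bot: In the rewritten crypto_cssm_check_x509cert_dates the `else` branch taken when SecCertificateIsValid() returns false leaves certStatus at its initial CERT_STATUS_OK unless one of the two CFDateCompare checks fires; if SecCertificateNotValidBefore/After return 0 (both are tested for non-zero before a CFDate is created) or CFDateCreate fails, a certificate the framework already judged invalid is reported as OK. Seed the branch with a failing status and let the comparisons refine it: `} else { certStatus = CERT_STATUS_INVALID;` immediately after the else. Separately, the `"CFAbsoluteTimeGetCurrent() failed"` message lacks the trailing `\n` every other plog call in this file uses. The function's cleanup and return are outside this hunk.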
@@ -249,12 +233,12 @@ int crypto_cssm_check_x509cert (cert_t *hostcert, cert_t *certchain, CFStringRef return -1; } bzero(certArrayRef, certArraySiz); - if ((certArrayRef[certArrayRefNumValues] = crypto_cssm_x509cert_get_SecCertificateRef(&hostcert->cert))) { + if ((certArrayRef[certArrayRefNumValues] = crypto_cssm_x509cert_CreateSecCertificateRef(&hostcert->cert))) { /* don't overwrite any pending status */ if (!hostcert->status) { hostcert->status = crypto_cssm_check_x509cert_dates(certArrayRef[certArrayRefNumValues]); if (hostcert->status) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "host certificate failed date verification: %d.\n", hostcert->status); certStatus = hostcert->status; } @@ -263,12 +247,12 @@ int crypto_cssm_check_x509cert (cert_t *hostcert, cert_t *certchain, CFStringRef } for (p = certchain; p && certArrayRefNumValues < n; p = p->chain) { if (p != hostcert) { - if ((certArrayRef[certArrayRefNumValues] = crypto_cssm_x509cert_get_SecCertificateRef(&p->cert))) { + if ((certArrayRef[certArrayRefNumValues] = crypto_cssm_x509cert_CreateSecCertificateRef(&p->cert))) { /* don't overwrite any pending status */ if (!p->status) { p->status = crypto_cssm_check_x509cert_dates(certArrayRef[certArrayRefNumValues]); if (p->status) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "other certificate in chain failed date verification: %d.\n", p->status); if (!certStatus) { certStatus = p->status; @@ -281,11 +265,7 @@ int crypto_cssm_check_x509cert (cert_t *hostcert, cert_t *certchain, CFStringRef } // evaluate cert -#if TARGET_OS_EMBEDDED status = EvaluateCert(certArrayRef, certArrayRefNumValues, policyRef, publicKeyRef); -#else - status = EvaluateCert(certArrayRef, certArrayRefNumValues, policyRef); -#endif while (certArrayRefNumValues) { CFRelease(certArrayRef[--certArrayRefNumValues]); 
@@ -296,8 +276,8 @@ int crypto_cssm_check_x509cert (cert_t *hostcert, cert_t *certchain, CFStringRef CFRelease(policyRef); if (status != noErr && status != -1) { - plog(LLV_ERROR, LOCATION, NULL, - "error %d %s.\n", status, GetSecurityErrorString(status)); + plog(ASL_LEVEL_ERR, + "check_x509cert error %d %s.\n", (int)status, GetSecurityErrorString(status)); status = -1; } else if (certStatus == CERT_STATUS_PREMATURE || certStatus == CERT_STATUS_EXPIRED) { status = -1; @@ -306,12 +286,11 @@ int crypto_cssm_check_x509cert (cert_t *hostcert, cert_t *certchain, CFStringRef } -#if TARGET_OS_EMBEDDED -int crypto_cssm_verify_x509sign(SecKeyRef publicKeyRef, vchar_t *hash, vchar_t *signature) + +int crypto_cssm_verify_x509sign(SecKeyRef publicKeyRef, vchar_t *hash, vchar_t *signature, Boolean useSHA1) { - return SecKeyRawVerify(publicKeyRef, kSecPaddingPKCS1, hash->v, hash->l, signature->v, signature->l); + return SecKeyRawVerify(publicKeyRef, useSHA1 ? kSecPaddingPKCS1SHA1 : kSecPaddingPKCS1, (uint8_t*)hash->v, hash->l, (uint8_t*)signature->v, signature->l); } -#endif /* * Encrypt a hash via CSSM using the private key in the keychain 
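Review bot: The post-evaluation check in crypto_cssm_check_x509cert maps only CERT_STATUS_PREMATURE and CERT_STATUS_EXPIRED to `status = -1`, yet the date check rewritten earlier in this commit can now also yield CERT_STATUS_INVALID (when CFAbsoluteTimeGetCurrent() fails), and that value passes through here as success whenever EvaluateCert returns noErr. Treat every non-OK date status as a failure: `} else if (certStatus != CERT_STATUS_OK) {`. The function's start and its return sit outside this hunk; certStatus is initialised to `0` in an earlier hunk, so confirm that equals CERT_STATUS_OK before relying on the comparison.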
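Review bot: crypto_cssm_verify_x509sign now picks kSecPaddingPKCS1SHA1 or kSecPaddingPKCS1 from `useSHA1`; with plain kSecPaddingPKCS1 the padding carries no DigestInfo, so the hash algorithm is not bound into the signature and the caller alone decides what `hash` represents. That is presumably the form wanted for the raw IKEv1 HASH payload, but it means a signer/verifier algorithm mismatch is caught only by the caller, so the contract deserves a comment such as `/* useSHA1: expect a PKCS#1 v1.5 signature over a SHA-1 DigestInfo; otherwise hash->v is verified as the raw padded payload */`. The function also returns SecKeyRawVerify's OSStatus directly (noErr on success) while check_x509cert uses 0/-1, which is worth stating in the same comment so callers do not conflate the two conventions.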
@@ -325,132 +304,24 @@ vchar_t* crypto_cssm_getsign(CFDataRef persistentCertRef, vchar_t* hash) SecKeyRef privateKeyRef = NULL; vchar_t *sig = NULL; -#if !TARGET_OS_EMBEDDED - CSSM_SIZE bytesEncrypted = 0; - SecCertificateRef certificateRef = NULL; - SecIdentitySearchRef idSearchRef = NULL; - SecKeychainRef keychainRef = NULL; - const CSSM_KEY *cssmKey = NULL; - CSSM_CSP_HANDLE cspHandle = nil; - CSSM_CC_HANDLE cssmContextHandle = nil; - const CSSM_ACCESS_CREDENTIALS *credentials = NULL; - CSSM_DATA clearData; - CSSM_DATA cipherData; - CSSM_DATA remData; - CSSM_CONTEXT_ATTRIBUTE newAttr; - - remData.Length = 0; - remData.Data = 0; - - if (persistentCertRef) { - // get cert from keychain - status = SecKeychainItemCopyFromPersistentReference(persistentCertRef, (SecKeychainItemRef*)&certificateRef); - if (status != noErr) - goto end; - - // get keychain ref where cert is contained - status = SecKeychainItemCopyKeychain((SecKeychainItemRef)certificateRef, &keychainRef); - if (status != noErr) - goto end; - - // get identity from the certificate - status = SecIdentityCreateWithCertificate(keychainRef, certificateRef, &identityRef); - if (status != noErr) - goto end; - - } else { - - // copy system keychain - status = CopySystemKeychain(&keychainRef); - if (status != noErr) - goto end; - - // serach for first identity in system keychain - status = SecIdentitySearchCreate(keychainRef, CSSM_KEYUSE_SIGN, &idSearchRef); - if (status != noErr) - goto end; - - status = SecIdentitySearchCopyNext(idSearchRef, &identityRef); - if (status != noErr) - goto end; - - // get certificate from identity - status = SecIdentityCopyCertificate(identityRef, &certificateRef); - if (status != noErr) - goto end; - } - - // get private key from identity - status = SecIdentityCopyPrivateKey(identityRef, &privateKeyRef); - if (status != noErr) - goto end; - - // get CSSM_KEY pointer from key ref - status = SecKeyGetCSSMKey(privateKeyRef, &cssmKey); - if (status != noErr) - goto end; - - // get 
CSSM CSP handle - status = SecKeychainGetCSPHandle(keychainRef, &cspHandle); - if (status != noErr) - goto end; - - // create CSSM credentials to unlock private key for encryption - no UI to be used - status = SecKeyGetCredentials(privateKeyRef, CSSM_ACL_AUTHORIZATION_ENCRYPT, - kSecCredentialTypeNoUI, &credentials); - if (status != noErr) - goto end; - - // create asymmetric context for encryption - status = CSSM_CSP_CreateAsymmetricContext(cspHandle, CSSM_ALGID_RSA, credentials, cssmKey, - CSSM_PADDING_PKCS1, &cssmContextHandle); - if (status != noErr) - goto end; - - // add mode attribute to use private key for encryption - newAttr.AttributeType = CSSM_ATTRIBUTE_MODE; - newAttr.AttributeLength = sizeof(uint32); - newAttr.Attribute.Data = (CSSM_DATA_PTR)CSSM_ALGMODE_PRIVATE_KEY; - status = CSSM_UpdateContextAttributes(cssmContextHandle, 1, &newAttr); - if(status != noErr) - goto end; - - // and finally - encrypt data - clearData.Length = hash->l; - clearData.Data = (uint8 *)hash->v; - cipherData.Length = 0; - cipherData.Data = NULL; - status = CSSM_EncryptData(cssmContextHandle, &clearData, 1, &cipherData, 1, &bytesEncrypted, - &remData); - if (status != noErr) - goto end; - - if (remData.Length != 0) { // something didn't go right - should be zero - status = -1; - plog(LLV_ERROR, LOCATION, NULL, - "unencrypted data remaining after encrypting hash.\n"); - goto end; - } - - // alloc buffer for result - sig = vmalloc(0); - if (sig == NULL) - goto end; - - sig->l = cipherData.Length; - sig->v = (caddr_t)cipherData.Data; - -#else CFDictionaryRef persistFind = NULL; - const void *keys_persist[] = { kSecReturnRef, kSecValuePersistentRef }; - const void *values_persist[] = { kCFBooleanTrue, persistentCertRef }; - - #define SIG_BUF_SIZE 1024 + const void *keys_persist[] = { kSecReturnRef, kSecValuePersistentRef, kSecClass, +#if TARGET_OS_EMBEDDED || TARGET_OS_IPHONE + kSecUseSystemKeychain, +#endif + }; + const void *values_persist[] = { kCFBooleanTrue, 
persistentCertRef, kSecClassIdentity, +#if TARGET_OS_EMBEDDED || TARGET_OS_IPHONE + kCFBooleanTrue, +#endif + }; + +#define SIG_BUF_SIZE 1024 /* find identity by persistent ref */ persistFind = CFDictionaryCreate(NULL, keys_persist, values_persist, - (sizeof(keys_persist) / sizeof(*keys_persist)), NULL, NULL); + (sizeof(keys_persist) / sizeof(*keys_persist)), NULL, NULL); if (persistFind == NULL) goto end; @@ -467,10 +338,8 @@ vchar_t* crypto_cssm_getsign(CFDataRef persistentCertRef, vchar_t* hash) if (sig == NULL) goto end; - status = SecKeyRawSign(privateKeyRef, kSecPaddingPKCS1, hash->v, - hash->l, sig->v, &sig->l); - -#endif + status = SecKeyRawSign(privateKeyRef, kSecPaddingPKCS1, (uint8_t*)hash->v, + hash->l, (uint8_t*)sig->v, &sig->l); end: @@ -479,19 +348,8 @@ end: if (privateKeyRef) CFRelease(privateKeyRef); -#if !TARGET_OS_EMBEDDED - if (certificateRef) - CFRelease(certificateRef); - if (keychainRef) - CFRelease(keychainRef); - if (idSearchRef) - CFRelease(idSearchRef); - if (cssmContextHandle) - CSSM_DeleteContext(cssmContextHandle); -#else if (persistFind) CFRelease(persistFind); -#endif if (status != noErr) { if (sig) { @@ -501,8 +359,8 @@ end: } if (status != noErr && status != -1) { - plog(LLV_ERROR, LOCATION, NULL, - "error %d %s.\n", status, GetSecurityErrorString(status)); + plog(ASL_LEVEL_ERR, + "getsign error %d %s.\n", (int)status, GetSecurityErrorString(status)); status = -1; } return sig; 
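Review bot: In crypto_cssm_getsign the search dictionary is created with `CFDictionaryCreate(NULL, keys_persist, values_persist, ..., NULL, NULL)`, i.e. no key or value callbacks, while the otherwise identical lookup in crypto_cssm_get_x509cert later in this diff passes kCFTypeDictionaryKeyCallBacks/kCFTypeDictionaryValueCallBacks. With NULL callbacks nothing is retained and keys are compared by pointer, which works here only because the keys are CF constants and persistentCertRef outlives the query; passing the typed callbacks in both places removes that implicit dependency and makes the two functions consistent. The `#define SIG_BUF_SIZE 1024` now sits inside the function body with no `#undef`; a file-scope definition next to the other constants would be clearer.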
@@ -519,77 +377,28 @@ vchar_t* crypto_cssm_get_x509cert(CFDataRef persistentCertRef, OSStatus status = -1; vchar_t *cert = NULL; + SecCertificateRef certificateRef = NULL; + CFDictionaryRef persistFind = NULL; + size_t dataLen; + CFDataRef certData = NULL; SecIdentityRef identityRef = NULL; - SecCertificateRef certificateRef = NULL; - -#if !TARGET_OS_EMBEDDED - CSSM_DATA cssmData; - SecIdentitySearchRef idSearchRef = NULL; - SecKeychainRef keychainRef = NULL; - - // get cert ref - if (persistentCertRef) { - status = SecKeychainItemCopyFromPersistentReference(persistentCertRef, (SecKeychainItemRef*)&certificateRef); - if (status != noErr) - goto end; - } else { - // copy system keychain - status = CopySystemKeychain(&keychainRef); - if (status != noErr) - goto end; - - // find first identity in system keychain - status = SecIdentitySearchCreate(keychainRef, CSSM_KEYUSE_SIGN, &idSearchRef); - if (status != noErr) - goto end; - - status = SecIdentitySearchCopyNext(idSearchRef, &identityRef); - if (status != noErr) - goto end; - - // get certificate from identity - status = SecIdentityCopyCertificate(identityRef, &certificateRef); - if (status != noErr) - goto end; - - } - - // get certificate data - cssmData.Length = 0; - cssmData.Data = NULL; - status = SecCertificateGetData(certificateRef, &cssmData); - if (status != noErr) - goto end; - - if (cssmData.Length == 0) - goto end; - - cert = vmalloc(cssmData.Length); - if (cert == NULL) - goto end; - - // cssmData struct just points to the data - // data must be copied to be returned - memcpy(cert->v, cssmData.Data, cssmData.Length); - - // verify expiry or missing fields - if (certStatus) { - *certStatus = CERT_STATUS_OK; - } -#else - - CFDictionaryRef persistFind = NULL; - const void *keys_persist[] = { kSecReturnRef, kSecValuePersistentRef }; - const void *values_persist[] = { kCFBooleanTrue, persistentCertRef }; - size_t dataLen; - CFDataRef certData = NULL; + const void *keys_persist[] = { kSecReturnRef, 
kSecValuePersistentRef, kSecClass, +#if TARGET_OS_EMBEDDED || TARGET_OS_IPHONE + kSecUseSystemKeychain, +#endif + }; + const void *values_persist[] = { kCFBooleanTrue, persistentCertRef, kSecClassIdentity, +#if TARGET_OS_EMBEDDED || TARGET_OS_IPHONE + kCFBooleanTrue, +#endif + }; /* find identity by persistent ref */ persistFind = CFDictionaryCreate(NULL, keys_persist, values_persist, (sizeof(keys_persist) / sizeof(*keys_persist)), &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); if (persistFind == NULL) goto end; - + status = SecItemCopyMatching(persistFind, (CFTypeRef *)&identityRef); if (status != noErr) goto end; 
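Review bot: crypto_cssm_get_x509cert no longer has any handling for a NULL persistentCertRef: the removed macOS branch fell back to the first signing identity in the system keychain, whereas the new code places persistentCertRef straight into `values_persist[]` and calls CFDictionaryCreate with kCFTypeDictionaryValueCallBacks, whose retain callback will very likely fault on a NULL value. Since `status` is already initialised to `-1`, an early guard before the dictionary is built, `if (persistentCertRef == NULL) goto end;`, turns that into the existing clean-failure path. The same dropped fallback applies to crypto_cssm_getsign earlier in this diff; if callers may still pass NULL, that should be documented at the prototype. The rest of this function continues in the next hunk.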
@@ -610,96 +419,48 @@ vchar_t* crypto_cssm_get_x509cert(CFDataRef persistentCertRef, if (cert == NULL) goto end; - CFDataGetBytes(certData, CFRangeMake(0, dataLen), cert->v); + CFDataGetBytes(certData, CFRangeMake(0, dataLen), (uint8_t*)cert->v); // verify expiry or missing fields if (certStatus) { *certStatus = crypto_cssm_check_x509cert_dates(certificateRef); } - -#endif end: + if (identityRef) + CFRelease(identityRef); if (certificateRef) CFRelease(certificateRef); - if (identityRef) - CFRelease(identityRef); -#if !TARGET_OS_EMBEDDED - if (idSearchRef) - CFRelease(idSearchRef); - if (keychainRef) - CFRelease(keychainRef); -#else if (persistFind) CFRelease(persistFind); if (certData) CFRelease(certData); -#endif if (status != noErr && status != -1) { - plog(LLV_ERROR, LOCATION, NULL, - "error %d %s.\n", status, GetSecurityErrorString(status)); + plog(ASL_LEVEL_ERR, + "get_x509cert error %d %s.\n", (int)status, GetSecurityErrorString(status)); status = -1; } return cert; } -#if !TARGET_OS_EMBEDDED -/* - * Find a policy ref by OID - */ -static OSStatus FindPolicy(const CSSM_OID *policyOID, SecPolicyRef *policyRef) -{ - - OSStatus status; - SecPolicySearchRef searchRef = nil; - - status = SecPolicySearchCreate(CSSM_CERT_X_509v3, policyOID, NULL, &searchRef); - if (status != noErr) - goto end; - - status = SecPolicySearchCopyNext(searchRef, policyRef); - -end: - if (searchRef) - CFRelease(searchRef); - - if (status != noErr) { - plog(LLV_ERROR, LOCATION, NULL, - "error %d %s.\n", status, GetSecurityErrorString(status)); - status = -1; - } - return status; -} -#endif - /* * Evaluate the trust of a cert using the policy provided */ -#if TARGET_OS_EMBEDDED static OSStatus EvaluateCert(SecCertificateRef evalCertArray[], CFIndex evalCertArrayNumValues, CFTypeRef policyRef, SecKeyRef *publicKeyRef) -#else -static OSStatus EvaluateCert(SecCertificateRef evalCertArray[], CFIndex evalCertArrayNumValues, CFTypeRef policyRef) - -#endif { OSStatus status; SecTrustRef trustRef = 
0; SecTrustResultType evalResult; -#if TARGET_OS_EMBEDDED CFArrayRef errorStrings; -#else - CSSM_TP_APPLE_EVIDENCE_INFO *statusChain; - CFArrayRef certChain; -#endif CFArrayRef cfCertRef = CFArrayCreate((CFAllocatorRef) NULL, (void*)evalCertArray, evalCertArrayNumValues, &kCFTypeArrayCallBacks); if (!cfCertRef) { - plog(LLV_ERROR, LOCATION, NULL, + plog(ASL_LEVEL_ERR, "unable to create CFArray.\n"); return -1; } 
@@ -713,40 +474,35 @@ static OSStatus EvaluateCert(SecCertificateRef evalCertArray[], CFIndex evalCert goto end; if (evalResult != kSecTrustResultProceed && evalResult != kSecTrustResultUnspecified) { - plog(LLV_ERROR, LOCATION, NULL, "Error evaluating certificate.\n"); + plog(ASL_LEVEL_ERR, "Error evaluating certificate.\n"); switch (evalResult) { case kSecTrustResultInvalid: - plog(LLV_DEBUG, LOCATION, NULL, "eval result = kSecTrustResultInvalid.\n"); + plog(ASL_LEVEL_DEBUG, "eval result = kSecTrustResultInvalid.\n"); break; case kSecTrustResultProceed: - plog(LLV_DEBUG, LOCATION, NULL, "eval result = kSecTrustResultProceed.\n"); - break; - case kSecTrustResultConfirm: - plog(LLV_DEBUG, LOCATION, NULL, "eval result = kSecTrustResultConfirm.\n"); + plog(ASL_LEVEL_DEBUG, "eval result = kSecTrustResultProceed.\n"); break; case kSecTrustResultDeny: - plog(LLV_DEBUG, LOCATION, NULL, "eval result = kSecTrustResultDeny.\n"); + plog(ASL_LEVEL_DEBUG, "eval result = kSecTrustResultDeny.\n"); break; case kSecTrustResultUnspecified: - plog(LLV_DEBUG, LOCATION, NULL, "eval result = kSecTrustResultUnspecified.\n"); + plog(ASL_LEVEL_DEBUG, "eval result = kSecTrustResultUnspecified.\n"); break; case kSecTrustResultRecoverableTrustFailure: - plog(LLV_DEBUG, LOCATION, NULL, "eval result = kSecTrustResultRecoverableTrustFailure.\n"); + plog(ASL_LEVEL_DEBUG, "eval result = kSecTrustResultRecoverableTrustFailure.\n"); break; case kSecTrustResultFatalTrustFailure: - plog(LLV_DEBUG, LOCATION, NULL, "eval result = kSecTrustResultFatalTrustFailure.\n"); + plog(ASL_LEVEL_DEBUG, "eval result = kSecTrustResultFatalTrustFailure.\n"); break; case kSecTrustResultOtherError: - plog(LLV_DEBUG, LOCATION, NULL, "eval result = kSecTrustResultOtherError.\n"); + plog(ASL_LEVEL_DEBUG, "eval result = kSecTrustResultOtherError.\n"); break; default: - plog(LLV_DEBUG, LOCATION, NULL, "eval result unknown: value = %d.\n", (int)evalResult); + plog(ASL_LEVEL_DEBUG, "eval result unknown: value = %d.\n", 
(int)evalResult); break; } - -#if TARGET_OS_EMBEDDED errorStrings = SecTrustCopyProperties(trustRef); if (errorStrings) { @@ -755,7 +511,7 @@ static OSStatus EvaluateCert(SecCertificateRef evalCertArray[], CFIndex evalCert const char *str; CFIndex count, maxcount = CFArrayGetCount(errorStrings); - plog(LLV_ERROR, LOCATION, NULL, "---------------Returned error strings: ---------------.\n"); + plog(ASL_LEVEL_ERR, "---------------Returned error strings: ---------------.\n"); for (count = 0; count < maxcount; count++) { dict = CFArrayGetValueAtIndex(errorStrings, count); if (dict && (CFGetTypeID(dict) == CFDictionaryGetTypeID())) { 
@@ -763,42 +519,26 @@ static OSStatus EvaluateCert(SecCertificateRef evalCertArray[], CFIndex evalCert if (val && (CFGetTypeID(val) == CFStringGetTypeID())) { str = CFStringGetCStringPtr(val, kCFStringEncodingMacRoman); if (str) - plog(LLV_ERROR, LOCATION, NULL, "type = %s.\n", str); + plog(ASL_LEVEL_ERR, "type = %s.\n", str); } val = CFDictionaryGetValue(dict, kSecPropertyKeyValue); if (val && (CFGetTypeID(val) == CFStringGetTypeID())) { str = CFStringGetCStringPtr(val, kCFStringEncodingMacRoman); if (str) - plog(LLV_ERROR, LOCATION, NULL, "value = %s.\n", str); + plog(ASL_LEVEL_ERR, "value = %s.\n", str); } } } - plog(LLV_ERROR, LOCATION, NULL, "-----------------------------------------------------.\n"); + plog(ASL_LEVEL_ERR, "-----------------------------------------------------.\n"); CFRelease(errorStrings); } - -#else - SecTrustGetResult(trustRef, &evalResult, &certChain, &statusChain); - plog(LLV_ERROR, LOCATION, NULL, "Cert status bits = 0x%x.\n", statusChain->StatusBits); - plog(LLV_ERROR, LOCATION, NULL, "Cert status NumStatusCodes = 0x%x.\n", statusChain->NumStatusCodes); - { - int i; - for (i = 0; i < statusChain->NumStatusCodes; i++) - plog(LLV_ERROR, LOCATION, NULL, "Cert status code i = 0x%x %d.\n", *(statusChain->StatusCodes + i), *(statusChain->StatusCodes + i)); - } - plog(LLV_ERROR, LOCATION, NULL, "Cert status Index = %d.\n", statusChain->Index); - CFRelease(certChain); -#endif - + status = -1; goto end; } - -#if TARGET_OS_EMBEDDED /* get and return the public key */ *publicKeyRef = SecTrustCopyPublicKey(trustRef); -#endif end: if (cfCertRef) 
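Review bot: At the success tail of EvaluateCert, `*publicKeyRef = SecTrustCopyPublicKey(trustRef);` is now compiled on every platform (the TARGET_OS_EMBEDDED guard is gone) but checks neither that publicKeyRef is non-NULL nor that the copy succeeded, so a trusted chain whose key cannot be extracted returns noErr with a NULL key that the caller presumably goes on to use for signature verification. Guard both cases: `if (publicKeyRef == NULL || (*publicKeyRef = SecTrustCopyPublicKey(trustRef)) == NULL) status = -1;` so that a noErr return always carries a usable key. The `end:` cleanup and the function's return lie outside this hunk.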
@@ -807,40 +547,13 @@ end: CFRelease(trustRef); if (status != noErr && status != -1) { - plog(LLV_ERROR, LOCATION, NULL, - "error %d %s.\n", status, GetSecurityErrorString(status)); + plog(ASL_LEVEL_ERR, + "EvaluateCert error %d %s.\n", (int)status, GetSecurityErrorString(status)); status = -1; } return status; } -#if !TARGET_OS_EMBEDDED -/* - * Copy the system keychain - */ -static OSStatus CopySystemKeychain(SecKeychainRef *keychainRef) -{ - - OSStatus status; - - status = SecKeychainSetPreferenceDomain(kSecPreferencesDomainSystem); - if (status != noErr) - goto end; - - status = SecKeychainCopyDomainDefault(kSecPreferencesDomainSystem, keychainRef); - -end: - - if (status != noErr) { - plog(LLV_ERROR, LOCATION, NULL, - "error %d %s.\n", status, GetSecurityErrorString(status)); - status = -1; - } - return status; - -} -#endif - /* * Return string representation of Security-related OSStatus. */ @@ -850,17 +563,22 @@ GetSecurityErrorString(OSStatus err) switch(err) { case noErr: return "noErr"; - case memFullErr: - return "memFullErr"; - case paramErr: - return "paramErr"; - case unimpErr: - return "unimpErr"; /* SecBase.h: */ case errSecNotAvailable: return "errSecNotAvailable"; + #if !TARGET_OS_EMBEDDED + case memFullErr: + return "memFullErr"; + case paramErr: + return "paramErr"; + case unimpErr: + return "unimpErr"; +#endif + +#ifndef HAVE_OPENSSL + /* SecBase.h: */ case errSecReadOnly: return "errSecReadOnly"; case errSecAuthFailed: