[apple/security.git] / OSX / libsecurity_keychain / lib / SecAccess.cpp

/*
 * Copyright (c) 2002-2004,2011-2014 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */

#include <Security/SecBase.h>
#include <Security/SecAccess.h>
#include <Security/SecAccessPriv.h>
#include <Security/SecTrustedApplication.h>
#include <Security/SecTrustedApplicationPriv.h>
#include <security_keychain/Access.h>
#include <security_utilities/casts.h>
#include <utilities/SecCFRelease.h>
#include "SecBridge.h"
#include <sys/param.h>

#include <utilities/SecCFWrappers.h>

#include "LegacyAPICounts.h"

/* No restrictions. Permission to perform all operations on
   the resource or available to an ACL owner.  */


const CFStringRef kSecACLAuthorizationAny = CFSTR("ACLAuthorizationAny");

const CFStringRef kSecACLAuthorizationLogin = CFSTR("ACLAuthorizationLogin");
const CFStringRef kSecACLAuthorizationGenKey = CFSTR("ACLAuthorizationGenKey");
const CFStringRef kSecACLAuthorizationDelete = CFSTR("ACLAuthorizationDelete");
const CFStringRef kSecACLAuthorizationExportWrapped = CFSTR("ACLAuthorizationExportWrapped");
const CFStringRef kSecACLAuthorizationExportClear = CFSTR("ACLAuthorizationExportClear");
const CFStringRef kSecACLAuthorizationImportWrapped = CFSTR("ACLAuthorizationImportWrapped");
const CFStringRef kSecACLAuthorizationImportClear = CFSTR("ACLAuthorizationImportClear");
const CFStringRef kSecACLAuthorizationSign = CFSTR("ACLAuthorizationSign");
const CFStringRef kSecACLAuthorizationEncrypt = CFSTR("ACLAuthorizationEncrypt");
const CFStringRef kSecACLAuthorizationDecrypt = CFSTR("ACLAuthorizationDecrypt");
const CFStringRef kSecACLAuthorizationMAC = CFSTR("ACLAuthorizationMAC");
const CFStringRef kSecACLAuthorizationDerive = CFSTR("ACLAuthorizationDerive");

/* Defined authorization tag values for Keychain */


const CFStringRef kSecACLAuthorizationKeychainCreate = CFSTR("ACLAuthorizationKeychainCreate");
const CFStringRef kSecACLAuthorizationKeychainDelete = CFSTR("ACLAuthorizationKeychainDelete");
const CFStringRef kSecACLAuthorizationKeychainItemRead = CFSTR("ACLAuthorizationKeychainItemRead");
const CFStringRef kSecACLAuthorizationKeychainItemInsert = CFSTR("ACLAuthorizationKeychainItemInsert");
const CFStringRef kSecACLAuthorizationKeychainItemModify = CFSTR("ACLAuthorizationKeychainItemModify");
const CFStringRef kSecACLAuthorizationKeychainItemDelete = CFSTR("ACLAuthorizationKeychainItemDelete");

const CFStringRef kSecACLAuthorizationChangeACL = CFSTR("ACLAuthorizationChangeACL");
const CFStringRef kSecACLAuthorizationChangeOwner = CFSTR("ACLAuthorizationChangeOwner");
const CFStringRef kSecACLAuthorizationPartitionID = CFSTR("ACLAuthorizationPartitionID");
const CFStringRef kSecACLAuthorizationIntegrity = CFSTR("ACLAuthorizationIntegrity");


static CFArrayRef copyTrustedAppListFromBundle(CFStringRef bundlePath, CFStringRef trustedAppListFileName);

static CFStringRef gKeys[] =
{
	kSecACLAuthorizationAny,
	kSecACLAuthorizationLogin,
	kSecACLAuthorizationGenKey,
	kSecACLAuthorizationDelete,
	kSecACLAuthorizationExportWrapped,
	kSecACLAuthorizationExportClear,
	kSecACLAuthorizationImportWrapped,
	kSecACLAuthorizationImportClear,
	kSecACLAuthorizationSign,
	kSecACLAuthorizationEncrypt,
	kSecACLAuthorizationDecrypt,
	kSecACLAuthorizationMAC,
	kSecACLAuthorizationDerive,

	/* Defined authorization tag values for Keychain */
	kSecACLAuthorizationKeychainCreate,
	kSecACLAuthorizationKeychainDelete,
	kSecACLAuthorizationKeychainItemRead,
	kSecACLAuthorizationKeychainItemInsert,
	kSecACLAuthorizationKeychainItemModify,
	kSecACLAuthorizationKeychainItemDelete,

	kSecACLAuthorizationChangeACL,
	kSecACLAuthorizationChangeOwner,
    kSecACLAuthorizationPartitionID,
    kSecACLAuthorizationIntegrity
};

static sint32 gValues[] =
{
	CSSM_ACL_AUTHORIZATION_ANY,
	CSSM_ACL_AUTHORIZATION_LOGIN,
	CSSM_ACL_AUTHORIZATION_GENKEY,
	CSSM_ACL_AUTHORIZATION_DELETE,
	CSSM_ACL_AUTHORIZATION_EXPORT_WRAPPED,
	CSSM_ACL_AUTHORIZATION_EXPORT_CLEAR,
	CSSM_ACL_AUTHORIZATION_IMPORT_WRAPPED,
	CSSM_ACL_AUTHORIZATION_IMPORT_CLEAR,
	CSSM_ACL_AUTHORIZATION_SIGN,
	CSSM_ACL_AUTHORIZATION_ENCRYPT,
	CSSM_ACL_AUTHORIZATION_DECRYPT,
	CSSM_ACL_AUTHORIZATION_MAC,
	CSSM_ACL_AUTHORIZATION_DERIVE,
	CSSM_ACL_AUTHORIZATION_DBS_CREATE,
	CSSM_ACL_AUTHORIZATION_DBS_DELETE,
	CSSM_ACL_AUTHORIZATION_DB_READ,
	CSSM_ACL_AUTHORIZATION_DB_INSERT,
	CSSM_ACL_AUTHORIZATION_DB_MODIFY,
	CSSM_ACL_AUTHORIZATION_DB_DELETE,
	CSSM_ACL_AUTHORIZATION_CHANGE_ACL,
	CSSM_ACL_AUTHORIZATION_CHANGE_OWNER,
    CSSM_ACL_AUTHORIZATION_PARTITION_ID,
    CSSM_ACL_AUTHORIZATION_INTEGRITY
};

static
CFDictionaryRef CreateStringToNumDictionary()
{
	int numItems = (sizeof(gValues) / sizeof(sint32));
	CFMutableDictionaryRef tempDict = CFDictionaryCreateMutable(kCFAllocatorDefault, numItems, &kCFCopyStringDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);

	for (int iCnt = 0; iCnt < numItems; iCnt++)
	{
		sint32 aNumber = gValues[iCnt];
		CFNumberRef aNum = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &aNumber);

		CFStringRef aString = gKeys[iCnt];
		CFDictionaryAddValue(tempDict, aString, aNum);
		CFRelease(aNum);
	}

	CFDictionaryRef result = CFDictionaryCreateCopy(kCFAllocatorDefault, tempDict);
	CFRelease(tempDict);
	return result;

}

static
CFDictionaryRef CreateNumToStringDictionary()
{
	int numItems = (sizeof(gValues) / sizeof(sint32));

	CFMutableDictionaryRef tempDict = CFDictionaryCreateMutable(kCFAllocatorDefault, numItems, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);

	for (int iCnt = 0; iCnt < numItems; iCnt++)
	{
		sint32 aNumber = gValues[iCnt];
		CFNumberRef aNum = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &aNumber);

		CFStringRef aString = gKeys[iCnt];
		CFDictionaryAddValue(tempDict, aNum, aString);
		CFRelease(aNum);

	}

	CFDictionaryRef result = CFDictionaryCreateCopy(kCFAllocatorDefault, tempDict);
	CFRelease(tempDict);
	return result;
}


/* TODO: This should be in some header */
sint32 GetACLAuthorizationTagFromString(CFStringRef aclStr);
sint32 GetACLAuthorizationTagFromString(CFStringRef aclStr)
{
	if (NULL == aclStr)
	{
#ifndef NDEBUG
		CFShow(CFSTR("GetACLAuthorizationTagFromString aclStr is NULL"));
#endif
		return 0;
	}

	static CFDictionaryRef gACLMapping = NULL;

	if (NULL == gACLMapping)
	{
		gACLMapping = CreateStringToNumDictionary();
	}

	sint32 result = 0;
	CFNumberRef valueResult = (CFNumberRef)CFDictionaryGetValue(gACLMapping, aclStr);
	if (NULL != valueResult)
	{
		if (!CFNumberGetValue(valueResult, kCFNumberSInt32Type, &result))
		{
			return 0;
		}

	}
	else
	{
		return 0;
	}

	return result;

}

/* TODO: This should be in some header */
CFStringRef GetAuthStringFromACLAuthorizationTag(sint32 tag);
CFStringRef GetAuthStringFromACLAuthorizationTag(sint32 tag)
{
	static CFDictionaryRef gTagMapping = NULL;
	CFNumberRef aNum = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &tag);

	if (NULL == gTagMapping)
	{
		gTagMapping = CreateNumToStringDictionary();
	}

	CFStringRef result = (CFStringRef)kSecACLAuthorizationAny;

	if (NULL != gTagMapping && CFDictionaryContainsKey(gTagMapping, aNum))
	{
		result = (CFStringRef)CFDictionaryGetValue(gTagMapping, aNum);
	}
    CFReleaseSafe(aNum);
	return result;
}

//
// CF boilerplate
//
CFTypeID SecAccessGetTypeID(void)
{
	BEGIN_SECAPI
	return gTypes().Access.typeID;
	END_SECAPI1(_kCFRuntimeNotATypeID)
}


//
// API bridge calls
//
/*!
 *	Create a new SecAccessRef that is set to the default configuration
 *	of a (newly created) security object.
 */
OSStatus SecAccessCreate(CFStringRef descriptor, CFArrayRef trustedList, SecAccessRef *accessRef)
{
	BEGIN_SECAPI
	Required(descriptor);
	SecPointer<Access> access;
	if (trustedList) {
		CFIndex length = CFArrayGetCount(trustedList);
		ACL::ApplicationList trusted;
		for (CFIndex n = 0; n < length; n++)
			trusted.push_back(TrustedApplication::required(
				SecTrustedApplicationRef(CFArrayGetValueAtIndex(trustedList, n))));
		access = new Access(cfString(descriptor), trusted);
	} else {
		access = new Access(cfString(descriptor));
	}
	Required(accessRef) = access->handle();
	END_SECAPI
}


/*!
 */
OSStatus SecAccessCreateFromOwnerAndACL(const CSSM_ACL_OWNER_PROTOTYPE *owner,
	uint32 aclCount, const CSSM_ACL_ENTRY_INFO *acls,
	SecAccessRef *accessRef)
{
	BEGIN_SECAPI
	Required(accessRef);	// preflight
	SecPointer<Access> access = new Access(Required(owner), aclCount, &Required(acls));
	*accessRef = access->handle();
	END_SECAPI
}

SecAccessRef SecAccessCreateWithOwnerAndACL(uid_t userId, gid_t groupId, SecAccessOwnerType ownerType, CFArrayRef acls, CFErrorRef *error)
{
	COUNTLEGACYAPI
	SecAccessRef result = NULL;

	CSSM_ACL_PROCESS_SUBJECT_SELECTOR selector =
	{
		CSSM_ACL_PROCESS_SELECTOR_CURRENT_VERSION,	// selector version
		int_cast<UInt32, uint16>(ownerType),
		userId,
		groupId
	};

	CSSM_LIST_ELEMENT subject2 = { NULL, 0 };
	subject2.Element.Word.Data = (UInt8 *)&selector;
	subject2.Element.Word.Length = sizeof(selector);
	CSSM_LIST_ELEMENT subject1 =
	{
		&subject2, CSSM_ACL_SUBJECT_TYPE_PROCESS, CSSM_LIST_ELEMENT_WORDID
	};

	CFIndex numAcls = 0;

	if (NULL != acls)
	{
		numAcls = CFArrayGetCount(acls);
	}

#ifndef NDEBUG
	CFStringRef debugStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL,
		CFSTR("SecAccessCreateWithOwnerAndACL: processing %d acls"), (int)numAcls);
	CFShow(debugStr);
	CFRelease(debugStr);
#endif

	std::vector<CSSM_ACL_AUTHORIZATION_TAG> rights(numAcls);

	for (CFIndex iCnt = 0; iCnt < numAcls; iCnt++)
	{
		CFStringRef aclStr = (CFStringRef)CFArrayGetValueAtIndex(acls, iCnt);

#ifndef NDEBUG
		debugStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL,
			CFSTR("SecAccessCreateWithOwnerAndACL: acls[%d] = %@"), (int)iCnt, aclStr);

		CFShow(debugStr);
		CFRelease(debugStr);
#endif

		CSSM_ACL_AUTHORIZATION_TAG aTag = GetACLAuthorizationTagFromString(aclStr);

#ifndef NDEBUG
		debugStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL,
			CFSTR("SecAccessCreateWithOwnerAndACL: rights[%d] = %d"), (int)iCnt, aTag);

		CFShow(debugStr);
		CFRelease(debugStr);
#endif

		rights[iCnt] = aTag;
	}


	for (CFIndex iCnt = 0; iCnt < numAcls; iCnt++)
	{
#ifndef NDEBUG
		debugStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL,
			CFSTR("SecAccessCreateWithOwnerAndACL: rights[%d]  = %d"), (int)iCnt, rights[iCnt]);

		CFShow(debugStr);
		CFRelease(debugStr);
#endif


	}

	CSSM_ACL_OWNER_PROTOTYPE owner =
	{
		// TypedSubject
		{ CSSM_LIST_TYPE_UNKNOWN, &subject1, &subject2 },
		// Delegate
		false
	};


	// ACL entries (any number, just one here)
	CSSM_ACL_ENTRY_INFO acl_rights[] =
	{
		{
			// prototype
			{
				// TypedSubject
				{ CSSM_LIST_TYPE_UNKNOWN, &subject1, &subject2 },
				false,	// Delegate
				// rights for this entry
				{ (uint32)numAcls, rights.data() },
				// rest is defaulted
			}
		}
	};

	OSStatus err = SecAccessCreateFromOwnerAndACL(&owner,
		sizeof(acl_rights) / sizeof(acl_rights[0]), acl_rights, &result);

	if (errSecSuccess != err)
	{
		result = NULL;
		if (NULL != error)
		{
			*error  = CFErrorCreate(kCFAllocatorDefault, CFSTR("FIX ME"), err, NULL);
   		}
	}
	return result;
}


/*!
 */
OSStatus SecAccessGetOwnerAndACL(SecAccessRef accessRef,
	CSSM_ACL_OWNER_PROTOTYPE_PTR *owner,
	uint32 *aclCount, CSSM_ACL_ENTRY_INFO_PTR *acls)
{
	BEGIN_SECAPI
	Access::required(accessRef)->copyOwnerAndAcl(
		Required(owner), Required(aclCount), Required(acls));
	END_SECAPI
}

OSStatus SecAccessCopyOwnerAndACL(SecAccessRef accessRef, uid_t* userId, gid_t* groupId, SecAccessOwnerType* ownerType, CFArrayRef* aclList)
{
	COUNTLEGACYAPI
	CSSM_ACL_OWNER_PROTOTYPE_PTR owner = NULL;
	CSSM_ACL_ENTRY_INFO_PTR acls = NULL;
	uint32 aclCount = 0;
	OSStatus result = SecAccessGetOwnerAndACL(accessRef, &owner, &aclCount, &acls);
	if (errSecSuccess != result )
	{
		return result;
	}

	if (NULL != owner)
	{
		CSSM_LIST_ELEMENT_PTR listHead = owner->TypedSubject.Head;
		if (listHead != NULL && listHead->ElementType == CSSM_LIST_ELEMENT_WORDID)
		{
			CSSM_LIST_ELEMENT_PTR nextElement = listHead->NextElement;
			if (listHead->WordID == CSSM_ACL_SUBJECT_TYPE_PROCESS && listHead->ElementType == CSSM_LIST_ELEMENT_WORDID)
			{
				// nextElement contains the required data
				CSSM_ACL_PROCESS_SUBJECT_SELECTOR* selectorPtr = (CSSM_ACL_PROCESS_SUBJECT_SELECTOR*)nextElement->Element.Word.Data;
				if (NULL != selectorPtr)
				{
					if (NULL != userId)
					{
						*userId = (uid_t)selectorPtr->uid;
					}

					if (NULL != groupId)
					{
						*groupId = (gid_t)selectorPtr->gid;
					}

					if (NULL != ownerType)
					{
						*ownerType = (SecAccessOwnerType)selectorPtr->mask;
					}
				}
			}

		}

	}

	if (NULL != aclList)
	{
#ifndef NDEBUG
		CFShow(CFSTR("SecAccessCopyOwnerAndACL: processing the ACL list"));
#endif

		CFMutableArrayRef stringArray = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
		CSSM_ACL_OWNER_PROTOTYPE_PTR protoPtr = NULL;
		uint32 numAcls = 0L;
		CSSM_ACL_ENTRY_INFO_PTR aclEntry = NULL;

		result = SecAccessGetOwnerAndACL(accessRef, &protoPtr, &numAcls, &aclEntry);
		if (errSecSuccess == result)
		{
#ifndef NDEBUG
			CFStringRef tempStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("SecAccessCopyOwnerAndACL: numAcls = %d"), numAcls);
			CFShow(tempStr);
			CFRelease(tempStr);
#endif

			for (uint32 iCnt = 0; iCnt < numAcls; iCnt++)
			{
				CSSM_ACL_ENTRY_PROTOTYPE prototype = aclEntry[iCnt].EntryPublicInfo;
				CSSM_AUTHORIZATIONGROUP authGroup = prototype.Authorization;
				int numAuthTags = (int)authGroup.NumberOfAuthTags;

				for (int jCnt = 0; jCnt < numAuthTags; jCnt++)
				{

					sint32 aTag = authGroup.AuthTags[jCnt];
					CFStringRef aString = GetAuthStringFromACLAuthorizationTag(aTag);

					CFArrayAppendValue(stringArray, aString);
				}
			}
		}

		if (NULL != stringArray)
		{
			if (0 < CFArrayGetCount(stringArray))
			{
				*aclList = CFArrayCreateCopy(kCFAllocatorDefault, stringArray);
			}
			CFRelease(stringArray);
		}
	}

	return result;
}

/*!
 */
OSStatus SecAccessCopyACLList(SecAccessRef accessRef,
	CFArrayRef *aclList)
{
	BEGIN_SECAPI
	Required(aclList) = Access::required(accessRef)->copySecACLs();
	END_SECAPI
}


/*!
 */
OSStatus SecAccessCopySelectedACLList(SecAccessRef accessRef,
	CSSM_ACL_AUTHORIZATION_TAG action,
	CFArrayRef *aclList)
{
	BEGIN_SECAPI
	Required(aclList) = Access::required(accessRef)->copySecACLs(action);
	END_SECAPI
}

CFArrayRef SecAccessCopyMatchingACLList(SecAccessRef accessRef, CFTypeRef authorizationTag)
{
	COUNTLEGACYAPI
	CFArrayRef result = NULL;
	CSSM_ACL_AUTHORIZATION_TAG tag = GetACLAuthorizationTagFromString((CFStringRef)authorizationTag);
	OSStatus err = SecAccessCopySelectedACLList(accessRef, tag, &result);
	if (errSecSuccess != err)
	{
		result = NULL;
	}
	return result;
}

CFArrayRef copyTrustedAppListFromBundle(CFStringRef bundlePath, CFStringRef trustedAppListFileName)
{
	CFStringRef errorString = nil;
    CFURLRef bundleURL,trustedAppsURL = NULL;
    CFBundleRef secBundle = NULL;
	CFPropertyListRef trustedAppsPlist = NULL;
	CFDataRef xmlDataRef = NULL;
	SInt32 errorCode;
    CFArrayRef trustedAppList = NULL;
	CFMutableStringRef trustedAppListFileNameWithoutExtension = NULL;
Commit	Line	Data
b1ab9ed8	1	/*
d8f41ccd	2	* Copyright (c) 2002-2004,2011-2014 Apple Inc. All Rights Reserved.
427c49bc	3	*
b1ab9ed8	4	* @APPLE_LICENSE_HEADER_START@
d8f41ccd	5	*
b1ab9ed8 A	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
d8f41ccd	12	*
b1ab9ed8 A	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
d8f41ccd	20	*
b1ab9ed8 A	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
b54c578e	24	#include <Security/SecBase.h>
b1ab9ed8 A	25	#include <Security/SecAccess.h>
b1ab9ed8 A	26	#include <Security/SecAccessPriv.h>
427c49bc A	27	#include <Security/SecTrustedApplication.h>
427c49bc A	28	#include <Security/SecTrustedApplicationPriv.h>
b1ab9ed8	29	#include <security_keychain/Access.h>
6b200bc3 A	30	#include <security_utilities/casts.h>
6b200bc3 A	31	#include <utilities/SecCFRelease.h>
b1ab9ed8 A	32	#include "SecBridge.h"
	33	#include <sys/param.h>
	34
427c49bc A	35	#include <utilities/SecCFWrappers.h>
427c49bc A	36
d64be36e	37	#include "LegacyAPICounts.h"
427c49bc	38
b1ab9ed8 A	39	/* No restrictions. Permission to perform all operations on
	40	the resource or available to an ACL owner. */
	41
	42
5c19dc3a A	43	const CFStringRef kSecACLAuthorizationAny = CFSTR("ACLAuthorizationAny");
	44
	45	const CFStringRef kSecACLAuthorizationLogin = CFSTR("ACLAuthorizationLogin");
	46	const CFStringRef kSecACLAuthorizationGenKey = CFSTR("ACLAuthorizationGenKey");
	47	const CFStringRef kSecACLAuthorizationDelete = CFSTR("ACLAuthorizationDelete");
	48	const CFStringRef kSecACLAuthorizationExportWrapped = CFSTR("ACLAuthorizationExportWrapped");
	49	const CFStringRef kSecACLAuthorizationExportClear = CFSTR("ACLAuthorizationExportClear");
	50	const CFStringRef kSecACLAuthorizationImportWrapped = CFSTR("ACLAuthorizationImportWrapped");
	51	const CFStringRef kSecACLAuthorizationImportClear = CFSTR("ACLAuthorizationImportClear");
	52	const CFStringRef kSecACLAuthorizationSign = CFSTR("ACLAuthorizationSign");
	53	const CFStringRef kSecACLAuthorizationEncrypt = CFSTR("ACLAuthorizationEncrypt");
	54	const CFStringRef kSecACLAuthorizationDecrypt = CFSTR("ACLAuthorizationDecrypt");
	55	const CFStringRef kSecACLAuthorizationMAC = CFSTR("ACLAuthorizationMAC");
	56	const CFStringRef kSecACLAuthorizationDerive = CFSTR("ACLAuthorizationDerive");
b1ab9ed8 A	57
	58	/* Defined authorization tag values for Keychain */
	59
	60
427c49bc	61
5c19dc3a A	62	const CFStringRef kSecACLAuthorizationKeychainCreate = CFSTR("ACLAuthorizationKeychainCreate");
	63	const CFStringRef kSecACLAuthorizationKeychainDelete = CFSTR("ACLAuthorizationKeychainDelete");
	64	const CFStringRef kSecACLAuthorizationKeychainItemRead = CFSTR("ACLAuthorizationKeychainItemRead");
	65	const CFStringRef kSecACLAuthorizationKeychainItemInsert = CFSTR("ACLAuthorizationKeychainItemInsert");
	66	const CFStringRef kSecACLAuthorizationKeychainItemModify = CFSTR("ACLAuthorizationKeychainItemModify");
	67	const CFStringRef kSecACLAuthorizationKeychainItemDelete = CFSTR("ACLAuthorizationKeychainItemDelete");
b1ab9ed8	68
5c19dc3a A	69	const CFStringRef kSecACLAuthorizationChangeACL = CFSTR("ACLAuthorizationChangeACL");
5c19dc3a A	70	const CFStringRef kSecACLAuthorizationChangeOwner = CFSTR("ACLAuthorizationChangeOwner");
e3d460c9 A	71	const CFStringRef kSecACLAuthorizationPartitionID = CFSTR("ACLAuthorizationPartitionID");
e3d460c9 A	72	const CFStringRef kSecACLAuthorizationIntegrity = CFSTR("ACLAuthorizationIntegrity");
b1ab9ed8 A	73
	74
	75	static CFArrayRef copyTrustedAppListFromBundle(CFStringRef bundlePath, CFStringRef trustedAppListFileName);
	76
427c49bc	77	static CFStringRef gKeys[] =
b1ab9ed8	78	{
5c19dc3a A	79	kSecACLAuthorizationAny,
	80	kSecACLAuthorizationLogin,
	81	kSecACLAuthorizationGenKey,
	82	kSecACLAuthorizationDelete,
	83	kSecACLAuthorizationExportWrapped,
	84	kSecACLAuthorizationExportClear,
	85	kSecACLAuthorizationImportWrapped,
	86	kSecACLAuthorizationImportClear,
	87	kSecACLAuthorizationSign,
	88	kSecACLAuthorizationEncrypt,
	89	kSecACLAuthorizationDecrypt,
	90	kSecACLAuthorizationMAC,
	91	kSecACLAuthorizationDerive,
b1ab9ed8 A	92
b1ab9ed8 A	93	/* Defined authorization tag values for Keychain */
5c19dc3a A	94	kSecACLAuthorizationKeychainCreate,
	95	kSecACLAuthorizationKeychainDelete,
	96	kSecACLAuthorizationKeychainItemRead,
	97	kSecACLAuthorizationKeychainItemInsert,
	98	kSecACLAuthorizationKeychainItemModify,
	99	kSecACLAuthorizationKeychainItemDelete,
	100
	101	kSecACLAuthorizationChangeACL,
e3d460c9 A	102	kSecACLAuthorizationChangeOwner,
	103	kSecACLAuthorizationPartitionID,
	104	kSecACLAuthorizationIntegrity
b1ab9ed8 A	105	};
	106
	107	static sint32 gValues[] =
	108	{
	109	CSSM_ACL_AUTHORIZATION_ANY,
	110	CSSM_ACL_AUTHORIZATION_LOGIN,
	111	CSSM_ACL_AUTHORIZATION_GENKEY,
	112	CSSM_ACL_AUTHORIZATION_DELETE,
	113	CSSM_ACL_AUTHORIZATION_EXPORT_WRAPPED,
	114	CSSM_ACL_AUTHORIZATION_EXPORT_CLEAR,
	115	CSSM_ACL_AUTHORIZATION_IMPORT_WRAPPED,
	116	CSSM_ACL_AUTHORIZATION_IMPORT_CLEAR,
	117	CSSM_ACL_AUTHORIZATION_SIGN,
	118	CSSM_ACL_AUTHORIZATION_ENCRYPT,
	119	CSSM_ACL_AUTHORIZATION_DECRYPT,
	120	CSSM_ACL_AUTHORIZATION_MAC,
	121	CSSM_ACL_AUTHORIZATION_DERIVE,
	122	CSSM_ACL_AUTHORIZATION_DBS_CREATE,
	123	CSSM_ACL_AUTHORIZATION_DBS_DELETE,
	124	CSSM_ACL_AUTHORIZATION_DB_READ,
	125	CSSM_ACL_AUTHORIZATION_DB_INSERT,
	126	CSSM_ACL_AUTHORIZATION_DB_MODIFY,
	127	CSSM_ACL_AUTHORIZATION_DB_DELETE,
	128	CSSM_ACL_AUTHORIZATION_CHANGE_ACL,
e3d460c9 A	129	CSSM_ACL_AUTHORIZATION_CHANGE_OWNER,
	130	CSSM_ACL_AUTHORIZATION_PARTITION_ID,
	131	CSSM_ACL_AUTHORIZATION_INTEGRITY
b1ab9ed8 A	132	};
b1ab9ed8 A	133
427c49bc	134	static
b1ab9ed8 A	135	CFDictionaryRef CreateStringToNumDictionary()
	136	{
	137	int numItems = (sizeof(gValues) / sizeof(sint32));
427c49bc A	138	CFMutableDictionaryRef tempDict = CFDictionaryCreateMutable(kCFAllocatorDefault, numItems, &kCFCopyStringDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
427c49bc A	139
b1ab9ed8 A	140	for (int iCnt = 0; iCnt < numItems; iCnt++)
	141	{
	142	sint32 aNumber = gValues[iCnt];
	143	CFNumberRef aNum = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &aNumber);
427c49bc	144
b1ab9ed8 A	145	CFStringRef aString = gKeys[iCnt];
b1ab9ed8 A	146	CFDictionaryAddValue(tempDict, aString, aNum);
427c49bc	147	CFRelease(aNum);
b1ab9ed8	148	}
427c49bc	149
b1ab9ed8 A	150	CFDictionaryRef result = CFDictionaryCreateCopy(kCFAllocatorDefault, tempDict);
	151	CFRelease(tempDict);
	152	return result;
427c49bc	153
b1ab9ed8 A	154	}
b1ab9ed8 A	155
427c49bc	156	static
b1ab9ed8 A	157	CFDictionaryRef CreateNumToStringDictionary()
	158	{
	159	int numItems = (sizeof(gValues) / sizeof(sint32));
427c49bc A	160
	161	CFMutableDictionaryRef tempDict = CFDictionaryCreateMutable(kCFAllocatorDefault, numItems, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
	162
b1ab9ed8 A	163	for (int iCnt = 0; iCnt < numItems; iCnt++)
	164	{
	165	sint32 aNumber = gValues[iCnt];
427c49bc A	166	CFNumberRef aNum = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &aNumber);
427c49bc A	167
b1ab9ed8 A	168	CFStringRef aString = gKeys[iCnt];
	169	CFDictionaryAddValue(tempDict, aNum, aString);
	170	CFRelease(aNum);
427c49bc	171
b1ab9ed8	172	}
427c49bc	173
b1ab9ed8 A	174	CFDictionaryRef result = CFDictionaryCreateCopy(kCFAllocatorDefault, tempDict);
	175	CFRelease(tempDict);
	176	return result;
	177	}
	178
	179
427c49bc A	180	/* TODO: This should be in some header */
427c49bc A	181	sint32 GetACLAuthorizationTagFromString(CFStringRef aclStr);
b1ab9ed8 A	182	sint32 GetACLAuthorizationTagFromString(CFStringRef aclStr)
	183	{
	184	if (NULL == aclStr)
	185	{
	186	#ifndef NDEBUG
	187	CFShow(CFSTR("GetACLAuthorizationTagFromString aclStr is NULL"));
	188	#endif
	189	return 0;
	190	}
427c49bc	191
b1ab9ed8	192	static CFDictionaryRef gACLMapping = NULL;
427c49bc	193
b1ab9ed8 A	194	if (NULL == gACLMapping)
	195	{
	196	gACLMapping = CreateStringToNumDictionary();
	197	}
427c49bc	198
b1ab9ed8 A	199	sint32 result = 0;
	200	CFNumberRef valueResult = (CFNumberRef)CFDictionaryGetValue(gACLMapping, aclStr);
	201	if (NULL != valueResult)
	202	{
	203	if (!CFNumberGetValue(valueResult, kCFNumberSInt32Type, &result))
	204	{
	205	return 0;
	206	}
427c49bc	207
b1ab9ed8 A	208	}
	209	else
	210	{
	211	return 0;
	212	}
427c49bc	213
b1ab9ed8	214	return result;
427c49bc	215
b1ab9ed8 A	216	}
b1ab9ed8 A	217
427c49bc A	218	/* TODO: This should be in some header */
427c49bc A	219	CFStringRef GetAuthStringFromACLAuthorizationTag(sint32 tag);
b1ab9ed8 A	220	CFStringRef GetAuthStringFromACLAuthorizationTag(sint32 tag)
	221	{
	222	static CFDictionaryRef gTagMapping = NULL;
	223	CFNumberRef aNum = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &tag);
427c49bc	224
b1ab9ed8 A	225	if (NULL == gTagMapping)
	226	{
	227	gTagMapping = CreateNumToStringDictionary();
	228	}
427c49bc	229
b1ab9ed8	230	CFStringRef result = (CFStringRef)kSecACLAuthorizationAny;
427c49bc	231
b1ab9ed8 A	232	if (NULL != gTagMapping && CFDictionaryContainsKey(gTagMapping, aNum))
	233	{
	234	result = (CFStringRef)CFDictionaryGetValue(gTagMapping, aNum);
	235	}
6b200bc3	236	CFReleaseSafe(aNum);
b1ab9ed8 A	237	return result;
	238	}
	239
	240	//
	241	// CF boilerplate
	242	//
	243	CFTypeID SecAccessGetTypeID(void)
	244	{
	245	BEGIN_SECAPI
	246	return gTypes().Access.typeID;
	247	END_SECAPI1(_kCFRuntimeNotATypeID)
	248	}
	249
	250
	251	//
	252	// API bridge calls
	253	//
	254	/*!
	255	* Create a new SecAccessRef that is set to the default configuration
	256	* of a (newly created) security object.
	257	*/
	258	OSStatus SecAccessCreate(CFStringRef descriptor, CFArrayRef trustedList, SecAccessRef *accessRef)
	259	{
	260	BEGIN_SECAPI
	261	Required(descriptor);
	262	SecPointer<Access> access;
	263	if (trustedList) {
	264	CFIndex length = CFArrayGetCount(trustedList);
	265	ACL::ApplicationList trusted;
	266	for (CFIndex n = 0; n < length; n++)
	267	trusted.push_back(TrustedApplication::required(
	268	SecTrustedApplicationRef(CFArrayGetValueAtIndex(trustedList, n))));
	269	access = new Access(cfString(descriptor), trusted);
	270	} else {
	271	access = new Access(cfString(descriptor));
	272	}
	273	Required(accessRef) = access->handle();
	274	END_SECAPI
	275	}
	276
	277
	278	/*!
	279	*/
	280	OSStatus SecAccessCreateFromOwnerAndACL(const CSSM_ACL_OWNER_PROTOTYPE *owner,
	281	uint32 aclCount, const CSSM_ACL_ENTRY_INFO *acls,
	282	SecAccessRef *accessRef)
	283	{
	284	BEGIN_SECAPI
	285	Required(accessRef); // preflight
	286	SecPointer<Access> access = new Access(Required(owner), aclCount, &Required(acls));
	287	*accessRef = access->handle();
	288	END_SECAPI
	289	}
	290
	291	SecAccessRef SecAccessCreateWithOwnerAndACL(uid_t userId, gid_t groupId, SecAccessOwnerType ownerType, CFArrayRef acls, CFErrorRef *error)
	292	{
d64be36e	293	COUNTLEGACYAPI
b1ab9ed8	294	SecAccessRef result = NULL;
427c49bc A	295
427c49bc A	296	CSSM_ACL_PROCESS_SUBJECT_SELECTOR selector =
b1ab9ed8 A	297	{
b1ab9ed8 A	298	CSSM_ACL_PROCESS_SELECTOR_CURRENT_VERSION, // selector version
6b200bc3	299	int_cast<UInt32, uint16>(ownerType),
427c49bc A	300	userId,
427c49bc A	301	groupId
b1ab9ed8	302	};
427c49bc	303
b1ab9ed8 A	304	CSSM_LIST_ELEMENT subject2 = { NULL, 0 };
	305	subject2.Element.Word.Data = (UInt8 *)&selector;
	306	subject2.Element.Word.Length = sizeof(selector);
427c49bc	307	CSSM_LIST_ELEMENT subject1 =
b1ab9ed8 A	308	{
	309	&subject2, CSSM_ACL_SUBJECT_TYPE_PROCESS, CSSM_LIST_ELEMENT_WORDID
	310	};
427c49bc	311
b1ab9ed8	312	CFIndex numAcls = 0;
427c49bc	313
b1ab9ed8 A	314	if (NULL != acls)
	315	{
	316	numAcls = CFArrayGetCount(acls);
427c49bc A	317	}
427c49bc A	318
b1ab9ed8	319	#ifndef NDEBUG
427c49bc A	320	CFStringRef debugStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL,
427c49bc A	321	CFSTR("SecAccessCreateWithOwnerAndACL: processing %d acls"), (int)numAcls);
b1ab9ed8 A	322	CFShow(debugStr);
	323	CFRelease(debugStr);
	324	#endif
427c49bc	325
dbe77505	326	std::vector<CSSM_ACL_AUTHORIZATION_TAG> rights(numAcls);
427c49bc	327
b1ab9ed8 A	328	for (CFIndex iCnt = 0; iCnt < numAcls; iCnt++)
	329	{
	330	CFStringRef aclStr = (CFStringRef)CFArrayGetValueAtIndex(acls, iCnt);
427c49bc	331
b1ab9ed8	332	#ifndef NDEBUG
427c49bc A	333	debugStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL,
	334	CFSTR("SecAccessCreateWithOwnerAndACL: acls[%d] = %@"), (int)iCnt, aclStr);
	335
b1ab9ed8 A	336	CFShow(debugStr);
	337	CFRelease(debugStr);
	338	#endif
427c49bc	339
b1ab9ed8	340	CSSM_ACL_AUTHORIZATION_TAG aTag = GetACLAuthorizationTagFromString(aclStr);
427c49bc	341
b1ab9ed8	342	#ifndef NDEBUG
427c49bc A	343	debugStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL,
	344	CFSTR("SecAccessCreateWithOwnerAndACL: rights[%d] = %d"), (int)iCnt, aTag);
	345
b1ab9ed8 A	346	CFShow(debugStr);
	347	CFRelease(debugStr);
	348	#endif
427c49bc	349
b1ab9ed8 A	350	rights[iCnt] = aTag;
b1ab9ed8 A	351	}
427c49bc A	352
427c49bc A	353
b1ab9ed8 A	354	for (CFIndex iCnt = 0; iCnt < numAcls; iCnt++)
	355	{
	356	#ifndef NDEBUG
427c49bc A	357	debugStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL,
	358	CFSTR("SecAccessCreateWithOwnerAndACL: rights[%d] = %d"), (int)iCnt, rights[iCnt]);
	359
b1ab9ed8 A	360	CFShow(debugStr);
	361	CFRelease(debugStr);
	362	#endif
427c49bc	363
b1ab9ed8 A	364
b1ab9ed8 A	365	}
427c49bc A	366
427c49bc A	367	CSSM_ACL_OWNER_PROTOTYPE owner =
b1ab9ed8 A	368	{
	369	// TypedSubject
	370	{ CSSM_LIST_TYPE_UNKNOWN, &subject1, &subject2 },
	371	// Delegate
	372	false
	373	};
427c49bc A	374
427c49bc A	375
b1ab9ed8	376	// ACL entries (any number, just one here)
427c49bc	377	CSSM_ACL_ENTRY_INFO acl_rights[] =
b1ab9ed8 A	378	{
	379	{
	380	// prototype
	381	{
	382	// TypedSubject
	383	{ CSSM_LIST_TYPE_UNKNOWN, &subject1, &subject2 },
	384	false, // Delegate
	385	// rights for this entry
dbe77505	386	{ (uint32)numAcls, rights.data() },
b1ab9ed8 A	387	// rest is defaulted
	388	}
	389	}
	390	};
427c49bc A	391
427c49bc A	392	OSStatus err = SecAccessCreateFromOwnerAndACL(&owner,
b1ab9ed8	393	sizeof(acl_rights) / sizeof(acl_rights[0]), acl_rights, &result);
427c49bc A	394
427c49bc A	395	if (errSecSuccess != err)
b1ab9ed8 A	396	{
	397	result = NULL;
	398	if (NULL != error)
	399	{
	400	*error = CFErrorCreate(kCFAllocatorDefault, CFSTR("FIX ME"), err, NULL);
	401	}
	402	}
427c49bc	403	return result;
b1ab9ed8 A	404	}
	405
	406
	407	/*!
	408	*/
	409	OSStatus SecAccessGetOwnerAndACL(SecAccessRef accessRef,
	410	CSSM_ACL_OWNER_PROTOTYPE_PTR *owner,
	411	uint32 aclCount, CSSM_ACL_ENTRY_INFO_PTR acls)
	412	{
	413	BEGIN_SECAPI
	414	Access::required(accessRef)->copyOwnerAndAcl(
	415	Required(owner), Required(aclCount), Required(acls));
	416	END_SECAPI
	417	}
	418
	419	OSStatus SecAccessCopyOwnerAndACL(SecAccessRef accessRef, uid_t* userId, gid_t* groupId, SecAccessOwnerType* ownerType, CFArrayRef* aclList)
	420	{
d64be36e	421	COUNTLEGACYAPI
b1ab9ed8 A	422	CSSM_ACL_OWNER_PROTOTYPE_PTR owner = NULL;
	423	CSSM_ACL_ENTRY_INFO_PTR acls = NULL;
	424	uint32 aclCount = 0;
	425	OSStatus result = SecAccessGetOwnerAndACL(accessRef, &owner, &aclCount, &acls);
427c49bc	426	if (errSecSuccess != result )
b1ab9ed8 A	427	{
	428	return result;
	429	}
427c49bc	430
b1ab9ed8 A	431	if (NULL != owner)
	432	{
	433	CSSM_LIST_ELEMENT_PTR listHead = owner->TypedSubject.Head;
	434	if (listHead != NULL && listHead->ElementType == CSSM_LIST_ELEMENT_WORDID)
	435	{
	436	CSSM_LIST_ELEMENT_PTR nextElement = listHead->NextElement;
	437	if (listHead->WordID == CSSM_ACL_SUBJECT_TYPE_PROCESS && listHead->ElementType == CSSM_LIST_ELEMENT_WORDID)
	438	{
	439	// nextElement contains the required data
	440	CSSM_ACL_PROCESS_SUBJECT_SELECTOR* selectorPtr = (CSSM_ACL_PROCESS_SUBJECT_SELECTOR*)nextElement->Element.Word.Data;
	441	if (NULL != selectorPtr)
	442	{
	443	if (NULL != userId)
	444	{
	445	*userId = (uid_t)selectorPtr->uid;
	446	}
427c49bc	447
b1ab9ed8 A	448	if (NULL != groupId)
	449	{
	450	*groupId = (gid_t)selectorPtr->gid;
	451	}
427c49bc	452
b1ab9ed8 A	453	if (NULL != ownerType)
	454	{
	455	*ownerType = (SecAccessOwnerType)selectorPtr->mask;
	456	}
	457	}
	458	}
427c49bc	459
b1ab9ed8	460	}
427c49bc	461
b1ab9ed8	462	}
427c49bc	463
b1ab9ed8 A	464	if (NULL != aclList)
	465	{
	466	#ifndef NDEBUG
	467	CFShow(CFSTR("SecAccessCopyOwnerAndACL: processing the ACL list"));
	468	#endif
	469
	470	CFMutableArrayRef stringArray = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
	471	CSSM_ACL_OWNER_PROTOTYPE_PTR protoPtr = NULL;
	472	uint32 numAcls = 0L;
	473	CSSM_ACL_ENTRY_INFO_PTR aclEntry = NULL;
427c49bc	474
b1ab9ed8	475	result = SecAccessGetOwnerAndACL(accessRef, &protoPtr, &numAcls, &aclEntry);
427c49bc	476	if (errSecSuccess == result)
b1ab9ed8 A	477	{
	478	#ifndef NDEBUG
	479	CFStringRef tempStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("SecAccessCopyOwnerAndACL: numAcls = %d"), numAcls);
	480	CFShow(tempStr);
	481	CFRelease(tempStr);
	482	#endif
	483
	484	for (uint32 iCnt = 0; iCnt < numAcls; iCnt++)
	485	{
	486	CSSM_ACL_ENTRY_PROTOTYPE prototype = aclEntry[iCnt].EntryPublicInfo;
	487	CSSM_AUTHORIZATIONGROUP authGroup = prototype.Authorization;
	488	int numAuthTags = (int)authGroup.NumberOfAuthTags;
427c49bc	489
b1ab9ed8 A	490	for (int jCnt = 0; jCnt < numAuthTags; jCnt++)
b1ab9ed8 A	491	{
427c49bc	492
b1ab9ed8 A	493	sint32 aTag = authGroup.AuthTags[jCnt];
b1ab9ed8 A	494	CFStringRef aString = GetAuthStringFromACLAuthorizationTag(aTag);
427c49bc	495
b1ab9ed8 A	496	CFArrayAppendValue(stringArray, aString);
	497	}
	498	}
	499	}
427c49bc	500
b1ab9ed8 A	501	if (NULL != stringArray)
	502	{
	503	if (0 < CFArrayGetCount(stringArray))
	504	{
	505	*aclList = CFArrayCreateCopy(kCFAllocatorDefault, stringArray);
	506	}
	507	CFRelease(stringArray);
	508	}
	509	}
427c49bc A	510
427c49bc A	511	return result;
b1ab9ed8 A	512	}
	513
	514	/*!
	515	*/
	516	OSStatus SecAccessCopyACLList(SecAccessRef accessRef,
	517	CFArrayRef *aclList)
	518	{
	519	BEGIN_SECAPI
	520	Required(aclList) = Access::required(accessRef)->copySecACLs();
	521	END_SECAPI
	522	}
	523
	524
	525	/*!
	526	*/
	527	OSStatus SecAccessCopySelectedACLList(SecAccessRef accessRef,
	528	CSSM_ACL_AUTHORIZATION_TAG action,
	529	CFArrayRef *aclList)
	530	{
	531	BEGIN_SECAPI
	532	Required(aclList) = Access::required(accessRef)->copySecACLs(action);
	533	END_SECAPI
	534	}
	535
	536	CFArrayRef SecAccessCopyMatchingACLList(SecAccessRef accessRef, CFTypeRef authorizationTag)
	537	{
d64be36e	538	COUNTLEGACYAPI
b1ab9ed8 A	539	CFArrayRef result = NULL;
	540	CSSM_ACL_AUTHORIZATION_TAG tag = GetACLAuthorizationTagFromString((CFStringRef)authorizationTag);
	541	OSStatus err = SecAccessCopySelectedACLList(accessRef, tag, &result);
427c49bc	542	if (errSecSuccess != err)
b1ab9ed8 A	543	{
	544	result = NULL;
	545	}
	546	return result;
	547	}
	548
	549	CFArrayRef copyTrustedAppListFromBundle(CFStringRef bundlePath, CFStringRef trustedAppListFileName)
	550	{
	551	CFStringRef errorString = nil;
	552	CFURLRef bundleURL,trustedAppsURL = NULL;
	553	CFBundleRef secBundle = NULL;
	554	CFPropertyListRef trustedAppsPlist = NULL;
	555	CFDataRef xmlDataRef = NULL;
	556	SInt32 errorCode;
	557	CFArrayRef trustedAppList = NULL;
	558	CFMutableStringRef trustedAppListFileNameWithoutExtension = NULL;
	559
	560