[apple/security.git] / OSX / libsecurity_keychain / lib / TrustSettings.cpp

/*
 * Copyright (c) 2005,2011-2015 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 */

/*
 * TrustSettings.h - class to manage cert trust settings.
 *
 */

#include "TrustSettings.h"
#include "TrustSettingsSchema.h"
#include "SecTrustSettings.h"
#include "TrustSettingsUtils.h"
#include "TrustKeychains.h"
#include "Certificate.h"
#include "cssmdatetime.h"
#include <Security/SecBase.h>
#include "SecTrustedApplicationPriv.h"
#include <security_utilities/errors.h>
#include <security_utilities/debugging.h>
#include <security_utilities/logging.h>
#include <security_utilities/cfutilities.h>
#include <security_utilities/alloc.h>
#include <Security/cssmapplePriv.h>
#include <Security/oidscert.h>
#include <Security/SecCertificatePriv.h>
#include <Security/SecPolicyPriv.h>
#include <security_keychain/KCCursor.h>
#include <security_ocspd/ocspdClient.h>
#include <CoreFoundation/CoreFoundation.h>
#include <assert.h>
#include <Security/Authorization.h>
#include <sys/stat.h>

#define trustSettingsDbg(args...)		secdebug("trustSettings", ## args)
#define trustSettingsEvalDbg(args...)	secdebug("trustSettingsEval", ## args)

/*
 * Common error return for "malformed TrustSettings record"
 */
#define errSecInvalidTrustedRootRecord	errSecInvalidTrustSettings

using namespace KeychainCore;

#pragma mark --- Static functions ---

/*
 * Comparator atoms to determine if an app's specified usage
 * matches an individual trust setting. Each returns true on a match, false
 * if the trust setting does not match the app's spec.
 *
 * A match fails iff:
 *
 * -- the app has specified a field, and the cert has a spec for that
 *    field, and the two specs do not match;
 *
 * OR
 *
 * -- the cert has a spec for the field and the app hasn't specified the field
 */
static bool tsCheckPolicy(
	const CSSM_OID *appPolicy,
	CFDataRef certPolicy)
{
	if(certPolicy != NULL) {
		if(appPolicy == NULL) {
			trustSettingsEvalDbg("tsCheckPolicy: certPolicy, !appPolicy");
			return false;
		}
		unsigned cLen = (unsigned)CFDataGetLength(certPolicy);
		const UInt8 *cData = CFDataGetBytePtr(certPolicy);
		if((cLen != appPolicy->Length) || memcmp(appPolicy->Data, cData, cLen)) {
			trustSettingsEvalDbg("tsCheckPolicy: policy mismatch");
			return false;
		}
	}
	return true;
}

/*
 * This one's slightly different: the match is for *this* app, not one
 * specified by the app.
 */
static bool tsCheckApp(
	CFDataRef certApp)
{
	if(certApp != NULL) {
		SecTrustedApplicationRef appRef;
		OSStatus ortn;
		ortn = SecTrustedApplicationCreateWithExternalRepresentation(certApp, &appRef);
		if(ortn) {
			trustSettingsDbg("tsCheckApp: bad trustedApp data\n");
			return false;
		}
		ortn = SecTrustedApplicationValidateWithPath(appRef, NULL);
		if(ortn) {
			/* Not this app */
			return false;
		}
	}

	return true;
}

static bool tsCheckKeyUse(
	SecTrustSettingsKeyUsage appKeyUse,
	CFNumberRef certKeyUse)
{
	if(certKeyUse != NULL) {
		SInt32 certUse;
		CFNumberGetValue(certKeyUse, kCFNumberSInt32Type, &certUse);
		SecTrustSettingsKeyUsage cku = (SecTrustSettingsKeyUsage)certUse;
		if(cku == kSecTrustSettingsKeyUseAny) {
			/* explicitly allows anything */
			return true;
		}
		/* cert specification must be a superset of app's intended use */
		if(appKeyUse == 0) {
			trustSettingsEvalDbg("tsCheckKeyUse: certKeyUsage, !appKeyUsage");
			return false;
		}

		if((cku & appKeyUse) != appKeyUse) {
			trustSettingsEvalDbg("tsCheckKeyUse: keyUse mismatch");
			return false;
		}
	}
	return true;
}

static bool tsCheckPolicyStr(
	const char *appPolicyStr,
	CFStringRef certPolicyStr)
{
	if(certPolicyStr != NULL) {
		if(appPolicyStr == NULL) {
			trustSettingsEvalDbg("tsCheckPolicyStr: certPolicyStr, !appPolicyStr");
			return false;
		}
		/* Let CF do the string compare */
		CFStringRef cfPolicyStr = CFStringCreateWithCString(NULL, appPolicyStr,
			kCFStringEncodingUTF8);
		if(cfPolicyStr == NULL) {
			/* I really don't see how this can happen */
			trustSettingsEvalDbg("tsCheckPolicyStr: policyStr string conversion error");
			return false;
		}

		// Some trust setting strings were created with a NULL character at the
		// end, which was included in the length. Strip those off before compare

		CFMutableStringRef certPolicyStrNoNULL = CFStringCreateMutableCopy(NULL, 0, certPolicyStr);
		if (certPolicyStrNoNULL == NULL) {
			/* I really don't see how this can happen either */
			trustSettingsEvalDbg("tsCheckPolicyStr: policyStr string conversion error 2");
			return false;
		}

		CFStringFindAndReplace(certPolicyStrNoNULL, CFSTR("\00"),
			CFSTR(""), CFRangeMake(0, CFStringGetLength(certPolicyStrNoNULL)), kCFCompareBackwards);

		CFComparisonResult res = CFStringCompare(cfPolicyStr, certPolicyStrNoNULL, 0);
		CFRelease(cfPolicyStr);
		CFRelease(certPolicyStrNoNULL);
		if(res != kCFCompareEqualTo) {
			trustSettingsEvalDbg("tsCheckPolicyStr: policyStr mismatch");
			return false;
		}
	}
	return true;
}

/*
 * Determine if a cert's trust settings dictionary satisfies the specified
 * usage constraints. Returns true if so.
 * Only certs with a SecTrustSettingsResult of kSecTrustSettingsResultTrustRoot
 * or kSecTrustSettingsResultTrustAsRoot will match.
 */
static bool qualifyUsageWithCertDict(
	CFDictionaryRef			certDict,
	const CSSM_OID			*policyOID,		/* optional */
	const char				*policyStr,		/* optional */
	SecTrustSettingsKeyUsage keyUsage,	/* optional; default = any (actually "all" here) */
	bool					onlyRoots)
{
	/* this array is optional */
	CFArrayRef trustSettings = (CFArrayRef)CFDictionaryGetValue(certDict,
		kTrustRecordTrustSettings);
	CFIndex numSpecs = 0;
	if(trustSettings != NULL) {
		numSpecs = CFArrayGetCount(trustSettings);
	}
	if(numSpecs == 0) {
		/*
		 * Trivial case: cert has no trust settings, indicating that
		 * it's used for everything.
		 */
		trustSettingsEvalDbg("qualifyUsageWithCertDict: no trust settings");
		return true;
	}
	for(CFIndex addDex=0; addDex<numSpecs; addDex++) {
		CFDictionaryRef tsDict = (CFDictionaryRef)CFArrayGetValueAtIndex(trustSettings,
			addDex);

		/* per-cert specs: all optional */
		CFDataRef   certPolicy     = (CFDataRef)CFDictionaryGetValue(tsDict,
										kSecTrustSettingsPolicy);
		CFDataRef   certApp        = (CFDataRef)CFDictionaryGetValue(tsDict,
										kSecTrustSettingsApplication);
		CFStringRef certPolicyStr  = (CFStringRef)CFDictionaryGetValue(tsDict,
										kSecTrustSettingsPolicyString);
		CFNumberRef certKeyUsage   = (CFNumberRef)CFDictionaryGetValue(tsDict,
										kSecTrustSettingsKeyUsage);
		CFNumberRef certResultType = (CFNumberRef)CFDictionaryGetValue(tsDict,
										kSecTrustSettingsResult);

		if(!tsCheckPolicy(policyOID, certPolicy)) {
			continue;
		}
		if(!tsCheckApp(certApp)) {
			continue;
		}
		if(!tsCheckKeyUse(keyUsage, certKeyUsage)) {
			continue;
		}
		if(!tsCheckPolicyStr(policyStr, certPolicyStr)) {
			continue;
		}

		/*
		 * This is a match, take whatever SecTrustSettingsResult is here,
		 * including the default if not specified.
		 */
		SecTrustSettingsResult resultType = kSecTrustSettingsResultTrustRoot;
		if(certResultType) {
			SInt32 s;
			CFNumberGetValue(certResultType, kCFNumberSInt32Type, &s);
			resultType = (SecTrustSettingsResult)s;
		}
		switch(resultType) {
			case kSecTrustSettingsResultTrustRoot:
				trustSettingsEvalDbg("qualifyUsageWithCertDict: TrustRoot MATCH");
				return true;
			case kSecTrustSettingsResultTrustAsRoot:
				if(onlyRoots) {
					trustSettingsEvalDbg("qualifyUsageWithCertDict: TrustAsRoot but not root");
					return false;
				}
				trustSettingsEvalDbg("qualifyUsageWithCertDict: TrustAsRoot MATCH");
				return true;
			default:
				trustSettingsEvalDbg("qualifyUsageWithCertDict: bad resultType "
					"(%lu)", (unsigned long)resultType);
				return false;
		}
	}
	trustSettingsEvalDbg("qualifyUsageWithCertDict: NO MATCH");
	return false;
}

/*
 * Create initial top-level dictionary when constructing a new TrustSettings.
 */
static CFMutableDictionaryRef tsInitialDict()
{
	CFMutableDictionaryRef dict = CFDictionaryCreateMutable(NULL,
		kSecTrustRecordNumTopDictKeys,
		&kCFTypeDictionaryKeyCallBacks,	&kCFTypeDictionaryValueCallBacks);

	/* the dictionary of per-cert entries */
	CFMutableDictionaryRef trustDict = CFDictionaryCreateMutable(NULL, 0,
		&kCFTypeDictionaryKeyCallBacks,	&kCFTypeDictionaryValueCallBacks);
	CFDictionaryAddValue(dict, kTrustRecordTrustList, trustDict);
	CFRelease(trustDict);

	SInt32 vers = kSecTrustRecordVersionCurrent;
	CFNumberRef cfVers = CFNumberCreate(NULL, kCFNumberSInt32Type, &vers);
	CFDictionaryAddValue(dict, kTrustRecordVersion, cfVers);
	CFRelease(cfVers);
	return dict;
}

/*
 * Set the modification date of a per-cert dictionary to current time.
 */
static void tsSetModDate(
	CFMutableDictionaryRef dict)
{
	CFDateRef modDate;

	modDate = CFDateCreate(NULL, CFAbsoluteTimeGetCurrent());
	CFDictionarySetValue(dict, kTrustRecordModDate, modDate);
	CFRelease(modDate);
}

/* make sure a presumed CFNumber can be converted to a 32-bit number */
static
bool tsIsGoodCfNum(CFNumberRef cfn, SInt32 *num = NULL)
{
	if(cfn == NULL) {
		/* by convention */
		if(num) {
			*num = 0;
		}
		return true;
	}
	if(CFGetTypeID(cfn) != CFNumberGetTypeID()) {
		return false;
	}

	SInt32 s;
	if(!CFNumberGetValue(cfn, kCFNumberSInt32Type, &s)) {
		return false;
	}
	else {
		if(num) {
			*num = s;
		}
		return true;
	}
}

TrustSettings::TrustSettings(SecTrustSettingsDomain domain)
		: mPropList(NULL),
		  mTrustDict(NULL),
		  mDictVersion(0),
		  mDomain(domain),
		  mDirty(false)
{
}


#pragma mark --- Public methods ---

/*
 * Normal constructor, from disk.
 * If create is true, the absence of an on-disk TrustSettings file
 * results in the creation of a new empty TrustSettings. If create is
 * false and no on-disk TrustSettings exists, errSecNoTrustSettings is
 * thrown.
 * If trim is true, the components of the on-disk TrustSettings not
 * needed for cert evaluation are discarded. This is for TrustSettings
 * that will be cached in memory long-term.
 */
OSStatus TrustSettings::CreateTrustSettings(
	SecTrustSettingsDomain	domain,
	bool					create,
	bool					trim,
	TrustSettings*&			ts)
{
	TrustSettings* t = new TrustSettings(domain);

	Allocator &alloc = Allocator::standard();
	CSSM_DATA fileData = {0, NULL};
	OSStatus ortn = errSecSuccess;
	struct stat sb;
	const char *path;

	/* get trust settings from file, one way or another */
	switch(domain) {
		case kSecTrustSettingsDomainAdmin:
			/*
 			 * Quickie optimization: if it's not there, don't try to
			 * get it from ocspd. This is possible because the name of the
			 * admin file is hard coded, but the per-user files aren't.
			 */
			path = TRUST_SETTINGS_PATH "/" ADMIN_TRUST_SETTINGS;
			if(stat(path, &sb)) {
				trustSettingsDbg("TrustSettings: no admin record; skipping");
				ortn = errSecNoTrustSettings;
				break;
			}
			/* else drop thru, get it from ocspd */
		case kSecTrustSettingsDomainUser:
			/* get settings from ocspd */
			ortn = ocspdTrustSettingsRead(alloc, domain, fileData);
			break;
		case kSecTrustSettingsDomainSystem:
			/* immutable; it's safe for us to read this directly */
			if(tsReadFile(SYSTEM_TRUST_SETTINGS_PATH, alloc, fileData)) {
				ortn = errSecNoTrustSettings;
			}
			break;
		default:
			delete t;
			return errSecParam;
	}
	if(ortn) {
		if(create) {
			trustSettingsDbg("TrustSettings: creating new record for domain %d",
				(int)domain);
			t->mPropList = tsInitialDict();
			t->mDirty = true;
		}
		else {
			trustSettingsDbg("TrustSettings: record not found for domain %d",
				(int)domain);
			delete t;
			return ortn;
		}
	}
	else {
		CFRef<CFDataRef> propList(CFDataCreate(NULL, fileData.Data, fileData.Length));
		t->initFromData(propList);
		alloc.free(fileData.Data);
	}
	t->validatePropList(trim);

	ts = t;
	return errSecSuccess;
}

/*
 * Create from external data, obtained by createExternal().
 * If externalData is NULL, we'll create an empty mTrustDict.
 */
OSStatus TrustSettings::CreateTrustSettings(
	SecTrustSettingsDomain				domain,
	CFDataRef							externalData,
	TrustSettings*&						ts)
{
	switch(domain) {
		case kSecTrustSettingsDomainUser:
		case kSecTrustSettingsDomainAdmin:
		case kSecTrustSettingsDomainMemory:
			break;
		case kSecTrustSettingsDomainSystem:		/* no can do, that implies writing to it */
		default:
			return errSecParam;
	}

	TrustSettings* t = new TrustSettings(domain);

	if(externalData != NULL) {
		t->initFromData(externalData);
	}
	else {
		t->mPropList = tsInitialDict();
	}
	t->validatePropList(TRIM_NO);		/* never trim this */
	t->mDirty = true;

	ts = t;
	return errSecSuccess;
}


TrustSettings::~TrustSettings()
{
	trustSettingsDbg("TrustSettings(domain %d) destructor", (int)mDomain);
	CFRELEASE(mPropList);		/* may be null if trimmed */
	CFRELEASE(mTrustDict);		/* normally always non-NULL */

}

/* common code to init mPropList from raw data */
void TrustSettings::initFromData(
	CFDataRef	trustSettingsData)
{
	CFStringRef errStr = NULL;

	mPropList = (CFMutableDictionaryRef)CFPropertyListCreateFromXMLData(
		NULL,
		trustSettingsData,
		kCFPropertyListMutableContainersAndLeaves,
		&errStr);
	if(mPropList == NULL) {
		trustSettingsDbg("TrustSettings::initFromData decode err (%s)",
			errStr ? CFStringGetCStringPtr(errStr, kCFStringEncodingUTF8) : "<no err>");
		if(errStr != NULL) {
			CFRelease(errStr);
		}
		MacOSError::throwMe(errSecInvalidTrustSettings);
	}
}

/*
 * Flush property list data out to disk if dirty.
 */
void TrustSettings::flushToDisk()
{
	if(!mDirty) {
		trustSettingsDbg("flushToDisk, domain %d, !dirty!", (int)mDomain);
		return;
	}
	if(mPropList == NULL) {
		trustSettingsDbg("flushToDisk, domain %d, trimmed!", (int)mDomain);
		assert(0);
		MacOSError::throwMe(errSecInternalComponent);
	}
	switch(mDomain) {
		case kSecTrustSettingsDomainSystem:
		case kSecTrustSettingsDomainMemory:
		/* caller shouldn't even try this */
		default:
			trustSettingsDbg("flushToDisk, bad domain (%d)", (int)mDomain);
			MacOSError::throwMe(errSecInternalComponent);
		case kSecTrustSettingsDomainUser:
		case kSecTrustSettingsDomainAdmin:
			break;
	}

	/*
	 * Optimization: if there are no certs in the mTrustDict dictionary,
	 * we tell ocspd to *remove* the settings for the specified domain.
	 * Having *no* settings uses less memory and is faster than having
	 * an empty settings file, especially for the admin domain, where we
	 * can avoid
	 * an RPC if the settings file is simply not there.
	 */
	CFRef<CFDataRef> xmlData;
	CSSM_DATA cssmXmlData = {0, NULL};
	CFIndex numCerts = CFDictionaryGetCount(mTrustDict);
	if(numCerts) {
		xmlData.take(CFPropertyListCreateXMLData(NULL, mPropList));
		if(!xmlData) {
			/* we've been very careful; this should never happen */
			trustSettingsDbg("flushToDisk, domain %d: error converting to XML", (int)mDomain);
			MacOSError::throwMe(errSecInternalComponent);
		}
		cssmXmlData.Data = (uint8 *)CFDataGetBytePtr(xmlData);
		cssmXmlData.Length = CFDataGetLength(xmlData);
	}
	else {
		trustSettingsDbg("flushToDisk, domain %d: DELETING trust settings", (int)mDomain);
	}

	/* cook up auth stuff so ocspd can act on our behalf */
	AuthorizationRef authRef;
	OSStatus ortn;
	ortn = AuthorizationCreate(NULL, kAuthorizationEmptyEnvironment,
			0, &authRef);
	if(ortn) {
		trustSettingsDbg("flushToDisk, domain %d: AuthorizationCreate returned %ld",
			(int)mDomain, (long)ortn);
		MacOSError::throwMe(errSecInternalComponent);
	}
	AuthorizationExternalForm authExt;
	CSSM_DATA authBlob = {sizeof(authExt), (uint8 *)&authExt};
	ortn = AuthorizationMakeExternalForm(authRef, &authExt);
	if(ortn) {
		trustSettingsDbg("flushToDisk, domain %d: AuthorizationMakeExternalForm returned %ld",
			(int)mDomain, (long)ortn);
		ortn = errSecInternalComponent;
		goto errOut;
	}

	ortn = ocspdTrustSettingsWrite(mDomain, authBlob, cssmXmlData);
	if(ortn) {
		trustSettingsDbg("flushToDisk, domain %d: ocspdTrustSettingsWrite returned %ld",
			(int)mDomain, (long)ortn);
		goto errOut;
	}
	trustSettingsDbg("flushToDisk, domain %d: wrote to disk", (int)mDomain);
	mDirty = false;
errOut:
	AuthorizationFree(authRef, 0);
	if(ortn) {
		MacOSError::throwMe(ortn);
	}
}

/*
 * Obtain external representation of TrustSettings data.
 */
CFDataRef TrustSettings::createExternal()
{
	assert(mPropList);
	CFDataRef xmlData = CFPropertyListCreateXMLData(NULL, mPropList);
	if(xmlData == NULL) {
		trustSettingsDbg("createExternal, domain %d: error converting to XML",
			(int)mDomain);
		MacOSError::throwMe(errSecInternalComponent);
	}
	return xmlData;
}

/*
 * Evaluate specified cert. Returns true if we found a record for the cert
 * matching specified constraints.
 * Note that a true return with a value of kSecTrustSettingsResultUnspecified for
 * the resultType means that a cert isn't to be trusted or untrusted
 * per se; it just means that we only found allowedErrors entries.
 *
 * Found "allows errors" values are added to the incoming allowedErrors
 * array which is reallocd as needed (and which may be NULL or non-NULL on
 * entry).
 */
bool TrustSettings::evaluateCert(
	CFStringRef				certHashStr,
	const CSSM_OID			*policyOID,			/* optional */
	const char				*policyStr,			/* optional */
	SecTrustSettingsKeyUsage keyUsage,			/* optional */
	bool					isRootCert,			/* for checking default setting */
	CSSM_RETURN				**allowedErrors,	/* IN/OUT; reallocd as needed */
	uint32					*numAllowedErrors,	/* IN/OUT */
	SecTrustSettingsResult	*resultType,		/* RETURNED */
	bool					*foundAnyEntry)		/* RETURNED */
{
	assert(mTrustDict != NULL);

	/* get trust settings dictionary for this cert */
	CFDictionaryRef certDict = findDictionaryForCertHash(certHashStr);
	if((certDict == NULL) && isRootCert) {
		/* No? How about default root setting for this domain? */
		certDict = findDictionaryForCertHash(kSecTrustRecordDefaultRootCert);
	}
#if CERT_HASH_DEBUG
	/* @@@ debug only @@@ */
	/* print certificate hash and found dictionary reference */
	const size_t maxHashStrLen = 512;
	char *buf = (char*)malloc(maxHashStrLen);
	if (buf) {
		if (!CFStringGetCString(certHashStr, buf, (CFIndex)maxHashStrLen, kCFStringEncodingUTF8)) {
			buf[0]='\0';
		}
		trustSettingsEvalDbg("evaluateCert for \"%s\", found dict %p", buf, certDict);
		free(buf);
	}
#endif

	if(certDict == NULL) {
		*foundAnyEntry = false;
		return false;
	}
	*foundAnyEntry = true;

	/* to-be-returned array of allowed errors */
	CSSM_RETURN *allowedErrs = *allowedErrors;
	uint32 numAllowedErrs = *numAllowedErrors;

	/* this means "we found something other than allowedErrors" if true */
	bool foundSettings = false;

	/* to be returned in *resultType if it ends up something other than Invalid */
	SecTrustSettingsResult returnedResult = kSecTrustSettingsResultInvalid;

	/*
	 * Note since we validated the entire mPropList in our constructor, and we're careful
	 * about what we put into it, we don't bother typechecking its contents here.
	 * Also note that the kTrustRecordTrustSettings entry is optional.
	 */
	CFArrayRef trustSettings = (CFArrayRef)CFDictionaryGetValue(certDict,
			kTrustRecordTrustSettings);
	CFIndex numSpecs = 0;
	if(trustSettings != NULL) {
		numSpecs = CFArrayGetCount(trustSettings);
	}
	if(numSpecs == 0) {
		/*
		 * Trivial case: cert has no trust settings, indicating that
		 * it's used for everything.
		 */
		trustSettingsEvalDbg("evaluateCert: no trust settings");
		/* the default... */
		*resultType = kSecTrustSettingsResultTrustRoot;
		return true;
	}

	/*
	 * The decidedly nontrivial part: grind thru all of the cert's trust
	 * settings, see if the cert matches the caller's specified usage.
	 */
	for(CFIndex addDex=0; addDex<numSpecs; addDex++) {
		CFDictionaryRef tsDict = (CFDictionaryRef)CFArrayGetValueAtIndex(trustSettings,
			addDex);

		/* per-cert specs: all optional */
		CFDataRef   certPolicy     = (CFDataRef)CFDictionaryGetValue(tsDict,
										kSecTrustSettingsPolicy);
		CFDataRef   certApp        = (CFDataRef)CFDictionaryGetValue(tsDict,
										kSecTrustSettingsApplication);
		CFStringRef certPolicyStr  = (CFStringRef)CFDictionaryGetValue(tsDict,
										kSecTrustSettingsPolicyString);
		CFNumberRef certKeyUsage   = (CFNumberRef)CFDictionaryGetValue(tsDict,
										kSecTrustSettingsKeyUsage);
		CFNumberRef certResultType = (CFNumberRef)CFDictionaryGetValue(tsDict,
										kSecTrustSettingsResult);
		CFNumberRef certAllowedErr = (CFNumberRef)CFDictionaryGetValue(tsDict,
										kSecTrustSettingsAllowedError);

		/* now, skip if we find a constraint that doesn't match intended use */
		if(!tsCheckPolicy(policyOID, certPolicy)) {
			continue;
		}
		if(!tsCheckApp(certApp)) {
			continue;
		}
		if(!tsCheckKeyUse(keyUsage, certKeyUsage)) {
			continue;
		}
		if(!tsCheckPolicyStr(policyStr, certPolicyStr)) {
			continue;
		}

		trustSettingsEvalDbg("evaluateCert: MATCH");
		foundSettings = true;

		if(certAllowedErr) {
			/* note we already validated this value */
			SInt32 s;
			CFNumberGetValue(certAllowedErr, kCFNumberSInt32Type, &s);
			allowedErrs = (CSSM_RETURN *)::realloc(allowedErrs,
				++numAllowedErrs * sizeof(CSSM_RETURN));
			allowedErrs[numAllowedErrs-1] = (CSSM_RETURN) s;
		}

		/*
		 * We found a match, but we only return the current result type
		 * to caller if we haven't already returned something other than
		 * kSecTrustSettingsResultUnspecified. Once we find a valid result type,
		 * we keep on searching, but only for additional allowed errors.
		 */
		switch(returnedResult) {
			/* found match but no valid resultType yet */
			case kSecTrustSettingsResultUnspecified:
			/* haven't been thru here */
			case kSecTrustSettingsResultInvalid:
				if(certResultType) {
					/* note we already validated this */
					SInt32 s;
					CFNumberGetValue(certResultType, kCFNumberSInt32Type, &s);
					returnedResult = (SecTrustSettingsResult)s;
				}
				else {
					/* default is "copacetic" */
					returnedResult = kSecTrustSettingsResultTrustRoot;
				}
				break;
			default:
				/* we already have a definitive resultType, don't change it */
				break;
		}
	}	/* for each dictionary in trustSettings */

	*allowedErrors = allowedErrs;
	*numAllowedErrors = numAllowedErrs;
	if(returnedResult != kSecTrustSettingsResultInvalid) {
		*resultType = returnedResult;
	}
	return foundSettings;
}


/*
 * Find all certs in specified keychain list which have entries in this trust record.
 * Certs already in the array are not added.
 */
void TrustSettings::findCerts(
	StorageManager::KeychainList	&keychains,
	CFMutableArrayRef				certArray)
{
	findQualifiedCerts(keychains,
		true,		/* findAll */
		false,		/* onlyRoots */
		NULL, NULL, kSecTrustSettingsKeyUseAny,
		certArray);
}

void TrustSettings::findQualifiedCerts(
	StorageManager::KeychainList	&keychains,
	/*
	 * If findAll is true, all certs are returned and the subsequent
	 * qualifiers are ignored
	 */
	bool							findAll,
	/* if true, only return root (self-signed) certs */
	bool							onlyRoots,
	const CSSM_OID					*policyOID,			/* optional */
	const char						*policyString,		/* optional */
	SecTrustSettingsKeyUsage		keyUsage,			/* optional */
	CFMutableArrayRef				certArray)			/* certs appended here */
{
	StLock<Mutex> _(SecTrustKeychainsGetMutex());

	/*
	 * a set, hopefully with a good hash function for CFData, to keep track of what's
	 * been added to the outgoing array.
	 */
	CFRef<CFMutableSetRef> certSet(CFSetCreateMutable(NULL, 0, &kCFTypeSetCallBacks));

	/* search: all certs, no attributes */
	KCCursor cursor(keychains, CSSM_DL_DB_RECORD_X509_CERTIFICATE, NULL);
	Item certItem;
	bool found;
	do {
		found = cursor->next(certItem);
		if(!found) {
			break;
		}
	#if !SECTRUST_OSX
		CFRef<SecCertificateRef> certRef((SecCertificateRef)certItem->handle());
	#else
		/* must convert to unified SecCertificateRef */
		SecPointer<Certificate> certificate(static_cast<Certificate *>(&*certItem));
		CssmData certCssmData = certificate->data();
		if (!(certCssmData.Data && certCssmData.Length)) {
			continue;
		}
		CFRef<CFDataRef> cfDataRef(CFDataCreate(NULL, certCssmData.Data, certCssmData.Length));
		CFRef<SecCertificateRef> certRef(SecCertificateCreateWithData(NULL, cfDataRef));
	#endif

		/* do we have an entry for this cert? */
		CFDictionaryRef certDict = findDictionaryForCert(certRef);
		if(certDict == NULL) {
			continue;
		}

		if(!findAll) {
			/* qualify */
			if(!qualifyUsageWithCertDict(certDict, policyOID,
					policyString, keyUsage, onlyRoots)) {
				continue;
			}
		}

		/* see if we already have this one - get in CFData form */
		CSSM_DATA certData;
		OSStatus ortn = SecCertificateGetData(certRef, &certData);
		if(ortn) {
			trustSettingsEvalDbg("findQualifiedCerts: SecCertificateGetData error");
			continue;
		}
		CFRef<CFDataRef> cfData(CFDataCreate(NULL, certData.Data, certData.Length));
		CFDataRef cfd = cfData;
		if(CFSetContainsValue(certSet, cfd)) {
			trustSettingsEvalDbg("findQualifiedCerts: dup cert");
			continue;
		}
		else {
			/* add to the tracking set, which owns the CFData now */
			CFSetAddValue(certSet, cfd);
			/* and add the SecCert to caller's array, which owns that now */
			CFArrayAppendValue(certArray, certRef);
		}
	} while(found);
}

/*
 * Obtain trust settings for the specified cert. Returned settings array
 * is in the public API form; caller must release. Returns NULL
 * (does not throw) if the cert is not present in this TrustRecord.
 */
CFArrayRef TrustSettings::copyTrustSettings(
	SecCertificateRef	certRef)
{
	CFDictionaryRef certDict = NULL;

	/* find the on-disk usage constraints for this cert */
	certDict = findDictionaryForCert(certRef);
	if(certDict == NULL) {
		trustSettingsDbg("copyTrustSettings: dictionary not found");
		return NULL;
	}
	CFArrayRef diskTrustSettings = (CFArrayRef)CFDictionaryGetValue(certDict,
		kTrustRecordTrustSettings);
	CFIndex numSpecs = 0;
	if(diskTrustSettings != NULL) {
		/* this field is optional */
		numSpecs = CFArrayGetCount(diskTrustSettings);
	}

	/*
	 * Convert to API-style array of dictionaries.
	 * We give the caller an array even if it's empty.
	 */
	CFRef<CFMutableArrayRef> outArray(CFArrayCreateMutable(NULL, numSpecs,
		&kCFTypeArrayCallBacks));
	for(CFIndex dex=0; dex<numSpecs; dex++) {
		CFDictionaryRef diskTsDict =
			(CFDictionaryRef)CFArrayGetValueAtIndex(diskTrustSettings, dex);
		/* already validated... */
		assert(CFGetTypeID(diskTsDict) == CFDictionaryGetTypeID());

		CFDataRef   certPolicy = (CFDataRef)  CFDictionaryGetValue(diskTsDict, kSecTrustSettingsPolicy);
		CFDataRef   certApp    = (CFDataRef)  CFDictionaryGetValue(diskTsDict, kSecTrustSettingsApplication);
		CFStringRef policyStr  = (CFStringRef)CFDictionaryGetValue(diskTsDict, kSecTrustSettingsPolicyString);
		CFNumberRef allowedErr = (CFNumberRef)CFDictionaryGetValue(diskTsDict, kSecTrustSettingsAllowedError);
		CFNumberRef resultType = (CFNumberRef)CFDictionaryGetValue(diskTsDict, kSecTrustSettingsResult);
		CFNumberRef keyUsage   = (CFNumberRef)CFDictionaryGetValue(diskTsDict, kSecTrustSettingsKeyUsage);

		if((certPolicy == NULL) &&
		   (certApp == NULL) &&
		   (policyStr == NULL) &&
		   (allowedErr == NULL) &&
		   (resultType == NULL) &&
		   (keyUsage == NULL)) {
			/* weird but legal */
			continue;
		}
		CFRef<CFMutableDictionaryRef> outTsDict(CFDictionaryCreateMutable(NULL,
			0,			// capacity
			&kCFTypeDictionaryKeyCallBacks,
			&kCFTypeDictionaryValueCallBacks));

		if(certPolicy != NULL) {
			/* convert OID as CFDataRef to SecPolicyRef */
			SecPolicyRef policyRef = NULL;
			CSSM_OID policyOid = { CFDataGetLength(certPolicy),
				(uint8 *)CFDataGetBytePtr(certPolicy) };
			OSStatus ortn = SecPolicyCopy(CSSM_CERT_X_509v3, &policyOid, &policyRef);
			if(ortn) {
				trustSettingsDbg("copyTrustSettings: OID conversion error");
				abort("Bad Policy OID in trusted root list", errSecInvalidTrustedRootRecord);
			}
			CFDictionaryAddValue(outTsDict, kSecTrustSettingsPolicy, policyRef);
			CFRelease(policyRef);			// owned by dictionary
		}

		if(certApp != NULL) {
			/* convert app as CFDataRef to SecTrustedApplicationRef */
			SecTrustedApplicationRef appRef;
			OSStatus ortn = SecTrustedApplicationCreateWithExternalRepresentation(certApp, &appRef);
			if(ortn) {
				trustSettingsDbg("copyTrustSettings: App conversion error");
				abort("Bad application data in trusted root list", errSecInvalidTrustedRootRecord);
			}
			CFDictionaryAddValue(outTsDict, kSecTrustSettingsApplication, appRef);
			CFRelease(appRef);			// owned by dictionary
		}

		/* remaining 4 are trivial */
		if(policyStr != NULL) {
			/*
			 * copy, since policyStr is in our mutable dictionary and could change out from
			 * under the caller
			 */
			CFStringRef str = CFStringCreateCopy(NULL, policyStr);
			CFDictionaryAddValue(outTsDict, kSecTrustSettingsPolicyString, str);
			CFRelease(str);			// owned by dictionary
		}
		if(allowedErr != NULL) {
			/* there is no mutable CFNumber, so.... */
			CFDictionaryAddValue(outTsDict, kSecTrustSettingsAllowedError, allowedErr);
		}
		if(resultType != NULL) {
			CFDictionaryAddValue(outTsDict, kSecTrustSettingsResult, resultType);
		}
		if(keyUsage != NULL) {
			CFDictionaryAddValue(outTsDict, kSecTrustSettingsKeyUsage, keyUsage);
		}
		CFArrayAppendValue(outArray, outTsDict);
		/* outTsDict autoreleases; owned by outArray now */
	}
	CFRetain(outArray);		// now that it's good to go....
	return outArray;
}

CFDateRef TrustSettings::copyModDate(
	SecCertificateRef	certRef)
{
	CFDictionaryRef certDict = NULL;

	/* find the on-disk usage constraints dictionary for this cert */
	certDict = findDictionaryForCert(certRef);
	if(certDict == NULL) {
		trustSettingsDbg("copyModDate: dictionary not found");
		return NULL;
	}
	CFDateRef modDate = (CFDateRef)CFDictionaryGetValue(certDict, kTrustRecordModDate);
	if(modDate == NULL) {
		return NULL;
	}

	/* this only works becuase there is no mutable CFDateRef */
	CFRetain(modDate);
	return modDate;
}

/*
 * Modify cert's trust settings, or add a new cert to the record.
 */
void TrustSettings::setTrustSettings(
	SecCertificateRef	certRef,
	CFTypeRef			trustSettingsDictOrArray)
{
	/* to validate, we need to know if the cert is self-signed */
	OSStatus ortn;
	Boolean isSelfSigned = false;

	if(certRef == kSecTrustSettingsDefaultRootCertSetting) {
		/*
 		 * Validate settings as if this were root, specifically,
		 * kSecTrustSettingsResultTrustRoot (explicitly or by
		 * default) is OK.
		 */
		isSelfSigned = true;
	}
	else {
		ortn = SecCertificateIsSelfSigned(certRef, &isSelfSigned);
		if(ortn) {
			MacOSError::throwMe(ortn);
		}
	}

	/* caller's app/policy spec OK? */
	CFRef<CFArrayRef> trustSettings(validateApiTrustSettings(
		trustSettingsDictOrArray, isSelfSigned));

	/* caller is responsible for ensuring these */
	assert(mPropList != NULL);
	assert(mDomain != kSecTrustSettingsDomainSystem);

	/* extract issuer and serial number from the cert, if it's a cert */
	CFRef<CFDataRef> issuer;
	CFRef<CFDataRef> serial;
	if(certRef != kSecTrustSettingsDefaultRootCertSetting) {
		copyIssuerAndSerial(certRef, issuer.take(), serial.take());
	}
	else {
		UInt8 dummy;
		issuer = CFDataCreate(NULL, &dummy, 0);
		serial = CFDataCreate(NULL, &dummy, 0);
	}

	/* SHA1 digest as string */
	CFRef<CFStringRef> certHashStr(SecTrustSettingsCertHashStrFromCert(certRef));
	if(!certHashStr) {
		trustSettingsDbg("TrustSettings::setTrustSettings: CertHashStrFromCert error");
		MacOSError::throwMe(errSecItemNotFound);
	}

	/*
	 * Find entry for this cert, if present.
	 */
	CFMutableDictionaryRef certDict =
		(CFMutableDictionaryRef)findDictionaryForCertHash(certHashStr);
	if(certDict == NULL) {
		/* create new dictionary */
		certDict = CFDictionaryCreateMutable(NULL, kSecTrustRecordNumCertDictKeys,
			&kCFCopyStringDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
		if(certDict == NULL) {
			MacOSError::throwMe(errSecAllocate);
		}
		CFDictionaryAddValue(certDict, kTrustRecordIssuer, issuer);
		CFDictionaryAddValue(certDict, kTrustRecordSerialNumber, serial);
		if(CFArrayGetCount(trustSettings) != 0) {
			/* skip this if the settings array is empty */
			CFDictionaryAddValue(certDict, kTrustRecordTrustSettings, trustSettings);
		}
		tsSetModDate(certDict);

		/* add this new cert dictionary to top-level mTrustDict */
		CFDictionaryAddValue(mTrustDict, static_cast<CFStringRef>(certHashStr), certDict);

		/* mTrustDict owns the dictionary now */
		CFRelease(certDict);
	}
	else {
		/* update */
		tsSetModDate(certDict);
		if(CFArrayGetCount(trustSettings) != 0) {
			CFDictionarySetValue(certDict, kTrustRecordTrustSettings, trustSettings);
		}
		else {
			/* empty settings array: remove from dictionary */
			CFDictionaryRemoveValue(certDict, kTrustRecordTrustSettings);
		}
	}
	mDirty = true;
}

/*
 * Delete a certificate's trust settings.
 */
void TrustSettings::deleteTrustSettings(
	SecCertificateRef	certRef)
{
	CFDictionaryRef certDict = NULL;

	/* caller is responsible for ensuring these */
	assert(mPropList != NULL);
	assert(mDomain != kSecTrustSettingsDomainSystem);

	/* SHA1 digest as string */
	CFRef<CFStringRef> certHashStr(SecTrustSettingsCertHashStrFromCert(certRef));
	if(!certHashStr) {
		MacOSError::throwMe(errSecItemNotFound);
	}

	/* present in top-level mTrustDict? */
	certDict = findDictionaryForCertHash(certHashStr);
	if(certDict != NULL) {
		CFDictionaryRemoveValue(mTrustDict, static_cast<CFStringRef>(certHashStr));
		mDirty = true;
	}
	else {
		/*
		 * Throwing this error is the only reason we don't blindly do
		 * a CFDictionaryRemoveValue() without first doing
		 * findDictionaryForCertHash().
		 */
		trustSettingsDbg("TrustSettings::deleteRoot: cert dictionary not found");
		MacOSError::throwMe(errSecItemNotFound);
	}
}

#pragma mark --- Private methods ---

/*
 * Find a given cert's entry in the top-level mTrustDict. Return the
 * entry as a dictionary. Returned dictionary is not refcounted.
 * The mutability of the returned dictionary is the same as the mutability
 * of the underlying StickRecord::mPropList, which the caller is just
 * going to have to know (and cast accordingly if a mutable dictionary
 * is needed).
 */
CFDictionaryRef TrustSettings::findDictionaryForCert(
	SecCertificateRef	certRef)
{
	CFRef<CFStringRef> certHashStr(SecTrustSettingsCertHashStrFromCert(certRef));
	if (certHashStr.get() == NULL)
	{
		return NULL;
	}

	return findDictionaryForCertHash(static_cast<CFStringRef>(certHashStr));
}

/*
 * Find entry in mTrustDict given cert hash string.
 */
CFDictionaryRef TrustSettings::findDictionaryForCertHash(
	CFStringRef		certHashStr)
{
	assert(mTrustDict != NULL);
	return (CFDictionaryRef)CFDictionaryGetValue(mTrustDict, certHashStr);
}

/*
 * Validate incoming trust settings, which may be NULL, a dictionary, or
 * an array of dictionaries. Convert from the API-style dictionaries
 * to the internal style suitable for writing to disk as part of
 * mPropList.
 *
 * We return a refcounted CFArray in any case if the incoming parameter is good.
 */
CFArrayRef TrustSettings::validateApiTrustSettings(
	CFTypeRef trustSettingsDictOrArray,
	Boolean isSelfSigned)
{
	CFArrayRef tmpInArray = NULL;

	if(trustSettingsDictOrArray == NULL) {
#if SECTRUST_OSX
#warning STU: temporarily unblocking build
#else
		/* trivial case, only valid for roots */
		if(!isSelfSigned) {
			trustSettingsDbg("validateApiUsageConstraints: !isSelfSigned, no settings");
			MacOSError::throwMe(errSecParam);
		}
#endif
		return CFArrayCreate(NULL, NULL, 0, &kCFTypeArrayCallBacks);
	}
	else if(CFGetTypeID(trustSettingsDictOrArray) == CFDictionaryGetTypeID()) {
		/* array-ize it */
		tmpInArray = CFArrayCreate(NULL, &trustSettingsDictOrArray, 1,
			&kCFTypeArrayCallBacks);
	}
	else if(CFGetTypeID(trustSettingsDictOrArray) == CFArrayGetTypeID()) {
		/* as is, refcount - we'll release later */
		tmpInArray = (CFArrayRef)trustSettingsDictOrArray;
		CFRetain(tmpInArray);
	}
	else {
		trustSettingsDbg("validateApiUsageConstraints: bad trustSettingsDictOrArray");
		MacOSError::throwMe(errSecParam);
	}

	CFIndex numSpecs = CFArrayGetCount(tmpInArray);
	CFMutableArrayRef outArray = CFArrayCreateMutable(NULL, numSpecs, &kCFTypeArrayCallBacks);
	CSSM_OID oid;
	OSStatus ortn = errSecSuccess;
	SecPolicyRef certPolicy;
	SecTrustedApplicationRef certApp;

	/* convert */
	for(CFIndex dex=0; dex<numSpecs; dex++) {
		CFDataRef   oidData = NULL;
		CFDataRef   appData = NULL;
		CFStringRef policyStr = NULL;
		CFNumberRef allowedErr = NULL;
		CFNumberRef resultType = NULL;
		CFNumberRef keyUsage = NULL;
		SInt32 resultNum;
		SecTrustSettingsResult result;

		/* each element is a dictionary */
		CFDictionaryRef ucDict = (CFDictionaryRef)CFArrayGetValueAtIndex(tmpInArray, dex);
		if(CFGetTypeID(ucDict) != CFDictionaryGetTypeID()) {
			trustSettingsDbg("validateAppPolicyArray: malformed usageConstraint dictionary");
			ortn = errSecParam;
			break;
		}

		/* policy - optional */
		certPolicy = (SecPolicyRef)CFDictionaryGetValue(ucDict, kSecTrustSettingsPolicy);
		if(certPolicy != NULL) {
			if(CFGetTypeID(certPolicy) != SecPolicyGetTypeID()) {
				trustSettingsDbg("validateAppPolicyArray: malformed certPolicy");
				ortn = errSecParam;
				break;
			}
			ortn = SecPolicyGetOID(certPolicy, &oid);
			if(ortn) {
				trustSettingsDbg("validateAppPolicyArray: SecPolicyGetOID error");
				break;
			}
			oidData = CFDataCreate(NULL, oid.Data, oid.Length);
		}

		/* application - optional */
		certApp = (SecTrustedApplicationRef)CFDictionaryGetValue(ucDict, kSecTrustSettingsApplication);
		if(certApp != NULL) {
			if(CFGetTypeID(certApp) != SecTrustedApplicationGetTypeID()) {
				trustSettingsDbg("validateAppPolicyArray: malformed certApp");
				ortn = errSecParam;
				break;
			}
			ortn = SecTrustedApplicationCopyExternalRepresentation(certApp, &appData);
			if(ortn) {
				trustSettingsDbg("validateAppPolicyArray: "
					"SecTrustedApplicationCopyExternalRepresentation error");
				break;
			}
		}

		policyStr  = (CFStringRef)CFDictionaryGetValue(ucDict, kSecTrustSettingsPolicyString);
		if(policyStr != NULL) {
			if(CFGetTypeID(policyStr) != CFStringGetTypeID()) {
				trustSettingsDbg("validateAppPolicyArray: malformed policyStr");
				ortn = errSecParam;
				break;
			}
		}
		allowedErr = (CFNumberRef)CFDictionaryGetValue(ucDict, kSecTrustSettingsAllowedError);
		if(!tsIsGoodCfNum(allowedErr)) {
			trustSettingsDbg("validateAppPolicyArray: malformed allowedErr");
			ortn = errSecParam;
			break;
		}
		resultType = (CFNumberRef)CFDictionaryGetValue(ucDict, kSecTrustSettingsResult);
		if(!tsIsGoodCfNum(resultType, &resultNum)) {
			trustSettingsDbg("validateAppPolicyArray: malformed resultType");
			ortn = errSecParam;
			break;
		}
		result = resultNum;
		/* validate result later */

		keyUsage   = (CFNumberRef)CFDictionaryGetValue(ucDict, kSecTrustSettingsKeyUsage);
		if(!tsIsGoodCfNum(keyUsage)) {
			trustSettingsDbg("validateAppPolicyArray: malformed keyUsage");
			ortn = errSecParam;
			break;
		}

		if(!oidData && !appData && !policyStr &&
		   !allowedErr && !resultType && !keyUsage) {
			/* nothing here - weird, but legal - skip it */
			continue;
		}

		/* create dictionary for this usageConstraint */
		CFMutableDictionaryRef outDict = CFDictionaryCreateMutable(NULL,
			2,
			&kCFTypeDictionaryKeyCallBacks,
			&kCFTypeDictionaryValueCallBacks);
		if(oidData) {
			CFDictionaryAddValue(outDict, kSecTrustSettingsPolicy, oidData);
			CFRelease(oidData);			// owned by dictionary
		}
		if(appData) {
			CFDictionaryAddValue(outDict, kSecTrustSettingsApplication, appData);
			CFRelease(appData);			// owned by dictionary
		}
		if(policyStr) {
			CFDictionaryAddValue(outDict, kSecTrustSettingsPolicyString, policyStr);
			/* still owned by ucDict */
		}
		if(allowedErr) {
			CFDictionaryAddValue(outDict, kSecTrustSettingsAllowedError, allowedErr);
		}
#if SECTRUST_OSX
#warning STU: temporarily unblocking build
		ortn = errSecSuccess;
#else
		if(resultType) {
			/* let's be really picky on this one */
			switch(result) {
				case kSecTrustSettingsResultInvalid:
					ortn = errSecParam;
					break;
				case kSecTrustSettingsResultTrustRoot:
					if(!isSelfSigned) {
						trustSettingsDbg("validateAppPolicyArray: TrustRoot, !isSelfSigned");
						ortn = errSecParam;
					}
					break;
				case kSecTrustSettingsResultTrustAsRoot:
					if(isSelfSigned) {
						trustSettingsDbg("validateAppPolicyArray: TrustAsRoot, isSelfSigned");
						ortn = errSecParam;
					}
					break;
				case kSecTrustSettingsResultDeny:
				case kSecTrustSettingsResultUnspecified:
					break;
				default:
					trustSettingsDbg("validateAppPolicyArray: bogus resultType");
					ortn = errSecParam;
					break;
			}
			if(ortn) {
				break;
			}
			CFDictionaryAddValue(outDict, kSecTrustSettingsResult, resultType);
		}
		else {
			/* no resultType; default of TrustRoot only valid for root */
			if(!isSelfSigned) {
				trustSettingsDbg("validateAppPolicyArray: default result, !isSelfSigned");
				ortn = errSecParam;
				break;
			}
		}
#endif
		if(keyUsage) {
			CFDictionaryAddValue(outDict, kSecTrustSettingsKeyUsage, keyUsage);
		}

		/* append dictionary to output */
		CFArrayAppendValue(outArray, outDict);
		/* array owns the dictionary now */
		CFRelease(outDict);

	}	/* for each usage constraint dictionary */

	CFRelease(tmpInArray);
	if(ortn) {
		CFRelease(outArray);
		MacOSError::throwMe(ortn);
	}
	return outArray;
}

/*
 * Validate an trust settings array obtained from disk.
 * Returns true if OK, else returns false.
 */
bool TrustSettings::validateTrustSettingsArray(
	CFArrayRef trustSettings)
{
	CFIndex numSpecs = CFArrayGetCount(trustSettings);
	for(CFIndex dex=0; dex<numSpecs; dex++) {
		CFDictionaryRef ucDict = (CFDictionaryRef)CFArrayGetValueAtIndex(trustSettings,
			dex);
		if(CFGetTypeID(ucDict) != CFDictionaryGetTypeID()) {
			trustSettingsDbg("validateAppPolicyArray: malformed app/policy dictionary");
			return false;
		}
		CFDataRef certPolicy = (CFDataRef)CFDictionaryGetValue(ucDict, kSecTrustSettingsPolicy);
		if((certPolicy != NULL) && (CFGetTypeID(certPolicy) != CFDataGetTypeID())) {
			trustSettingsDbg("validateAppPolicyArray: malformed certPolicy");
			return false;
		}
		CFDataRef certApp = (CFDataRef)CFDictionaryGetValue(ucDict, kSecTrustSettingsApplication);
		if((certApp != NULL) && (CFGetTypeID(certApp) != CFDataGetTypeID())) {
			trustSettingsDbg("validateAppPolicyArray: malformed certApp");
			return false;
		}
		CFStringRef policyStr = (CFStringRef)CFDictionaryGetValue(ucDict, kSecTrustSettingsPolicyString);
		if((policyStr != NULL) && (CFGetTypeID(policyStr) != CFStringGetTypeID())) {
			trustSettingsDbg("validateAppPolicyArray: malformed policyStr");
			return false;
		}
		CFNumberRef cfNum = (CFNumberRef)CFDictionaryGetValue(ucDict, kSecTrustSettingsAllowedError);
		if(!tsIsGoodCfNum(cfNum)) {
			trustSettingsDbg("validateAppPolicyArray: malformed allowedErr");
			return false;
		}
		cfNum = (CFNumberRef)CFDictionaryGetValue(ucDict, kSecTrustSettingsResult);
		if(!tsIsGoodCfNum(cfNum)) {
			trustSettingsDbg("validateAppPolicyArray: malformed resultType");
			return false;
		}
		cfNum = (CFNumberRef)CFDictionaryGetValue(ucDict, kSecTrustSettingsKeyUsage);
		if(!tsIsGoodCfNum(cfNum)) {
			trustSettingsDbg("validateAppPolicyArray: malformed keyUsage");
			return false;
		}
	}	/* for each usageConstraint dictionary */
	return true;
}

/*
 * Validate mPropList after it's read from disk or supplied as an external
 * representation. Allows subsequent use of mTrustDict to proceed with
 * relative impunity.
 */
void TrustSettings::validatePropList(bool trim)
{
	/* top level dictionary */
	if(!mPropList) {
		trustSettingsDbg("TrustSettings::validatePropList missing mPropList");
		abort("missing propList", errSecInvalidTrustedRootRecord);
	}

	if(CFGetTypeID(mPropList) != CFDictionaryGetTypeID()) {
		trustSettingsDbg("TrustSettings::validatePropList: malformed mPropList");
		abort("malformed propList", errSecInvalidTrustedRootRecord);
	}

	/* That dictionary has two entries */
	CFNumberRef cfVers = (CFNumberRef)CFDictionaryGetValue(mPropList, kTrustRecordVersion);
	if((cfVers == NULL) || (CFGetTypeID(cfVers) != CFNumberGetTypeID())) {
		trustSettingsDbg("TrustSettings::validatePropList: malformed version");
		abort("malformed version", errSecInvalidTrustedRootRecord);
	}
	if(!CFNumberGetValue(cfVers, kCFNumberSInt32Type, &mDictVersion)) {
		trustSettingsDbg("TrustSettings::validatePropList: malformed version");
		abort("malformed version", errSecInvalidTrustedRootRecord);
	}
	if((mDictVersion > kSecTrustRecordVersionCurrent) ||
	   (mDictVersion == kSecTrustRecordVersionInvalid)) {
		trustSettingsDbg("TrustSettings::validatePropList: incompatible version");
		abort("incompatible version", errSecInvalidTrustedRootRecord);
	}
	/* other backwards-compatibility handling done later, if needed, per mDictVersion */

	mTrustDict = (CFMutableDictionaryRef)CFDictionaryGetValue(mPropList, kTrustRecordTrustList);
	if(mTrustDict != NULL) {
		CFRetain(mTrustDict);
	}
	if((mTrustDict == NULL) || (CFGetTypeID(mTrustDict) != CFDictionaryGetTypeID())) {
		trustSettingsDbg("TrustSettings::validatePropList: malformed mTrustDict");
		abort("malformed TrustArray", errSecInvalidTrustedRootRecord);
	}

	/* grind through the per-cert entries */
	CFIndex numCerts = CFDictionaryGetCount(mTrustDict);
	const void *dictKeys[numCerts];
	const void *dictValues[numCerts];
	CFDictionaryGetKeysAndValues(mTrustDict, dictKeys, dictValues);

	for(CFIndex dex=0; dex<numCerts; dex++) {
		/* get per-cert dictionary */
		CFMutableDictionaryRef certDict = (CFMutableDictionaryRef)dictValues[dex];
		if((certDict == NULL) || (CFGetTypeID(certDict) != CFDictionaryGetTypeID())) {
			trustSettingsDbg("TrustSettings::validatePropList: malformed certDict");
			abort("malformed certDict", errSecInvalidTrustedRootRecord);
		}

		/*
		 * That dictionary has exactly four entries.
		 * If we're trimming, all we need is the actual trust settings.
		 */

		/* issuer */
		CFDataRef cfd = (CFDataRef)CFDictionaryGetValue(certDict, kTrustRecordIssuer);
		if(cfd == NULL) {
			trustSettingsDbg("TrustSettings::validatePropList: missing issuer");
			abort("missing issuer", errSecInvalidTrustedRootRecord);
		}
		if(CFGetTypeID(cfd) != CFDataGetTypeID()) {
			trustSettingsDbg("TrustSettings::validatePropList: malformed issuer");
			abort("malformed issuer", errSecInvalidTrustedRootRecord);
		}
		if(trim) {
			CFDictionaryRemoveValue(certDict, kTrustRecordIssuer);
		}

		/* serial number */
		cfd = (CFDataRef)CFDictionaryGetValue(certDict, kTrustRecordSerialNumber);
		if(cfd == NULL) {
			trustSettingsDbg("TrustSettings::validatePropList: missing serial number");
			abort("missing serial number", errSecInvalidTrustedRootRecord);
		}
		if(CFGetTypeID(cfd) != CFDataGetTypeID()) {
			trustSettingsDbg("TrustSettings::validatePropList: malformed serial number");
			abort("malformed serial number", errSecInvalidTrustedRootRecord);
		}
		if(trim) {
			CFDictionaryRemoveValue(certDict, kTrustRecordSerialNumber);
		}

		/* modification date */
		CFDateRef modDate = (CFDateRef)CFDictionaryGetValue(certDict, kTrustRecordModDate);
		if(modDate == NULL) {
			trustSettingsDbg("TrustSettings::validatePropList: missing modDate");
			abort("missing modDate", errSecInvalidTrustedRootRecord);
		}
		if(CFGetTypeID(modDate) != CFDateGetTypeID()) {
			trustSettingsDbg("TrustSettings::validatePropList: malformed modDate");
			abort("malformed modDate", errSecInvalidTrustedRootRecord);
		}
		if(trim) {
			CFDictionaryRemoveValue(certDict, kTrustRecordModDate);
		}

		/* the actual trust settings */
		CFArrayRef trustSettings = (CFArrayRef)CFDictionaryGetValue(certDict,
				kTrustRecordTrustSettings);
		if(trustSettings == NULL) {
			/* optional; this cert's entry is good */
			continue;
		}
		if(CFGetTypeID(trustSettings) != CFArrayGetTypeID()) {
			trustSettingsDbg("TrustSettings::validatePropList: malformed useConstraint"
				"array");
			abort("malformed useConstraint array", errSecInvalidTrustedRootRecord);
		}

		/* Now validate the usageConstraint array contents */
		if(!validateTrustSettingsArray(trustSettings)) {
			abort("malformed useConstraint array", errSecInvalidTrustedRootRecord);
		}
	} /* for each cert dictionary  in top-level array */

	if(trim) {
		/* we don't need the top-level dictionary any more */
		CFRelease(mPropList);
		mPropList = NULL;
	}
}

/*
 * Obtain non-normalized issuer and serial number for specified cert, both
 * returned as CFDataRefs owned by caller.
 */
void TrustSettings::copyIssuerAndSerial(
	SecCertificateRef	certRef,
	CFDataRef			*issuer,		/* optional, RETURNED */
	CFDataRef			*serial)		/* RETURNED */
{
#if SECTRUST_OSX
	CFRef<SecCertificateRef> certificate = SecCertificateCreateItemImplInstance(certRef);
#else
	CFRef<SecCertificateRef> certificate = (SecCertificateRef) ((certRef) ? CFRetain(certRef) : NULL);
#endif

	SecPointer<Certificate> cert = Certificate::required(certificate);
	CSSM_DATA_PTR fieldVal;

	if(issuer != NULL) {
		fieldVal = cert->copyFirstFieldValue(CSSMOID_X509V1IssuerNameStd);
		*issuer = CFDataCreate(NULL, fieldVal->Data, fieldVal->Length);
		cert->releaseFieldValue(CSSMOID_X509V1IssuerNameStd, fieldVal);
	}

	fieldVal = cert->copyFirstFieldValue(CSSMOID_X509V1SerialNumber);
	*serial = CFDataCreate(NULL, fieldVal->Data, fieldVal->Length);
	cert->releaseFieldValue(CSSMOID_X509V1SerialNumber, fieldVal);
}

void TrustSettings::abort(
	const char *why,
	OSStatus err)
{
	Syslog::error("TrustSettings: %s", why);
	MacOSError::throwMe(err);
}