[apple/security.git] / OSX / sec / Security / Tool / keychain_util.c

/*
 * Copyright (c) 2014 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */


#include <stdio.h>
#include <AssertMacros.h>
#include <utilities/SecCFWrappers.h>
#include <ACMDefs.h>
#include <ACMAclDefs.h>
#include <libaks_acl_cf_keys.h>

#include "security.h"
#include "keychain_util.h"
#include "SecAccessControlPriv.h"

static CFStringRef createStringForValue(CFTypeRef value)
{
    CFStringRef result = NULL;
    if (CFDataGetTypeID() == CFGetTypeID(value)) {
        CFMutableStringRef stringData = CFStringCreateMutable(kCFAllocatorDefault, 0);
        CFStringAppend(stringData, CFSTR("<"));
        const UInt8 *dataPtr = CFDataGetBytePtr(value);
        for (int i = 0; i < CFDataGetLength(value); ++i) {
            CFStringAppendFormat(stringData, NULL, CFSTR("%02x"), dataPtr[i]);
        }
        CFStringAppend(stringData, CFSTR(">"));
        result = stringData;
    } else if (CFBooleanGetTypeID() == CFGetTypeID(value)) {
        if (CFEqual(value, kCFBooleanTrue))
            result = CFStringCreateWithCString(kCFAllocatorDefault, "true", kCFStringEncodingUTF8);
        else
            result = CFStringCreateWithCString(kCFAllocatorDefault, "false", kCFStringEncodingUTF8);
    } else if (CFNumberGetTypeID() == CFGetTypeID(value))
        result = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("%@"), value);
    else if (CFStringGetTypeID() == CFGetTypeID(value))
        result = CFStringCreateCopy(kCFAllocatorDefault, value);
    else
        result = CFStringCreateWithCString(kCFAllocatorDefault, "unrecognized value", kCFStringEncodingUTF8);

    return result;
}

static CFStringRef createStringForKofn(CFDictionaryRef kofn)
{
    CFMutableStringRef result = NULL;
    if (kofn != NULL && CFDictionaryGetTypeID() == CFGetTypeID(kofn))
    {
        result = CFStringCreateMutable(kCFAllocatorDefault, 0);
        CFDictionaryForEach(kofn, ^(const void *key, const void *value) {

            CFStringAppend(result, key);
            CFStringAppend(result, CFSTR("("));

            CFStringRef valueString = createStringForKofn(value) ?: createStringForValue(value);
            CFStringAppend(result, valueString);
            CFStringAppend(result, CFSTR(")"));
            CFReleaseSafe(valueString);
        });
    }

    return result;
}

static CFStringRef createStringForOps(CFDictionaryRef constraints)
{
    CFMutableStringRef result = NULL;
    if (constraints != NULL)
    {
        result = CFStringCreateMutable(kCFAllocatorDefault, 0);
        CFDictionaryForEach(constraints, ^(const void *key, const void *value) {
            if (CFStringGetLength(result) > 0)
                CFStringAppend(result, CFSTR(";"));
            CFStringAppend(result, key);
            CFStringAppend(result, CFSTR("("));
            CFStringRef valueString = createStringForKofn(value) ?: createStringForValue(value);
            CFStringAppend(result, valueString);
            CFStringAppend(result, CFSTR(")"));
            CFReleaseSafe(valueString);
        });
    }

    return result;
}

void
display_sac_line(SecAccessControlRef sac, CFMutableStringRef line)
{
    CFTypeRef protection = SecAccessControlGetProtection(sac);
    if (CFStringGetTypeID() == CFGetTypeID(protection))
        CFStringAppend(line, protection);

    CFDictionaryRef constraints = SecAccessControlGetConstraints(sac);
    CFStringRef constraintsString = createStringForOps(constraints);
    if (constraintsString) {
        CFStringAppend(line, CFSTR(";"));
        CFStringAppend(line, constraintsString);
    }
    CFReleaseSafe(constraintsString);
}

bool
keychain_query_parse_cstring(CFMutableDictionaryRef q, const char *query) {
    CFStringRef s;
    s = CFStringCreateWithCStringNoCopy(0, query, kCFStringEncodingUTF8, kCFAllocatorNull);
    bool result = keychain_query_parse_string(q, s);
    CFRelease(s);
    return result;
}

/* Parse a string of the form attr=value,attr=value,attr=value */
bool
keychain_query_parse_string(CFMutableDictionaryRef q, CFStringRef s) {
    bool inkey = true;
    bool escaped = false;
    bool error = false;
    CFStringRef key = NULL;
    CFMutableStringRef str = CFStringCreateMutable(0, 0);
    CFRange rng = { .location = 0, .length = CFStringGetLength(s) };
    CFCharacterSetRef cs_key = CFCharacterSetCreateWithCharactersInString(0, CFSTR("=\\"));
    CFCharacterSetRef cs_value = CFCharacterSetCreateWithCharactersInString(0, CFSTR(",\\"));
    while (rng.length) {
        CFRange r;
        CFStringRef sub;
        bool complete = false;
        if (escaped) {
            r.location = rng.location;
            r.length = 1;
            sub = CFStringCreateWithSubstring(0, s, r);
            escaped = false;
        } else if (CFStringFindCharacterFromSet(s, inkey ? cs_key : cs_value, rng, 0, &r)) {
            if (CFStringGetCharacterAtIndex(s, r.location) == '\\') {
                escaped = true;
            } else {
                complete = true;
            }
            CFIndex next = r.location + 1;
            r.length = r.location - rng.location;
            r.location = rng.location;
            sub = CFStringCreateWithSubstring(0, s, r);
            rng.length -= next - rng.location;
            rng.location = next;
        } else {
            sub = CFStringCreateWithSubstring(0, s, rng);
            rng.location += rng.length;
            rng.length = 0;
            complete = true;
        }
        CFStringAppend(str, sub);
        CFRelease(sub);
        
        if (complete) {
            CFStringRef value = CFStringCreateCopy(0, str);
            CFStringReplaceAll(str, CFSTR(""));
            if (inkey) {
                key = value;
            } else {
                if(key && CFStringCompare(key, kSecAttrAccessControl, kCFCompareCaseInsensitive) == kCFCompareEqualTo) {
                    SecAccessControlRef sac = keychain_query_parse_sac(value);
                    if(sac) {
                        CFDictionarySetValue(q, key, sac);
                    } else {
                        fprintf(stderr, "SecItemCopyMatching returned unexpected results:");
                        error = true;
                    }
                } else {
                    CFDictionarySetValue(q, key, value);
                }
                CFReleaseNull(value);
                CFReleaseNull(key);
            }
            inkey = !inkey;
        }
        if(error)
            break;
    }
    if (key) {
        /* Dangeling key value is true?. */
        CFDictionarySetValue(q, key, kCFBooleanTrue);
        CFReleaseNull(key);
    }
    CFRelease(str);
    CFRelease(cs_key);
    CFRelease(cs_value);
    return error == false;
}

static uint32_t findLeft(CFStringRef s, uint32_t off)
{
    for (int i = off; i < CFStringGetLength(s); ++i) {
        if (CFStringGetCharacterAtIndex(s, i) == '(')
            return i;
    }

    return 0;
}

static uint32_t findRight(CFStringRef s, uint32_t off)
{
    int bracersCount = 0;
    for (int i = off; i < CFStringGetLength(s); ++i) {
        if (CFStringGetCharacterAtIndex(s, i) == '(')
            ++bracersCount;

        if (CFStringGetCharacterAtIndex(s, i) == ')') {
            --bracersCount;
            if (bracersCount == 0) {
                return i;
            }
        }
    }

    return 0;
}

static bool parseKeyAndValue(CFStringRef string, CFTypeRef *key, CFTypeRef *value);

CF_RETURNS_RETAINED
static CFTypeRef parseValue(CFStringRef string)
{
    CFTypeRef result = NULL, key = NULL, value = NULL;
    CFMutableDictionaryRef resultDictionary = NULL;
    CFStringRef subString = NULL;

    uint32_t left = findLeft(string, 0);
    if (left > 0) {
        uint32_t offset = 0;
        resultDictionary = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
        for (;;) {
            uint32_t right = findRight(string, left);
            if (!right)
                break;
            CFAssignRetained(subString, CFStringCreateWithSubstring(kCFAllocatorDefault, string, CFRangeMake(offset, (right + 1) - offset)));
            require_quiet(parseKeyAndValue(subString, &key, &value), out);
            CFDictionarySetValue(resultDictionary, key, value);
            offset = right + 1;
            left = findLeft(string, offset);
            if (!left)
                break;
        }
        result = CFRetain(resultDictionary);
    } else if (CFStringGetCharacterAtIndex(string, 0) == '<' && CFStringGetCharacterAtIndex(string, CFStringGetLength(string) - 1) == '>') {
        CFMutableDataRef data = CFDataCreateMutable(kCFAllocatorDefault, 0);
        if (CFStringGetLength(string) > 2) {
            CFAssignRetained(subString, CFStringCreateWithSubstring(kCFAllocatorDefault, string, CFRangeMake(1, CFStringGetLength(string) - 2)));
            const char *asciiString = CFStringGetCStringPtr(subString, kCFStringEncodingASCII);
            uint8_t byte;
            for(uint32_t i = 0; i < strlen(asciiString); i += 2) {
                sscanf(&asciiString[i], "%02hhx", &byte);
                CFDataAppendBytes(data, &byte, sizeof(byte));
            }
        }
        result = data;
    } else if (CFStringCompare(string, CFSTR("true"), 0) == kCFCompareEqualTo) {
        CFRetainAssign(result, kCFBooleanTrue);
    } else if (CFStringCompare(string, CFSTR("false"), 0) == kCFCompareEqualTo) {
        CFRetainAssign(result, kCFBooleanFalse);
    } else if (CFStringCompare(string, CFSTR(kACMPolicyDeviceOwnerAuthentication), 0) == kCFCompareEqualTo) {
        CFRetainAssign(result, CFSTR(kACMPolicyDeviceOwnerAuthentication));
    } else {
        CFLocaleRef currentLocale = CFLocaleCopyCurrent();
        CFNumberFormatterRef formaterRef = CFNumberFormatterCreate(kCFAllocatorDefault, currentLocale, kCFNumberFormatterDecimalStyle);
        result = CFNumberFormatterCreateNumberFromString(kCFAllocatorDefault, formaterRef, string, NULL, kCFNumberFormatterParseIntegersOnly);
        CFReleaseSafe(currentLocale);
        CFReleaseSafe(formaterRef);
    }

    if (!result)
        fprintf(stderr, "Failed to parse value: %s\n", CFStringGetCStringPtr(string, kCFStringEncodingUTF8));

out:
    CFReleaseSafe(key);
    CFReleaseSafe(value);
    CFReleaseSafe(subString);
    CFReleaseSafe(resultDictionary);

    return result;
}

static bool parseKeyAndValue(CFStringRef string, CFTypeRef *key, CFTypeRef *value)
{
    bool ok = false;
    CFStringRef keyString = NULL;
    CFStringRef valueString = NULL;
    CFTypeRef parsedValue = NULL;

    uint32_t left = findLeft(string, 0);
    require_action_quiet(left != 0, out, fprintf(stderr, "Failed to find '(' in: %s\n", CFStringGetCStringPtr(string, kCFStringEncodingUTF8)));
    uint32_t right = findRight(string, left);
    require_action_quiet(right != 0, out, fprintf(stderr, "Failed to find ')' in: %s\n", CFStringGetCStringPtr(string, kCFStringEncodingUTF8)));
    require_action_quiet(right == ((uint32_t)CFStringGetLength(string) - 1), out, fprintf(stderr, "Failed to find ')' in: %s\n", CFStringGetCStringPtr(string, kCFStringEncodingUTF8)));

    keyString  = CFStringCreateWithSubstring(kCFAllocatorDefault, string, CFRangeMake(0, left));
    valueString = CFStringCreateWithSubstring(kCFAllocatorDefault, string, CFRangeMake(left + 1, right - left - 1));
    require_quiet(parsedValue = parseValue(valueString), out);
    CFRetainAssign(*key, keyString);
    CFRetainAssign(*value, parsedValue);
    ok = true;

out:
    CFReleaseSafe(parsedValue);
    CFReleaseSafe(keyString);
    CFReleaseSafe(valueString);

    return ok;
}

SecAccessControlRef
keychain_query_parse_sac(CFStringRef s) {
    SecAccessControlRef sac = NULL, result = NULL;
    CFTypeRef key = NULL, value = NULL;
    CFArrayRef tokens = CFStringCreateArrayBySeparatingStrings(NULL, s, CFSTR(";"));

    // process protection part
    CFStringRef protection = CFArrayGetValueAtIndex(tokens, 0);
    
    CFErrorRef error = NULL;
    require_quiet(sac = SecAccessControlCreate(kCFAllocatorDefault, &error), out);
    require_quiet(SecAccessControlSetProtection(sac, protection, &error), out);

    CFIndex tokensCnt = CFArrayGetCount(tokens);
    for(CFIndex i = 1; i < tokensCnt; ++i) {
        require_action_quiet(parseKeyAndValue(CFArrayGetValueAtIndex(tokens, i), &key, &value), out, fprintf(stderr, "Error constructing SecAccessConstraint object\n") );

        if (CFEqual(key, CFSTR(kACMKeyAclParamRequirePasscode)))
            SecAccessControlSetRequirePassword(sac, CFEqual(value, kCFBooleanTrue)?true:false);
        else
            SecAccessControlAddConstraintForOperation(sac, key, value, NULL);
    }

    SecAccessConstraintRef constraintForDelete = SecAccessControlGetConstraint(sac, kAKSKeyOpDelete);
    if (!constraintForDelete) {
        if(!SecAccessControlAddConstraintForOperation(sac, kAKSKeyOpDelete, kCFBooleanTrue, &error)) {
            fprintf(stderr, "adding delete operation to sac object failed \n");
        }
    }

    SecAccessConstraintRef constraintForEncrypt = SecAccessControlGetConstraint(sac, kAKSKeyOpEncrypt);
    if (!constraintForEncrypt) {
        if(!SecAccessControlAddConstraintForOperation(sac, kAKSKeyOpEncrypt, kCFBooleanTrue, &error)) {
            fprintf(stderr, "adding encrypt operation to sac object failed \n");
        }
    }

    CFRetainAssign(result, sac);

out:
    CFReleaseSafe(tokens);
    CFReleaseSafe(key);
    CFReleaseSafe(value);
    CFReleaseSafe(sac);

    return result;
}
Commit	Line	Data
5c19dc3a A	1	/*
	2	* Copyright (c) 2014 Apple Inc. All Rights Reserved.
	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24
	25	#include <stdio.h>
	26	#include <AssertMacros.h>
	27	#include <utilities/SecCFWrappers.h>
	28	#include <ACMDefs.h>
	29	#include <ACMAclDefs.h>
	30	#include <libaks_acl_cf_keys.h>
	31
	32	#include "security.h"
	33	#include "keychain_util.h"
	34	#include "SecAccessControlPriv.h"
	35
	36	static CFStringRef createStringForValue(CFTypeRef value)
	37	{
	38	CFStringRef result = NULL;
	39	if (CFDataGetTypeID() == CFGetTypeID(value)) {
	40	CFMutableStringRef stringData = CFStringCreateMutable(kCFAllocatorDefault, 0);
	41	CFStringAppend(stringData, CFSTR("<"));
	42	const UInt8 *dataPtr = CFDataGetBytePtr(value);
	43	for (int i = 0; i < CFDataGetLength(value); ++i) {
	44	CFStringAppendFormat(stringData, NULL, CFSTR("%02x"), dataPtr[i]);
	45	}
	46	CFStringAppend(stringData, CFSTR(">"));
	47	result = stringData;
	48	} else if (CFBooleanGetTypeID() == CFGetTypeID(value)) {
	49	if (CFEqual(value, kCFBooleanTrue))
	50	result = CFStringCreateWithCString(kCFAllocatorDefault, "true", kCFStringEncodingUTF8);
	51	else
	52	result = CFStringCreateWithCString(kCFAllocatorDefault, "false", kCFStringEncodingUTF8);
	53	} else if (CFNumberGetTypeID() == CFGetTypeID(value))
	54	result = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("%@"), value);
	55	else if (CFStringGetTypeID() == CFGetTypeID(value))
	56	result = CFStringCreateCopy(kCFAllocatorDefault, value);
	57	else
	58	result = CFStringCreateWithCString(kCFAllocatorDefault, "unrecognized value", kCFStringEncodingUTF8);
	59
	60	return result;
	61	}
	62
	63	static CFStringRef createStringForKofn(CFDictionaryRef kofn)
	64	{
65	CFMutableStringRef result = NULL;
66	if (kofn != NULL && CFDictionaryGetTypeID() == CFGetTypeID(kofn))
67	{
68	result = CFStringCreateMutable(kCFAllocatorDefault, 0);
69	CFDictionaryForEach(kofn, ^(const void key, const void value) {
70
71	CFStringAppend(result, key);
72	CFStringAppend(result, CFSTR("("));
73
74	CFStringRef valueString = createStringForKofn(value) ?: createStringForValue(value);
75	CFStringAppend(result, valueString);
76	CFStringAppend(result, CFSTR(")"));
77	CFReleaseSafe(valueString);
78	});
79	}
80
81	return result;
82	}
83
84	static CFStringRef createStringForOps(CFDictionaryRef constraints)
85	{
86	CFMutableStringRef result = NULL;
87	if (constraints != NULL)
88	{
89	result = CFStringCreateMutable(kCFAllocatorDefault, 0);
90	CFDictionaryForEach(constraints, ^(const void key, const void value) {
91	if (CFStringGetLength(result) > 0)
92	CFStringAppend(result, CFSTR(";"));
93	CFStringAppend(result, key);
94	CFStringAppend(result, CFSTR("("));
95	CFStringRef valueString = createStringForKofn(value) ?: createStringForValue(value);
96	CFStringAppend(result, valueString);
97	CFStringAppend(result, CFSTR(")"));
98	CFReleaseSafe(valueString);
99	});
100	}
101
102	return result;
103	}
104
105	void
106	display_sac_line(SecAccessControlRef sac, CFMutableStringRef line)
107	{
108	CFTypeRef protection = SecAccessControlGetProtection(sac);
109	if (CFStringGetTypeID() == CFGetTypeID(protection))
110	CFStringAppend(line, protection);
111
112	CFDictionaryRef constraints = SecAccessControlGetConstraints(sac);
113	CFStringRef constraintsString = createStringForOps(constraints);
114	if (constraintsString) {
115	CFStringAppend(line, CFSTR(";"));
116	CFStringAppend(line, constraintsString);
117	}
118	CFReleaseSafe(constraintsString);
119	}
120
121	bool
122	keychain_query_parse_cstring(CFMutableDictionaryRef q, const char *query) {
123	CFStringRef s;
124	s = CFStringCreateWithCStringNoCopy(0, query, kCFStringEncodingUTF8, kCFAllocatorNull);
125	bool result = keychain_query_parse_string(q, s);
126	CFRelease(s);
127	return result;
128	}
129
130	/* Parse a string of the form attr=value,attr=value,attr=value */
131	bool
132	keychain_query_parse_string(CFMutableDictionaryRef q, CFStringRef s) {
133	bool inkey = true;
134	bool escaped = false;
135	bool error = false;
136	CFStringRef key = NULL;
137	CFMutableStringRef str = CFStringCreateMutable(0, 0);
138	CFRange rng = { .location = 0, .length = CFStringGetLength(s) };
139	CFCharacterSetRef cs_key = CFCharacterSetCreateWithCharactersInString(0, CFSTR("=\\"));
140	CFCharacterSetRef cs_value = CFCharacterSetCreateWithCharactersInString(0, CFSTR(",\\"));
141	while (rng.length) {
142	CFRange r;
143	CFStringRef sub;
144	bool complete = false;
145	if (escaped) {
146	r.location = rng.location;
147	r.length = 1;
148	sub = CFStringCreateWithSubstring(0, s, r);
149	escaped = false;
150	} else if (CFStringFindCharacterFromSet(s, inkey ? cs_key : cs_value, rng, 0, &r)) {
151	if (CFStringGetCharacterAtIndex(s, r.location) == '\\') {
152	escaped = true;
153	} else {
154	complete = true;
155	}
156	CFIndex next = r.location + 1;
157	r.length = r.location - rng.location;
158	r.location = rng.location;
159	sub = CFStringCreateWithSubstring(0, s, r);
160	rng.length -= next - rng.location;
161	rng.location = next;
162	} else {
163	sub = CFStringCreateWithSubstring(0, s, rng);
164	rng.location += rng.length;
165	rng.length = 0;
166	complete = true;
167	}
168	CFStringAppend(str, sub);
169	CFRelease(sub);
170
171	if (complete) {
172	CFStringRef value = CFStringCreateCopy(0, str);
173	CFStringReplaceAll(str, CFSTR(""));
174	if (inkey) {
175	key = value;
176	} else {
177	if(key && CFStringCompare(key, kSecAttrAccessControl, kCFCompareCaseInsensitive) == kCFCompareEqualTo) {
178	SecAccessControlRef sac = keychain_query_parse_sac(value);
179	if(sac) {
180	CFDictionarySetValue(q, key, sac);
181	} else {
182	fprintf(stderr, "SecItemCopyMatching returned unexpected results:");
183	error = true;
184	}
185	} else {
186	CFDictionarySetValue(q, key, value);
187	}
188	CFReleaseNull(value);
189	CFReleaseNull(key);
190	}
191	inkey = !inkey;
192	}
193	if(error)
194	break;
195	}
196	if (key) {
197	/* Dangeling key value is true?. */
198	CFDictionarySetValue(q, key, kCFBooleanTrue);
199	CFReleaseNull(key);
200	}
201	CFRelease(str);
202	CFRelease(cs_key);
203	CFRelease(cs_value);
204	return error == false;
205	}
206
207	static uint32_t findLeft(CFStringRef s, uint32_t off)
208	{
209	for (int i = off; i < CFStringGetLength(s); ++i) {
210	if (CFStringGetCharacterAtIndex(s, i) == '(')
211	return i;
212	}
213
214	return 0;
215	}
216
217	static uint32_t findRight(CFStringRef s, uint32_t off)
218	{
219	int bracersCount = 0;
220	for (int i = off; i < CFStringGetLength(s); ++i) {
221	if (CFStringGetCharacterAtIndex(s, i) == '(')
222	++bracersCount;
223
224	if (CFStringGetCharacterAtIndex(s, i) == ')') {
225	--bracersCount;
226	if (bracersCount == 0) {
227	return i;
228	}
229	}
230	}
231
232	return 0;
233	}
234
235	static bool parseKeyAndValue(CFStringRef string, CFTypeRef key, CFTypeRef value);
236
237	CF_RETURNS_RETAINED
238	static CFTypeRef parseValue(CFStringRef string)
239	{
240	CFTypeRef result = NULL, key = NULL, value = NULL;
241	CFMutableDictionaryRef resultDictionary = NULL;
242	CFStringRef subString = NULL;
243
244	uint32_t left = findLeft(string, 0);
245	if (left > 0) {
246	uint32_t offset = 0;
247	resultDictionary = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
248	for (;;) {
249	uint32_t right = findRight(string, left);
250	if (!right)
251	break;
252	CFAssignRetained(subString, CFStringCreateWithSubstring(kCFAllocatorDefault, string, CFRangeMake(offset, (right + 1) - offset)));
253	require_quiet(parseKeyAndValue(subString, &key, &value), out);
254	CFDictionarySetValue(resultDictionary, key, value);
255	offset = right + 1;
256	left = findLeft(string, offset);
257	if (!left)
258	break;
259	}
260	result = CFRetain(resultDictionary);
261	} else if (CFStringGetCharacterAtIndex(string, 0) == '<' && CFStringGetCharacterAtIndex(string, CFStringGetLength(string) - 1) == '>') {
262	CFMutableDataRef data = CFDataCreateMutable(kCFAllocatorDefault, 0);
263	if (CFStringGetLength(string) > 2) {
264	CFAssignRetained(subString, CFStringCreateWithSubstring(kCFAllocatorDefault, string, CFRangeMake(1, CFStringGetLength(string) - 2)));
265	const char *asciiString = CFStringGetCStringPtr(subString, kCFStringEncodingASCII);
266	uint8_t byte;
267	for(uint32_t i = 0; i < strlen(asciiString); i += 2) {
268	sscanf(&asciiString[i], "%02hhx", &byte);
269	CFDataAppendBytes(data, &byte, sizeof(byte));
270	}
271	}
272	result = data;
273	} else if (CFStringCompare(string, CFSTR("true"), 0) == kCFCompareEqualTo) {
274	CFRetainAssign(result, kCFBooleanTrue);
275	} else if (CFStringCompare(string, CFSTR("false"), 0) == kCFCompareEqualTo) {
276	CFRetainAssign(result, kCFBooleanFalse);
277	} else if (CFStringCompare(string, CFSTR(kACMPolicyDeviceOwnerAuthentication), 0) == kCFCompareEqualTo) {
278	CFRetainAssign(result, CFSTR(kACMPolicyDeviceOwnerAuthentication));
279	} else {
280	CFLocaleRef currentLocale = CFLocaleCopyCurrent();
281	CFNumberFormatterRef formaterRef = CFNumberFormatterCreate(kCFAllocatorDefault, currentLocale, kCFNumberFormatterDecimalStyle);
282	result = CFNumberFormatterCreateNumberFromString(kCFAllocatorDefault, formaterRef, string, NULL, kCFNumberFormatterParseIntegersOnly);
283	CFReleaseSafe(currentLocale);
284	CFReleaseSafe(formaterRef);
285	}
286
287	if (!result)
288	fprintf(stderr, "Failed to parse value: %s\n", CFStringGetCStringPtr(string, kCFStringEncodingUTF8));
289
290	out:
291	CFReleaseSafe(key);
292	CFReleaseSafe(value);
293	CFReleaseSafe(subString);
294	CFReleaseSafe(resultDictionary);
295
296	return result;
297	}
298
299	static bool parseKeyAndValue(CFStringRef string, CFTypeRef key, CFTypeRef value)
300	{
301	bool ok = false;
302	CFStringRef keyString = NULL;
303	CFStringRef valueString = NULL;
304	CFTypeRef parsedValue = NULL;
305
306	uint32_t left = findLeft(string, 0);
307	require_action_quiet(left != 0, out, fprintf(stderr, "Failed to find '(' in: %s\n", CFStringGetCStringPtr(string, kCFStringEncodingUTF8)));
308	uint32_t right = findRight(string, left);
309	require_action_quiet(right != 0, out, fprintf(stderr, "Failed to find ')' in: %s\n", CFStringGetCStringPtr(string, kCFStringEncodingUTF8)));
310	require_action_quiet(right == ((uint32_t)CFStringGetLength(string) - 1), out, fprintf(stderr, "Failed to find ')' in: %s\n", CFStringGetCStringPtr(string, kCFStringEncodingUTF8)));
311
312	keyString = CFStringCreateWithSubstring(kCFAllocatorDefault, string, CFRangeMake(0, left));
313	valueString = CFStringCreateWithSubstring(kCFAllocatorDefault, string, CFRangeMake(left + 1, right - left - 1));
314	require_quiet(parsedValue = parseValue(valueString), out);
315	CFRetainAssign(*key, keyString);
316	CFRetainAssign(*value, parsedValue);
317	ok = true;
318
319	out:
320	CFReleaseSafe(parsedValue);
321	CFReleaseSafe(keyString);
322	CFReleaseSafe(valueString);
323
324	return ok;
325	}
326
327	SecAccessControlRef
328	keychain_query_parse_sac(CFStringRef s) {
329	SecAccessControlRef sac = NULL, result = NULL;
330	CFTypeRef key = NULL, value = NULL;
331	CFArrayRef tokens = CFStringCreateArrayBySeparatingStrings(NULL, s, CFSTR(";"));
332
333	// process protection part
334	CFStringRef protection = CFArrayGetValueAtIndex(tokens, 0);
335
336	CFErrorRef error = NULL;
337	require_quiet(sac = SecAccessControlCreate(kCFAllocatorDefault, &error), out);
338	require_quiet(SecAccessControlSetProtection(sac, protection, &error), out);
339
340	CFIndex tokensCnt = CFArrayGetCount(tokens);
341	for(CFIndex i = 1; i < tokensCnt; ++i) {
342	require_action_quiet(parseKeyAndValue(CFArrayGetValueAtIndex(tokens, i), &key, &value), out, fprintf(stderr, "Error constructing SecAccessConstraint object\n") );
343
344	if (CFEqual(key, CFSTR(kACMKeyAclParamRequirePasscode)))
345	SecAccessControlSetRequirePassword(sac, CFEqual(value, kCFBooleanTrue)?true:false);
346	else
347	SecAccessControlAddConstraintForOperation(sac, key, value, NULL);
348	}
349
350	SecAccessConstraintRef constraintForDelete = SecAccessControlGetConstraint(sac, kAKSKeyOpDelete);
351	if (!constraintForDelete) {
352	if(!SecAccessControlAddConstraintForOperation(sac, kAKSKeyOpDelete, kCFBooleanTrue, &error)) {
353	fprintf(stderr, "adding delete operation to sac object failed \n");
354	}
355	}
356
357	SecAccessConstraintRef constraintForEncrypt = SecAccessControlGetConstraint(sac, kAKSKeyOpEncrypt);
358	if (!constraintForEncrypt) {
359	if(!SecAccessControlAddConstraintForOperation(sac, kAKSKeyOpEncrypt, kCFBooleanTrue, &error)) {
360	fprintf(stderr, "adding encrypt operation to sac object failed \n");
361	}
362	}
363
364	CFRetainAssign(result, sac);
365
366	out:
367	CFReleaseSafe(tokens);
368	CFReleaseSafe(key);
369	CFReleaseSafe(value);
370	CFReleaseSafe(sac);
371
372	return result;
373	}