[apple/security.git] / libsecurity_keychain / lib / SecAccess.cpp

/*
 * Copyright (c) 2002-2004,2013 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 */

#include <SecBase.h>
#include <Security/SecAccess.h>
#include <Security/SecAccessPriv.h>
#include <Security/SecTrustedApplication.h>
#include <Security/SecTrustedApplicationPriv.h>
#include <security_keychain/Access.h>
#include "SecBridge.h"
#include <sys/param.h>

#undef secdebug
#include <utilities/SecCFWrappers.h>


/* No restrictions. Permission to perform all operations on
   the resource or available to an ACL owner.  */


CFTypeRef kSecACLAuthorizationAny = (CFTypeRef)(CFSTR("ACLAuthorizationAny"));

CFTypeRef kSecACLAuthorizationLogin = (CFTypeRef)(CFSTR("ACLAuthorizationLogin"));
CFTypeRef kSecACLAuthorizationGenKey = (CFTypeRef)(CFSTR("ACLAuthorizationGenKey"));
CFTypeRef kSecACLAuthorizationDelete = (CFTypeRef)(CFSTR("ACLAuthorizationDelete"));
CFTypeRef kSecACLAuthorizationExportWrapped = (CFTypeRef)(CFSTR("ACLAuthorizationExportWrapped"));
CFTypeRef kSecACLAuthorizationExportClear = (CFTypeRef)(CFSTR("ACLAuthorizationExportClear"));
CFTypeRef kSecACLAuthorizationImportWrapped = (CFTypeRef)(CFSTR("ACLAuthorizationImportWrapped"));
CFTypeRef kSecACLAuthorizationImportClear = (CFTypeRef)(CFSTR("ACLAuthorizationImportClear"));
CFTypeRef kSecACLAuthorizationSign = (CFTypeRef)(CFSTR("ACLAuthorizationSign"));
CFTypeRef kSecACLAuthorizationEncrypt = (CFTypeRef)(CFSTR("ACLAuthorizationEncrypt"));
CFTypeRef kSecACLAuthorizationDecrypt = (CFTypeRef)(CFSTR("ACLAuthorizationDecrypt"));
CFTypeRef kSecACLAuthorizationMAC = (CFTypeRef)(CFSTR("ACLAuthorizationMAC"));
CFTypeRef kSecACLAuthorizationDerive = (CFTypeRef)(CFSTR("ACLAuthorizationDerive"));

/* Defined authorization tag values for Keychain */


CFTypeRef kSecACLAuthorizationKeychainCreate = (CFTypeRef)(CFSTR("ACLAuthorizationKeychainCreate"));
CFTypeRef kSecACLAuthorizationKeychainDelete = (CFTypeRef)(CFSTR("ACLAuthorizationKeychainDelete"));
CFTypeRef kSecACLAuthorizationKeychainItemRead = (CFTypeRef)(CFSTR("ACLAuthorizationKeychainItemRead"));
CFTypeRef kSecACLAuthorizationKeychainItemInsert = (CFTypeRef)(CFSTR("ACLAuthorizationKeychainItemInsert"));
CFTypeRef kSecACLAuthorizationKeychainItemModify = (CFTypeRef)(CFSTR("ACLAuthorizationKeychainItemModify"));
CFTypeRef kSecACLAuthorizationKeychainItemDelete = (CFTypeRef)(CFSTR("ACLAuthorizationKeychainItemDelete"));

CFTypeRef kSecACLAuthorizationChangeACL = (CFTypeRef)(CFSTR("ACLAuthorizationChangeACL"));
CFTypeRef kSecACLAuthorizationChangeOwner = (CFTypeRef)(CFSTR("ACLAuthorizationChangeOwner"));


static CFArrayRef copyTrustedAppListFromBundle(CFStringRef bundlePath, CFStringRef trustedAppListFileName);

static CFStringRef gKeys[] =
{
	(CFStringRef)kSecACLAuthorizationAny,
	(CFStringRef)kSecACLAuthorizationLogin,
	(CFStringRef)kSecACLAuthorizationGenKey,
	(CFStringRef)kSecACLAuthorizationDelete,
	(CFStringRef)kSecACLAuthorizationExportWrapped,
	(CFStringRef)kSecACLAuthorizationExportClear,
	(CFStringRef)kSecACLAuthorizationImportWrapped,
	(CFStringRef)kSecACLAuthorizationImportClear,
	(CFStringRef)kSecACLAuthorizationSign,
	(CFStringRef)kSecACLAuthorizationEncrypt,
	(CFStringRef)kSecACLAuthorizationDecrypt,
	(CFStringRef)kSecACLAuthorizationMAC,
	(CFStringRef)kSecACLAuthorizationDerive,

	/* Defined authorization tag values for Keychain */
	(CFStringRef)kSecACLAuthorizationKeychainCreate,
	(CFStringRef)kSecACLAuthorizationKeychainDelete,
	(CFStringRef)kSecACLAuthorizationKeychainItemRead,
	(CFStringRef)kSecACLAuthorizationKeychainItemInsert,
	(CFStringRef)kSecACLAuthorizationKeychainItemModify,
	(CFStringRef)kSecACLAuthorizationKeychainItemDelete,

	(CFStringRef)kSecACLAuthorizationChangeACL,
	(CFStringRef)kSecACLAuthorizationChangeOwner

};

static sint32 gValues[] =
{
	CSSM_ACL_AUTHORIZATION_ANY,
	CSSM_ACL_AUTHORIZATION_LOGIN,
	CSSM_ACL_AUTHORIZATION_GENKEY,
	CSSM_ACL_AUTHORIZATION_DELETE,
	CSSM_ACL_AUTHORIZATION_EXPORT_WRAPPED,
	CSSM_ACL_AUTHORIZATION_EXPORT_CLEAR,
	CSSM_ACL_AUTHORIZATION_IMPORT_WRAPPED,
	CSSM_ACL_AUTHORIZATION_IMPORT_CLEAR,
	CSSM_ACL_AUTHORIZATION_SIGN,
	CSSM_ACL_AUTHORIZATION_ENCRYPT,
	CSSM_ACL_AUTHORIZATION_DECRYPT,
	CSSM_ACL_AUTHORIZATION_MAC,
	CSSM_ACL_AUTHORIZATION_DERIVE,
	CSSM_ACL_AUTHORIZATION_DBS_CREATE,
	CSSM_ACL_AUTHORIZATION_DBS_DELETE,
	CSSM_ACL_AUTHORIZATION_DB_READ,
	CSSM_ACL_AUTHORIZATION_DB_INSERT,
	CSSM_ACL_AUTHORIZATION_DB_MODIFY,
	CSSM_ACL_AUTHORIZATION_DB_DELETE,
	CSSM_ACL_AUTHORIZATION_CHANGE_ACL,
	CSSM_ACL_AUTHORIZATION_CHANGE_OWNER
};

static
CFDictionaryRef CreateStringToNumDictionary()
{
	int numItems = (sizeof(gValues) / sizeof(sint32));
	CFMutableDictionaryRef tempDict = CFDictionaryCreateMutable(kCFAllocatorDefault, numItems, &kCFCopyStringDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);

	for (int iCnt = 0; iCnt < numItems; iCnt++)
	{
		sint32 aNumber = gValues[iCnt];
		CFNumberRef aNum = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &aNumber);

		CFStringRef aString = gKeys[iCnt];
		CFDictionaryAddValue(tempDict, aString, aNum);
		CFRelease(aNum);
	}

	CFDictionaryRef result = CFDictionaryCreateCopy(kCFAllocatorDefault, tempDict);
	CFRelease(tempDict);
	return result;

}

static
CFDictionaryRef CreateNumToStringDictionary()
{
	int numItems = (sizeof(gValues) / sizeof(sint32));

	CFMutableDictionaryRef tempDict = CFDictionaryCreateMutable(kCFAllocatorDefault, numItems, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);

	for (int iCnt = 0; iCnt < numItems; iCnt++)
	{
		sint32 aNumber = gValues[iCnt];
		CFNumberRef aNum = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &aNumber);

		CFStringRef aString = gKeys[iCnt];
		CFDictionaryAddValue(tempDict, aNum, aString);
		CFRelease(aNum);

	}

	CFDictionaryRef result = CFDictionaryCreateCopy(kCFAllocatorDefault, tempDict);
	CFRelease(tempDict);
	return result;
}


/* TODO: This should be in some header */
sint32 GetACLAuthorizationTagFromString(CFStringRef aclStr);
sint32 GetACLAuthorizationTagFromString(CFStringRef aclStr)
{
	if (NULL == aclStr)
	{
#ifndef NDEBUG
		CFShow(CFSTR("GetACLAuthorizationTagFromString aclStr is NULL"));
#endif
		return 0;
	}

	static CFDictionaryRef gACLMapping = NULL;

	if (NULL == gACLMapping)
	{
		gACLMapping = CreateStringToNumDictionary();
	}

	sint32 result = 0;
	CFNumberRef valueResult = (CFNumberRef)CFDictionaryGetValue(gACLMapping, aclStr);
	if (NULL != valueResult)
	{
		if (!CFNumberGetValue(valueResult, kCFNumberSInt32Type, &result))
		{
			return 0;
		}

	}
	else
	{
		return 0;
	}

	return result;

}

/* TODO: This should be in some header */
CFStringRef GetAuthStringFromACLAuthorizationTag(sint32 tag);
CFStringRef GetAuthStringFromACLAuthorizationTag(sint32 tag)
{
	static CFDictionaryRef gTagMapping = NULL;
	CFNumberRef aNum = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &tag);

	if (NULL == gTagMapping)
	{
		gTagMapping = CreateNumToStringDictionary();
	}

	CFStringRef result = (CFStringRef)kSecACLAuthorizationAny;

	if (NULL != gTagMapping && CFDictionaryContainsKey(gTagMapping, aNum))
	{
		result = (CFStringRef)CFDictionaryGetValue(gTagMapping, aNum);
	}
	return result;
}

//
// CF boilerplate
//
CFTypeID SecAccessGetTypeID(void)
{
	BEGIN_SECAPI
	return gTypes().Access.typeID;
	END_SECAPI1(_kCFRuntimeNotATypeID)
}


//
// API bridge calls
//
/*!
 *	Create a new SecAccessRef that is set to the default configuration
 *	of a (newly created) security object.
 */
OSStatus SecAccessCreate(CFStringRef descriptor, CFArrayRef trustedList, SecAccessRef *accessRef)
{
	BEGIN_SECAPI
	Required(descriptor);
	SecPointer<Access> access;
	if (trustedList) {
		CFIndex length = CFArrayGetCount(trustedList);
		ACL::ApplicationList trusted;
		for (CFIndex n = 0; n < length; n++)
			trusted.push_back(TrustedApplication::required(
				SecTrustedApplicationRef(CFArrayGetValueAtIndex(trustedList, n))));
		access = new Access(cfString(descriptor), trusted);
	} else {
		access = new Access(cfString(descriptor));
	}
	Required(accessRef) = access->handle();
	END_SECAPI
}


/*!
 */
OSStatus SecAccessCreateFromOwnerAndACL(const CSSM_ACL_OWNER_PROTOTYPE *owner,
	uint32 aclCount, const CSSM_ACL_ENTRY_INFO *acls,
	SecAccessRef *accessRef)
{
	BEGIN_SECAPI
	Required(accessRef);	// preflight
	SecPointer<Access> access = new Access(Required(owner), aclCount, &Required(acls));
	*accessRef = access->handle();
	END_SECAPI
}

SecAccessRef SecAccessCreateWithOwnerAndACL(uid_t userId, gid_t groupId, SecAccessOwnerType ownerType, CFArrayRef acls, CFErrorRef *error)
{
	SecAccessRef result = NULL;

	CSSM_ACL_PROCESS_SUBJECT_SELECTOR selector =
	{
		CSSM_ACL_PROCESS_SELECTOR_CURRENT_VERSION,	// selector version
		ownerType,
		userId,
		groupId
	};

	CSSM_LIST_ELEMENT subject2 = { NULL, 0 };
	subject2.Element.Word.Data = (UInt8 *)&selector;
	subject2.Element.Word.Length = sizeof(selector);
	CSSM_LIST_ELEMENT subject1 =
	{
		&subject2, CSSM_ACL_SUBJECT_TYPE_PROCESS, CSSM_LIST_ELEMENT_WORDID
	};

	CFIndex numAcls = 0;

	if (NULL != acls)
	{
		numAcls = CFArrayGetCount(acls);
	}

#ifndef NDEBUG
	CFStringRef debugStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL,
		CFSTR("SecAccessCreateWithOwnerAndACL: processing %d acls"), (int)numAcls);
	CFShow(debugStr);
	CFRelease(debugStr);
#endif

	CSSM_ACL_AUTHORIZATION_TAG rights[numAcls];
	memset(rights, 0, sizeof(rights));

	for (CFIndex iCnt = 0; iCnt < numAcls; iCnt++)
	{
		CFStringRef aclStr = (CFStringRef)CFArrayGetValueAtIndex(acls, iCnt);

#ifndef NDEBUG
		debugStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL,
			CFSTR("SecAccessCreateWithOwnerAndACL: acls[%d] = %@"), (int)iCnt, aclStr);

		CFShow(debugStr);
		CFRelease(debugStr);
#endif

		CSSM_ACL_AUTHORIZATION_TAG aTag = GetACLAuthorizationTagFromString(aclStr);

#ifndef NDEBUG
		debugStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL,
			CFSTR("SecAccessCreateWithOwnerAndACL: rights[%d] = %d"), (int)iCnt, aTag);

		CFShow(debugStr);
		CFRelease(debugStr);
#endif

		rights[iCnt] = aTag;
	}


	for (CFIndex iCnt = 0; iCnt < numAcls; iCnt++)
	{
#ifndef NDEBUG
		debugStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL,
			CFSTR("SecAccessCreateWithOwnerAndACL: rights[%d]  = %d"), (int)iCnt, rights[iCnt]);

		CFShow(debugStr);
		CFRelease(debugStr);
#endif


	}

	CSSM_ACL_OWNER_PROTOTYPE owner =
	{
		// TypedSubject
		{ CSSM_LIST_TYPE_UNKNOWN, &subject1, &subject2 },
		// Delegate
		false
	};


	// ACL entries (any number, just one here)
	CSSM_ACL_ENTRY_INFO acl_rights[] =
	{
		{
			// prototype
			{
				// TypedSubject
				{ CSSM_LIST_TYPE_UNKNOWN, &subject1, &subject2 },
				false,	// Delegate
				// rights for this entry
				{ (uint32)(sizeof(rights) / sizeof(rights[0])), rights },
				// rest is defaulted
			}
		}
	};

	OSStatus err = SecAccessCreateFromOwnerAndACL(&owner,
		sizeof(acl_rights) / sizeof(acl_rights[0]), acl_rights, &result);

	if (errSecSuccess != err)
	{
		result = NULL;
		if (NULL != error)
		{
			*error  = CFErrorCreate(kCFAllocatorDefault, CFSTR("FIX ME"), err, NULL);
   		}
	}
	return result;
}


/*!
 */
OSStatus SecAccessGetOwnerAndACL(SecAccessRef accessRef,
	CSSM_ACL_OWNER_PROTOTYPE_PTR *owner,
	uint32 *aclCount, CSSM_ACL_ENTRY_INFO_PTR *acls)
{
	BEGIN_SECAPI
	Access::required(accessRef)->copyOwnerAndAcl(
		Required(owner), Required(aclCount), Required(acls));
	END_SECAPI
}

OSStatus SecAccessCopyOwnerAndACL(SecAccessRef accessRef, uid_t* userId, gid_t* groupId, SecAccessOwnerType* ownerType, CFArrayRef* aclList)
{
	CSSM_ACL_OWNER_PROTOTYPE_PTR owner = NULL;
	CSSM_ACL_ENTRY_INFO_PTR acls = NULL;
	uint32 aclCount = 0;
	OSStatus result = SecAccessGetOwnerAndACL(accessRef, &owner, &aclCount, &acls);
	if (errSecSuccess != result )
	{
		return result;
	}

	if (NULL != owner)
	{
		CSSM_LIST_ELEMENT_PTR listHead = owner->TypedSubject.Head;
		if (listHead != NULL && listHead->ElementType == CSSM_LIST_ELEMENT_WORDID)
		{
			CSSM_LIST_ELEMENT_PTR nextElement = listHead->NextElement;
			if (listHead->WordID == CSSM_ACL_SUBJECT_TYPE_PROCESS && listHead->ElementType == CSSM_LIST_ELEMENT_WORDID)
			{
				// nextElement contains the required data
				CSSM_ACL_PROCESS_SUBJECT_SELECTOR* selectorPtr = (CSSM_ACL_PROCESS_SUBJECT_SELECTOR*)nextElement->Element.Word.Data;
				if (NULL != selectorPtr)
				{
					if (NULL != userId)
					{
						*userId = (uid_t)selectorPtr->uid;
					}

					if (NULL != groupId)
					{
						*groupId = (gid_t)selectorPtr->gid;
					}

					if (NULL != ownerType)
					{
						*ownerType = (SecAccessOwnerType)selectorPtr->mask;
					}
				}
			}

		}

	}

	if (NULL != aclList)
	{
#ifndef NDEBUG
		CFShow(CFSTR("SecAccessCopyOwnerAndACL: processing the ACL list"));
#endif

		CFMutableArrayRef stringArray = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
		CSSM_ACL_OWNER_PROTOTYPE_PTR protoPtr = NULL;
		uint32 numAcls = 0L;
		CSSM_ACL_ENTRY_INFO_PTR aclEntry = NULL;

		result = SecAccessGetOwnerAndACL(accessRef, &protoPtr, &numAcls, &aclEntry);
		if (errSecSuccess == result)
		{
#ifndef NDEBUG
			CFStringRef tempStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("SecAccessCopyOwnerAndACL: numAcls = %d"), numAcls);
			CFShow(tempStr);
			CFRelease(tempStr);
#endif

			for (uint32 iCnt = 0; iCnt < numAcls; iCnt++)
			{
				CSSM_ACL_ENTRY_PROTOTYPE prototype = aclEntry[iCnt].EntryPublicInfo;
				CSSM_AUTHORIZATIONGROUP authGroup = prototype.Authorization;
				int numAuthTags = (int)authGroup.NumberOfAuthTags;

				for (int jCnt = 0; jCnt < numAuthTags; jCnt++)
				{

					sint32 aTag = authGroup.AuthTags[jCnt];
					CFStringRef aString = GetAuthStringFromACLAuthorizationTag(aTag);

					CFArrayAppendValue(stringArray, aString);
				}
			}
		}

		if (NULL != stringArray)
		{
			if (0 < CFArrayGetCount(stringArray))
			{
				*aclList = CFArrayCreateCopy(kCFAllocatorDefault, stringArray);
			}
			CFRelease(stringArray);
		}
	}

	return result;
}

/*!
 */
OSStatus SecAccessCopyACLList(SecAccessRef accessRef,
	CFArrayRef *aclList)
{
	BEGIN_SECAPI
	Required(aclList) = Access::required(accessRef)->copySecACLs();
	END_SECAPI
}


/*!
 */
OSStatus SecAccessCopySelectedACLList(SecAccessRef accessRef,
	CSSM_ACL_AUTHORIZATION_TAG action,
	CFArrayRef *aclList)
{
	BEGIN_SECAPI
	Required(aclList) = Access::required(accessRef)->copySecACLs(action);
	END_SECAPI
}

CFArrayRef SecAccessCopyMatchingACLList(SecAccessRef accessRef, CFTypeRef authorizationTag)
{
	CFArrayRef result = NULL;
	CSSM_ACL_AUTHORIZATION_TAG tag = GetACLAuthorizationTagFromString((CFStringRef)authorizationTag);
	OSStatus err = SecAccessCopySelectedACLList(accessRef, tag, &result);
	if (errSecSuccess != err)
	{
		result = NULL;
	}
	return result;
}

CFArrayRef copyTrustedAppListFromBundle(CFStringRef bundlePath, CFStringRef trustedAppListFileName)
{
	CFStringRef errorString = nil;
    CFURLRef bundleURL,trustedAppsURL = NULL;
    CFBundleRef secBundle = NULL;
	CFPropertyListRef trustedAppsPlist = NULL;
	CFDataRef xmlDataRef = NULL;
	SInt32 errorCode;
    CFArrayRef trustedAppList = NULL;
	CFMutableStringRef trustedAppListFileNameWithoutExtension = NULL;
Commit	Line	Data
b1ab9ed8	1	/*
427c49bc A	2	* Copyright (c) 2002-2004,2013 Apple Inc. All Rights Reserved.
427c49bc A	3	*
b1ab9ed8	4	* @APPLE_LICENSE_HEADER_START@
427c49bc	5	*
b1ab9ed8 A	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
427c49bc	12	*
b1ab9ed8 A	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
427c49bc	20	*
b1ab9ed8 A	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
427c49bc	24	#include <SecBase.h>
b1ab9ed8 A	25	#include <Security/SecAccess.h>
b1ab9ed8 A	26	#include <Security/SecAccessPriv.h>
427c49bc A	27	#include <Security/SecTrustedApplication.h>
427c49bc A	28	#include <Security/SecTrustedApplicationPriv.h>
b1ab9ed8 A	29	#include <security_keychain/Access.h>
	30	#include "SecBridge.h"
	31	#include <sys/param.h>
	32
427c49bc A	33	#undef secdebug
	34	#include <utilities/SecCFWrappers.h>
	35
	36
b1ab9ed8 A	37	/* No restrictions. Permission to perform all operations on
	38	the resource or available to an ACL owner. */
	39
	40
	41	CFTypeRef kSecACLAuthorizationAny = (CFTypeRef)(CFSTR("ACLAuthorizationAny"));
	42
	43	CFTypeRef kSecACLAuthorizationLogin = (CFTypeRef)(CFSTR("ACLAuthorizationLogin"));
	44	CFTypeRef kSecACLAuthorizationGenKey = (CFTypeRef)(CFSTR("ACLAuthorizationGenKey"));
	45	CFTypeRef kSecACLAuthorizationDelete = (CFTypeRef)(CFSTR("ACLAuthorizationDelete"));
	46	CFTypeRef kSecACLAuthorizationExportWrapped = (CFTypeRef)(CFSTR("ACLAuthorizationExportWrapped"));
	47	CFTypeRef kSecACLAuthorizationExportClear = (CFTypeRef)(CFSTR("ACLAuthorizationExportClear"));
	48	CFTypeRef kSecACLAuthorizationImportWrapped = (CFTypeRef)(CFSTR("ACLAuthorizationImportWrapped"));
	49	CFTypeRef kSecACLAuthorizationImportClear = (CFTypeRef)(CFSTR("ACLAuthorizationImportClear"));
	50	CFTypeRef kSecACLAuthorizationSign = (CFTypeRef)(CFSTR("ACLAuthorizationSign"));
	51	CFTypeRef kSecACLAuthorizationEncrypt = (CFTypeRef)(CFSTR("ACLAuthorizationEncrypt"));
	52	CFTypeRef kSecACLAuthorizationDecrypt = (CFTypeRef)(CFSTR("ACLAuthorizationDecrypt"));
	53	CFTypeRef kSecACLAuthorizationMAC = (CFTypeRef)(CFSTR("ACLAuthorizationMAC"));
	54	CFTypeRef kSecACLAuthorizationDerive = (CFTypeRef)(CFSTR("ACLAuthorizationDerive"));
	55
	56	/* Defined authorization tag values for Keychain */
	57
	58
427c49bc	59
b1ab9ed8 A	60	CFTypeRef kSecACLAuthorizationKeychainCreate = (CFTypeRef)(CFSTR("ACLAuthorizationKeychainCreate"));
	61	CFTypeRef kSecACLAuthorizationKeychainDelete = (CFTypeRef)(CFSTR("ACLAuthorizationKeychainDelete"));
	62	CFTypeRef kSecACLAuthorizationKeychainItemRead = (CFTypeRef)(CFSTR("ACLAuthorizationKeychainItemRead"));
	63	CFTypeRef kSecACLAuthorizationKeychainItemInsert = (CFTypeRef)(CFSTR("ACLAuthorizationKeychainItemInsert"));
	64	CFTypeRef kSecACLAuthorizationKeychainItemModify = (CFTypeRef)(CFSTR("ACLAuthorizationKeychainItemModify"));
	65	CFTypeRef kSecACLAuthorizationKeychainItemDelete = (CFTypeRef)(CFSTR("ACLAuthorizationKeychainItemDelete"));
	66
	67	CFTypeRef kSecACLAuthorizationChangeACL = (CFTypeRef)(CFSTR("ACLAuthorizationChangeACL"));
	68	CFTypeRef kSecACLAuthorizationChangeOwner = (CFTypeRef)(CFSTR("ACLAuthorizationChangeOwner"));
	69
	70
	71	static CFArrayRef copyTrustedAppListFromBundle(CFStringRef bundlePath, CFStringRef trustedAppListFileName);
	72
427c49bc	73	static CFStringRef gKeys[] =
b1ab9ed8 A	74	{
	75	(CFStringRef)kSecACLAuthorizationAny,
	76	(CFStringRef)kSecACLAuthorizationLogin,
	77	(CFStringRef)kSecACLAuthorizationGenKey,
	78	(CFStringRef)kSecACLAuthorizationDelete,
	79	(CFStringRef)kSecACLAuthorizationExportWrapped,
	80	(CFStringRef)kSecACLAuthorizationExportClear,
	81	(CFStringRef)kSecACLAuthorizationImportWrapped,
	82	(CFStringRef)kSecACLAuthorizationImportClear,
	83	(CFStringRef)kSecACLAuthorizationSign,
	84	(CFStringRef)kSecACLAuthorizationEncrypt,
	85	(CFStringRef)kSecACLAuthorizationDecrypt,
	86	(CFStringRef)kSecACLAuthorizationMAC,
	87	(CFStringRef)kSecACLAuthorizationDerive,
	88
	89	/* Defined authorization tag values for Keychain */
	90	(CFStringRef)kSecACLAuthorizationKeychainCreate,
	91	(CFStringRef)kSecACLAuthorizationKeychainDelete,
	92	(CFStringRef)kSecACLAuthorizationKeychainItemRead,
	93	(CFStringRef)kSecACLAuthorizationKeychainItemInsert,
	94	(CFStringRef)kSecACLAuthorizationKeychainItemModify,
	95	(CFStringRef)kSecACLAuthorizationKeychainItemDelete,
427c49bc	96
b1ab9ed8 A	97	(CFStringRef)kSecACLAuthorizationChangeACL,
b1ab9ed8 A	98	(CFStringRef)kSecACLAuthorizationChangeOwner
427c49bc	99
b1ab9ed8 A	100	};
	101
	102	static sint32 gValues[] =
	103	{
	104	CSSM_ACL_AUTHORIZATION_ANY,
	105	CSSM_ACL_AUTHORIZATION_LOGIN,
	106	CSSM_ACL_AUTHORIZATION_GENKEY,
	107	CSSM_ACL_AUTHORIZATION_DELETE,
	108	CSSM_ACL_AUTHORIZATION_EXPORT_WRAPPED,
	109	CSSM_ACL_AUTHORIZATION_EXPORT_CLEAR,
	110	CSSM_ACL_AUTHORIZATION_IMPORT_WRAPPED,
	111	CSSM_ACL_AUTHORIZATION_IMPORT_CLEAR,
	112	CSSM_ACL_AUTHORIZATION_SIGN,
	113	CSSM_ACL_AUTHORIZATION_ENCRYPT,
	114	CSSM_ACL_AUTHORIZATION_DECRYPT,
	115	CSSM_ACL_AUTHORIZATION_MAC,
	116	CSSM_ACL_AUTHORIZATION_DERIVE,
	117	CSSM_ACL_AUTHORIZATION_DBS_CREATE,
	118	CSSM_ACL_AUTHORIZATION_DBS_DELETE,
	119	CSSM_ACL_AUTHORIZATION_DB_READ,
	120	CSSM_ACL_AUTHORIZATION_DB_INSERT,
	121	CSSM_ACL_AUTHORIZATION_DB_MODIFY,
	122	CSSM_ACL_AUTHORIZATION_DB_DELETE,
	123	CSSM_ACL_AUTHORIZATION_CHANGE_ACL,
	124	CSSM_ACL_AUTHORIZATION_CHANGE_OWNER
	125	};
	126
427c49bc	127	static
b1ab9ed8 A	128	CFDictionaryRef CreateStringToNumDictionary()
	129	{
	130	int numItems = (sizeof(gValues) / sizeof(sint32));
427c49bc A	131	CFMutableDictionaryRef tempDict = CFDictionaryCreateMutable(kCFAllocatorDefault, numItems, &kCFCopyStringDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
427c49bc A	132
b1ab9ed8 A	133	for (int iCnt = 0; iCnt < numItems; iCnt++)
	134	{
	135	sint32 aNumber = gValues[iCnt];
	136	CFNumberRef aNum = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &aNumber);
427c49bc	137
b1ab9ed8 A	138	CFStringRef aString = gKeys[iCnt];
b1ab9ed8 A	139	CFDictionaryAddValue(tempDict, aString, aNum);
427c49bc	140	CFRelease(aNum);
b1ab9ed8	141	}
427c49bc	142
b1ab9ed8 A	143	CFDictionaryRef result = CFDictionaryCreateCopy(kCFAllocatorDefault, tempDict);
	144	CFRelease(tempDict);
	145	return result;
427c49bc	146
b1ab9ed8 A	147	}
b1ab9ed8 A	148
427c49bc	149	static
b1ab9ed8 A	150	CFDictionaryRef CreateNumToStringDictionary()
	151	{
	152	int numItems = (sizeof(gValues) / sizeof(sint32));
427c49bc A	153
	154	CFMutableDictionaryRef tempDict = CFDictionaryCreateMutable(kCFAllocatorDefault, numItems, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
	155
b1ab9ed8 A	156	for (int iCnt = 0; iCnt < numItems; iCnt++)
	157	{
	158	sint32 aNumber = gValues[iCnt];
427c49bc A	159	CFNumberRef aNum = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &aNumber);
427c49bc A	160
b1ab9ed8 A	161	CFStringRef aString = gKeys[iCnt];
	162	CFDictionaryAddValue(tempDict, aNum, aString);
	163	CFRelease(aNum);
427c49bc	164
b1ab9ed8	165	}
427c49bc	166
b1ab9ed8 A	167	CFDictionaryRef result = CFDictionaryCreateCopy(kCFAllocatorDefault, tempDict);
	168	CFRelease(tempDict);
	169	return result;
	170	}
	171
	172
427c49bc A	173	/* TODO: This should be in some header */
427c49bc A	174	sint32 GetACLAuthorizationTagFromString(CFStringRef aclStr);
b1ab9ed8 A	175	sint32 GetACLAuthorizationTagFromString(CFStringRef aclStr)
	176	{
	177	if (NULL == aclStr)
	178	{
	179	#ifndef NDEBUG
	180	CFShow(CFSTR("GetACLAuthorizationTagFromString aclStr is NULL"));
	181	#endif
	182	return 0;
	183	}
427c49bc	184
b1ab9ed8	185	static CFDictionaryRef gACLMapping = NULL;
427c49bc	186
b1ab9ed8 A	187	if (NULL == gACLMapping)
	188	{
	189	gACLMapping = CreateStringToNumDictionary();
	190	}
427c49bc	191
b1ab9ed8 A	192	sint32 result = 0;
	193	CFNumberRef valueResult = (CFNumberRef)CFDictionaryGetValue(gACLMapping, aclStr);
	194	if (NULL != valueResult)
	195	{
	196	if (!CFNumberGetValue(valueResult, kCFNumberSInt32Type, &result))
	197	{
	198	return 0;
	199	}
427c49bc	200
b1ab9ed8 A	201	}
	202	else
	203	{
	204	return 0;
	205	}
427c49bc	206
b1ab9ed8	207	return result;
427c49bc	208
b1ab9ed8 A	209	}
b1ab9ed8 A	210
427c49bc A	211	/* TODO: This should be in some header */
427c49bc A	212	CFStringRef GetAuthStringFromACLAuthorizationTag(sint32 tag);
b1ab9ed8 A	213	CFStringRef GetAuthStringFromACLAuthorizationTag(sint32 tag)
	214	{
	215	static CFDictionaryRef gTagMapping = NULL;
	216	CFNumberRef aNum = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &tag);
427c49bc	217
b1ab9ed8 A	218	if (NULL == gTagMapping)
	219	{
	220	gTagMapping = CreateNumToStringDictionary();
	221	}
427c49bc	222
b1ab9ed8	223	CFStringRef result = (CFStringRef)kSecACLAuthorizationAny;
427c49bc	224
b1ab9ed8 A	225	if (NULL != gTagMapping && CFDictionaryContainsKey(gTagMapping, aNum))
	226	{
	227	result = (CFStringRef)CFDictionaryGetValue(gTagMapping, aNum);
	228	}
	229	return result;
	230	}
	231
	232	//
	233	// CF boilerplate
	234	//
	235	CFTypeID SecAccessGetTypeID(void)
	236	{
	237	BEGIN_SECAPI
	238	return gTypes().Access.typeID;
	239	END_SECAPI1(_kCFRuntimeNotATypeID)
	240	}
	241
	242
	243	//
	244	// API bridge calls
	245	//
	246	/*!
	247	* Create a new SecAccessRef that is set to the default configuration
	248	* of a (newly created) security object.
	249	*/
	250	OSStatus SecAccessCreate(CFStringRef descriptor, CFArrayRef trustedList, SecAccessRef *accessRef)
	251	{
	252	BEGIN_SECAPI
	253	Required(descriptor);
	254	SecPointer<Access> access;
	255	if (trustedList) {
	256	CFIndex length = CFArrayGetCount(trustedList);
	257	ACL::ApplicationList trusted;
	258	for (CFIndex n = 0; n < length; n++)
	259	trusted.push_back(TrustedApplication::required(
	260	SecTrustedApplicationRef(CFArrayGetValueAtIndex(trustedList, n))));
	261	access = new Access(cfString(descriptor), trusted);
	262	} else {
	263	access = new Access(cfString(descriptor));
	264	}
	265	Required(accessRef) = access->handle();
	266	END_SECAPI
	267	}
	268
	269
	270	/*!
	271	*/
	272	OSStatus SecAccessCreateFromOwnerAndACL(const CSSM_ACL_OWNER_PROTOTYPE *owner,
	273	uint32 aclCount, const CSSM_ACL_ENTRY_INFO *acls,
	274	SecAccessRef *accessRef)
	275	{
	276	BEGIN_SECAPI
	277	Required(accessRef); // preflight
	278	SecPointer<Access> access = new Access(Required(owner), aclCount, &Required(acls));
	279	*accessRef = access->handle();
	280	END_SECAPI
	281	}
	282
	283	SecAccessRef SecAccessCreateWithOwnerAndACL(uid_t userId, gid_t groupId, SecAccessOwnerType ownerType, CFArrayRef acls, CFErrorRef *error)
	284	{
	285	SecAccessRef result = NULL;
427c49bc A	286
427c49bc A	287	CSSM_ACL_PROCESS_SUBJECT_SELECTOR selector =
b1ab9ed8 A	288	{
b1ab9ed8 A	289	CSSM_ACL_PROCESS_SELECTOR_CURRENT_VERSION, // selector version
427c49bc A	290	ownerType,
	291	userId,
	292	groupId
b1ab9ed8	293	};
427c49bc	294
b1ab9ed8 A	295	CSSM_LIST_ELEMENT subject2 = { NULL, 0 };
	296	subject2.Element.Word.Data = (UInt8 *)&selector;
	297	subject2.Element.Word.Length = sizeof(selector);
427c49bc	298	CSSM_LIST_ELEMENT subject1 =
b1ab9ed8 A	299	{
	300	&subject2, CSSM_ACL_SUBJECT_TYPE_PROCESS, CSSM_LIST_ELEMENT_WORDID
	301	};
427c49bc	302
b1ab9ed8	303	CFIndex numAcls = 0;
427c49bc	304
b1ab9ed8 A	305	if (NULL != acls)
	306	{
	307	numAcls = CFArrayGetCount(acls);
427c49bc A	308	}
427c49bc A	309
b1ab9ed8	310	#ifndef NDEBUG
427c49bc A	311	CFStringRef debugStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL,
427c49bc A	312	CFSTR("SecAccessCreateWithOwnerAndACL: processing %d acls"), (int)numAcls);
b1ab9ed8 A	313	CFShow(debugStr);
	314	CFRelease(debugStr);
	315	#endif
427c49bc	316
b1ab9ed8 A	317	CSSM_ACL_AUTHORIZATION_TAG rights[numAcls];
b1ab9ed8 A	318	memset(rights, 0, sizeof(rights));
427c49bc	319
b1ab9ed8 A	320	for (CFIndex iCnt = 0; iCnt < numAcls; iCnt++)
	321	{
	322	CFStringRef aclStr = (CFStringRef)CFArrayGetValueAtIndex(acls, iCnt);
427c49bc	323
b1ab9ed8	324	#ifndef NDEBUG
427c49bc A	325	debugStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL,
	326	CFSTR("SecAccessCreateWithOwnerAndACL: acls[%d] = %@"), (int)iCnt, aclStr);
	327
b1ab9ed8 A	328	CFShow(debugStr);
	329	CFRelease(debugStr);
	330	#endif
427c49bc	331
b1ab9ed8	332	CSSM_ACL_AUTHORIZATION_TAG aTag = GetACLAuthorizationTagFromString(aclStr);
427c49bc	333
b1ab9ed8	334	#ifndef NDEBUG
427c49bc A	335	debugStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL,
	336	CFSTR("SecAccessCreateWithOwnerAndACL: rights[%d] = %d"), (int)iCnt, aTag);
	337
b1ab9ed8 A	338	CFShow(debugStr);
	339	CFRelease(debugStr);
	340	#endif
427c49bc	341
b1ab9ed8 A	342	rights[iCnt] = aTag;
b1ab9ed8 A	343	}
427c49bc A	344
427c49bc A	345
b1ab9ed8 A	346	for (CFIndex iCnt = 0; iCnt < numAcls; iCnt++)
	347	{
	348	#ifndef NDEBUG
427c49bc A	349	debugStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL,
	350	CFSTR("SecAccessCreateWithOwnerAndACL: rights[%d] = %d"), (int)iCnt, rights[iCnt]);
	351
b1ab9ed8 A	352	CFShow(debugStr);
	353	CFRelease(debugStr);
	354	#endif
427c49bc	355
b1ab9ed8 A	356
b1ab9ed8 A	357	}
427c49bc A	358
427c49bc A	359	CSSM_ACL_OWNER_PROTOTYPE owner =
b1ab9ed8 A	360	{
	361	// TypedSubject
	362	{ CSSM_LIST_TYPE_UNKNOWN, &subject1, &subject2 },
	363	// Delegate
	364	false
	365	};
427c49bc A	366
427c49bc A	367
b1ab9ed8	368	// ACL entries (any number, just one here)
427c49bc	369	CSSM_ACL_ENTRY_INFO acl_rights[] =
b1ab9ed8 A	370	{
	371	{
	372	// prototype
	373	{
	374	// TypedSubject
	375	{ CSSM_LIST_TYPE_UNKNOWN, &subject1, &subject2 },
	376	false, // Delegate
	377	// rights for this entry
427c49bc	378	{ (uint32)(sizeof(rights) / sizeof(rights[0])), rights },
b1ab9ed8 A	379	// rest is defaulted
	380	}
	381	}
	382	};
427c49bc A	383
427c49bc A	384	OSStatus err = SecAccessCreateFromOwnerAndACL(&owner,
b1ab9ed8	385	sizeof(acl_rights) / sizeof(acl_rights[0]), acl_rights, &result);
427c49bc A	386
427c49bc A	387	if (errSecSuccess != err)
b1ab9ed8 A	388	{
	389	result = NULL;
	390	if (NULL != error)
	391	{
	392	*error = CFErrorCreate(kCFAllocatorDefault, CFSTR("FIX ME"), err, NULL);
	393	}
	394	}
427c49bc	395	return result;
b1ab9ed8 A	396	}
	397
	398
	399	/*!
	400	*/
	401	OSStatus SecAccessGetOwnerAndACL(SecAccessRef accessRef,
	402	CSSM_ACL_OWNER_PROTOTYPE_PTR *owner,
	403	uint32 aclCount, CSSM_ACL_ENTRY_INFO_PTR acls)
	404	{
	405	BEGIN_SECAPI
	406	Access::required(accessRef)->copyOwnerAndAcl(
	407	Required(owner), Required(aclCount), Required(acls));
	408	END_SECAPI
	409	}
	410
	411	OSStatus SecAccessCopyOwnerAndACL(SecAccessRef accessRef, uid_t* userId, gid_t* groupId, SecAccessOwnerType* ownerType, CFArrayRef* aclList)
	412	{
	413	CSSM_ACL_OWNER_PROTOTYPE_PTR owner = NULL;
	414	CSSM_ACL_ENTRY_INFO_PTR acls = NULL;
	415	uint32 aclCount = 0;
	416	OSStatus result = SecAccessGetOwnerAndACL(accessRef, &owner, &aclCount, &acls);
427c49bc	417	if (errSecSuccess != result )
b1ab9ed8 A	418	{
	419	return result;
	420	}
427c49bc	421
b1ab9ed8 A	422	if (NULL != owner)
	423	{
	424	CSSM_LIST_ELEMENT_PTR listHead = owner->TypedSubject.Head;
	425	if (listHead != NULL && listHead->ElementType == CSSM_LIST_ELEMENT_WORDID)
	426	{
	427	CSSM_LIST_ELEMENT_PTR nextElement = listHead->NextElement;
	428	if (listHead->WordID == CSSM_ACL_SUBJECT_TYPE_PROCESS && listHead->ElementType == CSSM_LIST_ELEMENT_WORDID)
	429	{
	430	// nextElement contains the required data
	431	CSSM_ACL_PROCESS_SUBJECT_SELECTOR* selectorPtr = (CSSM_ACL_PROCESS_SUBJECT_SELECTOR*)nextElement->Element.Word.Data;
	432	if (NULL != selectorPtr)
	433	{
	434	if (NULL != userId)
	435	{
	436	*userId = (uid_t)selectorPtr->uid;
	437	}
427c49bc	438
b1ab9ed8 A	439	if (NULL != groupId)
	440	{
	441	*groupId = (gid_t)selectorPtr->gid;
	442	}
427c49bc	443
b1ab9ed8 A	444	if (NULL != ownerType)
	445	{
	446	*ownerType = (SecAccessOwnerType)selectorPtr->mask;
	447	}
	448	}
	449	}
427c49bc	450
b1ab9ed8	451	}
427c49bc	452
b1ab9ed8	453	}
427c49bc	454
b1ab9ed8 A	455	if (NULL != aclList)
	456	{
	457	#ifndef NDEBUG
	458	CFShow(CFSTR("SecAccessCopyOwnerAndACL: processing the ACL list"));
	459	#endif
	460
	461	CFMutableArrayRef stringArray = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
	462	CSSM_ACL_OWNER_PROTOTYPE_PTR protoPtr = NULL;
	463	uint32 numAcls = 0L;
	464	CSSM_ACL_ENTRY_INFO_PTR aclEntry = NULL;
427c49bc	465
b1ab9ed8	466	result = SecAccessGetOwnerAndACL(accessRef, &protoPtr, &numAcls, &aclEntry);
427c49bc	467	if (errSecSuccess == result)
b1ab9ed8 A	468	{
	469	#ifndef NDEBUG
	470	CFStringRef tempStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("SecAccessCopyOwnerAndACL: numAcls = %d"), numAcls);
	471	CFShow(tempStr);
	472	CFRelease(tempStr);
	473	#endif
	474
	475	for (uint32 iCnt = 0; iCnt < numAcls; iCnt++)
	476	{
	477	CSSM_ACL_ENTRY_PROTOTYPE prototype = aclEntry[iCnt].EntryPublicInfo;
	478	CSSM_AUTHORIZATIONGROUP authGroup = prototype.Authorization;
	479	int numAuthTags = (int)authGroup.NumberOfAuthTags;
427c49bc	480
b1ab9ed8 A	481	for (int jCnt = 0; jCnt < numAuthTags; jCnt++)
b1ab9ed8 A	482	{
427c49bc	483
b1ab9ed8 A	484	sint32 aTag = authGroup.AuthTags[jCnt];
b1ab9ed8 A	485	CFStringRef aString = GetAuthStringFromACLAuthorizationTag(aTag);
427c49bc	486
b1ab9ed8 A	487	CFArrayAppendValue(stringArray, aString);
	488	}
	489	}
	490	}
427c49bc	491
b1ab9ed8 A	492	if (NULL != stringArray)
	493	{
	494	if (0 < CFArrayGetCount(stringArray))
	495	{
	496	*aclList = CFArrayCreateCopy(kCFAllocatorDefault, stringArray);
	497	}
	498	CFRelease(stringArray);
	499	}
	500	}
427c49bc A	501
427c49bc A	502	return result;
b1ab9ed8 A	503	}
	504
	505	/*!
	506	*/
	507	OSStatus SecAccessCopyACLList(SecAccessRef accessRef,
	508	CFArrayRef *aclList)
	509	{
	510	BEGIN_SECAPI
	511	Required(aclList) = Access::required(accessRef)->copySecACLs();
	512	END_SECAPI
	513	}
	514
	515
	516	/*!
	517	*/
	518	OSStatus SecAccessCopySelectedACLList(SecAccessRef accessRef,
	519	CSSM_ACL_AUTHORIZATION_TAG action,
	520	CFArrayRef *aclList)
	521	{
	522	BEGIN_SECAPI
	523	Required(aclList) = Access::required(accessRef)->copySecACLs(action);
	524	END_SECAPI
	525	}
	526
	527	CFArrayRef SecAccessCopyMatchingACLList(SecAccessRef accessRef, CFTypeRef authorizationTag)
	528	{
	529	CFArrayRef result = NULL;
	530	CSSM_ACL_AUTHORIZATION_TAG tag = GetACLAuthorizationTagFromString((CFStringRef)authorizationTag);
	531	OSStatus err = SecAccessCopySelectedACLList(accessRef, tag, &result);
427c49bc	532	if (errSecSuccess != err)
b1ab9ed8 A	533	{
	534	result = NULL;
	535	}
	536	return result;
	537	}
	538
	539	CFArrayRef copyTrustedAppListFromBundle(CFStringRef bundlePath, CFStringRef trustedAppListFileName)
	540	{
	541	CFStringRef errorString = nil;
	542	CFURLRef bundleURL,trustedAppsURL = NULL;
	543	CFBundleRef secBundle = NULL;
	544	CFPropertyListRef trustedAppsPlist = NULL;
	545	CFDataRef xmlDataRef = NULL;
	546	SInt32 errorCode;
	547	CFArrayRef trustedAppList = NULL;
	548	CFMutableStringRef trustedAppListFileNameWithoutExtension = NULL;
	549
	550