[apple/security.git] / OSX / libsecurity_keychain / lib / IdentityCursor.cpp

/*
 * Copyright (c) 2002-2008,2011-2012 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 *
 * IdentityCursor.cpp -- Working with IdentityCursor
 */

#include <security_keychain/IdentityCursor.h>
#include <security_keychain/Identity.h>
#include <security_keychain/Trust.h>
#include <security_keychain/Item.h>
#include <security_keychain/Certificate.h>
#include <security_keychain/KeyItem.h>
#include <security_keychain/Globals.h>
#include <security_cdsa_utilities/Schema.h>
#include <security_cdsa_utilities/KeySchema.h>
#include <Security/oidsalg.h>
#include <Security/SecKeychainItemPriv.h>
#include <security_utilities/simpleprefs.h>
#include <sys/param.h>

using namespace KeychainCore;

IdentityCursorPolicyAndID::IdentityCursorPolicyAndID(const StorageManager::KeychainList &searchList, CSSM_KEYUSE keyUsage, CFStringRef idString, SecPolicyRef policy, bool returnOnlyValidIdentities) :
	IdentityCursor(searchList, keyUsage),
	mPolicy(policy),
	mIDString(idString),
	mReturnOnlyValidIdentities(returnOnlyValidIdentities),
	mPreferredIdentityChecked(false),
	mPreferredIdentity(nil)
{
	if (mPolicy) {
		CFRetain(mPolicy);
	}
	if (mIDString) {
		CFRetain(mIDString);
	}
}

IdentityCursorPolicyAndID::~IdentityCursorPolicyAndID() throw()
{
	if (mPolicy) {
		CFRelease(mPolicy);
	}
	if (mIDString) {
		CFRelease(mIDString);
	}
}

void
IdentityCursorPolicyAndID::findPreferredIdentity()
{
	char idUTF8[MAXPATHLEN];
	if (!mIDString || !CFStringGetCString(mIDString, idUTF8, sizeof(idUTF8)-1, kCFStringEncodingUTF8))
		idUTF8[0] = (char)'\0';
	uint32_t iprfValue = 'iprf'; // value is specified in host byte order, since kSecTypeItemAttr has type uint32 in the db schema
	SecKeychainAttribute sAttrs[] = {
		{ kSecTypeItemAttr, sizeof(uint32_t), &iprfValue },
		{ kSecServiceItemAttr, (UInt32)strlen(idUTF8), (char *)idUTF8 }
	};
	SecKeychainAttributeList sAttrList = { sizeof(sAttrs) / sizeof(sAttrs[0]), sAttrs };

//	StorageManager::KeychainList keychains;
//	globals().storageManager.optionalSearchList((CFTypeRef)nil, keychains);

	Item item;
	KCCursor cursor(mSearchList /*keychains*/, kSecGenericPasswordItemClass, &sAttrList);
	if (!cursor->next(item))
		return;

	// get persistent certificate reference
	SecKeychainAttribute itemAttrs[] = { { kSecGenericItemAttr, 0, NULL } };
	SecKeychainAttributeList itemAttrList = { sizeof(itemAttrs) / sizeof(itemAttrs[0]), itemAttrs };
	item->getContent(NULL, &itemAttrList, NULL, NULL);

	// find certificate, given persistent reference data
	CFDataRef pItemRef = CFDataCreateWithBytesNoCopy(NULL, (const UInt8 *)itemAttrs[0].data, itemAttrs[0].length, kCFAllocatorNull);
	SecKeychainItemRef certItemRef = nil;
	OSStatus status = SecKeychainItemCopyFromPersistentReference(pItemRef, &certItemRef);
	if (pItemRef)
		CFRelease(pItemRef);
	item->freeContent(&itemAttrList, NULL);
	if (status || !certItemRef)
		return;

	// create identity reference, given certificate
	Item certItem = ItemImpl::required(SecKeychainItemRef(certItemRef));
	SecPointer<Certificate> certificate(static_cast<Certificate *>(certItem.get()));
	SecPointer<Identity> identity(new Identity(mSearchList /*keychains*/, certificate));

	mPreferredIdentity = identity;

	if (certItemRef)
		CFRelease(certItemRef);
}

bool
IdentityCursorPolicyAndID::next(SecPointer<Identity> &identity)
{
	SecPointer<Identity> currIdentity;
	Boolean identityOK = true;

	if (!mPreferredIdentityChecked)
	{
        try
        {
            findPreferredIdentity();
        }
        catch(...) {}
		mPreferredIdentityChecked = true;
		if (mPreferredIdentity)
		{
			identity = mPreferredIdentity;
			return true;
		}
	}

	for (;;)
	{
		bool result = IdentityCursor::next(currIdentity);   // base class finds the next identity by keyUsage
		if ( result )
		{
			if (mPreferredIdentity && (currIdentity == mPreferredIdentity))
			{
				identityOK = false;	// we already returned this one, move on to the next
				continue;
			}

			// If there was no policy specified, we're done.
			if ( !mPolicy )
			{
				identityOK = true; // return this identity
				break;
			}

			// To reduce the number of (potentially expensive) trust evaluations performed, we need
			// to do some pre-processing to filter out certs that don't match the search criteria.
			// Rather than try to duplicate the TP's policy logic here, we'll just call the TP with
			// a single-element certificate array, no anchors, and no keychains to search.

			SecPointer<Certificate> certificate = currIdentity->certificate();
			CFRef<SecCertificateRef> certRef(certificate->handle());
			CFRef<CFMutableArrayRef> anchorsArray(CFArrayCreateMutable(NULL, 1, NULL));
			CFRef<CFMutableArrayRef> certArray(CFArrayCreateMutable(NULL, 1, NULL));
			if ( !certArray || !anchorsArray )
			{
				identityOK = false; // skip this and move on to the next one
				continue;
			}
			CFArrayAppendValue(certArray, certRef);

			SecPointer<Trust> trustLite = new Trust(certArray, mPolicy);
			StorageManager::KeychainList emptyList;
			// Set the anchors and keychain search list to be empty
			trustLite->anchors(anchorsArray);
			trustLite->searchLibs(emptyList);
			trustLite->evaluate();
			SecTrustResultType trustResult = trustLite->result();

			if (trustResult == kSecTrustResultRecoverableTrustFailure ||
				trustResult == kSecTrustResultFatalTrustFailure)
			{
				CFArrayRef certChain = NULL;
				CSSM_TP_APPLE_EVIDENCE_INFO *statusChain = NULL, *evInfo = NULL;
				trustLite->buildEvidence(certChain, TPEvidenceInfo::overlayVar(statusChain));
				if (statusChain)
					evInfo = &statusChain[0];
				if (!evInfo || evInfo->NumStatusCodes > 0) // per-cert codes means we can't use this cert for this policy
					trustResult = kSecTrustResultInvalid; // handled below
				if (certChain)
					CFRelease(certChain);
			}
			if (trustResult == kSecTrustResultInvalid)
			{
				identityOK = false; // move on to the next one
				continue;
			}

			// If trust evaluation isn't requested, we're done.
			if ( !mReturnOnlyValidIdentities )
			{
				identityOK = true; // return this identity
				break;
			}

			// Perform a full trust evaluation on the certificate with the specified policy.
			SecPointer<Trust> trust = new Trust(certArray, mPolicy);
			trust->evaluate();
			trustResult = trust->result();

			if (trustResult == kSecTrustResultInvalid ||
				trustResult == kSecTrustResultRecoverableTrustFailure ||
				trustResult == kSecTrustResultFatalTrustFailure)
			{
				identityOK = false; // move on to the next one
				continue;
			}

			identityOK = true; // this one was OK; return it.
			break;
		}
		else
		{
			identityOK = false; // no more left.
			break;
		}
	}   // for(;;)

	if ( identityOK )
	{
		identity = currIdentity; // caller will release the identity
		return true;
	}
	else
	{
		return false;
	}
}


IdentityCursor::IdentityCursor(const StorageManager::KeychainList &searchList, CSSM_KEYUSE keyUsage) :
	mSearchList(searchList),
	mKeyCursor(mSearchList, (SecItemClass) CSSM_DL_DB_RECORD_PRIVATE_KEY, NULL),
	mMutex(Mutex::recursive)
{
	StLock<Mutex>_(mMutex);

	// If keyUsage is CSSM_KEYUSE_ANY then we need a key that can do everything
	if (keyUsage & CSSM_KEYUSE_ANY)
		keyUsage = CSSM_KEYUSE_ENCRYPT | CSSM_KEYUSE_DECRYPT
						   | CSSM_KEYUSE_DERIVE | CSSM_KEYUSE_SIGN
						   | CSSM_KEYUSE_VERIFY | CSSM_KEYUSE_SIGN_RECOVER
						   | CSSM_KEYUSE_VERIFY_RECOVER | CSSM_KEYUSE_WRAP
						   | CSSM_KEYUSE_UNWRAP;

	if (keyUsage & CSSM_KEYUSE_ENCRYPT)
		mKeyCursor->add(CSSM_DB_EQUAL, KeySchema::Encrypt, true);
	if (keyUsage & CSSM_KEYUSE_DECRYPT)
		mKeyCursor->add(CSSM_DB_EQUAL, KeySchema::Decrypt, true);
	if (keyUsage & CSSM_KEYUSE_DERIVE)
		mKeyCursor->add(CSSM_DB_EQUAL, KeySchema::Derive, true);
	if (keyUsage & CSSM_KEYUSE_SIGN)
		mKeyCursor->add(CSSM_DB_EQUAL, KeySchema::Sign, true);
	if (keyUsage & CSSM_KEYUSE_VERIFY)
		mKeyCursor->add(CSSM_DB_EQUAL, KeySchema::Verify, true);
	if (keyUsage & CSSM_KEYUSE_SIGN_RECOVER)
		mKeyCursor->add(CSSM_DB_EQUAL, KeySchema::SignRecover, true);
	if (keyUsage & CSSM_KEYUSE_VERIFY_RECOVER)
		mKeyCursor->add(CSSM_DB_EQUAL, KeySchema::VerifyRecover, true);
	if (keyUsage & CSSM_KEYUSE_WRAP)
		mKeyCursor->add(CSSM_DB_EQUAL, KeySchema::Wrap, true);
	if (keyUsage & CSSM_KEYUSE_UNWRAP)
		mKeyCursor->add(CSSM_DB_EQUAL, KeySchema::Unwrap, true);
}

IdentityCursor::~IdentityCursor() throw()
{
}

CFDataRef
IdentityCursor::pubKeyHashForSystemIdentity(CFStringRef domain)
{
	StLock<Mutex>_(mMutex);

    CFDataRef entryValue = nil;
	auto_ptr<Dictionary> identDict;
	Dictionary* d = Dictionary::CreateDictionary("com.apple.security.systemidentities", Dictionary::US_System);
	if (d)
	{
		identDict.reset(d);
        entryValue = identDict->getDataValue(domain);
        if (entryValue == nil) {
            /* try for default entry if we're not already looking for default */
            if(!CFEqual(domain, kSecIdentityDomainDefault)) {
                entryValue = identDict->getDataValue(kSecIdentityDomainDefault);
            }
        }
    }

    if (entryValue) {
        CFRetain(entryValue);
    }
    return entryValue;
}

bool
IdentityCursor::next(SecPointer<Identity> &identity)
{
	StLock<Mutex>_(mMutex);

	for (;;)
	{
		if (!mCertificateCursor)
		{
			Item key;
			if (!mKeyCursor->next(key))
				return false;

			mCurrentKey = static_cast<KeyItem *>(key.get());

			CssmClient::DbUniqueRecord uniqueId = mCurrentKey->dbUniqueRecord();
			CssmClient::DbAttributes dbAttributes(uniqueId->database(), 1);
			dbAttributes.add(KeySchema::Label);
			uniqueId->get(&dbAttributes, NULL);
			const CssmData &keyHash = dbAttributes[0];

			mCertificateCursor = KCCursor(mSearchList, (SecItemClass) CSSM_DL_DB_RECORD_X509_CERTIFICATE, NULL);
			mCertificateCursor->add(CSSM_DB_EQUAL, Schema::kX509CertificatePublicKeyHash, keyHash);

            // if we have entries for the system identities, exclude their public key hashes in the search
            CFDataRef systemDefaultCertPubKeyHash = pubKeyHashForSystemIdentity(kSecIdentityDomainDefault);
            if (systemDefaultCertPubKeyHash) {
                CssmData pkHash((void *)CFDataGetBytePtr(systemDefaultCertPubKeyHash), CFDataGetLength(systemDefaultCertPubKeyHash));
                mCertificateCursor->add(CSSM_DB_NOT_EQUAL, Schema::kX509CertificatePublicKeyHash, pkHash);
                CFRelease(systemDefaultCertPubKeyHash);
            }
            CFDataRef kerbKDCCertPubKeyHash = pubKeyHashForSystemIdentity(kSecIdentityDomainKerberosKDC);
            if (kerbKDCCertPubKeyHash) {
                CssmData pkHash((void *)CFDataGetBytePtr(kerbKDCCertPubKeyHash), CFDataGetLength(kerbKDCCertPubKeyHash));
                mCertificateCursor->add(CSSM_DB_NOT_EQUAL, Schema::kX509CertificatePublicKeyHash, pkHash);
                CFRelease(kerbKDCCertPubKeyHash);
            }
		}

		Item cert;
		if (mCertificateCursor->next(cert))
		{
			SecPointer<Certificate> certificate(static_cast<Certificate *>(cert.get()));
			identity = new Identity(mCurrentKey, certificate);
			return true;
		}
		else
			mCertificateCursor = KCCursor();
	}
}
Commit	Line	Data
b1ab9ed8	1	/*
d8f41ccd	2	* Copyright (c) 2002-2008,2011-2012 Apple Inc. All Rights Reserved.
fa7225c8	3	*
b1ab9ed8	4	* @APPLE_LICENSE_HEADER_START@
fa7225c8	5	*
b1ab9ed8 A	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
fa7225c8	12	*
b1ab9ed8 A	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
fa7225c8	20	*
b1ab9ed8 A	21	* @APPLE_LICENSE_HEADER_END@
	22	*
	23	* IdentityCursor.cpp -- Working with IdentityCursor
	24	*/
	25
	26	#include <security_keychain/IdentityCursor.h>
	27	#include <security_keychain/Identity.h>
	28	#include <security_keychain/Trust.h>
	29	#include <security_keychain/Item.h>
	30	#include <security_keychain/Certificate.h>
	31	#include <security_keychain/KeyItem.h>
	32	#include <security_keychain/Globals.h>
	33	#include <security_cdsa_utilities/Schema.h>
	34	#include <security_cdsa_utilities/KeySchema.h>
	35	#include <Security/oidsalg.h>
	36	#include <Security/SecKeychainItemPriv.h>
	37	#include <security_utilities/simpleprefs.h>
	38	#include <sys/param.h>
	39
	40	using namespace KeychainCore;
	41
	42	IdentityCursorPolicyAndID::IdentityCursorPolicyAndID(const StorageManager::KeychainList &searchList, CSSM_KEYUSE keyUsage, CFStringRef idString, SecPolicyRef policy, bool returnOnlyValidIdentities) :
	43	IdentityCursor(searchList, keyUsage),
	44	mPolicy(policy),
	45	mIDString(idString),
	46	mReturnOnlyValidIdentities(returnOnlyValidIdentities),
	47	mPreferredIdentityChecked(false),
	48	mPreferredIdentity(nil)
	49	{
fa7225c8 A	50	if (mPolicy) {
	51	CFRetain(mPolicy);
	52	}
	53	if (mIDString) {
	54	CFRetain(mIDString);
	55	}
b1ab9ed8 A	56	}
	57
	58	IdentityCursorPolicyAndID::~IdentityCursorPolicyAndID() throw()
	59	{
fa7225c8 A	60	if (mPolicy) {
	61	CFRelease(mPolicy);
	62	}
	63	if (mIDString) {
	64	CFRelease(mIDString);
	65	}
b1ab9ed8 A	66	}
	67
	68	void
	69	IdentityCursorPolicyAndID::findPreferredIdentity()
	70	{
	71	char idUTF8[MAXPATHLEN];
	72	if (!mIDString \|\| !CFStringGetCString(mIDString, idUTF8, sizeof(idUTF8)-1, kCFStringEncodingUTF8))
	73	idUTF8[0] = (char)'\0';
	74	uint32_t iprfValue = 'iprf'; // value is specified in host byte order, since kSecTypeItemAttr has type uint32 in the db schema
	75	SecKeychainAttribute sAttrs[] = {
	76	{ kSecTypeItemAttr, sizeof(uint32_t), &iprfValue },
427c49bc	77	{ kSecServiceItemAttr, (UInt32)strlen(idUTF8), (char *)idUTF8 }
b1ab9ed8 A	78	};
	79	SecKeychainAttributeList sAttrList = { sizeof(sAttrs) / sizeof(sAttrs[0]), sAttrs };
	80
	81	// StorageManager::KeychainList keychains;
	82	// globals().storageManager.optionalSearchList((CFTypeRef)nil, keychains);
	83
	84	Item item;
	85	KCCursor cursor(mSearchList /keychains/, kSecGenericPasswordItemClass, &sAttrList);
	86	if (!cursor->next(item))
	87	return;
	88
	89	// get persistent certificate reference
	90	SecKeychainAttribute itemAttrs[] = { { kSecGenericItemAttr, 0, NULL } };
	91	SecKeychainAttributeList itemAttrList = { sizeof(itemAttrs) / sizeof(itemAttrs[0]), itemAttrs };
	92	item->getContent(NULL, &itemAttrList, NULL, NULL);
	93
	94	// find certificate, given persistent reference data
	95	CFDataRef pItemRef = CFDataCreateWithBytesNoCopy(NULL, (const UInt8 *)itemAttrs[0].data, itemAttrs[0].length, kCFAllocatorNull);
	96	SecKeychainItemRef certItemRef = nil;
	97	OSStatus status = SecKeychainItemCopyFromPersistentReference(pItemRef, &certItemRef);
	98	if (pItemRef)
	99	CFRelease(pItemRef);
	100	item->freeContent(&itemAttrList, NULL);
	101	if (status \|\| !certItemRef)
	102	return;
	103
	104	// create identity reference, given certificate
	105	Item certItem = ItemImpl::required(SecKeychainItemRef(certItemRef));
	106	SecPointer<Certificate> certificate(static_cast<Certificate *>(certItem.get()));
	107	SecPointer<Identity> identity(new Identity(mSearchList /keychains/, certificate));
	108
	109	mPreferredIdentity = identity;
fa7225c8	110
b1ab9ed8 A	111	if (certItemRef)
	112	CFRelease(certItemRef);
	113	}
	114
	115	bool
	116	IdentityCursorPolicyAndID::next(SecPointer<Identity> &identity)
	117	{
	118	SecPointer<Identity> currIdentity;
	119	Boolean identityOK = true;
	120
	121	if (!mPreferredIdentityChecked)
	122	{
	123	try
	124	{
	125	findPreferredIdentity();
	126	}
	127	catch(...) {}
	128	mPreferredIdentityChecked = true;
	129	if (mPreferredIdentity)
	130	{
	131	identity = mPreferredIdentity;
	132	return true;
	133	}
	134	}
	135
	136	for (;;)
	137	{
	138	bool result = IdentityCursor::next(currIdentity); // base class finds the next identity by keyUsage
	139	if ( result )
	140	{
	141	if (mPreferredIdentity && (currIdentity == mPreferredIdentity))
	142	{
	143	identityOK = false; // we already returned this one, move on to the next
	144	continue;
	145	}
	146
	147	// If there was no policy specified, we're done.
	148	if ( !mPolicy )
	149	{
	150	identityOK = true; // return this identity
	151	break;
	152	}
	153
	154	// To reduce the number of (potentially expensive) trust evaluations performed, we need
	155	// to do some pre-processing to filter out certs that don't match the search criteria.
	156	// Rather than try to duplicate the TP's policy logic here, we'll just call the TP with
	157	// a single-element certificate array, no anchors, and no keychains to search.
	158
	159	SecPointer<Certificate> certificate = currIdentity->certificate();
	160	CFRef<SecCertificateRef> certRef(certificate->handle());
	161	CFRef<CFMutableArrayRef> anchorsArray(CFArrayCreateMutable(NULL, 1, NULL));
	162	CFRef<CFMutableArrayRef> certArray(CFArrayCreateMutable(NULL, 1, NULL));
	163	if ( !certArray \|\| !anchorsArray )
	164	{
	165	identityOK = false; // skip this and move on to the next one
	166	continue;
	167	}
	168	CFArrayAppendValue(certArray, certRef);
	169
	170	SecPointer<Trust> trustLite = new Trust(certArray, mPolicy);
	171	StorageManager::KeychainList emptyList;
	172	// Set the anchors and keychain search list to be empty
	173	trustLite->anchors(anchorsArray);
	174	trustLite->searchLibs(emptyList);
175	trustLite->evaluate();
176	SecTrustResultType trustResult = trustLite->result();
177
178	if (trustResult == kSecTrustResultRecoverableTrustFailure \|\|
179	trustResult == kSecTrustResultFatalTrustFailure)
180	{
181	CFArrayRef certChain = NULL;
182	CSSM_TP_APPLE_EVIDENCE_INFO statusChain = NULL, evInfo = NULL;
183	trustLite->buildEvidence(certChain, TPEvidenceInfo::overlayVar(statusChain));
184	if (statusChain)
185	evInfo = &statusChain[0];
186	if (!evInfo \|\| evInfo->NumStatusCodes > 0) // per-cert codes means we can't use this cert for this policy
187	trustResult = kSecTrustResultInvalid; // handled below
188	if (certChain)
189	CFRelease(certChain);
190	}
191	if (trustResult == kSecTrustResultInvalid)
192	{
193	identityOK = false; // move on to the next one
194	continue;
195	}
196
197	// If trust evaluation isn't requested, we're done.
198	if ( !mReturnOnlyValidIdentities )
199	{
200	identityOK = true; // return this identity
201	break;
202	}
203
204	// Perform a full trust evaluation on the certificate with the specified policy.
205	SecPointer<Trust> trust = new Trust(certArray, mPolicy);
206	trust->evaluate();
207	trustResult = trust->result();
208
209	if (trustResult == kSecTrustResultInvalid \|\|
210	trustResult == kSecTrustResultRecoverableTrustFailure \|\|
211	trustResult == kSecTrustResultFatalTrustFailure)
212	{
213	identityOK = false; // move on to the next one
214	continue;
215	}
216
217	identityOK = true; // this one was OK; return it.
218	break;
219	}
220	else
221	{
222	identityOK = false; // no more left.
223	break;
224	}
225	} // for(;;)
fa7225c8	226
b1ab9ed8 A	227	if ( identityOK )
	228	{
	229	identity = currIdentity; // caller will release the identity
	230	return true;
	231	}
	232	else
	233	{
	234	return false;
	235	}
	236	}
	237
	238
	239	IdentityCursor::IdentityCursor(const StorageManager::KeychainList &searchList, CSSM_KEYUSE keyUsage) :
	240	mSearchList(searchList),
6b200bc3	241	mKeyCursor(mSearchList, (SecItemClass) CSSM_DL_DB_RECORD_PRIVATE_KEY, NULL),
b1ab9ed8 A	242	mMutex(Mutex::recursive)
	243	{
	244	StLock<Mutex>_(mMutex);
	245
	246	// If keyUsage is CSSM_KEYUSE_ANY then we need a key that can do everything
	247	if (keyUsage & CSSM_KEYUSE_ANY)
	248	keyUsage = CSSM_KEYUSE_ENCRYPT \| CSSM_KEYUSE_DECRYPT
	249	\| CSSM_KEYUSE_DERIVE \| CSSM_KEYUSE_SIGN
	250	\| CSSM_KEYUSE_VERIFY \| CSSM_KEYUSE_SIGN_RECOVER
	251	\| CSSM_KEYUSE_VERIFY_RECOVER \| CSSM_KEYUSE_WRAP
	252	\| CSSM_KEYUSE_UNWRAP;
	253
	254	if (keyUsage & CSSM_KEYUSE_ENCRYPT)
	255	mKeyCursor->add(CSSM_DB_EQUAL, KeySchema::Encrypt, true);
	256	if (keyUsage & CSSM_KEYUSE_DECRYPT)
	257	mKeyCursor->add(CSSM_DB_EQUAL, KeySchema::Decrypt, true);
	258	if (keyUsage & CSSM_KEYUSE_DERIVE)
	259	mKeyCursor->add(CSSM_DB_EQUAL, KeySchema::Derive, true);
	260	if (keyUsage & CSSM_KEYUSE_SIGN)
	261	mKeyCursor->add(CSSM_DB_EQUAL, KeySchema::Sign, true);
	262	if (keyUsage & CSSM_KEYUSE_VERIFY)
	263	mKeyCursor->add(CSSM_DB_EQUAL, KeySchema::Verify, true);
	264	if (keyUsage & CSSM_KEYUSE_SIGN_RECOVER)
	265	mKeyCursor->add(CSSM_DB_EQUAL, KeySchema::SignRecover, true);
	266	if (keyUsage & CSSM_KEYUSE_VERIFY_RECOVER)
	267	mKeyCursor->add(CSSM_DB_EQUAL, KeySchema::VerifyRecover, true);
	268	if (keyUsage & CSSM_KEYUSE_WRAP)
	269	mKeyCursor->add(CSSM_DB_EQUAL, KeySchema::Wrap, true);
	270	if (keyUsage & CSSM_KEYUSE_UNWRAP)
	271	mKeyCursor->add(CSSM_DB_EQUAL, KeySchema::Unwrap, true);
	272	}
	273
	274	IdentityCursor::~IdentityCursor() throw()
	275	{
	276	}
	277
	278	CFDataRef
	279	IdentityCursor::pubKeyHashForSystemIdentity(CFStringRef domain)
	280	{
	281	StLock<Mutex>_(mMutex);
	282
	283	CFDataRef entryValue = nil;
	284	auto_ptr<Dictionary> identDict;
	285	Dictionary* d = Dictionary::CreateDictionary("com.apple.security.systemidentities", Dictionary::US_System);
	286	if (d)
	287	{
	288	identDict.reset(d);
	289	entryValue = identDict->getDataValue(domain);
	290	if (entryValue == nil) {
	291	/* try for default entry if we're not already looking for default */
	292	if(!CFEqual(domain, kSecIdentityDomainDefault)) {
	293	entryValue = identDict->getDataValue(kSecIdentityDomainDefault);
	294	}
	295	}
	296	}
	297
	298	if (entryValue) {
	299	CFRetain(entryValue);
	300	}
	301	return entryValue;
	302	}
	303
	304	bool
	305	IdentityCursor::next(SecPointer<Identity> &identity)
306	{
307	StLock<Mutex>_(mMutex);
308
309	for (;;)
310	{
311	if (!mCertificateCursor)
312	{
313	Item key;
314	if (!mKeyCursor->next(key))
315	return false;
fa7225c8	316
b1ab9ed8 A	317	mCurrentKey = static_cast<KeyItem *>(key.get());
	318
	319	CssmClient::DbUniqueRecord uniqueId = mCurrentKey->dbUniqueRecord();
	320	CssmClient::DbAttributes dbAttributes(uniqueId->database(), 1);
	321	dbAttributes.add(KeySchema::Label);
	322	uniqueId->get(&dbAttributes, NULL);
	323	const CssmData &keyHash = dbAttributes[0];
fa7225c8	324
6b200bc3	325	mCertificateCursor = KCCursor(mSearchList, (SecItemClass) CSSM_DL_DB_RECORD_X509_CERTIFICATE, NULL);
b1ab9ed8 A	326	mCertificateCursor->add(CSSM_DB_EQUAL, Schema::kX509CertificatePublicKeyHash, keyHash);
	327
	328	// if we have entries for the system identities, exclude their public key hashes in the search
	329	CFDataRef systemDefaultCertPubKeyHash = pubKeyHashForSystemIdentity(kSecIdentityDomainDefault);
	330	if (systemDefaultCertPubKeyHash) {
	331	CssmData pkHash((void *)CFDataGetBytePtr(systemDefaultCertPubKeyHash), CFDataGetLength(systemDefaultCertPubKeyHash));
	332	mCertificateCursor->add(CSSM_DB_NOT_EQUAL, Schema::kX509CertificatePublicKeyHash, pkHash);
	333	CFRelease(systemDefaultCertPubKeyHash);
	334	}
	335	CFDataRef kerbKDCCertPubKeyHash = pubKeyHashForSystemIdentity(kSecIdentityDomainKerberosKDC);
	336	if (kerbKDCCertPubKeyHash) {
	337	CssmData pkHash((void *)CFDataGetBytePtr(kerbKDCCertPubKeyHash), CFDataGetLength(kerbKDCCertPubKeyHash));
	338	mCertificateCursor->add(CSSM_DB_NOT_EQUAL, Schema::kX509CertificatePublicKeyHash, pkHash);
	339	CFRelease(kerbKDCCertPubKeyHash);
	340	}
	341	}
fa7225c8	342
b1ab9ed8 A	343	Item cert;
	344	if (mCertificateCursor->next(cert))
	345	{
	346	SecPointer<Certificate> certificate(static_cast<Certificate *>(cert.get()));
	347	identity = new Identity(mCurrentKey, certificate);
	348	return true;
	349	}
	350	else
	351	mCertificateCursor = KCCursor();
	352	}
	353	}