]> git.saurik.com Git - apple/security.git/blame_incremental - OSX/libsecurity_keychain/lib/SecAccess.cpp
projects / apple / security.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
Security-58286.240.4.tar.gz
[apple/security.git] / OSX / libsecurity_keychain / lib / SecAccess.cpp
... / ...
Content-type: text/html ]> git.saurik.com Git - apple/security.git/blame_incremental - OSX/libsecurity_keychain/lib/SecAccess.cpp
projects / apple / security.git / blame_incremental
? search:


500 - Internal Server Error
Malformed UTF-8 character (fatal) at /usr/lib/x86_64-linux-gnu/perl5/5.40/HTML/Entities.pm line 485, <$fd> line 559.
mirror of Security
CommitLineData
1/*
2 * Copyright (c) 2002-2004,2011-2014 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24#include <SecBase.h>
25#include <Security/SecAccess.h>
26#include <Security/SecAccessPriv.h>
27#include <Security/SecTrustedApplication.h>
28#include <Security/SecTrustedApplicationPriv.h>
29#include <security_keychain/Access.h>
30#include <security_utilities/casts.h>
31#include <utilities/SecCFRelease.h>
32#include "SecBridge.h"
33#include <sys/param.h>
34
35#include <utilities/SecCFWrappers.h>
36
37
38/* No restrictions. Permission to perform all operations on
39 the resource or available to an ACL owner. */
40
41
42const CFStringRef kSecACLAuthorizationAny = CFSTR("ACLAuthorizationAny");
43
44const CFStringRef kSecACLAuthorizationLogin = CFSTR("ACLAuthorizationLogin");
45const CFStringRef kSecACLAuthorizationGenKey = CFSTR("ACLAuthorizationGenKey");
46const CFStringRef kSecACLAuthorizationDelete = CFSTR("ACLAuthorizationDelete");
47const CFStringRef kSecACLAuthorizationExportWrapped = CFSTR("ACLAuthorizationExportWrapped");
48const CFStringRef kSecACLAuthorizationExportClear = CFSTR("ACLAuthorizationExportClear");
49const CFStringRef kSecACLAuthorizationImportWrapped = CFSTR("ACLAuthorizationImportWrapped");
50const CFStringRef kSecACLAuthorizationImportClear = CFSTR("ACLAuthorizationImportClear");
51const CFStringRef kSecACLAuthorizationSign = CFSTR("ACLAuthorizationSign");
52const CFStringRef kSecACLAuthorizationEncrypt = CFSTR("ACLAuthorizationEncrypt");
53const CFStringRef kSecACLAuthorizationDecrypt = CFSTR("ACLAuthorizationDecrypt");
54const CFStringRef kSecACLAuthorizationMAC = CFSTR("ACLAuthorizationMAC");
55const CFStringRef kSecACLAuthorizationDerive = CFSTR("ACLAuthorizationDerive");
56
57/* Defined authorization tag values for Keychain */
58
59
60
61const CFStringRef kSecACLAuthorizationKeychainCreate = CFSTR("ACLAuthorizationKeychainCreate");
62const CFStringRef kSecACLAuthorizationKeychainDelete = CFSTR("ACLAuthorizationKeychainDelete");
63const CFStringRef kSecACLAuthorizationKeychainItemRead = CFSTR("ACLAuthorizationKeychainItemRead");
64const CFStringRef kSecACLAuthorizationKeychainItemInsert = CFSTR("ACLAuthorizationKeychainItemInsert");
65const CFStringRef kSecACLAuthorizationKeychainItemModify = CFSTR("ACLAuthorizationKeychainItemModify");
66const CFStringRef kSecACLAuthorizationKeychainItemDelete = CFSTR("ACLAuthorizationKeychainItemDelete");
67
68const CFStringRef kSecACLAuthorizationChangeACL = CFSTR("ACLAuthorizationChangeACL");
69const CFStringRef kSecACLAuthorizationChangeOwner = CFSTR("ACLAuthorizationChangeOwner");
70const CFStringRef kSecACLAuthorizationPartitionID = CFSTR("ACLAuthorizationPartitionID");
71const CFStringRef kSecACLAuthorizationIntegrity = CFSTR("ACLAuthorizationIntegrity");
72
73
74static CFArrayRef copyTrustedAppListFromBundle(CFStringRef bundlePath, CFStringRef trustedAppListFileName);
75
76static CFStringRef gKeys[] =
77{
78 kSecACLAuthorizationAny,
79 kSecACLAuthorizationLogin,
80 kSecACLAuthorizationGenKey,
81 kSecACLAuthorizationDelete,
82 kSecACLAuthorizationExportWrapped,
83 kSecACLAuthorizationExportClear,
84 kSecACLAuthorizationImportWrapped,
85 kSecACLAuthorizationImportClear,
86 kSecACLAuthorizationSign,
87 kSecACLAuthorizationEncrypt,
88 kSecACLAuthorizationDecrypt,
89 kSecACLAuthorizationMAC,
90 kSecACLAuthorizationDerive,
91
92 /* Defined authorization tag values for Keychain */
93 kSecACLAuthorizationKeychainCreate,
94 kSecACLAuthorizationKeychainDelete,
95 kSecACLAuthorizationKeychainItemRead,
96 kSecACLAuthorizationKeychainItemInsert,
97 kSecACLAuthorizationKeychainItemModify,
98 kSecACLAuthorizationKeychainItemDelete,
99
100 kSecACLAuthorizationChangeACL,
101 kSecACLAuthorizationChangeOwner,
102 kSecACLAuthorizationPartitionID,
103 kSecACLAuthorizationIntegrity
104};
105
106static sint32 gValues[] =
107{
108 CSSM_ACL_AUTHORIZATION_ANY,
109 CSSM_ACL_AUTHORIZATION_LOGIN,
110 CSSM_ACL_AUTHORIZATION_GENKEY,
111 CSSM_ACL_AUTHORIZATION_DELETE,
112 CSSM_ACL_AUTHORIZATION_EXPORT_WRAPPED,
113 CSSM_ACL_AUTHORIZATION_EXPORT_CLEAR,
114 CSSM_ACL_AUTHORIZATION_IMPORT_WRAPPED,
115 CSSM_ACL_AUTHORIZATION_IMPORT_CLEAR,
116 CSSM_ACL_AUTHORIZATION_SIGN,
117 CSSM_ACL_AUTHORIZATION_ENCRYPT,
118 CSSM_ACL_AUTHORIZATION_DECRYPT,
119 CSSM_ACL_AUTHORIZATION_MAC,
120 CSSM_ACL_AUTHORIZATION_DERIVE,
121 CSSM_ACL_AUTHORIZATION_DBS_CREATE,
122 CSSM_ACL_AUTHORIZATION_DBS_DELETE,
123 CSSM_ACL_AUTHORIZATION_DB_READ,
124 CSSM_ACL_AUTHORIZATION_DB_INSERT,
125 CSSM_ACL_AUTHORIZATION_DB_MODIFY,
126 CSSM_ACL_AUTHORIZATION_DB_DELETE,
127 CSSM_ACL_AUTHORIZATION_CHANGE_ACL,
128 CSSM_ACL_AUTHORIZATION_CHANGE_OWNER,
129 CSSM_ACL_AUTHORIZATION_PARTITION_ID,
130 CSSM_ACL_AUTHORIZATION_INTEGRITY
131};
132
133static
134CFDictionaryRef CreateStringToNumDictionary()
135{
136 int numItems = (sizeof(gValues) / sizeof(sint32));
137 CFMutableDictionaryRef tempDict = CFDictionaryCreateMutable(kCFAllocatorDefault, numItems, &kCFCopyStringDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
138
139 for (int iCnt = 0; iCnt < numItems; iCnt++)
140 {
141 sint32 aNumber = gValues[iCnt];
142 CFNumberRef aNum = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &aNumber);
143
144 CFStringRef aString = gKeys[iCnt];
145 CFDictionaryAddValue(tempDict, aString, aNum);
146 CFRelease(aNum);
147 }
148
149 CFDictionaryRef result = CFDictionaryCreateCopy(kCFAllocatorDefault, tempDict);
150 CFRelease(tempDict);
151 return result;
152
153}
154
155static
156CFDictionaryRef CreateNumToStringDictionary()
157{
158 int numItems = (sizeof(gValues) / sizeof(sint32));
159
160 CFMutableDictionaryRef tempDict = CFDictionaryCreateMutable(kCFAllocatorDefault, numItems, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
161
162 for (int iCnt = 0; iCnt < numItems; iCnt++)
163 {
164 sint32 aNumber = gValues[iCnt];
165 CFNumberRef aNum = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &aNumber);
166
167 CFStringRef aString = gKeys[iCnt];
168 CFDictionaryAddValue(tempDict, aNum, aString);
169 CFRelease(aNum);
170
171 }
172
173 CFDictionaryRef result = CFDictionaryCreateCopy(kCFAllocatorDefault, tempDict);
174 CFRelease(tempDict);
175 return result;
176}
177
178
179/* TODO: This should be in some header */
180sint32 GetACLAuthorizationTagFromString(CFStringRef aclStr);
181sint32 GetACLAuthorizationTagFromString(CFStringRef aclStr)
182{
183 if (NULL == aclStr)
184 {
185#ifndef NDEBUG
186 CFShow(CFSTR("GetACLAuthorizationTagFromString aclStr is NULL"));
187#endif
188 return 0;
189 }
190
191 static CFDictionaryRef gACLMapping = NULL;
192
193 if (NULL == gACLMapping)
194 {
195 gACLMapping = CreateStringToNumDictionary();
196 }
197
198 sint32 result = 0;
199 CFNumberRef valueResult = (CFNumberRef)CFDictionaryGetValue(gACLMapping, aclStr);
200 if (NULL != valueResult)
201 {
202 if (!CFNumberGetValue(valueResult, kCFNumberSInt32Type, &result))
203 {
204 return 0;
205 }
206
207 }
208 else
209 {
210 return 0;
211 }
212
213 return result;
214
215}
216
217/* TODO: This should be in some header */
218CFStringRef GetAuthStringFromACLAuthorizationTag(sint32 tag);
219CFStringRef GetAuthStringFromACLAuthorizationTag(sint32 tag)
220{
221 static CFDictionaryRef gTagMapping = NULL;
222 CFNumberRef aNum = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &tag);
223
224 if (NULL == gTagMapping)
225 {
226 gTagMapping = CreateNumToStringDictionary();
227 }
228
229 CFStringRef result = (CFStringRef)kSecACLAuthorizationAny;
230
231 if (NULL != gTagMapping && CFDictionaryContainsKey(gTagMapping, aNum))
232 {
233 result = (CFStringRef)CFDictionaryGetValue(gTagMapping, aNum);
234 }
235 CFReleaseSafe(aNum);
236 return result;
237}
238
239//
240// CF boilerplate
241//
242CFTypeID SecAccessGetTypeID(void)
243{
244 BEGIN_SECAPI
245 return gTypes().Access.typeID;
246 END_SECAPI1(_kCFRuntimeNotATypeID)
247}
248
249
250//
251// API bridge calls
252//
253/*!
254 * Create a new SecAccessRef that is set to the default configuration
255 * of a (newly created) security object.
256 */
257OSStatus SecAccessCreate(CFStringRef descriptor, CFArrayRef trustedList, SecAccessRef *accessRef)
258{
259 BEGIN_SECAPI
260 Required(descriptor);
261 SecPointer<Access> access;
262 if (trustedList) {
263 CFIndex length = CFArrayGetCount(trustedList);
264 ACL::ApplicationList trusted;
265 for (CFIndex n = 0; n < length; n++)
266 trusted.push_back(TrustedApplication::required(
267 SecTrustedApplicationRef(CFArrayGetValueAtIndex(trustedList, n))));
268 access = new Access(cfString(descriptor), trusted);
269 } else {
270 access = new Access(cfString(descriptor));
271 }
272 Required(accessRef) = access->handle();
273 END_SECAPI
274}
275
276
277/*!
278 */
279OSStatus SecAccessCreateFromOwnerAndACL(const CSSM_ACL_OWNER_PROTOTYPE *owner,
280 uint32 aclCount, const CSSM_ACL_ENTRY_INFO *acls,
281 SecAccessRef *accessRef)
282{
283 BEGIN_SECAPI
284 Required(accessRef); // preflight
285 SecPointer<Access> access = new Access(Required(owner), aclCount, &Required(acls));
286 *accessRef = access->handle();
287 END_SECAPI
288}
289
290SecAccessRef SecAccessCreateWithOwnerAndACL(uid_t userId, gid_t groupId, SecAccessOwnerType ownerType, CFArrayRef acls, CFErrorRef *error)
291{
292 SecAccessRef result = NULL;
293
294 CSSM_ACL_PROCESS_SUBJECT_SELECTOR selector =
295 {
296 CSSM_ACL_PROCESS_SELECTOR_CURRENT_VERSION, // selector version
297 int_cast<UInt32, uint16>(ownerType),
298 userId,
299 groupId
300 };
301
302 CSSM_LIST_ELEMENT subject2 = { NULL, 0 };
303 subject2.Element.Word.Data = (UInt8 *)&selector;
304 subject2.Element.Word.Length = sizeof(selector);
305 CSSM_LIST_ELEMENT subject1 =
306 {
307 &subject2, CSSM_ACL_SUBJECT_TYPE_PROCESS, CSSM_LIST_ELEMENT_WORDID
308 };
309
310 CFIndex numAcls = 0;
311
312 if (NULL != acls)
313 {
314 numAcls = CFArrayGetCount(acls);
315 }
316
317#ifndef NDEBUG
318 CFStringRef debugStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL,
319 CFSTR("SecAccessCreateWithOwnerAndACL: processing %d acls"), (int)numAcls);
320 CFShow(debugStr);
321 CFRelease(debugStr);
322#endif
323
324 CFIndex rightsSize = numAcls > 0 ? numAcls : 1;
325
326 CSSM_ACL_AUTHORIZATION_TAG rights[rightsSize];
327 memset(rights, 0, sizeof(rights));
328
329 for (CFIndex iCnt = 0; iCnt < numAcls; iCnt++)
330 {
331 CFStringRef aclStr = (CFStringRef)CFArrayGetValueAtIndex(acls, iCnt);
332
333#ifndef NDEBUG
334 debugStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL,
335 CFSTR("SecAccessCreateWithOwnerAndACL: acls[%d] = %@"), (int)iCnt, aclStr);
336
337 CFShow(debugStr);
338 CFRelease(debugStr);
339#endif
340
341 CSSM_ACL_AUTHORIZATION_TAG aTag = GetACLAuthorizationTagFromString(aclStr);
342
343#ifndef NDEBUG
344 debugStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL,
345 CFSTR("SecAccessCreateWithOwnerAndACL: rights[%d] = %d"), (int)iCnt, aTag);
346
347 CFShow(debugStr);
348 CFRelease(debugStr);
349#endif
350
351 rights[iCnt] = aTag;
352 }
353
354
355 for (CFIndex iCnt = 0; iCnt < numAcls; iCnt++)
356 {
357#ifndef NDEBUG
358 debugStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL,
359 CFSTR("SecAccessCreateWithOwnerAndACL: rights[%d] = %d"), (int)iCnt, rights[iCnt]);
360
361 CFShow(debugStr);
362 CFRelease(debugStr);
363#endif
364
365
366 }
367
368 CSSM_ACL_OWNER_PROTOTYPE owner =
369 {
370 // TypedSubject
371 { CSSM_LIST_TYPE_UNKNOWN, &subject1, &subject2 },
372 // Delegate
373 false
374 };
375
376
377 // ACL entries (any number, just one here)
378 CSSM_ACL_ENTRY_INFO acl_rights[] =
379 {
380 {
381 // prototype
382 {
383 // TypedSubject
384 { CSSM_LIST_TYPE_UNKNOWN, &subject1, &subject2 },
385 false, // Delegate
386 // rights for this entry
387 { (uint32)numAcls, rights },
388 // rest is defaulted
389 }
390 }
391 };
392
393 OSStatus err = SecAccessCreateFromOwnerAndACL(&owner,
394 sizeof(acl_rights) / sizeof(acl_rights[0]), acl_rights, &result);
395
396 if (errSecSuccess != err)
397 {
398 result = NULL;
399 if (NULL != error)
400 {
401 *error = CFErrorCreate(kCFAllocatorDefault, CFSTR("FIX ME"), err, NULL);
402 }
403 }
404 return result;
405}
406
407
408/*!
409 */
410OSStatus SecAccessGetOwnerAndACL(SecAccessRef accessRef,
411 CSSM_ACL_OWNER_PROTOTYPE_PTR *owner,
412 uint32 *aclCount, CSSM_ACL_ENTRY_INFO_PTR *acls)
413{
414 BEGIN_SECAPI
415 Access::required(accessRef)->copyOwnerAndAcl(
416 Required(owner), Required(aclCount), Required(acls));
417 END_SECAPI
418}
419
420OSStatus SecAccessCopyOwnerAndACL(SecAccessRef accessRef, uid_t* userId, gid_t* groupId, SecAccessOwnerType* ownerType, CFArrayRef* aclList)
421{
422 CSSM_ACL_OWNER_PROTOTYPE_PTR owner = NULL;
423 CSSM_ACL_ENTRY_INFO_PTR acls = NULL;
424 uint32 aclCount = 0;
425 OSStatus result = SecAccessGetOwnerAndACL(accessRef, &owner, &aclCount, &acls);
426 if (errSecSuccess != result )
427 {
428 return result;
429 }
430
431 if (NULL != owner)
432 {
433 CSSM_LIST_ELEMENT_PTR listHead = owner->TypedSubject.Head;
434 if (listHead != NULL && listHead->ElementType == CSSM_LIST_ELEMENT_WORDID)
435 {
436 CSSM_LIST_ELEMENT_PTR nextElement = listHead->NextElement;
437 if (listHead->WordID == CSSM_ACL_SUBJECT_TYPE_PROCESS && listHead->ElementType == CSSM_LIST_ELEMENT_WORDID)
438 {
439 // nextElement contains the required data
440 CSSM_ACL_PROCESS_SUBJECT_SELECTOR* selectorPtr = (CSSM_ACL_PROCESS_SUBJECT_SELECTOR*)nextElement->Element.Word.Data;
441 if (NULL != selectorPtr)
442 {
443 if (NULL != userId)
444 {
445 *userId = (uid_t)selectorPtr->uid;
446 }
447
448 if (NULL != groupId)
449 {
450 *groupId = (gid_t)selectorPtr->gid;
451 }
452
453 if (NULL != ownerType)
454 {
455 *ownerType = (SecAccessOwnerType)selectorPtr->mask;
456 }
457 }
458 }
459
460 }
461
462 }
463
464 if (NULL != aclList)
465 {
466#ifndef NDEBUG
467 CFShow(CFSTR("SecAccessCopyOwnerAndACL: processing the ACL list"));
468#endif
469
470 CFMutableArrayRef stringArray = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
471 CSSM_ACL_OWNER_PROTOTYPE_PTR protoPtr = NULL;
472 uint32 numAcls = 0L;
473 CSSM_ACL_ENTRY_INFO_PTR aclEntry = NULL;
474
475 result = SecAccessGetOwnerAndACL(accessRef, &protoPtr, &numAcls, &aclEntry);
476 if (errSecSuccess == result)
477 {
478#ifndef NDEBUG
479 CFStringRef tempStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("SecAccessCopyOwnerAndACL: numAcls = %d"), numAcls);
480 CFShow(tempStr);
481 CFRelease(tempStr);
482#endif
483
484 for (uint32 iCnt = 0; iCnt < numAcls; iCnt++)
485 {
486 CSSM_ACL_ENTRY_PROTOTYPE prototype = aclEntry[iCnt].EntryPublicInfo;
487 CSSM_AUTHORIZATIONGROUP authGroup = prototype.Authorization;
488 int numAuthTags = (int)authGroup.NumberOfAuthTags;
489
490 for (int jCnt = 0; jCnt < numAuthTags; jCnt++)
491 {
492
493 sint32 aTag = authGroup.AuthTags[jCnt];
494 CFStringRef aString = GetAuthStringFromACLAuthorizationTag(aTag);
495
496 CFArrayAppendValue(stringArray, aString);
497 }
498 }
499 }
500
501 if (NULL != stringArray)
502 {
503 if (0 < CFArrayGetCount(stringArray))
504 {
505 *aclList = CFArrayCreateCopy(kCFAllocatorDefault, stringArray);
506 }
507 CFRelease(stringArray);
508 }
509 }
510
511 return result;
512}
513
514/*!
515 */
516OSStatus SecAccessCopyACLList(SecAccessRef accessRef,
517 CFArrayRef *aclList)
518{
519 BEGIN_SECAPI
520 Required(aclList) = Access::required(accessRef)->copySecACLs();
521 END_SECAPI
522}
523
524
525/*!
526 */
527OSStatus SecAccessCopySelectedACLList(SecAccessRef accessRef,
528 CSSM_ACL_AUTHORIZATION_TAG action,
529 CFArrayRef *aclList)
530{
531 BEGIN_SECAPI
532 Required(aclList) = Access::required(accessRef)->copySecACLs(action);
533 END_SECAPI
534}
535
536CFArrayRef SecAccessCopyMatchingACLList(SecAccessRef accessRef, CFTypeRef authorizationTag)
537{
538 CFArrayRef result = NULL;
539 CSSM_ACL_AUTHORIZATION_TAG tag = GetACLAuthorizationTagFromString((CFStringRef)authorizationTag);
540 OSStatus err = SecAccessCopySelectedACLList(accessRef, tag, &result);
541 if (errSecSuccess != err)
542 {
543 result = NULL;
544 }
545 return result;
546}
547
548CFArrayRef copyTrustedAppListFromBundle(CFStringRef bundlePath, CFStringRef trustedAppListFileName)
549{
550 CFStringRef errorString = nil;
551 CFURLRef bundleURL,trustedAppsURL = NULL;
552 CFBundleRef secBundle = NULL;
553 CFPropertyListRef trustedAppsPlist = NULL;
554 CFDataRef xmlDataRef = NULL;
555 SInt32 errorCode;
556 CFArrayRef trustedAppList = NULL;
557 CFMutableStringRef trustedAppListFileNameWithoutExtension = NULL;
558
559