2 * Copyright (c) 2003-2009,2012,2014 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
26 #include "security_tool.h"
28 #include "trusted_cert_dump.h"
29 #include "trusted_cert_utils.h"
33 #include <Security/Security.h>
34 #include <Security/cssmapple.h>
35 #include <Security/SecTrustSettings.h>
36 #include <Security/oidsalg.h>
37 #include <security_cdsa_utils/cuFileIo.h>
38 #include <CoreFoundation/CoreFoundation.h>
40 // SecCertificateInferLabel
41 #include <Security/SecCertificatePriv.h>
44 /* print cert's label (the one SecCertificate infers) */
/*
 * NOTE(review): this listing omits gutter lines 47-50, 52 and 54-61, so the
 * local declarations, the condition guarding cssmPerror() and the return
 * statement are not visible here.
 */
45 static OSStatus
printCertLabel(
46 SecCertificateRef certRef
)
/* Ask the Security framework for the label it infers for certRef; the result
 * is written through the out-parameter label. */
51 ortn
= SecCertificateInferLabel(certRef
, &label
);
/* Report the failing call name together with its status code.
 * NOTE(review): no CFRelease(label) is visible in this listing -- confirm
 * that the omitted lines release the string after printing it. */
53 cssmPerror("SecCertificateInferLabel", ortn
);
62 * Display a Trust Settings array as obtained from
63 * SecTrustSettingsCopyTrustSettings().
/*
 * Walks the trust settings array and prints, for each dictionary in it, the
 * optional policy OID, application, policy string, allowed error, result
 * type and key usage entries. Every value is type-checked with CFGetTypeID()
 * before it is used, because the array and its dictionaries arrive as
 * untyped CF references.
 *
 * NOTE(review): many gutter lines are missing from this listing (returns,
 * closing braces, some declarations and conditions), so the control flow
 * after each error message cannot be confirmed from here.
 * NOTE(review): the "***displayTrustSettings: ..." diagnostics have no
 * trailing newline, so consecutive messages run together on stderr.
 */
65 static int displayTrustSettings(
66 CFArrayRef trustSettings
)
68 /* must always be there though it may be empty */
69 if(trustSettings
== NULL
) {
70 fprintf(stderr
, "***displayTrustSettings: missing trust settings array");
/* Reject anything that is not actually a CFArray before calling array APIs on it. */
73 if(CFGetTypeID(trustSettings
) != CFArrayGetTypeID()) {
74 fprintf(stderr
, "***displayTrustSettings: malformed trust settings array");
/* One array element per trust setting (usage constraint) dictionary. */
79 CFIndex numUseConstraints
= CFArrayGetCount(trustSettings
);
81 indent(); printf("Number of trust settings : %ld\n", (long)numUseConstraints
);
83 SecPolicyRef certPolicy
;
84 SecTrustedApplicationRef certApp
;
85 CFDictionaryRef ucDict
;
86 CFStringRef policyStr
;
90 /* grind thru the trust settings dictionaries */
91 for(ucDex
=0; ucDex
<numUseConstraints
; ucDex
++) {
92 indent(); printf("Trust Setting %ld:\n", (long)ucDex
);
/* CFArrayGetValueAtIndex() returns an untyped pointer; verify that it is a
 * dictionary before any CFDictionaryGetValue() lookup. */
95 ucDict
= (CFDictionaryRef
)CFArrayGetValueAtIndex(trustSettings
, ucDex
);
96 if(CFGetTypeID(ucDict
) != CFDictionaryGetTypeID()) {
97 fprintf(stderr
, "***displayTrustSettings: malformed usage constraints dictionary");
102 /* policy - optional */
103 certPolicy
= (SecPolicyRef
)CFDictionaryGetValue(ucDict
, kSecTrustSettingsPolicy
);
104 if(certPolicy
!= NULL
) {
105 if(CFGetTypeID(certPolicy
) != SecPolicyGetTypeID()) {
106 fprintf(stderr
, "***displayTrustSettings: malformed certPolicy");
/* Fetch the policy's OID so it can be printed in string form below. */
111 ortn
= SecPolicyGetOID(certPolicy
, &policyOid
);
113 cssmPerror("SecPolicyGetOID", ortn
);
117 indent(); printf("Policy OID : %s\n",
118 oidToOidString(&policyOid
));
/* Application entry: looked up, NULL-checked and type-checked like the policy. */
122 certApp
= (SecTrustedApplicationRef
)CFDictionaryGetValue(ucDict
,
123 kSecTrustSettingsApplication
);
124 if(certApp
!= NULL
) {
125 if(CFGetTypeID(certApp
) != SecTrustedApplicationGetTypeID()) {
126 fprintf(stderr
, "***displayTrustSettings: malformed certApp");
/* SecTrustedApplicationCopyData() hands back a copied CFData in appPath.
 * NOTE(review): no CFRelease(appPath) is visible in this listing -- confirm
 * that the omitted lines release it. */
130 CFDataRef appPath
= NULL
;
131 ortn
= SecTrustedApplicationCopyData(certApp
, &appPath
);
133 cssmPerror("SecTrustedApplicationCopyData", ortn
);
/* NOTE(review): "%s" reads until a NUL byte, but CFDataGetBytePtr() returns a
 * raw byte pointer with no terminator guarantee, so this can read past the
 * end of the buffer. Bounding the output with CFDataGetLength(appPath), e.g.
 * via "%.*s", would keep the read inside the data. */
137 indent(); printf("Application : %s", CFDataGetBytePtr(appPath
));
143 policyStr
= (CFStringRef
)CFDictionaryGetValue(ucDict
, kSecTrustSettingsPolicyString
);
144 if(policyStr
!= NULL
) {
145 if(CFGetTypeID(policyStr
) != CFStringGetTypeID()) {
146 fprintf(stderr
, "***displayTrustSettings: malformed policyStr");
150 indent(); printf("Policy String : ");
151 printCfStr(policyStr
); printf("\n");
/* Allowed-error entry.
 * NOTE(review): gutter line 156 is missing from this listing. CFGetTypeID()
 * must not be called on a NULL reference, so confirm that the omitted line is
 * a NULL check like the ones on the policy, application and policy string
 * entries above. The same applies to the omitted gutter lines 168 and 180
 * before the result type and key usage checks. */
155 cfNum
= (CFNumberRef
)CFDictionaryGetValue(ucDict
, kSecTrustSettingsAllowedError
);
157 if(CFGetTypeID(cfNum
) != CFNumberGetTypeID()) {
158 fprintf(stderr
, "***displayTrustSettings: malformed allowedError");
162 indent(); printf("Allowed Error : ");
163 printCssmErr(cfNum
); printf("\n");
/* Result-type entry, stored as a CFNumber. */
167 cfNum
= (CFNumberRef
)CFDictionaryGetValue(ucDict
, kSecTrustSettingsResult
);
169 if(CFGetTypeID(cfNum
) != CFNumberGetTypeID()) {
170 fprintf(stderr
, "***displayTrustSettings: malformed ResultType");
174 indent(); printf("Result Type : ");
175 printResultType(cfNum
); printf("\n");
/* Key-usage entry, stored as a CFNumber. */
179 cfNum
= (CFNumberRef
)CFDictionaryGetValue(ucDict
, kSecTrustSettingsKeyUsage
);
181 if(CFGetTypeID(cfNum
) != CFNumberGetTypeID()) {
182 fprintf(stderr
, "***displayTrustSettings: malformed keyUsage");
186 indent(); printf("Key Usage : ");
187 printKeyUsage(cfNum
); printf("\n");
/*
 * Command entry point: selects a trust settings domain from the command-line
 * options, copies the certificates that have trust settings in that domain,
 * and prints each certificate's label followed by its trust settings.
 *
 * NOTE(review): this listing omits many gutter lines (the return type, the
 * switch/case labels, error branches and closing braces), so only the
 * statements shown below are documented.
 */
198 trusted_cert_dump(int argc
, char * const *argv
)
200 CFArrayRef certArray
= NULL
;
201 OSStatus ortn
= noErr
;
204 CFArrayRef trustSettings
;
/* The per-user domain is the default when no domain option is given. */
206 SecTrustSettingsDomain domain
= kSecTrustSettingsDomainUser
;
/* Accepted option letters are s, d and h. The case labels are not visible in
 * this listing; presumably -s selects the system domain, -d the admin domain
 * and -h the usage message -- confirm against the full source. */
213 while ((arg
= getopt(argc
, argv
, "sdh")) != -1) {
216 domain
= kSecTrustSettingsDomainSystem
;
219 domain
= kSecTrustSettingsDomainAdmin
;
223 return SHOW_USAGE_MESSAGE
;
228 return SHOW_USAGE_MESSAGE
;
/* Copy the list of certificates that carry trust settings in the chosen domain. */
231 ortn
= SecTrustSettingsCopyCertificates(domain
, &certArray
);
233 cssmPerror("SecTrustSettingsCopyCertificates", ortn
);
236 numCerts
= CFArrayGetCount(certArray
);
237 printf("Number of trusted certs = %ld\n", (long)numCerts
);
239 for(dex
=0; dex
<numCerts
; dex
++) {
/* Array elements are untyped; verify each one is a SecCertificate before use. */
240 SecCertificateRef certRef
=
241 (SecCertificateRef
)CFArrayGetValueAtIndex(certArray
, dex
);
242 if(CFGetTypeID(certRef
) != SecCertificateGetTypeID()) {
243 fprintf(stderr
, "***Bad CFGetTypeID for cert %ld\n", (long)dex
);
248 /* always print the cert's label */
/* NOTE(review): dex is passed to "%ld" without the (long) cast used for the
 * same variable in the error message above; its declaration is not visible
 * here, but if it is a CFIndex the cast should be applied for consistency. */
249 printf("Cert %ld: ", dex
);
250 printCertLabel(certRef
);
253 /* see if the cert has any usage constraints (it should!) */
/* NOTE(review): SecTrustSettingsCopyTrustSettings() returns a copied array in
 * trustSettings; no CFRelease(trustSettings) is visible in this listing --
 * confirm that the omitted lines release it on every loop iteration. */
254 ortn
= SecTrustSettingsCopyTrustSettings(certRef
, domain
, &trustSettings
);
256 cssmPerror("SecTrustSettingsCopyTrustSettings", ortn
);
260 if(displayTrustSettings(trustSettings
)) {
/* Balance the copy made by SecTrustSettingsCopyCertificates(). */
264 CFRelease(certArray
);