SecurityTests/clxutils/trustApps/trustApps.cpp

   1 /*
   2  * trustApps.cpp - set list of trusted apps for specified executable
   3  */
   4 #include <Security/Security.h>
   5 #include <stdio.h>
   6 #include <stdlib.h>
   7 #include <utilLib/common.h>
   8 #include <clAppUtils/identPicker.h>
   9
  10 static void usage(char **argv)
  11 {
  12         printf("Usage: %s keychain [-q(uiet)] executable ...\n", argv[0]);
  13         exit(1);
  14 }
  15
  16 int main(int argc, char **argv)
  17 {
  18         if(argc < 3) {
  19                 usage(argv);
  20         }
  21
  22         const char *keychainName = argv[1];
  23         int nextArg;
  24         bool quiet = false;
  25         OSStatus ortn;
  26
  27         for(nextArg=2; nextArg<argc; ) {
  28                 char *argp = argv[nextArg];
  29                 if(argp[0] != '-') {
  30                         break;
  31                 }
  32                 switch(argp[2]) {
  33                         case 'q':
  34                                 quiet = true;
  35                                 break;
  36                         default:
  37                                 usage(argv);
  38                 }
  39         }
  40         if(nextArg == argc) {
  41                 usage(argv);
  42         }
  43
  44         /* create an array of SecTrustedApplications */
  45         CFMutableArrayRef appList = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
  46         for(; nextArg<argc; nextArg++) {
  47                 SecTrustedApplicationRef appRef;
  48                 ortn = SecTrustedApplicationCreateFromPath(argv[nextArg], &appRef);
  49                 if(ortn) {
  50                         cssmPerror("SecTrustedApplicationCreateFromPath", ortn);
  51                         exit(1);
  52                 }
  53                 CFArrayAppendValue(appList, appRef);
  54         }
  55
  56         /* Find a signing identity; extract its private key */
  57         SecKeychainRef kcRef;
  58         ortn = SecKeychainOpen(keychainName, &kcRef);
  59         if(ortn) {
  60                 cssmPerror("SecKeychainOpen", ortn);
  61                 exit(1);
  62         }
  63         SecIdentityRef identRef;
  64         ortn = sslSimpleIdentPicker(kcRef, &identRef);
  65         if(ortn) {
  66                 exit(1);
  67         }
  68
  69         SecKeyRef keyRef;
  70         ortn = SecIdentityCopyPrivateKey(identRef, &keyRef);
  71         if(ortn) {
  72                 cssmPerror("SecIdentityCopyPrivateKey", ortn);
  73                 exit(1);
  74         }
  75
  76         /*
  77          * Get existing ACL list (may be empty)
  78          */
  79         SecAccessRef accessRef;
  80         CFArrayRef aclList = NULL;
  81         ortn = SecKeychainItemCopyAccess((SecKeychainItemRef)keyRef, &accessRef);
  82         if(ortn) {
  83                 cssmPerror("SecIdentityCopyPrivateKey", ortn);
  84                 exit(1);
  85         }
  86         ortn = SecAccessCopySelectedACLList(accessRef, CSSM_ACL_AUTHORIZATION_DECRYPT,
  87                 &aclList);
  88         if(ortn) {
  89                 cssmPerror("SecAccessCopySelectedACLList", ortn);
  90                 exit(1);
  91         }
  92         if((aclList == NULL) || (CFArrayGetCount(aclList) == 0)) {
  93                 printf("No ACL list found. I don't know how to set the trusted app list.\n");
  94                 exit(1);
  95         }
  96
  97         /* append our app list to each ACL's trusted app list */
  98         for(int aclDex=0; aclDex<CFArrayGetCount(aclList); aclDex++) {
  99
 100                 /* get existing app list */
 101                 SecACLRef aclRef = (SecACLRef)CFArrayGetValueAtIndex(aclList, aclDex);
 102                 CFArrayRef existApps = NULL;
 103                 CSSM_ACL_KEYCHAIN_PROMPT_SELECTOR promptSelector;
 104                 CFStringRef promptDescription;
 105
 106                 ortn = SecACLCopySimpleContents(aclRef, &existApps, &promptDescription,
 107                         &promptSelector);
 108                 if(ortn) {
 109                         cssmPerror("SecACLCopySimpleContents", ortn);
 110                         exit(1);
 111                 }
 112
 113                 /* appends its contents to our list */
 114                 if(existApps != NULL) {
 115                         for(int i=0; i<CFArrayGetCount(existApps); i++) {
 116                                 CFArrayAppendValue(appList, CFArrayGetValueAtIndex(existApps, i));
 117                         }
 118                 }
 119
 120                 /* turn off possible keychain prompt flag */
 121                 promptSelector.flags &= ~CSSM_ACL_KEYCHAIN_PROMPT_REQUIRE_PASSPHRASE;
 122
 123                 /* Update */
 124                 ortn = SecACLSetSimpleContents(aclRef, appList, promptDescription,
 125                         &promptSelector);
 126                 if(ortn) {
 127                         cssmPerror("SecACLCopySimpleContents", ortn);
 128                         exit(1);
 129                 }
 130                 if(existApps != NULL) {
 131                         CFRelease(existApps);
 132                 }
 133         }
 134
 135         /* presumably we're been operating on "the" ACL list in "the" SecAccess,
 136          * not a separate copy... */
 137         ortn =  SecKeychainItemSetAccess((SecKeychainItemRef)keyRef, accessRef);
 138         if(ortn) {
 139                 cssmPerror("SecKeychainItemSetAccess", ortn);
 140                 exit(1);
 141         }
 142
 143         /* is that it? */
 144         CFRelease(appList);
 145         CFRelease(kcRef);
 146         CFRelease(identRef);
 147         CFRelease(keyRef);
 148         CFRelease(accessRef);
 149         CFRelease(aclList);
 150         if(!quiet) {
 151                 printf("...success\n");
 152         }
 153 }