2 /*
3 * Copyright (c) 2002-2015 Apple Inc. All Rights Reserved.
4 *
5 * @APPLE_LICENSE_HEADER_START@
6 *
7 * This file contains Original Code and/or Modifications of Original Code
8 * as defined in and that are subject to the Apple Public Source License
9 * Version 2.0 (the 'License'). You may not use this file except in
10 * compliance with the License. Please obtain a copy of the License at
11 * http://www.opensource.apple.com/apsl/ and read it before using this
12 * file.
13 *
14 * The Original Code and all software distributed under the License are
15 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
16 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
17 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
18 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
19 * Please see the License for the specific language governing rights and
20 * limitations under the License.
21 *
22 * @APPLE_LICENSE_HEADER_END@
23 */
24
25 #include <CoreFoundation/CFString.h>
26 #include <CoreFoundation/CFNumber.h>
27 #include <CoreFoundation/CFArray.h>
28 #include <Security/SecItem.h>
29 #include <Security/SecPolicy.h>
30 #include <Security/SecPolicyPriv.h>
31 #include <Security/SecCertificate.h>
32 #include <Security/SecCertificatePriv.h>
33 #include <security_keychain/Policies.h>
34 #include <security_keychain/PolicyCursor.h>
35 #include "SecBridge.h"
36 #include "utilities/SecCFRelease.h"
37 #include <syslog.h>
38
39
40 // String constant declarations
41
// SEC_CONST_DECL(k, v) defines the CFStringRef constant k holding literal v.
#define SEC_CONST_DECL(k,v) const CFStringRef k = CFSTR(v);

#if !SECTRUST_OSX
// Legacy (non-unified) build: the public policy identifiers are Apple's dotted
// policy OIDs as strings. They form the string side of the oidmap table below.
SEC_CONST_DECL (kSecPolicyAppleX509Basic, "1.2.840.113635.100.1.2");
SEC_CONST_DECL (kSecPolicyAppleSSL, "1.2.840.113635.100.1.3");
SEC_CONST_DECL (kSecPolicyAppleSMIME, "1.2.840.113635.100.1.8");
SEC_CONST_DECL (kSecPolicyAppleEAP, "1.2.840.113635.100.1.9");
SEC_CONST_DECL (kSecPolicyAppleSWUpdateSigning, "1.2.840.113635.100.1.10");
SEC_CONST_DECL (kSecPolicyAppleIPsec, "1.2.840.113635.100.1.11");
SEC_CONST_DECL (kSecPolicyAppleiChat, "1.2.840.113635.100.1.12");
SEC_CONST_DECL (kSecPolicyApplePKINITClient, "1.2.840.113635.100.1.14");
SEC_CONST_DECL (kSecPolicyApplePKINITServer, "1.2.840.113635.100.1.15");
SEC_CONST_DECL (kSecPolicyAppleCodeSigning, "1.2.840.113635.100.1.16");
SEC_CONST_DECL (kSecPolicyApplePackageSigning, "1.2.840.113635.100.1.17");
SEC_CONST_DECL (kSecPolicyAppleIDValidation, "1.2.840.113635.100.1.18");
SEC_CONST_DECL (kSecPolicyMacAppStoreReceipt, "1.2.840.113635.100.1.19");
SEC_CONST_DECL (kSecPolicyAppleTimeStamping, "1.2.840.113635.100.1.20");
SEC_CONST_DECL (kSecPolicyAppleRevocation, "1.2.840.113635.100.1.21");
SEC_CONST_DECL (kSecPolicyApplePassbookSigning, "1.2.840.113635.100.1.22");
SEC_CONST_DECL (kSecPolicyAppleMobileStore, "1.2.840.113635.100.1.23");
SEC_CONST_DECL (kSecPolicyAppleEscrowService, "1.2.840.113635.100.1.24");
SEC_CONST_DECL (kSecPolicyAppleProfileSigner, "1.2.840.113635.100.1.25");
SEC_CONST_DECL (kSecPolicyAppleQAProfileSigner, "1.2.840.113635.100.1.26");
SEC_CONST_DECL (kSecPolicyAppleTestMobileStore, "1.2.840.113635.100.1.27");
SEC_CONST_DECL (kSecPolicyAppleOTAPKISigner, "1.2.840.113635.100.1.28");
SEC_CONST_DECL (kSecPolicyAppleTestOTAPKISigner, "1.2.840.113635.100.1.29");
/* FIXME: this policy name should be deprecated and replaced with "kSecPolicyAppleIDValidationRecordSigning" */
SEC_CONST_DECL (kSecPolicyAppleIDValidationRecordSigningPolicy, "1.2.840.113635.100.1.30");
SEC_CONST_DECL (kSecPolicyAppleSMPEncryption, "1.2.840.113635.100.1.31");
SEC_CONST_DECL (kSecPolicyAppleTestSMPEncryption, "1.2.840.113635.100.1.32");
SEC_CONST_DECL (kSecPolicyAppleServerAuthentication, "1.2.840.113635.100.1.33");
SEC_CONST_DECL (kSecPolicyApplePCSEscrowService, "1.2.840.113635.100.1.34");
SEC_CONST_DECL (kSecPolicyApplePPQSigning, "1.2.840.113635.100.1.35");
SEC_CONST_DECL (kSecPolicyAppleTestPPQSigning, "1.2.840.113635.100.1.36");
SEC_CONST_DECL (kSecPolicyApplePayIssuerEncryption, "1.2.840.113635.100.1.39");
SEC_CONST_DECL (kSecPolicyAppleOSXProvisioningProfileSigning, "1.2.840.113635.100.1.40");
SEC_CONST_DECL (kSecPolicyAppleAST2DiagnosticsServerAuth, "1.2.840.113635.100.1.42");
SEC_CONST_DECL (kSecPolicyAppleEscrowProxyServerAuth, "1.2.840.113635.100.1.43");
SEC_CONST_DECL (kSecPolicyAppleFMiPServerAuth, "1.2.840.113635.100.1.44");

// Keys of a policy's property dictionary (presumably consumed by
// Policy::properties()/setProperties(), which are not visible in this file).
SEC_CONST_DECL (kSecPolicyOid, "SecPolicyOid");
SEC_CONST_DECL (kSecPolicyName, "SecPolicyName");
SEC_CONST_DECL (kSecPolicyClient, "SecPolicyClient");
SEC_CONST_DECL (kSecPolicyRevocationFlags, "SecPolicyRevocationFlags");
SEC_CONST_DECL (kSecPolicyTeamIdentifier, "SecPolicyTeamIdentifier");
#else
/* Some of these aren't defined in SecPolicy.c, but used here. */
// Unified build: the identifiers live in SecPolicy.c; only the one that is
// missing there but still referenced by oidmap is defined locally.
SEC_CONST_DECL (kSecPolicyAppleiChat, "1.2.840.113635.100.1.12");
#endif
91
92 // Private functions
93
extern "C" {
#if SECTRUST_OSX
// C-linkage accessors for a policy's options dictionary, used by the
// SECTRUST_OSX bridge code in this file (presumably implemented in SecPolicy.c).
// SecPolicyGetOptions returns the dictionary itself (not a copy — callers here
// only read it); SecPolicySetOptionsValue stores value under key.
CFDictionaryRef SecPolicyGetOptions(SecPolicyRef policy);
void SecPolicySetOptionsValue(SecPolicyRef policy, CFStringRef key, CFTypeRef value);
#endif
}
100
101 // String to CSSM_OID mapping
102
// One row of the policy-identifier-to-CSSM-OID tables (oidmap, oidmap_priv):
// oidstr is the CFString identifier, oidptr points at the static OID constant.
typedef struct oidmap_entry_s {
    const CFTypeRef oidstr;
    const SecAsn1Oid *oidptr;
} oidmap_entry_t;
108
109 // policies enumerated by SecPolicySearch (PolicyCursor.cpp)
110 /*
111 static_cast<const CssmOid *>(&CSSMOID_APPLE_ISIGN), // no longer supported
112 static_cast<const CssmOid *>(&CSSMOID_APPLE_X509_BASIC),
113 static_cast<const CssmOid *>(&CSSMOID_APPLE_TP_SSL),
114 static_cast<const CssmOid *>(&CSSMOID_APPLE_TP_SMIME),
115 static_cast<const CssmOid *>(&CSSMOID_APPLE_TP_EAP),
116 static_cast<const CssmOid *>(&CSSMOID_APPLE_TP_SW_UPDATE_SIGNING),
117 static_cast<const CssmOid *>(&CSSMOID_APPLE_TP_IP_SEC),
118 static_cast<const CssmOid *>(&CSSMOID_APPLE_TP_ICHAT), // no longer supported
119 static_cast<const CssmOid *>(&CSSMOID_APPLE_TP_RESOURCE_SIGN),
120 static_cast<const CssmOid *>(&CSSMOID_APPLE_TP_PKINIT_CLIENT),
121 static_cast<const CssmOid *>(&CSSMOID_APPLE_TP_PKINIT_SERVER),
122 static_cast<const CssmOid *>(&CSSMOID_APPLE_TP_CODE_SIGNING),
123 static_cast<const CssmOid *>(&CSSMOID_APPLE_TP_PACKAGE_SIGNING),
124 static_cast<const CssmOid *>(&CSSMOID_APPLE_TP_REVOCATION_CRL),
125 static_cast<const CssmOid *>(&CSSMOID_APPLE_TP_REVOCATION_OCSP),
126 static_cast<const CssmOid *>(&CSSMOID_APPLE_TP_MACAPPSTORE_RECEIPT),
127 static_cast<const CssmOid *>(&CSSMOID_APPLE_TP_APPLEID_SHARING),
128 static_cast<const CssmOid *>(&CSSMOID_APPLE_TP_TIMESTAMPING),
129 */
// Public policy identifier -> legacy CSSM OID. String lookups
// (SecPolicyGetOID, _SecPolicyCreateWithOID) stop at the first matching
// identifier, and the reverse lookup (SecPolicyGetStringForOID) returns the
// first entry whose OID compares equal, so order matters where an identifier
// appears more than once.
const oidmap_entry_t oidmap[] = {
	{ kSecPolicyAppleX509Basic, &CSSMOID_APPLE_X509_BASIC },
	{ kSecPolicyAppleSSL, &CSSMOID_APPLE_TP_SSL },
	{ kSecPolicyAppleSMIME, &CSSMOID_APPLE_TP_SMIME },
	{ kSecPolicyAppleEAP, &CSSMOID_APPLE_TP_EAP },
	{ kSecPolicyAppleSWUpdateSigning, &CSSMOID_APPLE_TP_SW_UPDATE_SIGNING },
	{ kSecPolicyAppleIPsec, &CSSMOID_APPLE_TP_IP_SEC },
	{ kSecPolicyAppleiChat, &CSSMOID_APPLE_TP_ICHAT },
	{ kSecPolicyApplePKINITClient, &CSSMOID_APPLE_TP_PKINIT_CLIENT },
	{ kSecPolicyApplePKINITServer, &CSSMOID_APPLE_TP_PKINIT_SERVER },
	{ kSecPolicyAppleCodeSigning, &CSSMOID_APPLE_TP_CODE_SIGNING },
	{ kSecPolicyApplePackageSigning, &CSSMOID_APPLE_TP_PACKAGE_SIGNING },
	{ kSecPolicyAppleIDValidation, &CSSMOID_APPLE_TP_APPLEID_SHARING },
	{ kSecPolicyMacAppStoreReceipt, &CSSMOID_APPLE_TP_MACAPPSTORE_RECEIPT },
	{ kSecPolicyAppleTimeStamping, &CSSMOID_APPLE_TP_TIMESTAMPING },
	// kSecPolicyAppleRevocation: the unified revocation OID is listed first, so
	// it is what a string lookup yields; the OCSP and CRL entries that follow
	// let the reverse lookup map either legacy OID back to the same identifier.
	{ kSecPolicyAppleRevocation, &CSSMOID_APPLE_TP_REVOCATION },
	{ kSecPolicyAppleRevocation, &CSSMOID_APPLE_TP_REVOCATION_OCSP },
	{ kSecPolicyAppleRevocation, &CSSMOID_APPLE_TP_REVOCATION_CRL },
	{ kSecPolicyApplePassbookSigning, &CSSMOID_APPLE_TP_PASSBOOK_SIGNING },
	{ kSecPolicyAppleMobileStore, &CSSMOID_APPLE_TP_MOBILE_STORE },
	{ kSecPolicyAppleEscrowService, &CSSMOID_APPLE_TP_ESCROW_SERVICE },
	{ kSecPolicyAppleProfileSigner, &CSSMOID_APPLE_TP_PROFILE_SIGNING },
	{ kSecPolicyAppleQAProfileSigner, &CSSMOID_APPLE_TP_QA_PROFILE_SIGNING },
	{ kSecPolicyAppleTestMobileStore, &CSSMOID_APPLE_TP_TEST_MOBILE_STORE },
	{ kSecPolicyApplePCSEscrowService, &CSSMOID_APPLE_TP_PCS_ESCROW_SERVICE },
	{ kSecPolicyAppleOSXProvisioningProfileSigning, &CSSMOID_APPLE_TP_PROVISIONING_PROFILE_SIGNING },
};
157
158 #if SECTRUST_OSX
// Private (iOS-style) policy names -> legacy CSSM OID. Consulted by
// SecPolicyGetOID only after the public oidmap has no match. Several names
// share one OID (sslServer/sslClient, eapServer/eapClient, ipsecServer/
// ipsecClient), so this table is only meaningful in the name -> OID direction;
// SecPolicyGetStringForOID does not consult it.
const oidmap_entry_t oidmap_priv[] = {
	{ CFSTR("basicX509"), &CSSMOID_APPLE_X509_BASIC },
	{ CFSTR("sslServer"), &CSSMOID_APPLE_TP_SSL },
	{ CFSTR("sslClient"), &CSSMOID_APPLE_TP_SSL },
	{ CFSTR("SMIME"), &CSSMOID_APPLE_TP_SMIME },
	{ CFSTR("eapServer"), &CSSMOID_APPLE_TP_EAP },
	{ CFSTR("eapClient"), &CSSMOID_APPLE_TP_EAP },
	{ CFSTR("AppleSWUpdateSigning"), &CSSMOID_APPLE_TP_SW_UPDATE_SIGNING },
	{ CFSTR("ipsecServer"), &CSSMOID_APPLE_TP_IP_SEC },
	{ CFSTR("ipsecClient"), &CSSMOID_APPLE_TP_IP_SEC },
	{ CFSTR("CodeSigning"), &CSSMOID_APPLE_TP_CODE_SIGNING },
	{ CFSTR("PackageSigning"), &CSSMOID_APPLE_TP_PACKAGE_SIGNING },
	{ CFSTR("AppleIDAuthority"), &CSSMOID_APPLE_TP_APPLEID_SHARING },
	{ CFSTR("MacAppStoreReceipt"), &CSSMOID_APPLE_TP_MACAPPSTORE_RECEIPT },
	{ CFSTR("AppleTimeStamping"), &CSSMOID_APPLE_TP_TIMESTAMPING },
	{ CFSTR("revocation"), &CSSMOID_APPLE_TP_REVOCATION },
	{ CFSTR("ApplePassbook"), &CSSMOID_APPLE_TP_PASSBOOK_SIGNING },
	{ CFSTR("AppleMobileStore"), &CSSMOID_APPLE_TP_MOBILE_STORE },
	{ CFSTR("AppleEscrowService"), &CSSMOID_APPLE_TP_ESCROW_SERVICE },
	{ CFSTR("AppleProfileSigner"), &CSSMOID_APPLE_TP_PROFILE_SIGNING },
	{ CFSTR("AppleQAProfileSigner"), &CSSMOID_APPLE_TP_QA_PROFILE_SIGNING },
	{ CFSTR("AppleTestMobileStore"), &CSSMOID_APPLE_TP_TEST_MOBILE_STORE },
	{ CFSTR("ApplePCSEscrowService"), &CSSMOID_APPLE_TP_PCS_ESCROW_SERVICE },
	{ CFSTR("AppleOSXProvisioningProfileSigning"), &CSSMOID_APPLE_TP_PROVISIONING_PROFILE_SIGNING },
};
184 #endif
185
186 //
187 // CF boilerplate
188 //
189 #if !SECTRUST_OSX
/*
 * Returns the CFTypeID of the legacy Policy class registered in gTypes().
 * Wrapped in the SECAPI macros; END_SECAPI1 supplies _kCFRuntimeNotATypeID as
 * the value produced on the macros' error path.
 */
CFTypeID
SecPolicyGetTypeID(void)
{
	BEGIN_SECAPI
	return gTypes().Policy.typeID;
	END_SECAPI1(_kCFRuntimeNotATypeID)
}
197 #endif
198
199 //
200 // Sec API bridge functions
201 //
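/* OS X only: __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA) */
#if SECTRUST_OSX
/*
 * Returns the CSSM OID mapped to policyString in a count-entry table, or NULL
 * when no entry matches. Comparison is exact (CFStringCompare, no options) and
 * the first matching entry wins, so an identifier listed more than once
 * resolves to its first OID.
 */
static const CSSM_OID *
lookupOidForPolicyString(const oidmap_entry_t *map, size_t count, CFStringRef policyString)
{
    for (size_t i = 0; i < count; i++) {
        CFStringRef str = (CFStringRef) map[i].oidstr;
        if (CFStringCompare(str, policyString, 0) == kCFCompareEqualTo) {
            return (const CSSM_OID *) map[i].oidptr;
        }
    }
    return NULL;
}
#endif

/*
 * Fills *oid with the legacy CSSM OID of policyRef.
 *
 * In the unified (SECTRUST_OSX) build the policy's OID string is resolved
 * through oidmap (public identifiers) and then oidmap_priv (private names).
 * The Data pointer stored in *oid aliases a static OID table entry: callers
 * must neither modify nor free it.
 *
 * Returns errSecParam when policyRef or oid is NULL or the policy has no OID
 * string, errSecServiceNotAvailable when the string is unknown to both tables
 * (the string is dumped with CFShow and a syslog warning is emitted), and
 * errSecSuccess otherwise.
 */
OSStatus
SecPolicyGetOID(SecPolicyRef policyRef, CSSM_OID* oid)
{
#if !SECTRUST_OSX
	BEGIN_SECAPI
	Required(oid) = Policy::required(policyRef)->oid();
	END_SECAPI
#else
	/* bridge to support old functionality */
	if (!policyRef || !oid) {
		return errSecParam;
	}
	CFStringRef oidStr = (CFStringRef) SecPolicyGetOidString(policyRef);
	if (!oidStr) {
		return errSecParam; // bad policy ref?
	}
	// Public identifiers first, then the private iOS-style names.
	const CSSM_OID *oidptr = lookupOidForPolicyString(oidmap, sizeof(oidmap) / sizeof(oidmap[0]), oidStr);
	if (!oidptr) {
		oidptr = lookupOidForPolicyString(oidmap_priv, sizeof(oidmap_priv) / sizeof(oidmap_priv[0]), oidStr);
	}
	if (oidptr) {
		oid->Data = oidptr->Data;
		oid->Length = oidptr->Length;
		return errSecSuccess;
	}
	CFShow(oidStr);
	syslog(LOG_ERR, "WARNING: SecPolicyGetOID failed to return an OID. This function was deprecated in 10.7. Please use SecPolicyCopyProperties instead.");
	return errSecServiceNotAvailable;
#endif
}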
249
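// TODO: use a version of this function from a utility library
/*
 * Returns CSSM_TRUE when oid1 and oid2 hold identical byte strings, else
 * CSSM_FALSE. NULL arguments compare unequal. Two zero-length OIDs compare
 * equal without touching Data (so memcmp is never called with a NULL pointer),
 * and a NULL Data with a non-zero Length compares unequal instead of being
 * dereferenced.
 */
static CSSM_BOOL compareOids(
	const CSSM_OID *oid1,
	const CSSM_OID *oid2)
{
	if (oid1 == NULL || oid2 == NULL) {
		return CSSM_FALSE;
	}
	if (oid1->Length != oid2->Length) {
		return CSSM_FALSE;
	}
	if (oid1->Length == 0) {
		return CSSM_TRUE;
	}
	if (oid1->Data == NULL || oid2->Data == NULL) {
		return CSSM_FALSE;
	}
	return (memcmp(oid1->Data, oid2->Data, oid1->Length) == 0) ? CSSM_TRUE : CSSM_FALSE;
}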
268
/* OS X only: */
/*
 * Reverse lookup in oidmap: returns the policy identifier string whose CSSM
 * OID equals *oid (first matching entry wins), or NULL for a NULL argument or
 * no match. The returned string is a static constant; do not release it.
 */
CFStringRef SecPolicyGetStringForOID(CSSM_OID* oid)
{
    if (oid == NULL) {
        return NULL;
    }
    const oidmap_entry_t *entry = oidmap;
    const oidmap_entry_t *const end = oidmap + sizeof(oidmap) / sizeof(oidmap[0]);
    for (; entry < end; ++entry) {
        if (compareOids(oid, (const CSSM_OID *) entry->oidptr)) {
            return (CFStringRef) entry->oidstr;
        }
    }
    return NULL;
}
285
286 #if SECTRUST_OSX
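/*
 * Vends stringRef, encoded as UTF-8, through the legacy CSSM_DATA interface.
 *
 * The old API promised a pointer that stays valid for the life of the policy,
 * but the modern policy values are CF objects, so a separate UTF-8 buffer is
 * needed. That buffer is a CFData stored under the "policy_data" key of the
 * policy's options, so it is released together with the policy.
 * NOTE(review): each call replaces that entry, which presumably releases the
 * previous CFData — a pointer vended by an earlier call on the same policy
 * should be treated as invalidated by the next one.
 *
 * value may be NULL (nothing is vended). When policyRef is NULL the CFData
 * has nowhere to live and is intentionally leaked (logged).
 *
 * Returns false when stringRef is NULL, the UTF-8 size cannot be computed
 * (kCFNotFound) or the buffer cannot be allocated; true otherwise, including
 * the case where conversion fails and *value is set to {NULL, 0}.
 */
static bool SecPolicyGetCSSMDataValueForString(SecPolicyRef policyRef, CFStringRef stringRef, CSSM_DATA* value)
{
	if (!stringRef) {
		return false;
	}
	CFDataRef data = NULL;
	CFIndex maxLength = CFStringGetMaximumSizeForEncoding(CFStringGetLength(stringRef), kCFStringEncodingUTF8);
	if (maxLength < 0) {
		// kCFNotFound: the byte count does not fit a CFIndex; do not turn it
		// into a tiny allocation.
		return false;
	}
	size_t bufSize = (size_t)maxLength + 1; // room for the terminating NUL
	char* buf = (char*) malloc(bufSize);
	if (!buf) {
		return false;
	}
	if (CFStringGetCString(stringRef, buf, (CFIndex)bufSize, kCFStringEncodingUTF8)) {
		data = CFDataCreate(NULL, (const UInt8 *)buf, (CFIndex)strlen(buf));
	}
	free(buf);
	if (value) {
		value->Data = (uint8*)((data) ? CFDataGetBytePtr(data) : NULL);
		value->Length = (CSSM_SIZE)((data) ? CFDataGetLength(data) : 0);
	}
	if (data) {
		// stash this in a place where it will be released when the policy is destroyed
		if (policyRef) {
			SecPolicySetOptionsValue(policyRef, CFSTR("policy_data"), data);
			CFRelease(data);
		}
		else {
			syslog(LOG_ERR, "WARNING: policy dictionary not found to store returned data; will leak!");
		}
	}
	return true;
}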
322 #endif
323
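/* OS X only: __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA) */
/*
 * Legacy getter for a policy's value.
 *
 * In the unified (SECTRUST_OSX) build the "value" is the first name-bearing
 * option present in the policy's options dictionary — the SSL hostname, the
 * EAP trusted server names (an array, of which the first entry is vended), or
 * the S/MIME email — returned as UTF-8 via SecPolicyGetCSSMDataValueForString,
 * which documents the lifetime of the vended pointer. When no such option
 * exists, or it is empty or not a string, *value is {NULL, 0}.
 *
 * Returns errSecParam when policyRef or value is NULL or the policy has no
 * options dictionary; errSecSuccess otherwise.
 */
OSStatus
SecPolicyGetValue(SecPolicyRef policyRef, CSSM_DATA* value)
{
#if !SECTRUST_OSX
	BEGIN_SECAPI
	Required(value) = Policy::required(policyRef)->value();
	END_SECAPI
#else
	/* bridge to support old functionality */
#if SECTRUST_DEPRECATION_WARNINGS
	syslog(LOG_ERR, "WARNING: SecPolicyGetValue was deprecated in 10.7. Please use SecPolicyCopyProperties instead.");
#endif
	if (!(policyRef && value)) {
		return errSecParam;
	}
	CFDictionaryRef options = SecPolicyGetOptions(policyRef);
	if (!(options && (CFDictionaryGetTypeID() == CFGetTypeID(options)))) {
		return errSecParam;
	}
	// First present option wins, in this order.
	const CFStringRef nameKeys[] = {
		CFSTR("SSLHostname") /*kSecPolicyCheckSSLHostname*/,
		CFSTR("EAPTrustedServerNames") /*kSecPolicyCheckEAPTrustedServerNames*/,
		CFSTR("email") /*kSecPolicyCheckEmail*/,
	};
	CFTypeRef name = NULL;
	for (size_t i = 0; i < sizeof(nameKeys) / sizeof(nameKeys[0]) && !name; i++) {
		name = CFDictionaryGetValue(options, nameKeys[i]);
	}
	if (name && CFGetTypeID(name) == CFArrayGetTypeID()) {
		// A list of names is reduced to its first entry; an empty list has
		// nothing to vend (indexing it would be out of range).
		CFArrayRef names = (CFArrayRef)name;
		name = (CFArrayGetCount(names) > 0) ? CFArrayGetValueAtIndex(names, 0) : NULL;
	}
	if (name && CFGetTypeID(name) == CFStringGetTypeID()) {
		SecPolicyGetCSSMDataValueForString(policyRef, (CFStringRef)name, value);
	}
	else {
		// Nothing usable (absent, empty, or not a string): vend an empty value
		// rather than handing a non-string to the UTF-8 conversion.
		value->Data = NULL;
		value->Length = 0;
	}
	return errSecSuccess;
#endif
}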
373
374 #if !SECTRUST_OSX
/*
 * Returns the policy's property dictionary from Policy::properties() (by CF
 * naming, the caller owns and releases it), or NULL when policyRef is invalid
 * or properties() throws. Written without the SECAPI macros because the
 * function returns a CFDictionaryRef rather than an OSStatus.
 */
CFDictionaryRef
SecPolicyCopyProperties(SecPolicyRef policyRef)
{
    /* can't use SECAPI macros, since this function does not return OSStatus */
    CFDictionaryRef properties = NULL;
    try {
        properties = Policy::required(policyRef)->properties();
    }
    catch (...) {
        // properties is assigned only after properties() returns, so there is
        // normally nothing to release here; the check is kept for safety.
        if (properties != NULL) {
            CFRelease(properties);
        }
        properties = NULL;
    }
    return properties;
}
391 #endif
392
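/* OS X only: __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA) */
#if SECTRUST_OSX
/*
 * Creates a CFString from len bytes of UTF-8 at bytes (a name carried inside a
 * legacy CSSM options struct). On return *outData holds the intermediate CFData
 * or NULL; the caller releases both it and the returned string. Returns NULL
 * when bytes is NULL, len is 0, or either CF object cannot be created.
 */
static CFStringRef
createPolicyNameFromBytes(const void *bytes, CSSM_SIZE len, CFDataRef *outData)
{
	CFDataRef data = NULL;
	CFStringRef name = NULL;
	if (bytes != NULL && len > 0) {
		data = CFDataCreate(NULL, (const UInt8 *)bytes, (CFIndex)len);
		if (data) {
			name = CFStringCreateFromExternalRepresentation(NULL, data, kCFStringEncodingUTF8);
		}
	}
	*outData = data;
	return name;
}
#endif

/*
 * Legacy setter: interprets value->Data as the CSSM options struct that goes
 * with the policy's OID and translates it into modern policy options.
 *
 * In the unified (SECTRUST_OSX) build:
 *  - SSL / IPsec / Apple ID policies take CSSM_APPLE_TP_SSL_OPTIONS; the
 *    server name becomes the "SSLHostname" option.
 *  - EAP policies take the same struct; the name becomes "EAPTrustedServerNames".
 *  - S/MIME / Passbook policies take CSSM_APPLE_TP_SMIME_OPTIONS; the sender
 *    email becomes the "email" option.
 *  - Revocation policies take CSSM_APPLE_TP_CRL_OPTIONS; the CRL flags select
 *    network access, the acceptable revocation method and whether a response
 *    is required.
 * value->Data is caller-supplied, so every cast above is guarded by a check
 * that value->Length covers the whole struct: an undersized buffer is treated
 * as "no usable options" rather than read past its end, which for the name
 * policies means errSecParam and for revocation means no options are set.
 *
 * Returns errSecParam for NULL arguments, a policy without an OID string, an
 * unrecognized OID, or (name policies) when no name could be extracted;
 * errSecSuccess otherwise. Results of SecPolicySetOptionsValue are not checked.
 */
OSStatus
SecPolicySetValue(SecPolicyRef policyRef, const CSSM_DATA *value)
{
#if !SECTRUST_OSX
	BEGIN_SECAPI
	Required(value);
	const CssmData newValue(value->Data, value->Length);
	Policy::required(policyRef)->setValue(newValue);
	END_SECAPI
#else
	/* bridge to support old functionality */
#if SECTRUST_DEPRECATION_WARNINGS
	syslog(LOG_ERR, "WARNING: SecPolicySetValue was deprecated in 10.7. Please use SecPolicySetProperties instead.");
#endif
	if (!(policyRef && value)) {
		return errSecParam;
	}
	OSStatus status = errSecSuccess;
	CFDataRef data = NULL;
	CFStringRef name = NULL;
	CFStringRef oid = (CFStringRef) SecPolicyGetOidString(policyRef);
	if (!oid) {
		syslog(LOG_ERR, "SecPolicySetValue: unknown policy OID");
		return errSecParam; // bad policy ref?
	}
	const void *bytes = value->Data;
	const CSSM_SIZE len = value->Length;
	if (CFEqual(oid, CFSTR("sslServer") /*kSecPolicyOIDSSLServer*/) ||
		CFEqual(oid, CFSTR("sslClient") /*kSecPolicyOIDSSLClient*/) ||
		CFEqual(oid, CFSTR("ipsecServer") /*kSecPolicyOIDIPSecServer*/) ||
		CFEqual(oid, CFSTR("ipsecClient") /*kSecPolicyOIDIPSecClient*/) ||
		CFEqual(oid, kSecPolicyAppleSSL) ||
		CFEqual(oid, kSecPolicyAppleIPsec) ||
		CFEqual(oid, kSecPolicyAppleIDValidation)
		) {
		const CSSM_APPLE_TP_SSL_OPTIONS *opts = (const CSSM_APPLE_TP_SSL_OPTIONS *)bytes;
		if (bytes && len >= sizeof(*opts) && opts->Version == CSSM_APPLE_TP_SSL_OPTS_VERSION) {
			name = createPolicyNameFromBytes(opts->ServerName, opts->ServerNameLen, &data);
		}
		if (name) {
			SecPolicySetOptionsValue(policyRef, CFSTR("SSLHostname") /*kSecPolicyCheckSSLHostname*/, name);
		}
		else {
			status = errSecParam;
		}
	}
	else if (CFEqual(oid, CFSTR("eapServer") /*kSecPolicyOIDEAPServer*/) ||
		CFEqual(oid, CFSTR("eapClient") /*kSecPolicyOIDEAPClient*/) ||
		CFEqual(oid, kSecPolicyAppleEAP)
		) {
		const CSSM_APPLE_TP_SSL_OPTIONS *opts = (const CSSM_APPLE_TP_SSL_OPTIONS *)bytes;
		if (bytes && len >= sizeof(*opts) && opts->Version == CSSM_APPLE_TP_SSL_OPTS_VERSION) {
			name = createPolicyNameFromBytes(opts->ServerName, opts->ServerNameLen, &data);
		}
		if (name) {
			SecPolicySetOptionsValue(policyRef, CFSTR("EAPTrustedServerNames") /*kSecPolicyCheckEAPTrustedServerNames*/, name);
		}
		else {
			status = errSecParam;
		}
	}
	else if (CFEqual(oid, CFSTR("SMIME") /*kSecPolicyOIDSMIME*/) ||
		CFEqual(oid, CFSTR("AppleShoebox") /*kSecPolicyOIDAppleShoebox*/) ||
		CFEqual(oid, CFSTR("ApplePassbook") /*kSecPolicyOIDApplePassbook*/) ||
		CFEqual(oid, kSecPolicyAppleSMIME) ||
		CFEqual(oid, kSecPolicyApplePassbookSigning)
		) {
		const CSSM_APPLE_TP_SMIME_OPTIONS *opts = (const CSSM_APPLE_TP_SMIME_OPTIONS *)bytes;
		if (bytes && len >= sizeof(*opts) && opts->Version == CSSM_APPLE_TP_SMIME_OPTS_VERSION) {
			name = createPolicyNameFromBytes(opts->SenderEmail, opts->SenderEmailLen, &data);
		}
		if (name) {
			SecPolicySetOptionsValue(policyRef, CFSTR("email") /*kSecPolicyCheckEmail*/, name);
		}
		else {
			status = errSecParam;
		}
	}
	else if (CFEqual(oid, CFSTR("revocation") /* kSecPolicyOIDRevocation */) ||
		CFEqual(oid, kSecPolicyAppleRevocation)
		) {
		const CSSM_APPLE_TP_CRL_OPTIONS *opts = (const CSSM_APPLE_TP_CRL_OPTIONS *)bytes;
		if (bytes && len >= sizeof(*opts) && opts->Version == CSSM_APPLE_TP_CRL_OPTS_VERSION) {
			CSSM_APPLE_TP_CRL_OPT_FLAGS crlFlags = opts->CrlFlags;
			if ((crlFlags & CSSM_TP_ACTION_FETCH_CRL_FROM_NET) == 0) {
				/* disable network access */
				SecPolicySetOptionsValue(policyRef, CFSTR("NoNetworkAccess") /*kSecPolicyCheckNoNetworkAccess*/, kCFBooleanTrue);
			}
			if ((crlFlags & CSSM_TP_ACTION_CRL_SUFFICIENT) == 0) {
				/* if CRL method is not sufficient, must use OCSP */
				SecPolicySetOptionsValue(policyRef, CFSTR("Revocation") /*kSecPolicyCheckRevocation*/,
										 CFSTR("OCSP")/*kSecPolicyCheckRevocationOCSP*/);
			} else {
				/* either method is sufficient */
				SecPolicySetOptionsValue(policyRef, CFSTR("Revocation") /*kSecPolicyCheckRevocation*/,
										 CFSTR("AnyRevocationMethod") /*kSecPolicyCheckRevocationAny*/);
			}

			if ((crlFlags & CSSM_TP_ACTION_REQUIRE_CRL_PER_CERT) != 0) {
				/* require a response */
				SecPolicySetOptionsValue(policyRef,
										 CFSTR("RevocationResponseRequired") /*kSecPolicyCheckRevocationResponseRequired*/,
										 kCFBooleanTrue);
			}
		}
	}
	else {
		syslog(LOG_ERR, "SecPolicySetValue: unrecognized policy OID");
		status = errSecParam;
	}
	if (data) { CFRelease(data); }
	if (name) { CFRelease(name); }
	return status;
#endif
}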
516
517 #if !SECTRUST_OSX
/*
 * Replaces the policy's properties with properties via the legacy
 * Policy::setProperties(). Errors (including an invalid policyRef) are
 * converted into the returned OSStatus by the SECAPI macros.
 */
OSStatus
SecPolicySetProperties(SecPolicyRef policyRef, CFDictionaryRef properties)
{
	BEGIN_SECAPI
	Policy::required(policyRef)->setProperties(properties);
	END_SECAPI
}
525 #endif
526
/* OS X only: __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA) */
/*
 * Legacy accessor for the CSSM TP handle behind a policy. Only the
 * non-unified build can supply one; under SECTRUST_OSX the function always
 * returns errSecServiceNotAvailable and leaves *tpHandle untouched.
 */
OSStatus
SecPolicyGetTPHandle(SecPolicyRef policyRef, CSSM_TP_HANDLE* tpHandle)
{
#if !SECTRUST_OSX
	BEGIN_SECAPI
	Required(tpHandle) = Policy::required(policyRef)->tp()->handle();
	END_SECAPI
#else
	/* this function is unsupported in unified SecTrust */
#if SECTRUST_DEPRECATION_WARNINGS
	syslog(LOG_ERR, "WARNING: SecPolicyGetTPHandle was deprecated in 10.7, and does nothing in 10.11. Please stop using it.");
#endif
	return errSecServiceNotAvailable;
#endif
}
543
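/* OS X only: __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_3, __MAC_10_7, __IPHONE_NA, __IPHONE_NA) */
/*
 * Returns in *policies a new immutable array of policy objects (the caller
 * releases the array, which owns its elements).
 *
 * Non-unified build: enumerates every policy through PolicyCursor.
 * Unified (SECTRUST_OSX) build: creates the fixed subset of policies listed in
 * supportedPolicies below. certificateType is not consulted in either build.
 *
 * Returns errSecParam when policies is NULL and errSecAllocate when an array
 * cannot be created; errSecSuccess otherwise.
 */
OSStatus
SecPolicyCopyAll(CSSM_CERT_TYPE certificateType, CFArrayRef* policies)
{
#if !SECTRUST_OSX
	BEGIN_SECAPI
	Required(policies);
	// NOTE(review): this array does not retain its elements (NULL callbacks);
	// the accounting below relies on policy->handle() returning a retained
	// reference that the array then "owns" — confirm against SecCFObject.
	CFMutableArrayRef currPolicies = NULL;
	currPolicies = CFArrayCreateMutable(NULL, 0, NULL);
	if ( currPolicies )
	{
		SecPointer<PolicyCursor> cursor(new PolicyCursor(NULL, NULL));
		SecPointer<Policy> policy;
		while ( cursor->next(policy) ) /* copies the next policy */
		{
			CFArrayAppendValue(currPolicies, policy->handle());  /* 'SecPolicyRef' appended */
			CFRelease(policy->handle()); /* refcount bumped up when appended to array */
		}
		*policies = CFArrayCreateCopy(NULL, currPolicies);
		CFRelease(currPolicies);
		CFRelease(cursor->handle());
	}
	END_SECAPI
#else
	/* bridge to support old functionality */
#if SECTRUST_DEPRECATION_WARNINGS
	syslog(LOG_ERR, "WARNING: SecPolicyCopyAll was deprecated in 10.7. Please use SecPolicy creation functions instead.");
#endif
	if (!policies) {
		return errSecParam;
	}
	// The array must retain its elements: each policy is released right after
	// it is appended, so a non-retaining (NULL callbacks) array would hand the
	// caller dangling references.
	CFMutableArrayRef curPolicies = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
	if (!curPolicies) {
		return errSecAllocate;
	}
	/* build the subset of policies which were supported on OS X,
	   and which are also implemented on iOS */
	const CFStringRef supportedPolicies[] = {
		kSecPolicyAppleX509Basic, /* CSSMOID_APPLE_X509_BASIC */
		kSecPolicyAppleSSL, /* CSSMOID_APPLE_TP_SSL */
		kSecPolicyAppleSMIME, /* CSSMOID_APPLE_TP_SMIME */
		kSecPolicyAppleEAP, /*CSSMOID_APPLE_TP_EAP */
		kSecPolicyAppleSWUpdateSigning, /* CSSMOID_APPLE_TP_SW_UPDATE_SIGNING */
		kSecPolicyAppleIPsec, /* CSSMOID_APPLE_TP_IP_SEC */
		kSecPolicyAppleCodeSigning, /* CSSMOID_APPLE_TP_CODE_SIGNING */
		kSecPolicyMacAppStoreReceipt, /* CSSMOID_APPLE_TP_MACAPPSTORE_RECEIPT */
		kSecPolicyAppleIDValidation, /* CSSMOID_APPLE_TP_APPLEID_SHARING */
		kSecPolicyAppleTimeStamping, /* CSSMOID_APPLE_TP_TIMESTAMPING */
		kSecPolicyAppleRevocation, /* CSSMOID_APPLE_TP_REVOCATION_{CRL,OCSP} */
		NULL
	};
	for (CFIndex ix = 0; supportedPolicies[ix] != NULL; ix++) {
		SecPolicyRef curPolicy = SecPolicyCreateWithProperties(supportedPolicies[ix], NULL);
		if (curPolicy) {
			CFArrayAppendValue(curPolicies, curPolicy);
			CFRelease(curPolicy); // the array now holds its own reference
		}
	}
	*policies = CFArrayCreateCopy(NULL, curPolicies);
	CFRelease(curPolicies);
	return (*policies != NULL) ? errSecSuccess : errSecAllocate;
#endif
}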
612
/* OS X only: __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_3, __MAC_10_7, __IPHONE_NA, __IPHONE_NA) */
/*
 * Looks up the first policy matching policyOID for certificateType through a
 * one-shot SecPolicySearch and returns it in *policy (caller releases).
 * NULL arguments are reported as errSecParam (unified build) or raised through
 * Required() (legacy build). Otherwise the status of the search creation or
 * of SecPolicySearchCopyNext is returned.
 */
OSStatus
SecPolicyCopy(CSSM_CERT_TYPE certificateType, const CSSM_OID *policyOID, SecPolicyRef* policy)
{
#if !SECTRUST_OSX
    Required(policy);
    Required(policyOID);
#else
    if (policyOID == NULL || policy == NULL) {
        return errSecParam;
    }
#endif
    SecPolicySearchRef search = NULL;
    OSStatus status = SecPolicySearchCreate(certificateType, policyOID, NULL, &search);
    if (status != errSecSuccess) {
        return status;
    }
    status = SecPolicySearchCopyNext(search, policy);
    CFRelease(search);
    return status;
}
636
/* OS X only: convert a new-world SecPolicyRef to an old-world ItemImpl instance */
/*
 * Returns a reference the caller releases, or NULL when policy is NULL, its
 * OID is unknown to the legacy tables, or the ItemImpl policy cannot be built.
 * In the legacy build both worlds coincide, so the input is simply retained.
 * The new-world properties are copied onto the legacy object.
 * NOTE(review): if setProperties() throws after handle() has been obtained,
 * that handle is dropped without a release — confirm whether handle() hands
 * out a retained reference.
 */
SecPolicyRef
SecPolicyCreateItemImplInstance(SecPolicyRef policy)
{
#if !SECTRUST_OSX
    if (policy == NULL) {
        return NULL;
    }
    return (SecPolicyRef)CFRetain(policy);
#else
    if (policy == NULL) {
        return NULL;
    }
    CSSM_OID oid;
    if (SecPolicyGetOID(policy, &oid) != errSecSuccess) {
        return NULL;
    }
    CFDictionaryRef properties = SecPolicyCopyProperties(policy);
    SecPolicyRef legacyPolicy = NULL;
    try {
        SecPointer<Policy> policyObj;
        PolicyCursor::policy(&oid, policyObj);
        legacyPolicy = policyObj->handle();
        Policy::required(legacyPolicy)->setProperties(properties);
    }
    catch (...) {
        legacyPolicy = NULL;
    }
    if (properties != NULL) {
        CFRelease(properties);
    }
    return legacyPolicy;
#endif
}
669
670 #if !SECTRUST_OSX
/* new in 10.6 */
/*
 * Returns a new policy object (caller releases) for the Apple X.509 Basic
 * policy, found through a one-shot SecPolicySearch, or NULL when the search
 * cannot be created or yields nothing. The search status is not reported.
 */
SecPolicyRef
SecPolicyCreateBasicX509(void)
{
    SecPolicyRef policy = NULL;
    SecPolicySearchRef search = NULL;
    if (SecPolicySearchCreate(CSSM_CERT_X_509v3, &CSSMOID_APPLE_X509_BASIC, NULL, &search) == errSecSuccess) {
        (void)SecPolicySearchCopyNext(search, &policy);
    }
    if (search != NULL) {
        CFRelease(search);
    }
    return policy;
}
687 #endif
688
689 #if !SECTRUST_OSX
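/* new in 10.6 */
/*
 * Returns a new SSL policy (caller releases) configured for server- or
 * client-side evaluation (server == false sets CSSM_APPLE_TP_SSL_CLIENT) with
 * hostname, converted to UTF-8, as the ServerName of its options; a NULL
 * hostname leaves ServerName empty.
 *
 * Fails closed: when a hostname was supplied but could not be converted (or
 * its buffer could not be allocated), or when SecPolicySetValue rejects the
 * options, NULL is returned instead of a policy that would silently evaluate
 * without the requested name. NULL is also returned when the policy search
 * fails.
 */
SecPolicyRef
SecPolicyCreateSSL(Boolean server, CFStringRef hostname)
{
    SecPolicyRef policy = NULL;
    SecPolicySearchRef policySearch = NULL;
    OSStatus status = SecPolicySearchCreate(CSSM_CERT_X_509v3, &CSSMOID_APPLE_TP_SSL, NULL, &policySearch);
    if (!status) {
        status = SecPolicySearchCopyNext(policySearch, &policy);
    }
    if (!status && policy) {
        // set options for client-side or server-side policy evaluation
        char *strbuf = NULL;
        const char *hostnamestr = NULL;
        bool hostnameUsable = true;
        if (hostname) {
            hostnamestr = CFStringGetCStringPtr(hostname, kCFStringEncodingUTF8);
            if (hostnamestr == NULL) {
                CFIndex maxLen = CFStringGetMaximumSizeForEncoding(CFStringGetLength(hostname), kCFStringEncodingUTF8);
                if (maxLen >= 0) {   // kCFNotFound means the size does not fit a CFIndex
                    CFIndex bufLen = maxLen + 1;
                    strbuf = (char *)malloc((size_t)bufLen);
                    if (strbuf && CFStringGetCString(hostname, strbuf, bufLen, kCFStringEncodingUTF8)) {
                        hostnamestr = strbuf;
                    }
                }
            }
            // A hostname was asked for: refuse to continue without it.
            hostnameUsable = (hostnamestr != NULL);
        }
        if (hostnameUsable) {
            uint32 hostnamelen = (hostnamestr) ? (uint32)strlen(hostnamestr) : 0;
            uint32 flags = (!server) ? CSSM_APPLE_TP_SSL_CLIENT : 0;
            CSSM_APPLE_TP_SSL_OPTIONS opts = {CSSM_APPLE_TP_SSL_OPTS_VERSION, hostnamelen, hostnamestr, flags};
            CSSM_DATA data = {sizeof(opts), (uint8*)&opts};
            status = SecPolicySetValue(policy, &data);
        }
        if (!hostnameUsable || status) {
            CFRelease(policy);
            policy = NULL;
        }
        free(strbuf);
    }
    if (policySearch) {
        CFRelease(policySearch);
    }
    return policy;
}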
730 #endif
731
732 #if !SECTRUST_OSX
/* not exported */
/*
 * Builds the legacy Policy object for a CSSM/ASN.1 OID through PolicyCursor
 * and returns its CF handle, or NULL if the cursor throws. Every exception is
 * swallowed: this is a best-effort lookup used as a last resort by callers.
 */
static SecPolicyRef
SecPolicyCreateWithSecAsn1Oid(SecAsn1Oid *oidPtr)
{
    try {
        SecPointer<Policy> policyObj;
        PolicyCursor::policy(oidPtr, policyObj);
        return policyObj->handle();
    }
    catch (...) {
        return NULL;
    }
}
747 #endif
748
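/*
 * Creates (caller releases) the policy object for one of the public policy
 * constants from SecPolicy.h. kSecPolicyAppleServerAuthentication is served by
 * SecPolicyCreateAppleSSLService; every other identifier is resolved through
 * oidmap and instantiated via SecPolicySearch, with SecPolicyCreateRevocation
 * as a fallback for kSecPolicyAppleRevocation and (legacy build only) a direct
 * PolicyCursor lookup as the final fallback.
 *
 * Returns NULL when policyOID is NULL or not a CFString, is not in oidmap, or
 * no policy could be instantiated.
 */
static SecPolicyRef
_SecPolicyCreateWithOID(CFTypeRef policyOID)
{
    // for now, we only accept the policy constants that are defined in SecPolicy.h
    // policyOID is an opaque CFTypeRef from the caller; make sure it really is a
    // string before handing it to CFStringCompare/CFEqual.
    if (!policyOID || CFGetTypeID(policyOID) != CFStringGetTypeID()) {
        return NULL;
    }
    CFStringRef oidStr = (CFStringRef)policyOID;
    if (CFEqual(oidStr, kSecPolicyAppleServerAuthentication)) {
        return SecPolicyCreateAppleSSLService(NULL);
    }
    const CSSM_OID *oidPtr = NULL;
    const size_t oidmaplen = sizeof(oidmap) / sizeof(oidmap[0]);
    for (size_t i = 0; i < oidmaplen; i++) {
        if (CFStringCompare((CFStringRef)oidmap[i].oidstr, oidStr, 0) == kCFCompareEqualTo) {
            oidPtr = (const CSSM_OID *)oidmap[i].oidptr;
            break;
        }
    }
    if (!oidPtr) {
        return NULL;
    }
    SecPolicyRef policy = NULL;
    SecPolicySearchRef policySearch = NULL;
    OSStatus status = SecPolicySearchCreate(CSSM_CERT_X_509v3, oidPtr, NULL, &policySearch);
    if (!status && policySearch) {
        status = SecPolicySearchCopyNext(policySearch, &policy);
        if (status != errSecSuccess) {
            policy = NULL;
        }
        CFRelease(policySearch);
    }
    if (!policy && CFEqual(oidStr, kSecPolicyAppleRevocation)) {
        policy = SecPolicyCreateRevocation(kSecRevocationUseAnyAvailableMethod);
    }
#if !SECTRUST_OSX
    if (!policy) {
        policy = SecPolicyCreateWithSecAsn1Oid((SecAsn1Oid*)oidPtr);
    }
#endif
    return policy;
}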
791
/* OS X only: __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_7, __MAC_10_9, __IPHONE_NA, __IPHONE_NA) */
/*
 * Deprecated public entry point: returns _SecPolicyCreateWithOID(policyOID)
 * (caller releases), logging a warning to syslog when no policy could be
 * produced. Returns NULL in that case.
 */
SecPolicyRef
SecPolicyCreateWithOID(CFTypeRef policyOID)
{
    SecPolicyRef policy = _SecPolicyCreateWithOID(policyOID);
    if (policy != NULL) {
        return policy;
    }
    syslog(LOG_ERR, "WARNING: SecPolicyCreateWithOID was unable to return the requested policy. This function was deprecated in 10.9. Please use supported SecPolicy creation functions instead.");
    return NULL;
}
802
803 #if !SECTRUST_OSX
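/* new in 10.9 */
/*
 * Creates (caller releases) the policy identified by policyIdentifier and
 * applies properties (may be NULL) to it through SecPolicySetProperties.
 *
 * Returns NULL when the identifier is unknown, or — when a property
 * dictionary was supplied — when it could not be applied: a policy that
 * silently lacks the properties it was asked for (such as the name it should
 * check) would evaluate more permissively than the caller intended. With NULL
 * properties the result of SecPolicySetProperties is not checked.
 */
SecPolicyRef
SecPolicyCreateWithProperties(CFTypeRef policyIdentifier, CFDictionaryRef properties)
{
    SecPolicyRef policy = _SecPolicyCreateWithOID(policyIdentifier);
    if (!policy) {
        return NULL;
    }
    OSStatus status = SecPolicySetProperties(policy, properties);
    if (properties && status != errSecSuccess) {
        CFRelease(policy);
        policy = NULL;
    }
    return policy;
}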
813 #endif
814
815 #if !SECTRUST_OSX
/* new in 10.9 */
/*
 * Returns (caller releases) the unified revocation policy with revocationFlags
 * stored as its value, or NULL if the policy cannot be created. The flags are
 * handed to SecPolicySetValue as a raw sizeof(CFOptionFlags) blob; the result
 * of that call is not checked.
 */
SecPolicyRef
SecPolicyCreateRevocation(CFOptionFlags revocationFlags)
{
    SecAsn1Oid *revocationOid = (SecAsn1Oid *)&CSSMOID_APPLE_TP_REVOCATION;
    SecPolicyRef policy = SecPolicyCreateWithSecAsn1Oid(revocationOid);
    if (policy == NULL) {
        return NULL;
    }
    CSSM_DATA policyData = { (CSSM_SIZE)sizeof(revocationFlags), (uint8 *)&revocationFlags };
    (void)SecPolicySetValue(policy, &policyData);
    return policy;
}
829 #endif
830
831 #if !SECTRUST_OSX
/*
 * IDS service policy. In this legacy build it is the generic SSL policy for
 * server-side evaluation with hostname as the server name (NULL sets none);
 * the unified implementation presumably adds service-specific checks.
 * Returns a reference the caller releases, or NULL if the policy cannot be
 * created.
 */
SecPolicyRef SecPolicyCreateAppleIDSService(CFStringRef hostname)
{
    const Boolean evaluateAsServer = true;
    return SecPolicyCreateSSL(evaluateAsServer, hostname);
}
836 #endif
837
838 #if !SECTRUST_OSX
/*
 * IDS service policy with a context dictionary. context is accepted for API
 * compatibility and ignored here; the result is the generic SSL policy for
 * server-side evaluation with hostname as the server name (NULL sets none).
 * Returns a reference the caller releases, or NULL if the policy cannot be
 * created.
 */
SecPolicyRef SecPolicyCreateAppleIDSServiceContext(CFStringRef hostname, CFDictionaryRef __unused context)
{
    const Boolean evaluateAsServer = true;
    return SecPolicyCreateSSL(evaluateAsServer, hostname);
}
843 #endif
844
845 #if !SECTRUST_OSX
/*
 * Push service policy. context is accepted for API compatibility and ignored
 * here; the result is the generic SSL policy for server-side evaluation with
 * hostname as the server name (NULL sets none). Returns a reference the
 * caller releases, or NULL if the policy cannot be created.
 */
SecPolicyRef SecPolicyCreateApplePushService(CFStringRef hostname, CFDictionaryRef __unused context)
{
    const Boolean evaluateAsServer = true;
    return SecPolicyCreateSSL(evaluateAsServer, hostname);
}
850 #endif
851
852 #if !SECTRUST_OSX
SecPolicyRef SecPolicyCreateApplePushServiceLegacy(CFStringRef hostname)
{
    // Legacy push entry point: identical to SecPolicyCreateApplePushService
    // minus the unused context parameter.
    const bool server = true;
    SecPolicyRef policy = SecPolicyCreateSSL(server, hostname);
    return policy;
}
857 #endif
858
859 #if !SECTRUST_OSX
SecPolicyRef SecPolicyCreateAppleMMCSService(CFStringRef hostname, CFDictionaryRef __unused context)
{
    // MMCS uses the generic SSL server policy; `context` is not read here.
    const bool server = true;
    SecPolicyRef policy = SecPolicyCreateSSL(server, hostname);
    return policy;
}
864 #endif
865
866 #if !SECTRUST_OSX
SecPolicyRef SecPolicyCreateAppleGSService(CFStringRef hostname, CFDictionaryRef __unused context)
{
    // GS service uses the generic SSL server policy; `context` is not read here.
    const bool server = true;
    SecPolicyRef policy = SecPolicyCreateSSL(server, hostname);
    return policy;
}
871 #endif
872
873 #if !SECTRUST_OSX
SecPolicyRef SecPolicyCreateApplePPQService(CFStringRef hostname, CFDictionaryRef __unused context)
{
    // PPQ service uses the generic SSL server policy; `context` is not read here.
    const bool server = true;
    SecPolicyRef policy = SecPolicyCreateSSL(server, hostname);
    return policy;
}
878 #endif
879
880 #if !SECTRUST_OSX
881 /* new in 10.11.4 */
SecPolicyRef SecPolicyCreateAppleAST2Service(CFStringRef hostname, CFDictionaryRef __unused context)
{
    // AST2 service uses the generic SSL server policy; `context` is not read here.
    const bool server = true;
    SecPolicyRef policy = SecPolicyCreateSSL(server, hostname);
    return policy;
}
886 #endif
887
888 #if !SECTRUST_OSX
889 /* new in 10.12 */
SecPolicyRef SecPolicyCreateAppleEscrowProxyService(CFStringRef hostname, CFDictionaryRef __unused context)
{
    // Escrow proxy uses the generic SSL server policy; `context` is not read here.
    const bool server = true;
    SecPolicyRef policy = SecPolicyCreateSSL(server, hostname);
    return policy;
}
894 #endif
895
896 #if !SECTRUST_OSX
897 /* new in 10.12 */
SecPolicyRef SecPolicyCreateAppleFMiPService(CFStringRef hostname, CFDictionaryRef __unused context)
{
    // FMiP service uses the generic SSL server policy; `context` is not read here.
    const bool server = true;
    SecPolicyRef policy = SecPolicyCreateSSL(server, hostname);
    return policy;
}
902 #endif
903
904 #if !SECTRUST_OSX
905 /* new in 10.11.4 */
SecPolicyRef SecPolicyCreateAppleHomeKitServerAuth(CFStringRef hostname)
{
    // HomeKit server authentication is the generic SSL server policy for `hostname`.
    const bool server = true;
    SecPolicyRef policy = SecPolicyCreateSSL(server, hostname);
    return policy;
}
910 #endif
911
912 #if !SECTRUST_OSX
913 /* new in 10.11 */
SecPolicyRef SecPolicyCreateApplePayIssuerEncryption(void)
{
    // Backed by the basic X.509 policy OID on this code path.
    SecPolicyRef policy = _SecPolicyCreateWithOID(kSecPolicyAppleX509Basic);
    return policy;
}
918 #endif
919
920 #if !SECTRUST_OSX
921 /* new in 10.11 */
SecPolicyRef SecPolicyCreateOSXProvisioningProfileSigning(void)
{
    // Resolves the dedicated OS X provisioning-profile-signing OID.
    SecPolicyRef policy = _SecPolicyCreateWithOID(kSecPolicyAppleOSXProvisioningProfileSigning);
    return policy;
}
926 #endif
927
928
929 #if !SECTRUST_OSX
930 /* new in 10.11 */
SecPolicyRef SecPolicyCreateAppleATVVPNProfileSigning(void)
{
    // Backed by the basic X.509 policy OID on this code path.
    SecPolicyRef policy = _SecPolicyCreateWithOID(kSecPolicyAppleX509Basic);
    return policy;
}
935 #endif
936
937 #if !SECTRUST_OSX
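SecPolicyRef SecPolicyCreateAppleSSLService(CFStringRef hostname)
{
    // SSL server policy for `hostname` with the Apple-intermediate pin option
    // set in the TP options. `hostname` may be NULL, in which case the options
    // carry an empty server name. Returns NULL when the base SSL policy could
    // not be created.
    SecPolicyRef policy = SecPolicyCreateSSL(true, hostname);
    if (policy) {
        // change options for policy evaluation
        char *strbuf = NULL;
        const char *hostnamestr = NULL;
        if (hostname) {
            // Fast path: CF may return its internal UTF-8 buffer without a copy.
            hostnamestr = CFStringGetCStringPtr(hostname, kCFStringEncodingUTF8);
            if (hostnamestr == NULL) {
                CFIndex maxLen = CFStringGetMaximumSizeForEncoding(CFStringGetLength(hostname), kCFStringEncodingUTF8) + 1;
                strbuf = (char *)malloc(maxLen);
                // Check the allocation before handing the buffer to CF; previously a
                // NULL buffer was passed straight to CFStringGetCString.
                if (strbuf != NULL && CFStringGetCString(hostname, strbuf, maxLen, kCFStringEncodingUTF8)) {
                    hostnamestr = strbuf;
                } else {
                    // Conversion failed: the buffer is not referenced by `opts`, so
                    // release it here instead of leaking it.
                    free(strbuf);
                    strbuf = NULL;
                }
            }
        }
        uint32 hostnamelen = (hostnamestr) ? (uint32)strlen(hostnamestr) : 0;
        uint32 flags = 0x00000002; // 2nd-lowest bit set to require Apple intermediate pin
        CSSM_APPLE_TP_SSL_OPTIONS opts = {CSSM_APPLE_TP_SSL_OPTS_VERSION, hostnamelen, hostnamestr, flags};
        CSSM_DATA data = {sizeof(opts), (uint8*)&opts};
        // NOTE(review): `opts` holds `hostnamestr` by pointer, which is either CF's
        // internal buffer (owned by `hostname`) or `strbuf`, which is deliberately
        // not freed on the success path. This only works if SecPolicySetValue copies
        // the struct shallowly and the name storage outlives the policy — confirm
        // against Policy::setValue and the callers' handling of `hostname`.
        SecPolicySetValue(policy, &data);
    }
    return policy;
}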
964 #endif
965
966 /* OS X only: TBD */
967 #include <security_utilities/cfutilities.h>
968 /* New in 10.10 */
// Takes the "context" policies, extracts the revocation policies among them, and adds them to the time-stamping policy.
CFArrayRef
SecPolicyCreateAppleTimeStampingAndRevocationPolicies(CFTypeRef policyOrArray)
{
    /*
     * Returns a new array whose first element is the Apple time-stamping policy.
     * On the legacy (!SECTRUST_OSX) path, every policy in `policyOrArray` whose
     * OID is one of the three Apple TP revocation OIDs is appended after it.
     * On the unified path a default revocation policy is appended instead and
     * `policyOrArray` is not consulted at all.
     *
     * The returned array is owned by the caller. Returns NULL when the array
     * could not be built (legacy path: any exception; unified path: allocation
     * failure of the array itself).
     */
#if !SECTRUST_OSX
    /* can't use SECAPI macros, since this function does not return OSStatus */
    CFArrayRef resultPolicyArray=NULL;
    try {
        // Set default policy
        // cfArrayize presumably wraps a lone policy in a one-element array
        // (hence the parameter name) — see security_utilities/cfutilities.h.
        CFRef<CFArrayRef> policyArray = cfArrayize(policyOrArray);
        CFRef<SecPolicyRef> defaultPolicy = _SecPolicyCreateWithOID(kSecPolicyAppleTimeStamping);
        CFRef<CFMutableArrayRef> appleTimeStampingPolicies = makeCFMutableArray(1,defaultPolicy.get());

        // Parse the policy and add revocation related ones
        CFIndex numPolicies = CFArrayGetCount(policyArray);
        for(CFIndex dex=0; dex<numPolicies; dex++) {
            SecPolicyRef secPol = (SecPolicyRef)CFArrayGetValueAtIndex(policyArray, dex);
            // Policy::required is expected to throw for an element that is not a
            // policy; that lands in the catch below — verify against Policies.h.
            SecPointer<Policy> pol = Policy::required(SecPolicyRef(secPol));
            const CssmOid &oid = pol->oid();
            // Only the unified, CRL and OCSP revocation policies are carried over;
            // every other policy in the input is dropped.
            if ((oid == CssmOid::overlay(CSSMOID_APPLE_TP_REVOCATION))
                || (oid == CssmOid::overlay(CSSMOID_APPLE_TP_REVOCATION_CRL))
                || (oid == CssmOid::overlay(CSSMOID_APPLE_TP_REVOCATION_OCSP)))
            {
                CFArrayAppendValue(appleTimeStampingPolicies, secPol);
            }
        }
        // Transfer of ownership
        resultPolicyArray=appleTimeStampingPolicies.yield();
    }
    catch (...) {
        // Every failure (bad input element, allocation, ...) collapses to a NULL
        // result with no logging; the CFRef locals release themselves on unwind.
        // resultPolicyArray is only assigned after yield(), so this release is
        // a no-op unless that assignment already happened.
        CFReleaseNull(resultPolicyArray);
    };
#else
    /* implement with unified SecPolicyRef instances */
    SecPolicyRef policy = NULL;
    CFMutableArrayRef resultPolicyArray = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
    if (!resultPolicyArray) {
        return NULL;
    }
    // The array retains each policy, so the local reference is dropped right away.
    policy = SecPolicyCreateWithProperties(kSecPolicyAppleTimeStamping, NULL);
    if (policy) {
        CFArrayAppendValue(resultPolicyArray, policy);
        CFReleaseNull(policy);
    }
    policy = SecPolicyCreateWithProperties(kSecPolicyAppleRevocation, NULL);
    if (policy) {
        CFArrayAppendValue(resultPolicyArray, policy);
        CFReleaseNull(policy);
    }
    // Note: if both creations fail the caller gets an empty, non-NULL array.
#endif
    return resultPolicyArray;
}
1021