2 * Copyright (c) 2005,2011-2016 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
25 * SecTrustSettings.cpp - Public interface for manipulation of Trust Settings.
29 #include "SecBridge.h"
30 #include "SecCertificatePriv.h"
31 #include "SecTrustSettings.h"
32 #include "SecTrustSettingsPriv.h"
33 #include "SecTrustSettingsCertificates.h"
34 #include "TrustSettingsUtils.h"
35 #include "TrustSettings.h"
36 #include "TrustSettingsSchema.h"
37 #include "TrustKeychains.h"
39 #include "SecKeychainPriv.h"
41 #include <security_utilities/threading.h>
42 #include <security_utilities/globalizer.h>
43 #include <security_utilities/errors.h>
44 #include <security_cdsa_utilities/cssmerrors.h>
45 #include <security_utilities/logging.h>
46 #include <security_utilities/debugging.h>
47 #include <security_utilities/simpleprefs.h>
48 #include <securityd_client/dictionary.h>
49 #include <securityd_client/ssclient.h>
55 #include <CommonCrypto/CommonDigest.h>
56 #include <CoreFoundation/CFPreferences.h>
57 #include <utilities/SecCFRelease.h>
59 #define trustSettingsDbg(args...) secinfo("trustSettings", ## args)
62 * Ideally we'd like to implement our own lock to protect the state of the cert stores
63 * without grabbing the global Sec API lock, but we deal with SecCFObjects, so we'll have
64 * to bite the bullet and grab the big lock. We also have our own lock protecting the
65 * global trust settings cache which is also used by the keychain callback function
66 * (which does not grab the Sec API lock).
69 #define BEGIN_RCSAPI \
70 OSStatus __secapiresult; \
73 __secapiresult=errSecSuccess; \
75 catch (const MacOSError &err) { __secapiresult=err.osStatus(); } \
76 catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); } \
77 catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; } \
78 catch (...) { __secapiresult=errSecInternalComponent; } \
79 return __secapiresult;
86 #pragma mark --- TrustSettings preferences ---
89 * If Colonel Klink wants to disable user-level Trust Settings, he'll have
90 * to restart the apps which will be affected after he does so. We are not
91 * going to consult system prefs every time we do a cert evaluation. We
92 * consult it once per process and cache the results here.
94 static bool tsUserTrustDisableValid
= false; /* true once we consult prefs */
95 static bool tsUserTrustDisable
= false; /* the cached value */
98 * Determine whether user-level Trust Settings disabled.
100 static bool tsUserTrustSettingsDisabled()
102 if(tsUserTrustDisableValid
) {
103 return tsUserTrustDisable
;
105 tsUserTrustDisable
= false;
107 Dictionary
* dictionary
= Dictionary::CreateDictionary(kSecTrustSettingsPrefsDomain
, Dictionary::US_System
);
110 auto_ptr
<Dictionary
> prefsDict(dictionary
);
111 /* this returns false if the pref isn't there, just like we want */
112 tsUserTrustDisable
= prefsDict
->getBoolValue(kSecTrustSettingsDisableUserTrustSettings
);
115 tsUserTrustDisableValid
= true;
116 return tsUserTrustDisable
;
119 #pragma mark --- TrustSettings global cache ---
122 *** cache submodule - keeps per-app copy of zero or one TrustSettings
123 *** for each domain. Used only by SecTrustSettingsEvaluateCert()
124 *** and SecTrustSettingsCopyQualifiedCerts(); results of
125 *** manipulation by public API functions are not cached.
129 * API/client code has to hold this lock when doing anything with any of
130 * the TrustSettings maintained here.
131 * It's recursive to accomodate CodeSigning's need to do cert verification
132 * (while we evaluate app equivalence).
134 static ModuleNexus
<RecursiveMutex
> sutCacheLock
;
136 #define TRUST_SETTINGS_NUM_DOMAINS 3
139 * The three global TrustSettings.
140 * We rely on the fact the the domain enums start with 0; we use
141 * the domain value as an index into the following two arrays.
143 static TrustSettings
*globalTrustSettings
[TRUST_SETTINGS_NUM_DOMAINS
] =
147 * Indicates "the associated global here is currently valid; if there isn't a
148 * globalTrustSettings[domain], don't try to find one"
150 static bool globalTrustSettingsValid
[TRUST_SETTINGS_NUM_DOMAINS
] =
151 {false, false, false};
153 /* remember the fact that we've registered our KC callback */
154 static bool sutRegisteredCallback
= false;
156 static void tsRegisterCallback();
159 * Assign global TrustSetting to new incoming value, which may be NULL.
160 * Caller holds sutCacheLock.
162 static void tsSetGlobalTrustSettings(
164 SecTrustSettingsDomain domain
)
166 assert(((int)domain
>= 0) && ((int)domain
< TRUST_SETTINGS_NUM_DOMAINS
));
168 trustSettingsDbg("tsSetGlobalTrustSettings domain %d: caching TS %p old TS %p",
169 (int)domain
, ts
, globalTrustSettings
[domain
]);
170 delete globalTrustSettings
[domain
];
171 globalTrustSettings
[domain
] = ts
;
172 globalTrustSettingsValid
[domain
] = ts
? true : false;
173 tsRegisterCallback();
177 * Obtain global TrustSettings for specified domain if it exists.
178 * Returns NULL if there is simply no TS for that domain.
179 * The TS, if returned, belongs to this cache module.
180 * Caller holds sutCacheLock.
182 static TrustSettings
*tsGetGlobalTrustSettings(
183 SecTrustSettingsDomain domain
)
185 assert(((int)domain
>= 0) && ((int)domain
< TRUST_SETTINGS_NUM_DOMAINS
));
187 if((domain
== kSecTrustSettingsDomainUser
) && tsUserTrustSettingsDisabled()) {
188 trustSettingsDbg("tsGetGlobalTrustSettings: skipping DISABLED user domain");
192 if(globalTrustSettingsValid
[domain
]) {
193 // ready or not, use this
194 return globalTrustSettings
[domain
];
196 assert(globalTrustSettings
[domain
] == NULL
);
198 /* try to find one */
199 OSStatus result
= errSecSuccess
;
200 TrustSettings
*ts
= NULL
;
201 /* don't create; trim if found */
202 result
= TrustSettings::CreateTrustSettings(domain
, CREATE_NO
, TRIM_YES
, ts
);
203 if ( (domain
!= kSecTrustSettingsDomainSystem
)
204 && (result
== errSecInternalComponent
)) {
206 * Could not connect to ocspd to get the user/admin domain trust settings
207 * This happens in single user mode for example.
208 * Valid flag is set to false and continue.
210 trustSettingsDbg("tsGetGlobalTrustSettings: could not connect to ocspd for domain (%d)",(int)domain
);
211 globalTrustSettingsValid
[domain
] = false;
212 tsRegisterCallback();
215 else if (result
== errSecNoTrustSettings
) {
217 * No TrustSettings for this domain, actually a fairly common case.
218 * Optimize: don't bother trying this again.
220 trustSettingsDbg("tsGetGlobalTrustSettings: flagging known NULL");
221 globalTrustSettingsValid
[domain
] = true;
222 tsRegisterCallback();
225 else if(result
!= errSecSuccess
) {
227 MacOSError::throwMe(result
);
230 tsSetGlobalTrustSettings(ts
, domain
);
235 * Purge TrustSettings cache.
236 * Called by Keychain Event callback and by our API functions that
237 * modify trust settings.
238 * Caller can NOT hold sutCacheLock.
240 static void tsPurgeCache()
244 StLock
<Mutex
> _(sutCacheLock());
245 trustSettingsDbg("tsPurgeCache");
246 for(domain
=0; domain
<TRUST_SETTINGS_NUM_DOMAINS
; domain
++) {
247 tsSetGlobalTrustSettings(NULL
, domain
);
252 * Keychain event callback function, for notification by other processes that
253 * user trust list(s) has/have changed.
255 static OSStatus
tsTrustSettingsCallback (
256 SecKeychainEvent keychainEvent
,
257 SecKeychainCallbackInfo
*info
,
260 trustSettingsDbg("tsTrustSettingsCallback, event %d", (int)keychainEvent
);
261 if(keychainEvent
!= kSecTrustSettingsChangedEvent
) {
262 /* should not happen, right? */
263 return errSecSuccess
;
265 if(info
->pid
== getpid()) {
267 * Avoid dup cache invalidates: we already dealt with this event.
269 trustSettingsDbg("cacheEventCallback: our pid, skipping");
274 return errSecSuccess
;
278 * Ensure that we've registered for kSecTrustSettingsChangedEvent callbacks
280 static void tsRegisterCallback()
282 if(sutRegisteredCallback
) {
285 trustSettingsDbg("tsRegisterCallback: registering callback");
286 OSStatus ortn
= SecKeychainAddCallback(tsTrustSettingsCallback
,
287 kSecTrustSettingsChangedEventMask
, NULL
);
289 trustSettingsDbg("tsRegisterCallback: SecKeychainAddCallback returned %d", (int)ortn
);
290 /* Not sure how this could ever happen - maybe if there is no run loop active? */
292 sutRegisteredCallback
= true;
295 #pragma mark --- Static functions ---
299 * Called by API code when a trust list has changed; we notify other processes
300 * and purge our own cache.
302 static void tsTrustSettingsChanged()
306 /* The only interesting data is our pid */
307 NameValueDictionary nvd
;
308 pid_t ourPid
= getpid();
309 nvd
.Insert (new NameValuePair (PID_KEY
,
310 CssmData (reinterpret_cast<void*>(&ourPid
), sizeof (pid_t
))));
314 trustSettingsDbg("tsTrustSettingsChanged: posting notification");
315 SecurityServer::ClientSession
cs (Allocator::standard(), Allocator::standard());
316 cs
.postNotification (SecurityServer::kNotificationDomainDatabase
,
317 kSecTrustSettingsChangedEvent
, data
);
322 * Common code for SecTrustSettingsCopyTrustSettings(),
323 * SecTrustSettingsCopyModificationDate().
325 static OSStatus
tsCopyTrustSettings(
326 SecCertificateRef cert
,
327 SecTrustSettingsDomain domain
,
328 CFArrayRef
*trustSettings
, /* optionally RETURNED */
329 CFDateRef
*modDate
) /* optionally RETURNED */
335 /* obtain fresh full copy from disk */
339 result
= TrustSettings::CreateTrustSettings(domain
, CREATE_NO
, TRIM_NO
, ts
);
341 // rather than throw these results, just return them because we are at the top level
342 if (result
== errSecNoTrustSettings
) {
343 return errSecItemNotFound
;
345 else if (result
!= errSecSuccess
) {
349 auto_ptr
<TrustSettings
>_(ts
); // make sure this gets deleted just in case something throws underneath
352 *trustSettings
= ts
->copyTrustSettings(cert
);
355 *modDate
= ts
->copyModDate(cert
);
361 static void tsAddConditionalCerts(CFMutableArrayRef certArray
);
364 * Common code for SecTrustSettingsCopyQualifiedCerts() and
365 * SecTrustSettingsCopyUnrestrictedRoots().
367 static OSStatus
tsCopyCertsCommon(
368 /* usage constraints, all optional */
369 const CSSM_OID
*policyOID
,
370 const char *policyString
,
371 SecTrustSettingsKeyUsage keyUsage
,
372 /* constrain to only roots */
374 /* per-domain enables */
378 CFArrayRef
*certArray
) /* RETURNED */
380 StLock
<Mutex
> _TC(sutCacheLock());
381 StLock
<Mutex
> _TK(SecTrustKeychainsGetMutex());
383 TS_REQUIRED(certArray
)
385 /* this relies on the domain enums being numbered 0..2, user..system */
386 bool domainEnable
[3] = {user
, admin
, system
};
388 /* we'll retain it again before successful exit */
389 CFRef
<CFMutableArrayRef
> outArray(CFArrayCreateMutable(NULL
, 0,
390 &kCFTypeArrayCallBacks
));
393 * Search all keychains - user's keychain list, System.keychain,
394 * and system root store
396 StorageManager::KeychainList keychains
;
399 globals().storageManager
.getSearchList(keychains
);
402 adminKc
= globals().storageManager
.make(ADMIN_CERT_STORE_PATH
, false);
403 keychains
.push_back(adminKc
);
405 Keychain sysRootKc
= globals().storageManager
.make(SYSTEM_ROOT_STORE_PATH
, false);
406 keychains
.push_back(sysRootKc
);
408 assert(kSecTrustSettingsDomainUser
== 0);
409 for(unsigned domain
=0; domain
<TRUST_SETTINGS_NUM_DOMAINS
; domain
++) {
410 if(!domainEnable
[domain
]) {
413 TrustSettings
*ts
= tsGetGlobalTrustSettings(domain
);
417 ts
->findQualifiedCerts(keychains
,
418 false, /* !findAll */
420 policyOID
, policyString
, keyUsage
,
424 tsAddConditionalCerts(outArray
);
426 *certArray
= outArray
;
427 CFRetain(*certArray
);
428 trustSettingsDbg("tsCopyCertsCommon: %ld certs found",
429 CFArrayGetCount(outArray
));
430 return errSecSuccess
;
433 static void tsAddConditionalCerts(CFMutableArrayRef certArray
)
435 #if TARGET_OS_MAC && !TARGET_IPHONE_SIMULATOR && !TARGET_OS_IPHONE && !TARGET_OS_NANO
436 struct certmap_entry_s
{
437 CFStringRef bundleId
;
439 const CFIndex length
;
441 typedef struct certmap_entry_s certmap_entry_t
;
443 CFBundleRef bundle
= CFBundleGetMainBundle();
444 CFStringRef bundleIdentifier
= (bundle
) ? CFBundleGetIdentifier(bundle
) : NULL
;
445 if (!bundleIdentifier
|| !certArray
) { return; }
447 // conditionally include 1024-bit compatibility roots for specific apps
448 const certmap_entry_t certmap
[] = {
449 { CFSTR("com.autodesk.AdSSO"), _GTECyberTrustGlobalRootCA
, sizeof(_GTECyberTrustGlobalRootCA
) }, // rdar://25916338
450 { CFSTR("com.clo3d.MD5"), _ThawtePremiumServerCA
, sizeof(_ThawtePremiumServerCA
) }, // rdar://26281864
453 unsigned int i
, certmaplen
= sizeof(certmap
) / sizeof(certmap_entry_t
);
454 for (i
=0; i
<certmaplen
; i
++) {
455 if (CFStringCompare(bundleIdentifier
, certmap
[i
].bundleId
, 0) == kCFCompareEqualTo
) {
456 SecCertificateRef cert
= SecCertificateCreateWithBytes(NULL
, certmap
[i
].data
, certmap
[i
].length
);
457 if (!cert
) { continue; }
458 CFArrayAppendValue(certArray
, cert
);
464 // this function is a no-op on iOS platforms
469 #pragma mark --- SPI functions ---
473 * Fundamental routine used by TP to ascertain status of one cert.
475 * Returns true in *foundMatchingEntry if a trust setting matching
476 * specific constraints was found for the cert. Returns true in
477 * *foundAnyEntry if any entry was found for the cert, even if it
478 * did not match the specified constraints. The TP uses this to
479 * optimize for the case where a cert is being evaluated for
480 * one type of usage, and then later for another type. If
481 * foundAnyEntry is false, the second evaluation need not occur.
483 * Returns the domain in which a setting was found in *foundDomain.
485 * Allowed errors applying to the specified cert evaluation
486 * are returned in a mallocd array in *allowedErrors and must
487 * be freed by caller.
489 * The design of the entire TrustSettings module is centered around
490 * optimizing the performance of this routine (security concerns
491 * aside, that is). It's why the per-cert dictionaries are stored
492 * as a dictionary, keyed off of the cert hash. It's why TrustSettings
493 * are cached in memory by tsGetGlobalTrustSettings(), and why those
494 * cached TrustSettings objects are 'trimmed' of dictionary fields
495 * which are not needed to verify a cert.
497 * The API functions which are used to manipulate Trust Settings
498 * are called infrequently and need not be particularly fast since
499 * they result in user interaction for authentication. Thus they do
500 * not use cached TrustSettings as this function does.
502 OSStatus
SecTrustSettingsEvaluateCert(
503 CFStringRef certHashStr
,
504 /* parameters describing the current cert evalaution */
505 const CSSM_OID
*policyOID
,
506 const char *policyString
, /* optional */
507 uint32 policyStringLen
,
508 SecTrustSettingsKeyUsage keyUsage
, /* optional */
509 bool isRootCert
, /* for checking default setting */
510 /* RETURNED values */
511 SecTrustSettingsDomain
*foundDomain
,
512 CSSM_RETURN
**allowedErrors
, /* mallocd */
513 uint32
*numAllowedErrors
,
514 SecTrustSettingsResult
*resultType
,
515 bool *foundMatchingEntry
,
520 StLock
<Mutex
> _(sutCacheLock());
522 TS_REQUIRED(certHashStr
)
523 TS_REQUIRED(foundDomain
)
524 TS_REQUIRED(allowedErrors
)
525 TS_REQUIRED(numAllowedErrors
)
526 TS_REQUIRED(resultType
)
527 TS_REQUIRED(foundMatchingEntry
)
528 TS_REQUIRED(foundAnyEntry
)
530 /* ensure a NULL_terminated string */
531 auto_array
<char> polStr
;
532 if(policyString
!= NULL
&& policyStringLen
> 0) {
533 polStr
.allocate(policyStringLen
+ 1);
534 memmove(polStr
.get(), policyString
, policyStringLen
);
535 if(policyString
[policyStringLen
- 1] != '\0') {
536 (polStr
.get())[policyStringLen
] = '\0';
540 /* initial condition - this can grow if we inspect multiple TrustSettings */
541 *allowedErrors
= NULL
;
542 *numAllowedErrors
= 0;
545 * This loop relies on the ordering of the SecTrustSettingsDomain enum:
546 * search user first, then admin, then system.
548 assert(kSecTrustSettingsDomainAdmin
== (kSecTrustSettingsDomainUser
+ 1));
549 assert(kSecTrustSettingsDomainSystem
== (kSecTrustSettingsDomainAdmin
+ 1));
550 bool foundAny
= false;
551 for(unsigned domain
=kSecTrustSettingsDomainUser
;
552 domain
<=kSecTrustSettingsDomainSystem
;
554 TrustSettings
*ts
= tsGetGlobalTrustSettings(domain
);
559 /* validate cert returns true if matching entry was found */
560 bool foundAnyHere
= false;
561 bool found
= ts
->evaluateCert(certHashStr
, policyOID
,
562 polStr
.get(), keyUsage
, isRootCert
,
563 allowedErrors
, numAllowedErrors
, resultType
, &foundAnyHere
);
567 * Note this, even though we may overwrite it later if this
568 * is an Unspecified entry and we find a definitive entry
571 *foundDomain
= domain
;
573 if(found
&& (*resultType
!= kSecTrustSettingsResultUnspecified
)) {
574 trustSettingsDbg("SecTrustSettingsEvaluateCert: found in domain %d", domain
);
575 *foundAnyEntry
= true;
576 *foundMatchingEntry
= true;
577 return errSecSuccess
;
579 foundAny
|= foundAnyHere
;
581 trustSettingsDbg("SecTrustSettingsEvaluateCert: NOT FOUND");
582 *foundAnyEntry
= foundAny
;
583 *foundMatchingEntry
= false;
584 return errSecSuccess
;
589 * Obtain trusted certs which match specified usage.
590 * Only certs with a SecTrustSettingsResult of
591 * kSecTrustSettingsResultTrustRoot or
592 * or kSecTrustSettingsResultTrustAsRoot will be returned.
593 * To be used by SecureTransport for its SSLSetTrustedRoots() call;
594 * I hope nothing else has to use this...
595 * Caller must CFRelease the returned CFArrayRef.
597 OSStatus
SecTrustSettingsCopyQualifiedCerts(
598 const CSSM_OID
*policyOID
,
599 const char *policyString
, /* optional */
600 uint32 policyStringLen
,
601 SecTrustSettingsKeyUsage keyUsage
, /* optional */
602 CFArrayRef
*certArray
) /* RETURNED */
606 /* ensure a NULL_terminated string */
607 auto_array
<char> polStr
;
608 if(policyString
!= NULL
) {
609 polStr
.allocate(policyStringLen
+ 1);
610 memmove(polStr
.get(), policyString
, policyStringLen
);
611 if(policyString
[policyStringLen
- 1] != '\0') {
612 (polStr
.get())[policyStringLen
] = '\0';
616 return tsCopyCertsCommon(policyOID
, polStr
.get(), keyUsage
,
617 false, /* !onlyRoots */
618 true, true, true, /* all domains */
625 * Obtain unrestricted root certs from the specified domain(s).
626 * Only returns roots with no usage constraints.
627 * Caller must CFRelease the returned CFArrayRef.
629 OSStatus
SecTrustSettingsCopyUnrestrictedRoots(
633 CFArrayRef
*certArray
) /* RETURNED */
637 OSStatus status
= tsCopyCertsCommon(NULL
, NULL
, NULL
, /* no constraints */
638 true, /* onlyRoots */
647 static const char hexChars
[16] = {
648 '0', '1', '2', '3', '4', '5', '6', '7',
649 '8', '9', 'A', 'B', 'C', 'D', 'E', 'F'
653 * Obtain a string representing a cert's SHA1 digest. This string is
654 * the key used to look up per-cert trust settings in a TrustSettings record.
656 CFStringRef
SecTrustSettingsCertHashStrFromCert(
657 SecCertificateRef certRef
)
659 if(certRef
== NULL
) {
663 if(certRef
== kSecTrustSettingsDefaultRootCertSetting
) {
664 /* use this string instead of the cert hash as the dictionary key */
665 trustSettingsDbg("SecTrustSettingsCertHashStrFromCert: DefaultSetting");
666 return kSecTrustRecordDefaultRootCert
;
670 OSStatus ortn
= SecCertificateGetData(certRef
, &certData
);
674 return SecTrustSettingsCertHashStrFromData(certData
.Data
, certData
.Length
);
677 CFStringRef
SecTrustSettingsCertHashStrFromData(
681 unsigned char digest
[CC_SHA1_DIGEST_LENGTH
];
682 char asciiDigest
[(2 * CC_SHA1_DIGEST_LENGTH
) + 1];
684 char *outp
= asciiDigest
;
685 unsigned char *inp
= digest
;
691 CC_SHA1(cert
, (CC_LONG
)certLen
, digest
);
693 for(dex
=0; dex
<CC_SHA1_DIGEST_LENGTH
; dex
++) {
695 outp
[1] = hexChars
[c
& 0xf];
697 outp
[0] = hexChars
[c
];
701 return CFStringCreateWithCString(NULL
, asciiDigest
, kCFStringEncodingASCII
);
705 * Add a cert's TrustSettings to a non-persistent TrustSettings record.
706 * No locking or cache flushing here; it's all local to the TrustSettings
709 OSStatus
SecTrustSettingsSetTrustSettingsExternal(
710 CFDataRef settingsIn
, /* optional */
711 SecCertificateRef certRef
, /* optional */
712 CFTypeRef trustSettingsDictOrArray
, /* optional */
713 CFDataRef
*settingsOut
) /* RETURNED */
717 TS_REQUIRED(settingsOut
)
722 result
= TrustSettings::CreateTrustSettings(kSecTrustSettingsDomainMemory
, settingsIn
, ts
);
723 if (result
!= errSecSuccess
) {
727 auto_ptr
<TrustSettings
>_(ts
);
729 if(certRef
!= NULL
) {
730 ts
->setTrustSettings(certRef
, trustSettingsDictOrArray
);
732 *settingsOut
= ts
->createExternal();
733 return errSecSuccess
;
738 #pragma mark --- API functions ---
740 OSStatus
SecTrustSettingsCopyTrustSettings(
741 SecCertificateRef certRef
,
742 SecTrustSettingsDomain domain
,
743 CFArrayRef
*trustSettings
) /* RETURNED */
746 TS_REQUIRED(trustSettings
)
748 OSStatus result
= tsCopyTrustSettings(certRef
, domain
, trustSettings
, NULL
);
749 if (result
== errSecSuccess
&& *trustSettings
== NULL
) {
750 result
= errSecItemNotFound
; /* documented result if no trust settings exist */
755 OSStatus
SecTrustSettingsCopyModificationDate(
756 SecCertificateRef certRef
,
757 SecTrustSettingsDomain domain
,
758 CFDateRef
*modificationDate
) /* RETURNED */
761 TS_REQUIRED(modificationDate
)
763 OSStatus result
= tsCopyTrustSettings(certRef
, domain
, NULL
, modificationDate
);
764 if (result
== errSecSuccess
&& *modificationDate
== NULL
) {
765 result
= errSecItemNotFound
; /* documented result if no trust settings exist */
770 /* works with existing and with new cert */
771 OSStatus
SecTrustSettingsSetTrustSettings(
772 SecCertificateRef certRef
,
773 SecTrustSettingsDomain domain
,
774 CFTypeRef trustSettingsDictOrArray
)
780 if(domain
== kSecTrustSettingsDomainSystem
) {
781 return errSecDataNotModifiable
;
787 result
= TrustSettings::CreateTrustSettings(domain
, CREATE_YES
, TRIM_NO
, ts
);
788 if (result
!= errSecSuccess
) {
792 auto_ptr
<TrustSettings
>_(ts
);
794 ts
->setTrustSettings(certRef
, trustSettingsDictOrArray
);
796 tsTrustSettingsChanged();
797 return errSecSuccess
;
802 OSStatus
SecTrustSettingsRemoveTrustSettings(
803 SecCertificateRef cert
,
804 SecTrustSettingsDomain domain
)
810 if(domain
== kSecTrustSettingsDomainSystem
) {
811 return errSecDataNotModifiable
;
817 result
= TrustSettings::CreateTrustSettings(domain
, CREATE_NO
, TRIM_NO
, ts
);
818 if (result
!= errSecSuccess
) {
822 auto_ptr
<TrustSettings
>_(ts
);
824 /* deleteTrustSettings throws if record not found */
825 trustSettingsDbg("SecTrustSettingsRemoveTrustSettings: deleting from domain %d",
827 ts
->deleteTrustSettings(cert
);
829 tsTrustSettingsChanged();
830 return errSecSuccess
;
835 /* get all certs listed in specified domain */
836 OSStatus
SecTrustSettingsCopyCertificates(
837 SecTrustSettingsDomain domain
,
838 CFArrayRef
*certArray
)
842 TS_REQUIRED(certArray
)
847 result
= TrustSettings::CreateTrustSettings(domain
, CREATE_NO
, TRIM_NO
, ts
);
848 if (result
!= errSecSuccess
) {
852 auto_ptr
<TrustSettings
>_(ts
);
854 CFMutableArrayRef outArray
= CFArrayCreateMutable(NULL
, 0, &kCFTypeArrayCallBacks
);
857 * Keychains to search: user's search list, System.keychain, system root store
859 StorageManager::KeychainList keychains
;
863 case kSecTrustSettingsDomainUser
:
864 /* user search list */
865 globals().storageManager
.getSearchList(keychains
);
866 /* drop thru to next case */
867 case kSecTrustSettingsDomainAdmin
:
868 /* admin certs in system keychain */
869 adminKc
= globals().storageManager
.make(ADMIN_CERT_STORE_PATH
, false);
870 keychains
.push_back(adminKc
);
871 /* drop thru to next case */
872 case kSecTrustSettingsDomainSystem
:
873 /* and, for all cases, immutable system root store */
874 sysRootKc
= globals().storageManager
.make(SYSTEM_ROOT_STORE_PATH
, false);
875 keychains
.push_back(sysRootKc
);
877 /* already validated when we created the TrustSettings */
880 ts
->findCerts(keychains
, outArray
);
881 if(CFArrayGetCount(outArray
) == 0) {
883 return errSecNoTrustSettings
;
885 if (kSecTrustSettingsDomainSystem
== domain
) {
886 tsAddConditionalCerts(outArray
);
888 *certArray
= outArray
;
892 static CFArrayRef gUserAdminCerts
= NULL
;
893 static bool gUserAdminCertsCacheBuilt
= false;
894 static ReadWriteLock gUserAdminCertsLock
;
896 void SecTrustSettingsPurgeUserAdminCertsCache(void) {
897 StReadWriteLock
_(gUserAdminCertsLock
, StReadWriteLock::Write
);
898 CFReleaseNull(gUserAdminCerts
);
899 gUserAdminCertsCacheBuilt
= false;
902 OSStatus
SecTrustSettingsCopyCertificatesForUserAdminDomains(
903 CFArrayRef
*certArray
)
905 TS_REQUIRED(certArray
);
906 OSStatus result
= errSecSuccess
;
908 { /* Hold the read lock for the check */
909 StReadWriteLock
_(gUserAdminCertsLock
, StReadWriteLock::Read
);
910 if (gUserAdminCertsCacheBuilt
) {
911 if (gUserAdminCerts
) {
912 *certArray
= (CFArrayRef
)CFRetain(gUserAdminCerts
);
913 return errSecSuccess
;
915 return errSecNoTrustSettings
;
920 /* There were no cached results. We'll have to recreate them. */
921 CFMutableArrayRef outArray
= CFArrayCreateMutable(NULL
, 0, &kCFTypeArrayCallBacks
);
923 return errSecAllocate
;
926 CFArrayRef userTrusted
= NULL
, adminTrusted
= NULL
;
927 OSStatus userStatus
= SecTrustSettingsCopyCertificates(kSecTrustSettingsDomainUser
, &userTrusted
);
928 if ((userStatus
== errSecSuccess
) && (userTrusted
!= NULL
)) {
929 CFArrayAppendArray(outArray
, userTrusted
, CFRangeMake(0, CFArrayGetCount(userTrusted
)));
930 CFRelease(userTrusted
);
933 OSStatus adminStatus
= SecTrustSettingsCopyCertificates(kSecTrustSettingsDomainAdmin
, &adminTrusted
);
934 if ((adminStatus
== errSecSuccess
) && (adminTrusted
!= NULL
)) {
935 CFArrayAppendArray(outArray
, adminTrusted
, CFRangeMake(0, CFArrayGetCount(adminTrusted
)));
936 CFRelease(adminTrusted
);
939 /* Lack of trust settings for a domain results in an error above. Only fail
940 * if we weren't able to get trust settings for both domains. */
941 if (userStatus
!= errSecSuccess
&& adminStatus
!= errSecSuccess
) {
945 if (result
!= errSecSuccess
&& outArray
) {
950 *certArray
= outArray
;
952 /* For valid results, update the global cache */
953 if (result
== errSecSuccess
|| result
== errSecNoTrustSettings
) {
954 StReadWriteLock
_(gUserAdminCertsLock
, StReadWriteLock::Write
);
955 CFReleaseNull(gUserAdminCerts
);
956 gUserAdminCerts
= (CFArrayRef
)CFRetainSafe(outArray
);
957 gUserAdminCertsCacheBuilt
= true;
964 * Obtain an external, portable representation of the specified
965 * domain's TrustSettings. Caller must CFRelease the returned data.
967 OSStatus
SecTrustSettingsCreateExternalRepresentation(
968 SecTrustSettingsDomain domain
,
969 CFDataRef
*trustSettings
)
973 TS_REQUIRED(trustSettings
)
978 result
= TrustSettings::CreateTrustSettings(domain
, CREATE_NO
, TRIM_NO
, ts
);
979 if (result
!= errSecSuccess
) {
983 auto_ptr
<TrustSettings
>_(ts
);
985 *trustSettings
= ts
->createExternal();
986 return errSecSuccess
;
992 * Import trust settings, obtained via SecTrustSettingsCreateExternalRepresentation,
993 * into the specified domain.
995 OSStatus
SecTrustSettingsImportExternalRepresentation(
996 SecTrustSettingsDomain domain
,
997 CFDataRef trustSettings
) /* optional - NULL means empty settings */
1001 if(domain
== kSecTrustSettingsDomainSystem
) {
1002 return errSecDataNotModifiable
;
1008 result
= TrustSettings::CreateTrustSettings(domain
, trustSettings
, ts
);
1009 if (result
!= errSecSuccess
) {
1013 auto_ptr
<TrustSettings
>_(ts
);
1016 tsTrustSettingsChanged();
1017 return errSecSuccess
;