]> git.saurik.com Git - apple/security.git/blob - SecurityTool/macOS/verify_cert.c
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Security-59306.11.20.tar.gz
[apple/security.git] / SecurityTool / macOS / verify_cert.c
1 /*
2 * Copyright (c) 2006,2010,2012,2014-2019 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 *
23 * verify_cert.c
24 */
25
26 #include <Security/SecTrust.h>
27 #include <Security/SecKeychain.h>
28 #include <Security/SecPolicy.h>
29 #include <Security/SecPolicySearch.h>
30 #include <Security/cssmapple.h>
31 #include <Security/oidsalg.h>
32 #include <stdlib.h>
33 #include <unistd.h>
34 #include <sys/stat.h>
35 #include <time.h>
36 #include "trusted_cert_ssl.h"
37 #include "trusted_cert_utils.h"
38 #include "verify_cert.h"
39 #include <utilities/SecCFRelease.h>
40 #include "security_tool.h"
41
42 /*
43 * Read file as a cert, add to a CFArray, creating the array if necessary
44 */
45 static int addCertFile(
46 const char *fileName,
47 CFMutableArrayRef *array)
48 {
49 SecCertificateRef certRef;
50
51 if(readCertFile(fileName, &certRef)) {
52 return -1;
53 }
54 if(*array == NULL) {
55 *array = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
56 }
57 CFArrayAppendValue(*array, certRef);
58 CFRelease(certRef);
59 return 0;
60 }
61
62 int
63 verify_cert(int argc, char * const *argv)
64 {
65 extern char *optarg;
66 extern int optind;
67 OSStatus ortn;
68 int arg;
69 CFMutableArrayRef certs = NULL;
70 CFMutableArrayRef roots = NULL;
71 CFMutableArrayRef keychains = NULL;
72 CFMutableArrayRef policies = NULL;
73 const CSSM_OID *policy = &CSSMOID_APPLE_X509_BASIC;
74 SecKeychainRef kcRef = NULL;
75 int ourRtn = 0;
76 bool quiet = false;
77 bool client = false;
78 bool useTLS = false;
79 bool printPem = false;
80 bool printText = false;
81 bool printDetails = false;
82 int verbose = 0;
83 SecPolicyRef policyRef = NULL;
84 SecPolicyRef revPolicyRef = NULL;
85 SecTrustRef trustRef = NULL;
86 SecPolicySearchRef searchRef = NULL;
87 CFErrorRef errorRef = NULL;
88 const char *emailAddrs = NULL;
89 const char *sslHost = NULL;
90 const char *name = NULL;
91 const char *url = NULL;
92 CSSM_APPLE_TP_SSL_OPTIONS sslOpts;
93 CSSM_APPLE_TP_SMIME_OPTIONS smimeOpts;
94 CSSM_APPLE_TP_ACTION_FLAGS actionFlags = 0;
95 bool forceActionFlags = false;
96 CSSM_APPLE_TP_ACTION_DATA actionData;
97 CSSM_DATA optionData;
98 CFDataRef cfActionData = NULL;
99 SecTrustResultType resultType;
100 OSStatus ocrtn;
101 struct tm time;
102 CFGregorianDate gregorianDate;
103 CFDateRef dateRef = NULL;
104 CFOptionFlags revOptions = 0;
105
106 if(argc < 2) {
107 return SHOW_USAGE_MESSAGE;
108 }
109 /* permit network cert fetch unless explicitly turned off with '-L' */
110 actionFlags |= CSSM_TP_ACTION_FETCH_CERT_FROM_NET;
111 optind = 1;
112 while ((arg = getopt(argc, argv, "Cc:r:p:k:e:s:d:LlNnPqR:tv")) != -1) {
113 switch (arg) {
114 case 'C':
115 client = true;
116 break;
117 case 'c':
118 /* this can be specified multiple times */
119 if(addCertFile(optarg, &certs)) {
120 ourRtn = 1;
121 goto errOut;
122 }
123 break;
124 case 'r':
125 /* this can be specified multiple times */
126 if(addCertFile(optarg, &roots)) {
127 ourRtn = 1;
128 goto errOut;
129 }
130 break;
131 case 'p':
132 policy = policyStringToOid(optarg, &useTLS);
133 if(policy == NULL) {
134 ourRtn = 2;
135 goto errOut;
136 }
137 break;
138 case 'k':
139 ortn = SecKeychainOpen(optarg, &kcRef);
140 if(ortn) {
141 cssmPerror("SecKeychainOpen", ortn);
142 ourRtn = 1;
143 goto errOut;
144 }
145 /* this can be specified multiple times */
146 if(keychains == NULL) {
147 keychains = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
148 }
149 CFArrayAppendValue(keychains, kcRef);
150 CFRelease(kcRef);
151 break;
152 case 'L':
153 actionFlags &= ~CSSM_TP_ACTION_FETCH_CERT_FROM_NET;
154 forceActionFlags = true;
155 break;
156 case 'l':
157 actionFlags |= CSSM_TP_ACTION_LEAF_IS_CA;
158 break;
159 case 'n': {
160 /* Legacy macOS used 'n' as the "no keychain search list" flag.
161 iOS interprets it as the name option, with one argument.
162 */
163 char *o = argv[optind];
164 if (o && o[0] != '-') {
165 name = optarg;
166 ++optind;
167 break;
168 }
169 } /* intentional fall-through to "no keychains" case, if no arg */
170 case 'N':
171 /* No keychains, signalled by empty keychain array */
172 if(keychains != NULL) {
173 fprintf(stderr, "-k and -%c are mutually exclusive\n", arg);
174 ourRtn = 2;
175 goto errOut;
176 }
177 keychains = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
178 break;
179 case 'e':
180 emailAddrs = optarg;
181 break;
182 case 's':
183 sslHost = optarg;
184 break;
185 case 'q':
186 quiet = true;
187 break;
188 case 'd':
189 memset(&time, 0, sizeof(struct tm));
190 if (strptime(optarg, "%Y-%m-%d-%H:%M:%S", &time) == NULL) {
191 if (strptime(optarg, "%Y-%m-%d", &time) == NULL) {
192 fprintf(stderr, "Date processing error\n");
193 ourRtn = 2;
194 goto errOut;
195 }
196 }
197 gregorianDate.second = time.tm_sec;
198 gregorianDate.minute = time.tm_min;
199 gregorianDate.hour = time.tm_hour;
200 gregorianDate.day = time.tm_mday;
201 gregorianDate.month = time.tm_mon + 1;
202 gregorianDate.year = time.tm_year + 1900;
203
204 if (dateRef == NULL) {
205 dateRef = CFDateCreate(NULL, CFGregorianDateGetAbsoluteTime(gregorianDate, NULL));
206 }
207 break;
208 case 'R':
209 revOptions |= revCheckOptionStringToFlags(optarg);
210 break;
211 case 'P':
212 printPem = true;
213 break;
214 case 't':
215 printText = true;
216 break;
217 case 'v':
218 printDetails = true;
219 verbose++;
220 break;
221 default:
222 ourRtn = 2;
223 goto errOut;
224 }
225 }
226 if(optind != argc) {
227 if (argc > optind) {
228 url = argv[argc-1];
229 }
230 if (url && *url != '\0') {
231 useTLS = true;
232 ourRtn = evaluate_ssl(url, verbose, &trustRef);
233 goto post_evaluate;
234 } else {
235 ourRtn = 2;
236 }
237 goto errOut;
238 }
239
240 if(certs == NULL) {
241 if(roots == NULL) {
242 fprintf(stderr, "***No certs specified.\n");
243 ourRtn = 2;
244 goto errOut;
245 }
246 if(CFArrayGetCount(roots) != 1) {
247 fprintf(stderr, "***Multiple roots and no certs not allowed.\n");
248 ourRtn = 2;
249 goto errOut;
250 }
251
252 /* no certs and one root: verify the root */
253 certs = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
254 CFArrayAppendValue(certs, CFArrayGetValueAtIndex(roots, 0));
255 actionFlags |= CSSM_TP_ACTION_LEAF_IS_CA;
256 }
257
258 /* cook up a SecPolicyRef */
259 ortn = SecPolicySearchCreate(CSSM_CERT_X_509v3,
260 policy,
261 NULL, // policy opts
262 &searchRef);
263 if(ortn) {
264 cssmPerror("SecPolicySearchCreate", ortn);
265 ourRtn = 1;
266 goto errOut;
267 }
268 ortn = SecPolicySearchCopyNext(searchRef, &policyRef);
269 if(ortn) {
270 cssmPerror("SecPolicySearchCopyNext", ortn);
271 ourRtn = 1;
272 goto errOut;
273 }
274
275 /* per-policy options */
276 if(compareOids(policy, &CSSMOID_APPLE_TP_SSL) || compareOids(policy, &CSSMOID_APPLE_TP_APPLEID_SHARING)) {
277 const char *nameStr = (name) ? name : ((sslHost) ? sslHost : NULL);
278 if(nameStr) {
279 memset(&sslOpts, 0, sizeof(sslOpts));
280 sslOpts.Version = CSSM_APPLE_TP_SSL_OPTS_VERSION;
281 sslOpts.ServerName = nameStr;
282 sslOpts.ServerNameLen = (uint32) strlen(nameStr);
283 sslOpts.Flags = (client) ? CSSM_APPLE_TP_SSL_CLIENT : 0;
284 optionData.Data = (uint8 *)&sslOpts;
285 optionData.Length = sizeof(sslOpts);
286 ortn = SecPolicySetValue(policyRef, &optionData);
287 if(ortn) {
288 cssmPerror("SecPolicySetValue", ortn);
289 ourRtn = 1;
290 goto errOut;
291 }
292 }
293 }
294 if(compareOids(policy, &CSSMOID_APPLE_TP_SMIME)) {
295 const char *nameStr = (name) ? name : ((emailAddrs) ? emailAddrs : NULL);
296 if(nameStr) {
297 memset(&smimeOpts, 0, sizeof(smimeOpts));
298 smimeOpts.Version = CSSM_APPLE_TP_SMIME_OPTS_VERSION;
299 smimeOpts.SenderEmail = nameStr;
300 smimeOpts.SenderEmailLen = (uint32) strlen(nameStr);
301 optionData.Data = (uint8 *)&smimeOpts;
302 optionData.Length = sizeof(smimeOpts);
303 ortn = SecPolicySetValue(policyRef, &optionData);
304 if(ortn) {
305 cssmPerror("SecPolicySetValue", ortn);
306 ourRtn = 1;
307 goto errOut;
308 }
309 }
310 }
311
312 /* create policies array */
313 policies = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
314 CFArrayAppendValue(policies, policyRef);
315 /* add optional SecPolicyRef for revocation, if specified */
316 if(revOptions != 0) {
317 revPolicyRef = SecPolicyCreateRevocation(revOptions);
318 CFArrayAppendValue(policies, revPolicyRef);
319 }
320
321 /* create trust reference from certs and policies */
322 ortn = SecTrustCreateWithCertificates(certs, policies, &trustRef);
323 if(ortn) {
324 cssmPerror("SecTrustCreateWithCertificates", ortn);
325 ourRtn = 1;
326 goto errOut;
327 }
328
329 /* roots (anchors) are optional */
330 if(roots != NULL) {
331 ortn = SecTrustSetAnchorCertificates(trustRef, roots);
332 if(ortn) {
333 cssmPerror("SecTrustSetAnchorCertificates", ortn);
334 ourRtn = 1;
335 goto errOut;
336 }
337 }
338 if(actionFlags || forceActionFlags) {
339 memset(&actionData, 0, sizeof(actionData));
340 actionData.Version = CSSM_APPLE_TP_ACTION_VERSION;
341 actionData.ActionFlags = actionFlags;
342 cfActionData = CFDataCreate(NULL, (UInt8 *)&actionData, sizeof(actionData));
343 ortn = SecTrustSetParameters(trustRef, CSSM_TP_ACTION_DEFAULT, cfActionData);
344 if(ortn) {
345 cssmPerror("SecTrustSetParameters", ortn);
346 ourRtn = 1;
347 goto errOut;
348 }
349 }
350 if(keychains) {
351 ortn = SecTrustSetKeychains(trustRef, keychains);
352 if(ortn) {
353 cssmPerror("SecTrustSetKeychains", ortn);
354 ourRtn = 1;
355 goto errOut;
356 }
357 }
358 if(dateRef != NULL) {
359 ortn = SecTrustSetVerifyDate(trustRef, dateRef);
360 if(ortn) {
361 cssmPerror("SecTrustSetVerifyDate", ortn);
362 ourRtn = 1;
363 goto errOut;
364 }
365 }
366
367 /* GO */
368 (void)SecTrustEvaluateWithError(trustRef, &errorRef);
369 post_evaluate:
370 ortn = SecTrustGetTrustResult(trustRef, &resultType);
371 if(ortn) {
372 /* should never fail - error on this doesn't mean the cert verified badly */
373 cssmPerror("SecTrustEvaluate", ortn);
374 ourRtn = 1;
375 goto errOut;
376 }
377 switch(resultType) {
378 case kSecTrustResultUnspecified:
379 /* cert chain valid, no special UserTrust assignments */
380 case kSecTrustResultProceed:
381 /* cert chain valid AND user explicitly trusts this */
382 break;
383 case kSecTrustResultDeny:
384 if(!quiet) {
385 fprintf(stderr, "SecTrustEvaluate result: kSecTrustResultDeny\n");
386 }
387 ourRtn = 1;
388 break;
389 default:
390 ourRtn = 1;
391 if(!quiet) {
392 /* See what the TP had to say about this */
393 ortn = SecTrustGetCssmResultCode(trustRef, &ocrtn);
394 if(ortn) {
395 cssmPerror("SecTrustGetCssmResultCode", ortn);
396 }
397 else {
398 cssmPerror("Cert Verify Result", ocrtn);
399 }
400 }
401 break;
402 }
403 if((ourRtn == 0) & !quiet) {
404 printf("...certificate verification successful.\n");
405 }
406 if (printPem || printText || verbose) {
407 fprintf(stdout, "---\nCertificate chain\n");
408 printCertChain(trustRef, printPem, printText);
409 }
410 if (verbose) {
411 printErrorDetails(trustRef);
412 }
413 if (useTLS) {
414 printExtendedResults(trustRef);
415 }
416 if (printDetails) {
417 CFArrayRef properties = SecTrustCopyProperties(trustRef);
418 if (verbose > 1) {
419 fprintf(stderr, "---\nCertificate chain properties\n");
420 CFShow(properties); // output goes to stderr
421 }
422 if (properties) {
423 CFRelease(properties);
424 }
425 CFDictionaryRef result = SecTrustCopyResult(trustRef);
426 if (result) {
427 fprintf(stderr, "---\nTrust evaluation results\n");
428 CFShow(result); // output goes to stderr
429 CFRelease(result);
430 }
431 if (errorRef) {
432 fprintf(stdout, "---\nTrust evaluation errors\n");
433 CFShow(errorRef);
434 }
435 }
436
437 errOut:
438 /* cleanup */
439 CFRELEASE(certs);
440 CFRELEASE(roots);
441 CFRELEASE(keychains);
442 CFRELEASE(policies);
443 CFRELEASE(revPolicyRef);
444 CFRELEASE(dateRef);
445 CFRELEASE(policyRef);
446 CFRELEASE(trustRef);
447 CFRELEASE(searchRef);
448 CFRELEASE(errorRef);
449 CFRELEASE(cfActionData);
450 return ourRtn;
451 }
mirror of Security