2 * Copyright (c) 2006,2010,2012,2014-2019 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
26 #include <Security/SecTrust.h>
27 #include <Security/SecKeychain.h>
28 #include <Security/SecPolicy.h>
29 #include <Security/SecPolicySearch.h>
30 #include <Security/cssmapple.h>
31 #include <Security/oidsalg.h>
36 #include "trusted_cert_ssl.h"
37 #include "trusted_cert_utils.h"
38 #include "verify_cert.h"
39 #include <utilities/SecCFRelease.h>
40 #include "security_tool.h"
43 * Read file as a cert, add to a CFArray, creating the array if necessary
45 static int addCertFile(
47 CFMutableArrayRef
*array
)
49 SecCertificateRef certRef
;
51 if(readCertFile(fileName
, &certRef
)) {
55 *array
= CFArrayCreateMutable(NULL
, 0, &kCFTypeArrayCallBacks
);
57 CFArrayAppendValue(*array
, certRef
);
63 verify_cert(int argc
, char * const *argv
)
69 CFMutableArrayRef certs
= NULL
;
70 CFMutableArrayRef roots
= NULL
;
71 CFMutableArrayRef keychains
= NULL
;
72 CFMutableArrayRef policies
= NULL
;
73 const CSSM_OID
*policy
= &CSSMOID_APPLE_X509_BASIC
;
74 SecKeychainRef kcRef
= NULL
;
79 bool printPem
= false;
80 bool printText
= false;
81 bool printDetails
= false;
83 SecPolicyRef policyRef
= NULL
;
84 SecPolicyRef revPolicyRef
= NULL
;
85 SecTrustRef trustRef
= NULL
;
86 SecPolicySearchRef searchRef
= NULL
;
87 CFErrorRef errorRef
= NULL
;
88 const char *emailAddrs
= NULL
;
89 const char *sslHost
= NULL
;
90 const char *name
= NULL
;
91 const char *url
= NULL
;
92 CSSM_APPLE_TP_SSL_OPTIONS sslOpts
;
93 CSSM_APPLE_TP_SMIME_OPTIONS smimeOpts
;
94 CSSM_APPLE_TP_ACTION_FLAGS actionFlags
= 0;
95 bool forceActionFlags
= false;
96 CSSM_APPLE_TP_ACTION_DATA actionData
;
98 CFDataRef cfActionData
= NULL
;
99 SecTrustResultType resultType
;
102 CFGregorianDate gregorianDate
;
103 CFDateRef dateRef
= NULL
;
104 CFOptionFlags revOptions
= 0;
107 return SHOW_USAGE_MESSAGE
;
109 /* permit network cert fetch unless explicitly turned off with '-L' */
110 actionFlags
|= CSSM_TP_ACTION_FETCH_CERT_FROM_NET
;
112 while ((arg
= getopt(argc
, argv
, "Cc:r:p:k:e:s:d:LlNnPqR:tv")) != -1) {
118 /* this can be specified multiple times */
119 if(addCertFile(optarg
, &certs
)) {
125 /* this can be specified multiple times */
126 if(addCertFile(optarg
, &roots
)) {
132 policy
= policyStringToOid(optarg
, &useTLS
);
139 ortn
= SecKeychainOpen(optarg
, &kcRef
);
141 cssmPerror("SecKeychainOpen", ortn
);
145 /* this can be specified multiple times */
146 if(keychains
== NULL
) {
147 keychains
= CFArrayCreateMutable(NULL
, 0, &kCFTypeArrayCallBacks
);
149 CFArrayAppendValue(keychains
, kcRef
);
153 actionFlags
&= ~CSSM_TP_ACTION_FETCH_CERT_FROM_NET
;
154 forceActionFlags
= true;
157 actionFlags
|= CSSM_TP_ACTION_LEAF_IS_CA
;
160 /* Legacy macOS used 'n' as the "no keychain search list" flag.
161 iOS interprets it as the name option, with one argument.
163 char *o
= argv
[optind
];
164 if (o
&& o
[0] != '-') {
169 } /* intentional fall-through to "no keychains" case, if no arg */
171 /* No keychains, signalled by empty keychain array */
172 if(keychains
!= NULL
) {
173 fprintf(stderr
, "-k and -%c are mutually exclusive\n", arg
);
177 keychains
= CFArrayCreateMutable(NULL
, 0, &kCFTypeArrayCallBacks
);
189 memset(&time
, 0, sizeof(struct tm
));
190 if (strptime(optarg
, "%Y-%m-%d-%H:%M:%S", &time
) == NULL
) {
191 if (strptime(optarg
, "%Y-%m-%d", &time
) == NULL
) {
192 fprintf(stderr
, "Date processing error\n");
197 gregorianDate
.second
= time
.tm_sec
;
198 gregorianDate
.minute
= time
.tm_min
;
199 gregorianDate
.hour
= time
.tm_hour
;
200 gregorianDate
.day
= time
.tm_mday
;
201 gregorianDate
.month
= time
.tm_mon
+ 1;
202 gregorianDate
.year
= time
.tm_year
+ 1900;
204 if (dateRef
== NULL
) {
205 dateRef
= CFDateCreate(NULL
, CFGregorianDateGetAbsoluteTime(gregorianDate
, NULL
));
209 revOptions
|= revCheckOptionStringToFlags(optarg
);
230 if (url
&& *url
!= '\0') {
232 ourRtn
= evaluate_ssl(url
, verbose
, &trustRef
);
242 fprintf(stderr
, "***No certs specified.\n");
246 if(CFArrayGetCount(roots
) != 1) {
247 fprintf(stderr
, "***Multiple roots and no certs not allowed.\n");
252 /* no certs and one root: verify the root */
253 certs
= CFArrayCreateMutable(NULL
, 0, &kCFTypeArrayCallBacks
);
254 CFArrayAppendValue(certs
, CFArrayGetValueAtIndex(roots
, 0));
255 actionFlags
|= CSSM_TP_ACTION_LEAF_IS_CA
;
258 /* cook up a SecPolicyRef */
259 ortn
= SecPolicySearchCreate(CSSM_CERT_X_509v3
,
264 cssmPerror("SecPolicySearchCreate", ortn
);
268 ortn
= SecPolicySearchCopyNext(searchRef
, &policyRef
);
270 cssmPerror("SecPolicySearchCopyNext", ortn
);
275 /* per-policy options */
276 if(compareOids(policy
, &CSSMOID_APPLE_TP_SSL
) || compareOids(policy
, &CSSMOID_APPLE_TP_APPLEID_SHARING
)) {
277 const char *nameStr
= (name
) ? name
: ((sslHost
) ? sslHost
: NULL
);
279 memset(&sslOpts
, 0, sizeof(sslOpts
));
280 sslOpts
.Version
= CSSM_APPLE_TP_SSL_OPTS_VERSION
;
281 sslOpts
.ServerName
= nameStr
;
282 sslOpts
.ServerNameLen
= (uint32
) strlen(nameStr
);
283 sslOpts
.Flags
= (client
) ? CSSM_APPLE_TP_SSL_CLIENT
: 0;
284 optionData
.Data
= (uint8
*)&sslOpts
;
285 optionData
.Length
= sizeof(sslOpts
);
286 ortn
= SecPolicySetValue(policyRef
, &optionData
);
288 cssmPerror("SecPolicySetValue", ortn
);
294 if(compareOids(policy
, &CSSMOID_APPLE_TP_SMIME
)) {
295 const char *nameStr
= (name
) ? name
: ((emailAddrs
) ? emailAddrs
: NULL
);
297 memset(&smimeOpts
, 0, sizeof(smimeOpts
));
298 smimeOpts
.Version
= CSSM_APPLE_TP_SMIME_OPTS_VERSION
;
299 smimeOpts
.SenderEmail
= nameStr
;
300 smimeOpts
.SenderEmailLen
= (uint32
) strlen(nameStr
);
301 optionData
.Data
= (uint8
*)&smimeOpts
;
302 optionData
.Length
= sizeof(smimeOpts
);
303 ortn
= SecPolicySetValue(policyRef
, &optionData
);
305 cssmPerror("SecPolicySetValue", ortn
);
312 /* create policies array */
313 policies
= CFArrayCreateMutable(NULL
, 0, &kCFTypeArrayCallBacks
);
314 CFArrayAppendValue(policies
, policyRef
);
315 /* add optional SecPolicyRef for revocation, if specified */
316 if(revOptions
!= 0) {
317 revPolicyRef
= SecPolicyCreateRevocation(revOptions
);
318 CFArrayAppendValue(policies
, revPolicyRef
);
321 /* create trust reference from certs and policies */
322 ortn
= SecTrustCreateWithCertificates(certs
, policies
, &trustRef
);
324 cssmPerror("SecTrustCreateWithCertificates", ortn
);
329 /* roots (anchors) are optional */
331 ortn
= SecTrustSetAnchorCertificates(trustRef
, roots
);
333 cssmPerror("SecTrustSetAnchorCertificates", ortn
);
338 if(actionFlags
|| forceActionFlags
) {
339 memset(&actionData
, 0, sizeof(actionData
));
340 actionData
.Version
= CSSM_APPLE_TP_ACTION_VERSION
;
341 actionData
.ActionFlags
= actionFlags
;
342 cfActionData
= CFDataCreate(NULL
, (UInt8
*)&actionData
, sizeof(actionData
));
343 ortn
= SecTrustSetParameters(trustRef
, CSSM_TP_ACTION_DEFAULT
, cfActionData
);
345 cssmPerror("SecTrustSetParameters", ortn
);
351 ortn
= SecTrustSetKeychains(trustRef
, keychains
);
353 cssmPerror("SecTrustSetKeychains", ortn
);
358 if(dateRef
!= NULL
) {
359 ortn
= SecTrustSetVerifyDate(trustRef
, dateRef
);
361 cssmPerror("SecTrustSetVerifyDate", ortn
);
368 (void)SecTrustEvaluateWithError(trustRef
, &errorRef
);
370 ortn
= SecTrustGetTrustResult(trustRef
, &resultType
);
372 /* should never fail - error on this doesn't mean the cert verified badly */
373 cssmPerror("SecTrustEvaluate", ortn
);
378 case kSecTrustResultUnspecified
:
379 /* cert chain valid, no special UserTrust assignments */
380 case kSecTrustResultProceed
:
381 /* cert chain valid AND user explicitly trusts this */
383 case kSecTrustResultDeny
:
385 fprintf(stderr
, "SecTrustEvaluate result: kSecTrustResultDeny\n");
392 /* See what the TP had to say about this */
393 ortn
= SecTrustGetCssmResultCode(trustRef
, &ocrtn
);
395 cssmPerror("SecTrustGetCssmResultCode", ortn
);
398 cssmPerror("Cert Verify Result", ocrtn
);
403 if((ourRtn
== 0) & !quiet
) {
404 printf("...certificate verification successful.\n");
406 if (printPem
|| printText
|| verbose
) {
407 fprintf(stdout
, "---\nCertificate chain\n");
408 printCertChain(trustRef
, printPem
, printText
);
411 printErrorDetails(trustRef
);
414 printExtendedResults(trustRef
);
417 CFArrayRef properties
= SecTrustCopyProperties(trustRef
);
419 fprintf(stderr
, "---\nCertificate chain properties\n");
420 CFShow(properties
); // output goes to stderr
423 CFRelease(properties
);
425 CFDictionaryRef result
= SecTrustCopyResult(trustRef
);
427 fprintf(stderr
, "---\nTrust evaluation results\n");
428 CFShow(result
); // output goes to stderr
432 fprintf(stdout
, "---\nTrust evaluation errors\n");
441 CFRELEASE(keychains
);
443 CFRELEASE(revPolicyRef
);
445 CFRELEASE(policyRef
);
447 CFRELEASE(searchRef
);
449 CFRELEASE(cfActionData
);