SecurityTool/macOS/requirement.c

   1 /*
   2  * Copyright (c) 2019 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24 #include <stdio.h>
  25
  26 #include <CoreFoundation/CoreFoundation.h>
  27 #include <Security/SecRequirement.h>
  28 #include <Security/SecRequirementPriv.h>
  29
  30 #include <utilities/SecCFRelease.h>
  31 #include "security_tool.h"
  32 #include "trusted_cert_utils.h"
  33 #include "requirement.h"
  34
  35 int requirement_evaluate(int argc, char * const *argv)
  36 {
  37     int err = 0;
  38     CFErrorRef error = NULL;
  39     CFStringRef reqStr = NULL;
  40     SecRequirementRef req = NULL;
  41     CFMutableArrayRef certs = NULL;
  42
  43     if (argc < 3) {
  44         return SHOW_USAGE_MESSAGE;
  45     }
  46
  47     // Create Requirement
  48
  49     reqStr = CFStringCreateWithCString(NULL, argv[1], kCFStringEncodingUTF8);
  50
  51     OSStatus status = SecRequirementCreateWithStringAndErrors(reqStr,
  52                                                               kSecCSDefaultFlags, &error, &req);
  53
  54     if (status != errSecSuccess) {
  55         CFStringRef errorDesc = CFErrorCopyDescription(error);
  56         CFIndex errorLength = CFStringGetMaximumSizeForEncoding(CFStringGetLength(errorDesc),
  57                                                                 kCFStringEncodingUTF8);
  58         char *errorStr = malloc(errorLength+1);
  59
  60         CFStringGetCString(errorDesc, errorStr, errorLength+1, kCFStringEncodingUTF8);
  61
  62         fprintf(stderr, "parsing requirement failed (%d): %s\n", status, errorStr);
  63
  64         free(errorStr);
  65         CFReleaseSafe(errorDesc);
  66
  67         err = 1;
  68     }
  69
  70     // Create cert chain
  71
  72     const int num_certs = argc - 2;
  73
  74     certs = CFArrayCreateMutable(NULL, num_certs, &kCFTypeArrayCallBacks);
  75
  76     for (int i = 0; i < num_certs; ++i) {
  77         SecCertificateRef cert = NULL;
  78
  79         if (readCertFile(argv[2 + i], &cert) != 0) {
  80             fprintf(stderr, "Error reading certificate at '%s'\n", argv[2 + i]);
  81             err = 2;
  82             goto out;
  83         }
  84
  85         CFArrayAppendValue(certs, cert);
  86         CFReleaseSafe(cert);
  87     }
  88
  89     // Evaluate!
  90
  91     if (req != NULL) {
  92         status = SecRequirementEvaluate(req, certs, NULL, kSecCSDefaultFlags);
  93         printf("%d\n", status);
  94         err = status == 0 ? 0 : 3;
  95     }
  96
  97 out:
  98     CFReleaseSafe(certs);
  99     CFReleaseSafe(req);
 100     CFReleaseSafe(reqStr);
 101     CFReleaseSafe(error);
 102
 103     return err;
 104 }