SecurityTool/macOS/requirement.c

   1 /*
   2  * Copyright (c) 2019 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24 #include <stdio.h>
  25
  26 #include <CoreFoundation/CoreFoundation.h>
  27 #include <Security/SecRequirement.h>
  28 #include <Security/SecRequirementPriv.h>
  29
  30 #include <utilities/SecCFRelease.h>
  31 #include "security_tool.h"
  32 #include "trusted_cert_utils.h"
  33 #include "requirement.h"
  34
  35 int requirement_evaluate(int argc, char * const *argv)
  36 {
  37     int err = 0;
  38     CFErrorRef error = NULL;
  39     CFStringRef reqStr = NULL;
  40     SecRequirementRef req = NULL;
  41     CFMutableArrayRef certs = NULL;
  42
  43     if (argc < 3) {
  44         return SHOW_USAGE_MESSAGE;
  45     }
  46
  47     // Create Requirement
  48
  49     reqStr = CFStringCreateWithCString(NULL, argv[1], kCFStringEncodingUTF8);
  50
  51     OSStatus status = SecRequirementCreateWithStringAndErrors(reqStr,
  52                                                               kSecCSDefaultFlags, &error, &req);
  53
  54     if (status != errSecSuccess) {
  55         CFStringRef errorDesc = CFErrorCopyDescription(error);
  56         CFIndex errorLength = CFStringGetMaximumSizeForEncoding(CFStringGetLength(errorDesc),
  57                                                                 kCFStringEncodingUTF8);
  58         char *errorStr = malloc(errorLength+1);
  59
  60         CFStringGetCString(errorDesc, errorStr, errorLength+1, kCFStringEncodingUTF8);
  61
  62         fprintf(stderr, "parsing requirement failed (%d): %s\n", status, errorStr);
  63
  64         free(errorStr);
  65
  66         err = 1;
  67     }
  68
  69     // Create cert chain
  70
  71     const int num_certs = argc - 2;
  72
  73     certs = CFArrayCreateMutable(NULL, num_certs, &kCFTypeArrayCallBacks);
  74
  75     for (int i = 0; i < num_certs; ++i) {
  76         SecCertificateRef cert = NULL;
  77
  78         if (readCertFile(argv[2 + i], &cert) != 0) {
  79             fprintf(stderr, "Error reading certificate at '%s'\n", argv[2 + i]);
  80             err = 2;
  81             goto out;
  82         }
  83
  84         CFArrayAppendValue(certs, cert);
  85         CFRelease(cert);
  86     }
  87
  88     // Evaluate!
  89
  90     if (req != NULL) {
  91         status = SecRequirementEvaluate(req, certs, NULL, kSecCSDefaultFlags);
  92         printf("%d\n", status);
  93         err = status == 0 ? 0 : 3;
  94     }
  95
  96 out:
  97     CFReleaseSafe(certs);
  98     CFReleaseSafe(req);
  99     CFReleaseSafe(reqStr);
 100     CFReleaseSafe(error);
 101
 102     return err;
 103 }