#include "TrustAdditions.h"
#include "TrustKeychains.h"
#include <security_cdsa_client/dlclient.h>
+#include <security_keychain/Keychains.h>
using namespace Security;
#pragma mark -- TrustKeychains --
-static const CSSM_DL_DB_HANDLE nullCSSMDLDBHandle = {0,};
-//
-// TrustKeychains maintains a global reference to standard system keychains,
-// to avoid having them be opened anew for each Trust instance.
-//
-class TrustKeychains
-{
-public:
- TrustKeychains();
- ~TrustKeychains() {}
- CSSM_DL_DB_HANDLE rootStoreHandle() { return mRootStoreHandle; }
- CSSM_DL_DB_HANDLE systemKcHandle() { return mSystem ? mSystem->database()->handle() : nullCSSMDLDBHandle; }
- Keychain &systemKc() { return mSystem; }
- Keychain &rootStore() { return *mRootStore; }
-
-private:
- DL* mRootStoreDL;
- Db* mRootStoreDb;
- Keychain* mRootStore;
- CSSM_DL_DB_HANDLE mRootStoreHandle;
- Keychain mSystem;
-};
-
//
// Singleton maintaining open references to standard system keychains,
// to avoid having them be opened anew every time SecTrust is used.
mRootStoreHandle(nullCSSMDLDBHandle),
mSystem(globals().storageManager.make(ADMIN_CERT_STORE_PATH, false))
{
- if (GetServerMode()) // in server mode? Don't make a keychain for the root store
+ if (GetServerMode()) // in server mode? Don't go through StorageManager to make a keychain
{
- mRootStoreDL = new DL(gGuidAppleFileDL),
- mRootStoreDb = new Db(*mRootStoreDL, SYSTEM_ROOT_STORE_PATH),
- (*mRootStoreDb)->activate();
- mRootStoreHandle = (*mRootStoreDb)->handle();
+ mRootStoreDL = new DL(gGuidAppleFileDL);
+ mRootStoreDb = new Db(*mRootStoreDL, SYSTEM_ROOT_STORE_PATH);
+ mRootStore = new Keychain(*mRootStoreDb);
}
else
{
+ mRootStoreDL = NULL;
+ mRootStoreDb = NULL;
mRootStore = new Keychain(globals().storageManager.make(SYSTEM_ROOT_STORE_PATH, false));
- (*mRootStore)->database()->activate();
- mRootStoreHandle = (*mRootStore)->database()->handle();
}
+ (*mRootStore)->database()->activate();
+ mRootStoreHandle = (*mRootStore)->database()->handle();
+}
+
+TrustKeychains::~TrustKeychains() {
+ if(mRootStoreDL) {
+ delete mRootStoreDL;
+ mRootStoreDL = NULL;
+ }
+ if(mRootStoreDb) {
+ delete mRootStoreDb;
+ mRootStoreDb = NULL;
+ }
+ if(mRootStore) {
+ delete mRootStore;
+ mRootStore = NULL;
+ }
}
RecursiveMutex& SecTrustKeychainsGetMutex()
}
CFArrayRef filteredCerts = NULL;
if (isEVCandidate) {
- secdebug("evTrust", "Trust::evaluate() certificate is EV candidate");
+ secinfo("evTrust", "Trust::evaluate() certificate is EV candidate");
filteredCerts = potentialEVChainWithCertificates(mCerts);
mCerts = filteredCerts;
} else {
- secdebug("evTrust", "Trust::evaluate() performing standard evaluation");
+ secinfo("evTrust", "Trust::evaluate() performing standard evaluation");
if (mCerts) {
filteredCerts = CFArrayCreateMutableCopy(NULL, 0, mCerts);
}
if (mAllowedAnchors)
{
- secdebug("trusteval", "Trust::evaluate: anchors: %ld", CFArrayGetCount(mAllowedAnchors));
+ secinfo("trusteval", "Trust::evaluate: anchors: %ld", CFArrayGetCount(mAllowedAnchors));
#if !defined(NDEBUG)
CFArrayApplyFunction(mAllowedAnchors, CFRangeMake(0, CFArrayGetCount(mAllowedAnchors)), showCertSKID, NULL);
#endif
allPolicies = convertRevocationPolicy(numRevocationAdded, context.allocator);
if (allPolicies) {
// caller has explicitly set the revocation policy they want to use
- secdebug("evTrust", "Trust::evaluate() using explicit revocation policy (%d)",
+ secinfo("evTrust", "Trust::evaluate() using explicit revocation policy (%d)",
numRevocationAdded);
if (numRevocationAdded == 0)
isEVCandidate = false;
// caller explicitly provided empty anchors and no keychain list,
// and did not explicitly specify the revocation policy;
// override global revocation check setting for this evaluation
- secdebug("evTrust", "Trust::evaluate() has empty anchors and no keychains");
+ secinfo("evTrust", "Trust::evaluate() has empty anchors and no keychains");
allPolicies = NULL; // use only mPolicies
isEVCandidate = false;
}
else if (isEVCandidate || requirePerCert) {
// force revocation checking for this evaluation
- secdebug("evTrust", "Trust::evaluate() forcing OCSP/CRL revocation check");
+ secinfo("evTrust", "Trust::evaluate() forcing OCSP/CRL revocation check");
allPolicies = forceRevocationPolicies(true, requirePerCert,
numRevocationAdded, context.allocator, requirePerCert);
}
}
if (allPolicies == NULL) {
// use mPolicies; no revocation checking will be performed
- secdebug("evTrust", "Trust::evaluate() will not perform revocation check");
+ secinfo("evTrust", "Trust::evaluate() will not perform revocation check");
CFIndex numPolicies = CFArrayGetCount(mPolicies);
CFAllocatorRef allocator = CFGetAllocator(mPolicies);
allPolicies = CFArrayCreateMutableCopy(allocator, numPolicies, mPolicies);
// no anchor certificates were provided;
// built-in anchors will be trusted unless explicitly disabled.
mUsingTrustSettings = (mAnchorPolicy < useAnchorsOnly);
- secdebug("userTrust", "Trust::evaluate() %s",
+ secinfo("userTrust", "Trust::evaluate() %s",
(mUsingTrustSettings) ? "using UserTrust" : "has no trusted anchors!");
}
else {
// anchor certificates were provided;
// built-in anchors will NOT also be trusted unless explicitly enabled.
mUsingTrustSettings = (mAnchorPolicy == useAnchorsAndBuiltIns);
- secdebug("userTrust", "Trust::evaluate() using %s %s anchors",
+ secinfo("userTrust", "Trust::evaluate() using %s %s anchors",
(mUsingTrustSettings) ? "UserTrust AND" : "only",
(isEVCandidate) ? "EV" : "caller");
context.anchors(roots, roots);
mTpReturn = errSecSuccess;
} catch (CommonError &err) {
mTpReturn = err.osStatus();
- secdebug("trusteval", "certGroupVerify exception: %d", (int)mTpReturn);
+ secinfo("trusteval", "certGroupVerify exception: %d", (int)mTpReturn);
}
mResult = diagnoseOutcome();
mTpResult[2].as<CSSM_TP_APPLE_EVIDENCE_INFO>(), anchors);
} else {
// unexpected evidence information. Can't use it
- secdebug("trusteval", "unexpected evidence ignored");
+ secinfo("trusteval", "unexpected evidence ignored");
}
/* do post-processing for the evaluated certificate chain */
- CFArrayRef fullChain = makeCFArray(convert, mCertChain);
+ CFArrayRef fullChain = makeCFArrayFrom(convert, mCertChain);
CFDictionaryRef etResult = extendedTrustResults(fullChain, mResult, mTpReturn, isEVCandidate);
mExtendedResult = etResult; // assignment to CFRef type is an implicit retain
if (etResult) {
if (info.recordId()) {
Keychain keychain = keychainByDLDb(info.DlDbHandle);
DbUniqueRecord uniqueId(keychain->database()->newDbUniqueRecord());
- secdebug("trusteval", "evidence %lu from keychain \"%s\"", (unsigned long)n, keychain->name());
+ secinfo("trusteval", "evidence %lu from keychain \"%s\"", (unsigned long)n, keychain->name());
*static_cast<CSSM_DB_UNIQUE_RECORD_PTR *>(uniqueId) = info.UniqueRecord;
uniqueId->activate(); // transfers ownership
Item ii = keychain->item(CSSM_DL_DB_RECORD_X509_CERTIFICATE, uniqueId);
}
mCertChain[n] = cert;
} else if (info.status(CSSM_CERT_STATUS_IS_IN_INPUT_CERTS)) {
- secdebug("trusteval", "evidence %lu from input cert %lu", (unsigned long)n, (unsigned long)info.index());
+ secinfo("trusteval", "evidence %lu from input cert %lu", (unsigned long)n, (unsigned long)info.index());
assert(info.index() < uint32(CFArrayGetCount(mCerts)));
SecCertificateRef cert = SecCertificateRef(CFArrayGetValueAtIndex(mCerts,
info.index()));
mCertChain[n] = Certificate::required(cert);
} else if (info.status(CSSM_CERT_STATUS_IS_IN_ANCHORS)) {
- secdebug("trusteval", "evidence %lu from anchor cert %lu", (unsigned long)n, (unsigned long)info.index());
+ secinfo("trusteval", "evidence %lu from anchor cert %lu", (unsigned long)n, (unsigned long)info.index());
assert(info.index() < uint32(CFArrayGetCount(anchors)));
SecCertificateRef cert = SecCertificateRef(CFArrayGetValueAtIndex(anchors,
info.index()));
mCertChain[n] = Certificate::required(cert);
} else {
// unknown source; make a new Certificate for it
- secdebug("trusteval", "evidence %lu from unknown source", (unsigned long)n);
+ secinfo("trusteval", "evidence %lu from unknown source", (unsigned long)n);
mCertChain[n] =
new Certificate(chain.blobCerts()[n],
CSSM_CERT_X_509v3, CSSM_CERT_ENCODING_BER);
continue;
}
mResult = store.find(mCertChain[mResultIndex], policy, searchLibs());
- secdebug("trusteval", "trustResult=%d from cert %d", (int)mResult, (int)mResultIndex);
+ secinfo("trusteval", "trustResult=%d from cert %d", (int)mResult, (int)mResultIndex);
}
}
allocator.free(evidence[n].StatusCodes);
allocator.free(result[2].data()); // array of (flat) info structs
} else {
- secdebug("trusteval", "unrecognized Apple TP evidence format");
+ secinfo("trusteval", "unrecognized Apple TP evidence format");
// drop it -- better leak than kill
}
} else {
// unknown format -- blindly assume flat blobs
- secdebug("trusteval", "destroying unknown TP evidence format");
+ secinfo("trusteval", "destroying unknown TP evidence format");
for (uint32 n = 0; n < result.count(); n++)
{
allocator.free(result[n].data());
if (mResult != kSecTrustResultInvalid) {
releaseTPEvidence(mTpResult, mTP.allocator());
mResult = kSecTrustResultInvalid;
+ mExtendedResult = NULL;
}
}
if (mResult == kSecTrustResultInvalid)
MacOSError::throwMe(errSecTrustNotAvailable);
certChain = mEvidenceReturned =
- makeCFArray(convert, mCertChain);
+ makeCFArrayFrom(convert, mCertChain);
if(mTpResult.count() >= 3) {
statusChain = mTpResult[2].as<TPEvidenceInfo>();
}
projects / apple / security.git / blobdiff