--- /dev/null
+/*
+ * Copyright (c) 2005,2011-2015 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+/*
+ * TrustSettings.h - class to manage cert trust settings.
+ *
+ */
+
+#include "TrustSettings.h"
+#include "TrustSettingsSchema.h"
+#include "SecTrustSettings.h"
+#include "TrustSettingsUtils.h"
+#include "TrustKeychains.h"
+#include "Certificate.h"
+#include "cssmdatetime.h"
+#include <Security/SecBase.h>
+#include "SecTrustedApplicationPriv.h"
+#include <security_utilities/errors.h>
+#include <security_utilities/debugging.h>
+#include <security_utilities/logging.h>
+#include <security_utilities/cfutilities.h>
+#include <security_utilities/alloc.h>
+#include <Security/cssmapplePriv.h>
+#include <Security/oidscert.h>
+#include <Security/SecCertificatePriv.h>
+#include <Security/SecPolicyPriv.h>
+#include <security_keychain/KCCursor.h>
+#include <security_ocspd/ocspdClient.h>
+#include <CoreFoundation/CoreFoundation.h>
+#include <assert.h>
+#include <Security/Authorization.h>
+#include <sys/stat.h>
+
+#define trustSettingsDbg(args...) secdebug("trustSettings", ## args)
+#define trustSettingsEvalDbg(args...) secdebug("trustSettingsEval", ## args)
+
+/*
+ * Common error return for "malformed TrustSettings record"
+ */
+#define errSecInvalidTrustedRootRecord errSecInvalidTrustSettings
+
+using namespace KeychainCore;
+
+#pragma mark --- Static functions ---
+
+/*
+ * Comparator atoms to determine if an app's specified usage
+ * matches an individual trust setting. Each returns true on a match, false
+ * if the trust setting does not match the app's spec.
+ *
+ * A match fails iff:
+ *
+ * -- the app has specified a field, and the cert has a spec for that
+ * field, and the two specs do not match;
+ *
+ * OR
+ *
+ * -- the cert has a spec for the field and the app hasn't specified the field
+ */
+static bool tsCheckPolicy(
+ const CSSM_OID *appPolicy,
+ CFDataRef certPolicy)
+{
+ if(certPolicy != NULL) {
+ if(appPolicy == NULL) {
+ trustSettingsEvalDbg("tsCheckPolicy: certPolicy, !appPolicy");
+ return false;
+ }
+ unsigned cLen = (unsigned)CFDataGetLength(certPolicy);
+ const UInt8 *cData = CFDataGetBytePtr(certPolicy);
+ if((cLen != appPolicy->Length) || memcmp(appPolicy->Data, cData, cLen)) {
+ trustSettingsEvalDbg("tsCheckPolicy: policy mismatch");
+ return false;
+ }
+ }
+ return true;
+}
+
+/*
+ * This one's slightly different: the match is for *this* app, not one
+ * specified by the app.
+ */
+static bool tsCheckApp(
+ CFDataRef certApp)
+{
+ if(certApp != NULL) {
+ SecTrustedApplicationRef appRef;
+ OSStatus ortn;
+ ortn = SecTrustedApplicationCreateWithExternalRepresentation(certApp, &appRef);
+ if(ortn) {
+ trustSettingsDbg("tsCheckApp: bad trustedApp data\n");
+ return false;
+ }
+ ortn = SecTrustedApplicationValidateWithPath(appRef, NULL);
+ if(ortn) {
+ /* Not this app */
+ return false;
+ }
+ }
+
+ return true;
+}
+
+static bool tsCheckKeyUse(
+ SecTrustSettingsKeyUsage appKeyUse,
+ CFNumberRef certKeyUse)
+{
+ if(certKeyUse != NULL) {
+ SInt32 certUse;
+ CFNumberGetValue(certKeyUse, kCFNumberSInt32Type, &certUse);
+ SecTrustSettingsKeyUsage cku = (SecTrustSettingsKeyUsage)certUse;
+ if(cku == kSecTrustSettingsKeyUseAny) {
+ /* explicitly allows anything */
+ return true;
+ }
+ /* cert specification must be a superset of app's intended use */
+ if(appKeyUse == 0) {
+ trustSettingsEvalDbg("tsCheckKeyUse: certKeyUsage, !appKeyUsage");
+ return false;
+ }
+
+ if((cku & appKeyUse) != appKeyUse) {
+ trustSettingsEvalDbg("tsCheckKeyUse: keyUse mismatch");
+ return false;
+ }
+ }
+ return true;
+}
+
+static bool tsCheckPolicyStr(
+ const char *appPolicyStr,
+ CFStringRef certPolicyStr)
+{
+ if(certPolicyStr != NULL) {
+ if(appPolicyStr == NULL) {
+ trustSettingsEvalDbg("tsCheckPolicyStr: certPolicyStr, !appPolicyStr");
+ return false;
+ }
+ /* Let CF do the string compare */
+ CFStringRef cfPolicyStr = CFStringCreateWithCString(NULL, appPolicyStr,
+ kCFStringEncodingUTF8);
+ if(cfPolicyStr == NULL) {
+ /* I really don't see how this can happen */
+ trustSettingsEvalDbg("tsCheckPolicyStr: policyStr string conversion error");
+ return false;
+ }
+
+ // Some trust setting strings were created with a NULL character at the
+ // end, which was included in the length. Strip those off before compare
+
+ CFMutableStringRef certPolicyStrNoNULL = CFStringCreateMutableCopy(NULL, 0, certPolicyStr);
+ if (certPolicyStrNoNULL == NULL) {
+ /* I really don't see how this can happen either */
+ trustSettingsEvalDbg("tsCheckPolicyStr: policyStr string conversion error 2");
+ return false;
+ }
+
+ CFStringFindAndReplace(certPolicyStrNoNULL, CFSTR("\00"),
+ CFSTR(""), CFRangeMake(0, CFStringGetLength(certPolicyStrNoNULL)), kCFCompareBackwards);
+
+ CFComparisonResult res = CFStringCompare(cfPolicyStr, certPolicyStrNoNULL, 0);
+ CFRelease(cfPolicyStr);
+ CFRelease(certPolicyStrNoNULL);
+ if(res != kCFCompareEqualTo) {
+ trustSettingsEvalDbg("tsCheckPolicyStr: policyStr mismatch");
+ return false;
+ }
+ }
+ return true;
+}
+
+/*
+ * Determine if a cert's trust settings dictionary satisfies the specified
+ * usage constraints. Returns true if so.
+ * Only certs with a SecTrustSettingsResult of kSecTrustSettingsResultTrustRoot
+ * or kSecTrustSettingsResultTrustAsRoot will match.
+ */
+static bool qualifyUsageWithCertDict(
+ CFDictionaryRef certDict,
+ const CSSM_OID *policyOID, /* optional */
+ const char *policyStr, /* optional */
+ SecTrustSettingsKeyUsage keyUsage, /* optional; default = any (actually "all" here) */
+ bool onlyRoots)
+{
+ /* this array is optional */
+ CFArrayRef trustSettings = (CFArrayRef)CFDictionaryGetValue(certDict,
+ kTrustRecordTrustSettings);
+ CFIndex numSpecs = 0;
+ if(trustSettings != NULL) {
+ numSpecs = CFArrayGetCount(trustSettings);
+ }
+ if(numSpecs == 0) {
+ /*
+ * Trivial case: cert has no trust settings, indicating that
+ * it's used for everything.
+ */
+ trustSettingsEvalDbg("qualifyUsageWithCertDict: no trust settings");
+ return true;
+ }
+ for(CFIndex addDex=0; addDex<numSpecs; addDex++) {
+ CFDictionaryRef tsDict = (CFDictionaryRef)CFArrayGetValueAtIndex(trustSettings,
+ addDex);
+
+ /* per-cert specs: all optional */
+ CFDataRef certPolicy = (CFDataRef)CFDictionaryGetValue(tsDict,
+ kSecTrustSettingsPolicy);
+ CFDataRef certApp = (CFDataRef)CFDictionaryGetValue(tsDict,
+ kSecTrustSettingsApplication);
+ CFStringRef certPolicyStr = (CFStringRef)CFDictionaryGetValue(tsDict,
+ kSecTrustSettingsPolicyString);
+ CFNumberRef certKeyUsage = (CFNumberRef)CFDictionaryGetValue(tsDict,
+ kSecTrustSettingsKeyUsage);
+ CFNumberRef certResultType = (CFNumberRef)CFDictionaryGetValue(tsDict,
+ kSecTrustSettingsResult);
+
+ if(!tsCheckPolicy(policyOID, certPolicy)) {
+ continue;
+ }
+ if(!tsCheckApp(certApp)) {
+ continue;
+ }
+ if(!tsCheckKeyUse(keyUsage, certKeyUsage)) {
+ continue;
+ }
+ if(!tsCheckPolicyStr(policyStr, certPolicyStr)) {
+ continue;
+ }
+
+ /*
+ * This is a match, take whatever SecTrustSettingsResult is here,
+ * including the default if not specified.
+ */
+ SecTrustSettingsResult resultType = kSecTrustSettingsResultTrustRoot;
+ if(certResultType) {
+ SInt32 s;
+ CFNumberGetValue(certResultType, kCFNumberSInt32Type, &s);
+ resultType = (SecTrustSettingsResult)s;
+ }
+ switch(resultType) {
+ case kSecTrustSettingsResultTrustRoot:
+ trustSettingsEvalDbg("qualifyUsageWithCertDict: TrustRoot MATCH");
+ return true;
+ case kSecTrustSettingsResultTrustAsRoot:
+ if(onlyRoots) {
+ trustSettingsEvalDbg("qualifyUsageWithCertDict: TrustAsRoot but not root");
+ return false;
+ }
+ trustSettingsEvalDbg("qualifyUsageWithCertDict: TrustAsRoot MATCH");
+ return true;
+ default:
+ trustSettingsEvalDbg("qualifyUsageWithCertDict: bad resultType "
+ "(%lu)", (unsigned long)resultType);
+ return false;
+ }
+ }
+ trustSettingsEvalDbg("qualifyUsageWithCertDict: NO MATCH");
+ return false;
+}
+
+/*
+ * Create initial top-level dictionary when constructing a new TrustSettings.
+ */
+static CFMutableDictionaryRef tsInitialDict()
+{
+ CFMutableDictionaryRef dict = CFDictionaryCreateMutable(NULL,
+ kSecTrustRecordNumTopDictKeys,
+ &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+
+ /* the dictionary of per-cert entries */
+ CFMutableDictionaryRef trustDict = CFDictionaryCreateMutable(NULL, 0,
+ &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+ CFDictionaryAddValue(dict, kTrustRecordTrustList, trustDict);
+ CFRelease(trustDict);
+
+ SInt32 vers = kSecTrustRecordVersionCurrent;
+ CFNumberRef cfVers = CFNumberCreate(NULL, kCFNumberSInt32Type, &vers);
+ CFDictionaryAddValue(dict, kTrustRecordVersion, cfVers);
+ CFRelease(cfVers);
+ return dict;
+}
+
+/*
+ * Set the modification date of a per-cert dictionary to current time.
+ */
+static void tsSetModDate(
+ CFMutableDictionaryRef dict)
+{
+ CFDateRef modDate;
+
+ modDate = CFDateCreate(NULL, CFAbsoluteTimeGetCurrent());
+ CFDictionarySetValue(dict, kTrustRecordModDate, modDate);
+ CFRelease(modDate);
+}
+
+/* make sure a presumed CFNumber can be converted to a 32-bit number */
+static
+bool tsIsGoodCfNum(CFNumberRef cfn, SInt32 *num = NULL)
+{
+ if(cfn == NULL) {
+ /* by convention */
+ if(num) {
+ *num = 0;
+ }
+ return true;
+ }
+ if(CFGetTypeID(cfn) != CFNumberGetTypeID()) {
+ return false;
+ }
+
+ SInt32 s;
+ if(!CFNumberGetValue(cfn, kCFNumberSInt32Type, &s)) {
+ return false;
+ }
+ else {
+ if(num) {
+ *num = s;
+ }
+ return true;
+ }
+}
+
+TrustSettings::TrustSettings(SecTrustSettingsDomain domain)
+ : mPropList(NULL),
+ mTrustDict(NULL),
+ mDictVersion(0),
+ mDomain(domain),
+ mDirty(false)
+{
+}
+
+
+
+#pragma mark --- Public methods ---
+
+/*
+ * Normal constructor, from disk.
+ * If create is true, the absence of an on-disk TrustSettings file
+ * results in the creation of a new empty TrustSettings. If create is
+ * false and no on-disk TrustSettings exists, errSecNoTrustSettings is
+ * thrown.
+ * If trim is true, the components of the on-disk TrustSettings not
+ * needed for cert evaluation are discarded. This is for TrustSettings
+ * that will be cached in memory long-term.
+ */
+OSStatus TrustSettings::CreateTrustSettings(
+ SecTrustSettingsDomain domain,
+ bool create,
+ bool trim,
+ TrustSettings*& ts)
+{
+ TrustSettings* t = new TrustSettings(domain);
+
+ Allocator &alloc = Allocator::standard();
+ CSSM_DATA fileData = {0, NULL};
+ OSStatus ortn = errSecSuccess;
+ struct stat sb;
+ const char *path;
+
+ /* get trust settings from file, one way or another */
+ switch(domain) {
+ case kSecTrustSettingsDomainAdmin:
+ /*
+ * Quickie optimization: if it's not there, don't try to
+ * get it from ocspd. This is possible because the name of the
+ * admin file is hard coded, but the per-user files aren't.
+ */
+ path = TRUST_SETTINGS_PATH "/" ADMIN_TRUST_SETTINGS;
+ if(stat(path, &sb)) {
+ trustSettingsDbg("TrustSettings: no admin record; skipping");
+ ortn = errSecNoTrustSettings;
+ break;
+ }
+ /* else drop thru, get it from ocspd */
+ case kSecTrustSettingsDomainUser:
+ /* get settings from ocspd */
+ ortn = ocspdTrustSettingsRead(alloc, domain, fileData);
+ break;
+ case kSecTrustSettingsDomainSystem:
+ /* immutable; it's safe for us to read this directly */
+ if(tsReadFile(SYSTEM_TRUST_SETTINGS_PATH, alloc, fileData)) {
+ ortn = errSecNoTrustSettings;
+ }
+ break;
+ default:
+ delete t;
+ return errSecParam;
+ }
+ if(ortn) {
+ if(create) {
+ trustSettingsDbg("TrustSettings: creating new record for domain %d",
+ (int)domain);
+ t->mPropList = tsInitialDict();
+ t->mDirty = true;
+ }
+ else {
+ trustSettingsDbg("TrustSettings: record not found for domain %d",
+ (int)domain);
+ delete t;
+ return ortn;
+ }
+ }
+ else {
+ CFRef<CFDataRef> propList(CFDataCreate(NULL, fileData.Data, fileData.Length));
+ t->initFromData(propList);
+ alloc.free(fileData.Data);
+ }
+ t->validatePropList(trim);
+
+ ts = t;
+ return errSecSuccess;
+}
+
+/*
+ * Create from external data, obtained by createExternal().
+ * If externalData is NULL, we'll create an empty mTrustDict.
+ */
+OSStatus TrustSettings::CreateTrustSettings(
+ SecTrustSettingsDomain domain,
+ CFDataRef externalData,
+ TrustSettings*& ts)
+{
+ switch(domain) {
+ case kSecTrustSettingsDomainUser:
+ case kSecTrustSettingsDomainAdmin:
+ case kSecTrustSettingsDomainMemory:
+ break;
+ case kSecTrustSettingsDomainSystem: /* no can do, that implies writing to it */
+ default:
+ return errSecParam;
+ }
+
+ TrustSettings* t = new TrustSettings(domain);
+
+ if(externalData != NULL) {
+ t->initFromData(externalData);
+ }
+ else {
+ t->mPropList = tsInitialDict();
+ }
+ t->validatePropList(TRIM_NO); /* never trim this */
+ t->mDirty = true;
+
+ ts = t;
+ return errSecSuccess;
+}
+
+
+TrustSettings::~TrustSettings()
+{
+ trustSettingsDbg("TrustSettings(domain %d) destructor", (int)mDomain);
+ CFRELEASE(mPropList); /* may be null if trimmed */
+ CFRELEASE(mTrustDict); /* normally always non-NULL */
+
+}
+
+/* common code to init mPropList from raw data */
+void TrustSettings::initFromData(
+ CFDataRef trustSettingsData)
+{
+ CFStringRef errStr = NULL;
+
+ mPropList = (CFMutableDictionaryRef)CFPropertyListCreateFromXMLData(
+ NULL,
+ trustSettingsData,
+ kCFPropertyListMutableContainersAndLeaves,
+ &errStr);
+ if(mPropList == NULL) {
+ trustSettingsDbg("TrustSettings::initFromData decode err (%s)",
+ errStr ? CFStringGetCStringPtr(errStr, kCFStringEncodingUTF8) : "<no err>");
+ if(errStr != NULL) {
+ CFRelease(errStr);
+ }
+ MacOSError::throwMe(errSecInvalidTrustSettings);
+ }
+}
+
+/*
+ * Flush property list data out to disk if dirty.
+ */
+void TrustSettings::flushToDisk()
+{
+ if(!mDirty) {
+ trustSettingsDbg("flushToDisk, domain %d, !dirty!", (int)mDomain);
+ return;
+ }
+ if(mPropList == NULL) {
+ trustSettingsDbg("flushToDisk, domain %d, trimmed!", (int)mDomain);
+ assert(0);
+ MacOSError::throwMe(errSecInternalComponent);
+ }
+ switch(mDomain) {
+ case kSecTrustSettingsDomainSystem:
+ case kSecTrustSettingsDomainMemory:
+ /* caller shouldn't even try this */
+ default:
+ trustSettingsDbg("flushToDisk, bad domain (%d)", (int)mDomain);
+ MacOSError::throwMe(errSecInternalComponent);
+ case kSecTrustSettingsDomainUser:
+ case kSecTrustSettingsDomainAdmin:
+ break;
+ }
+
+ /*
+ * Optimization: if there are no certs in the mTrustDict dictionary,
+ * we tell ocspd to *remove* the settings for the specified domain.
+ * Having *no* settings uses less memory and is faster than having
+ * an empty settings file, especially for the admin domain, where we
+ * can avoid
+ * an RPC if the settings file is simply not there.
+ */
+ CFRef<CFDataRef> xmlData;
+ CSSM_DATA cssmXmlData = {0, NULL};
+ CFIndex numCerts = CFDictionaryGetCount(mTrustDict);
+ if(numCerts) {
+ xmlData.take(CFPropertyListCreateXMLData(NULL, mPropList));
+ if(!xmlData) {
+ /* we've been very careful; this should never happen */
+ trustSettingsDbg("flushToDisk, domain %d: error converting to XML", (int)mDomain);
+ MacOSError::throwMe(errSecInternalComponent);
+ }
+ cssmXmlData.Data = (uint8 *)CFDataGetBytePtr(xmlData);
+ cssmXmlData.Length = CFDataGetLength(xmlData);
+ }
+ else {
+ trustSettingsDbg("flushToDisk, domain %d: DELETING trust settings", (int)mDomain);
+ }
+
+ /* cook up auth stuff so ocspd can act on our behalf */
+ AuthorizationRef authRef;
+ OSStatus ortn;
+ ortn = AuthorizationCreate(NULL, kAuthorizationEmptyEnvironment,
+ 0, &authRef);
+ if(ortn) {
+ trustSettingsDbg("flushToDisk, domain %d: AuthorizationCreate returned %ld",
+ (int)mDomain, (long)ortn);
+ MacOSError::throwMe(errSecInternalComponent);
+ }
+ AuthorizationExternalForm authExt;
+ CSSM_DATA authBlob = {sizeof(authExt), (uint8 *)&authExt};
+ ortn = AuthorizationMakeExternalForm(authRef, &authExt);
+ if(ortn) {
+ trustSettingsDbg("flushToDisk, domain %d: AuthorizationMakeExternalForm returned %ld",
+ (int)mDomain, (long)ortn);
+ ortn = errSecInternalComponent;
+ goto errOut;
+ }
+
+ ortn = ocspdTrustSettingsWrite(mDomain, authBlob, cssmXmlData);
+ if(ortn) {
+ trustSettingsDbg("flushToDisk, domain %d: ocspdTrustSettingsWrite returned %ld",
+ (int)mDomain, (long)ortn);
+ goto errOut;
+ }
+ trustSettingsDbg("flushToDisk, domain %d: wrote to disk", (int)mDomain);
+ mDirty = false;
+errOut:
+ AuthorizationFree(authRef, 0);
+ if(ortn) {
+ MacOSError::throwMe(ortn);
+ }
+}
+
+/*
+ * Obtain external representation of TrustSettings data.
+ */
+CFDataRef TrustSettings::createExternal()
+{
+ assert(mPropList);
+ CFDataRef xmlData = CFPropertyListCreateXMLData(NULL, mPropList);
+ if(xmlData == NULL) {
+ trustSettingsDbg("createExternal, domain %d: error converting to XML",
+ (int)mDomain);
+ MacOSError::throwMe(errSecInternalComponent);
+ }
+ return xmlData;
+}
+
+/*
+ * Evaluate specified cert. Returns true if we found a record for the cert
+ * matching specified constraints.
+ * Note that a true return with a value of kSecTrustSettingsResultUnspecified for
+ * the resultType means that a cert isn't to be trusted or untrusted
+ * per se; it just means that we only found allowedErrors entries.
+ *
+ * Found "allows errors" values are added to the incoming allowedErrors
+ * array which is reallocd as needed (and which may be NULL or non-NULL on
+ * entry).
+ */
+bool TrustSettings::evaluateCert(
+ CFStringRef certHashStr,
+ const CSSM_OID *policyOID, /* optional */
+ const char *policyStr, /* optional */
+ SecTrustSettingsKeyUsage keyUsage, /* optional */
+ bool isRootCert, /* for checking default setting */
+ CSSM_RETURN **allowedErrors, /* IN/OUT; reallocd as needed */
+ uint32 *numAllowedErrors, /* IN/OUT */
+ SecTrustSettingsResult *resultType, /* RETURNED */
+ bool *foundAnyEntry) /* RETURNED */
+{
+ assert(mTrustDict != NULL);
+
+ /* get trust settings dictionary for this cert */
+ CFDictionaryRef certDict = findDictionaryForCertHash(certHashStr);
+ if((certDict == NULL) && isRootCert) {
+ /* No? How about default root setting for this domain? */
+ certDict = findDictionaryForCertHash(kSecTrustRecordDefaultRootCert);
+ }
+#if CERT_HASH_DEBUG
+ /* @@@ debug only @@@ */
+ /* print certificate hash and found dictionary reference */
+ const size_t maxHashStrLen = 512;
+ char *buf = (char*)malloc(maxHashStrLen);
+ if (buf) {
+ if (!CFStringGetCString(certHashStr, buf, (CFIndex)maxHashStrLen, kCFStringEncodingUTF8)) {
+ buf[0]='\0';
+ }
+ trustSettingsEvalDbg("evaluateCert for \"%s\", found dict %p", buf, certDict);
+ free(buf);
+ }
+#endif
+
+ if(certDict == NULL) {
+ *foundAnyEntry = false;
+ return false;
+ }
+ *foundAnyEntry = true;
+
+ /* to-be-returned array of allowed errors */
+ CSSM_RETURN *allowedErrs = *allowedErrors;
+ uint32 numAllowedErrs = *numAllowedErrors;
+
+ /* this means "we found something other than allowedErrors" if true */
+ bool foundSettings = false;
+
+ /* to be returned in *resultType if it ends up something other than Invalid */
+ SecTrustSettingsResult returnedResult = kSecTrustSettingsResultInvalid;
+
+ /*
+ * Note since we validated the entire mPropList in our constructor, and we're careful
+ * about what we put into it, we don't bother typechecking its contents here.
+ * Also note that the kTrustRecordTrustSettings entry is optional.
+ */
+ CFArrayRef trustSettings = (CFArrayRef)CFDictionaryGetValue(certDict,
+ kTrustRecordTrustSettings);
+ CFIndex numSpecs = 0;
+ if(trustSettings != NULL) {
+ numSpecs = CFArrayGetCount(trustSettings);
+ }
+ if(numSpecs == 0) {
+ /*
+ * Trivial case: cert has no trust settings, indicating that
+ * it's used for everything.
+ */
+ trustSettingsEvalDbg("evaluateCert: no trust settings");
+ /* the default... */
+ *resultType = kSecTrustSettingsResultTrustRoot;
+ return true;
+ }
+
+ /*
+ * The decidedly nontrivial part: grind thru all of the cert's trust
+ * settings, see if the cert matches the caller's specified usage.
+ */
+ for(CFIndex addDex=0; addDex<numSpecs; addDex++) {
+ CFDictionaryRef tsDict = (CFDictionaryRef)CFArrayGetValueAtIndex(trustSettings,
+ addDex);
+
+ /* per-cert specs: all optional */
+ CFDataRef certPolicy = (CFDataRef)CFDictionaryGetValue(tsDict,
+ kSecTrustSettingsPolicy);
+ CFDataRef certApp = (CFDataRef)CFDictionaryGetValue(tsDict,
+ kSecTrustSettingsApplication);
+ CFStringRef certPolicyStr = (CFStringRef)CFDictionaryGetValue(tsDict,
+ kSecTrustSettingsPolicyString);
+ CFNumberRef certKeyUsage = (CFNumberRef)CFDictionaryGetValue(tsDict,
+ kSecTrustSettingsKeyUsage);
+ CFNumberRef certResultType = (CFNumberRef)CFDictionaryGetValue(tsDict,
+ kSecTrustSettingsResult);
+ CFNumberRef certAllowedErr = (CFNumberRef)CFDictionaryGetValue(tsDict,
+ kSecTrustSettingsAllowedError);
+
+ /* now, skip if we find a constraint that doesn't match intended use */
+ if(!tsCheckPolicy(policyOID, certPolicy)) {
+ continue;
+ }
+ if(!tsCheckApp(certApp)) {
+ continue;
+ }
+ if(!tsCheckKeyUse(keyUsage, certKeyUsage)) {
+ continue;
+ }
+ if(!tsCheckPolicyStr(policyStr, certPolicyStr)) {
+ continue;
+ }
+
+ trustSettingsEvalDbg("evaluateCert: MATCH");
+ foundSettings = true;
+
+ if(certAllowedErr) {
+ /* note we already validated this value */
+ SInt32 s;
+ CFNumberGetValue(certAllowedErr, kCFNumberSInt32Type, &s);
+ allowedErrs = (CSSM_RETURN *)::realloc(allowedErrs,
+ ++numAllowedErrs * sizeof(CSSM_RETURN));
+ allowedErrs[numAllowedErrs-1] = (CSSM_RETURN) s;
+ }
+
+ /*
+ * We found a match, but we only return the current result type
+ * to caller if we haven't already returned something other than
+ * kSecTrustSettingsResultUnspecified. Once we find a valid result type,
+ * we keep on searching, but only for additional allowed errors.
+ */
+ switch(returnedResult) {
+ /* found match but no valid resultType yet */
+ case kSecTrustSettingsResultUnspecified:
+ /* haven't been thru here */
+ case kSecTrustSettingsResultInvalid:
+ if(certResultType) {
+ /* note we already validated this */
+ SInt32 s;
+ CFNumberGetValue(certResultType, kCFNumberSInt32Type, &s);
+ returnedResult = (SecTrustSettingsResult)s;
+ }
+ else {
+ /* default is "copacetic" */
+ returnedResult = kSecTrustSettingsResultTrustRoot;
+ }
+ break;
+ default:
+ /* we already have a definitive resultType, don't change it */
+ break;
+ }
+ } /* for each dictionary in trustSettings */
+
+ *allowedErrors = allowedErrs;
+ *numAllowedErrors = numAllowedErrs;
+ if(returnedResult != kSecTrustSettingsResultInvalid) {
+ *resultType = returnedResult;
+ }
+ return foundSettings;
+}
+
+
+/*
+ * Find all certs in specified keychain list which have entries in this trust record.
+ * Certs already in the array are not added.
+ */
+void TrustSettings::findCerts(
+ StorageManager::KeychainList &keychains,
+ CFMutableArrayRef certArray)
+{
+ findQualifiedCerts(keychains,
+ true, /* findAll */
+ false, /* onlyRoots */
+ NULL, NULL, kSecTrustSettingsKeyUseAny,
+ certArray);
+}
+
+void TrustSettings::findQualifiedCerts(
+ StorageManager::KeychainList &keychains,
+ /*
+ * If findAll is true, all certs are returned and the subsequent
+ * qualifiers are ignored
+ */
+ bool findAll,
+ /* if true, only return root (self-signed) certs */
+ bool onlyRoots,
+ const CSSM_OID *policyOID, /* optional */
+ const char *policyString, /* optional */
+ SecTrustSettingsKeyUsage keyUsage, /* optional */
+ CFMutableArrayRef certArray) /* certs appended here */
+{
+ StLock<Mutex> _(SecTrustKeychainsGetMutex());
+
+ /*
+ * a set, hopefully with a good hash function for CFData, to keep track of what's
+ * been added to the outgoing array.
+ */
+ CFRef<CFMutableSetRef> certSet(CFSetCreateMutable(NULL, 0, &kCFTypeSetCallBacks));
+
+ /* search: all certs, no attributes */
+ KCCursor cursor(keychains, CSSM_DL_DB_RECORD_X509_CERTIFICATE, NULL);
+ Item certItem;
+ bool found;
+ do {
+ found = cursor->next(certItem);
+ if(!found) {
+ break;
+ }
+ #if !SECTRUST_OSX
+ CFRef<SecCertificateRef> certRef((SecCertificateRef)certItem->handle());
+ #else
+ /* must convert to unified SecCertificateRef */
+ SecPointer<Certificate> certificate(static_cast<Certificate *>(&*certItem));
+ CssmData certCssmData = certificate->data();
+ if (!(certCssmData.Data && certCssmData.Length)) {
+ continue;
+ }
+ CFRef<CFDataRef> cfDataRef(CFDataCreate(NULL, certCssmData.Data, certCssmData.Length));
+ CFRef<SecCertificateRef> certRef(SecCertificateCreateWithData(NULL, cfDataRef));
+ #endif
+
+ /* do we have an entry for this cert? */
+ CFDictionaryRef certDict = findDictionaryForCert(certRef);
+ if(certDict == NULL) {
+ continue;
+ }
+
+ if(!findAll) {
+ /* qualify */
+ if(!qualifyUsageWithCertDict(certDict, policyOID,
+ policyString, keyUsage, onlyRoots)) {
+ continue;
+ }
+ }
+
+ /* see if we already have this one - get in CFData form */
+ CSSM_DATA certData;
+ OSStatus ortn = SecCertificateGetData(certRef, &certData);
+ if(ortn) {
+ trustSettingsEvalDbg("findQualifiedCerts: SecCertificateGetData error");
+ continue;
+ }
+ CFRef<CFDataRef> cfData(CFDataCreate(NULL, certData.Data, certData.Length));
+ CFDataRef cfd = cfData;
+ if(CFSetContainsValue(certSet, cfd)) {
+ trustSettingsEvalDbg("findQualifiedCerts: dup cert");
+ continue;
+ }
+ else {
+ /* add to the tracking set, which owns the CFData now */
+ CFSetAddValue(certSet, cfd);
+ /* and add the SecCert to caller's array, which owns that now */
+ CFArrayAppendValue(certArray, certRef);
+ }
+ } while(found);
+}
+
+/*
+ * Obtain trust settings for the specified cert. Returned settings array
+ * is in the public API form; caller must release. Returns NULL
+ * (does not throw) if the cert is not present in this TrustRecord.
+ */
+CFArrayRef TrustSettings::copyTrustSettings(
+ SecCertificateRef certRef)
+{
+ CFDictionaryRef certDict = NULL;
+
+ /* find the on-disk usage constraints for this cert */
+ certDict = findDictionaryForCert(certRef);
+ if(certDict == NULL) {
+ trustSettingsDbg("copyTrustSettings: dictionary not found");
+ return NULL;
+ }
+ CFArrayRef diskTrustSettings = (CFArrayRef)CFDictionaryGetValue(certDict,
+ kTrustRecordTrustSettings);
+ CFIndex numSpecs = 0;
+ if(diskTrustSettings != NULL) {
+ /* this field is optional */
+ numSpecs = CFArrayGetCount(diskTrustSettings);
+ }
+
+ /*
+ * Convert to API-style array of dictionaries.
+ * We give the caller an array even if it's empty.
+ */
+ CFRef<CFMutableArrayRef> outArray(CFArrayCreateMutable(NULL, numSpecs,
+ &kCFTypeArrayCallBacks));
+ for(CFIndex dex=0; dex<numSpecs; dex++) {
+ CFDictionaryRef diskTsDict =
+ (CFDictionaryRef)CFArrayGetValueAtIndex(diskTrustSettings, dex);
+ /* already validated... */
+ assert(CFGetTypeID(diskTsDict) == CFDictionaryGetTypeID());
+
+ CFDataRef certPolicy = (CFDataRef) CFDictionaryGetValue(diskTsDict, kSecTrustSettingsPolicy);
+ CFDataRef certApp = (CFDataRef) CFDictionaryGetValue(diskTsDict, kSecTrustSettingsApplication);
+ CFStringRef policyStr = (CFStringRef)CFDictionaryGetValue(diskTsDict, kSecTrustSettingsPolicyString);
+ CFNumberRef allowedErr = (CFNumberRef)CFDictionaryGetValue(diskTsDict, kSecTrustSettingsAllowedError);
+ CFNumberRef resultType = (CFNumberRef)CFDictionaryGetValue(diskTsDict, kSecTrustSettingsResult);
+ CFNumberRef keyUsage = (CFNumberRef)CFDictionaryGetValue(diskTsDict, kSecTrustSettingsKeyUsage);
+
+ if((certPolicy == NULL) &&
+ (certApp == NULL) &&
+ (policyStr == NULL) &&
+ (allowedErr == NULL) &&
+ (resultType == NULL) &&
+ (keyUsage == NULL)) {
+ /* weird but legal */
+ continue;
+ }
+ CFRef<CFMutableDictionaryRef> outTsDict(CFDictionaryCreateMutable(NULL,
+ 0, // capacity
+ &kCFTypeDictionaryKeyCallBacks,
+ &kCFTypeDictionaryValueCallBacks));
+
+ if(certPolicy != NULL) {
+ /* convert OID as CFDataRef to SecPolicyRef */
+ SecPolicyRef policyRef = NULL;
+ CSSM_OID policyOid = { CFDataGetLength(certPolicy),
+ (uint8 *)CFDataGetBytePtr(certPolicy) };
+ OSStatus ortn = SecPolicyCopy(CSSM_CERT_X_509v3, &policyOid, &policyRef);
+ if(ortn) {
+ trustSettingsDbg("copyTrustSettings: OID conversion error");
+ abort("Bad Policy OID in trusted root list", errSecInvalidTrustedRootRecord);
+ }
+ CFDictionaryAddValue(outTsDict, kSecTrustSettingsPolicy, policyRef);
+ CFRelease(policyRef); // owned by dictionary
+ }
+
+ if(certApp != NULL) {
+ /* convert app as CFDataRef to SecTrustedApplicationRef */
+ SecTrustedApplicationRef appRef;
+ OSStatus ortn = SecTrustedApplicationCreateWithExternalRepresentation(certApp, &appRef);
+ if(ortn) {
+ trustSettingsDbg("copyTrustSettings: App conversion error");
+ abort("Bad application data in trusted root list", errSecInvalidTrustedRootRecord);
+ }
+ CFDictionaryAddValue(outTsDict, kSecTrustSettingsApplication, appRef);
+ CFRelease(appRef); // owned by dictionary
+ }
+
+ /* remaining 4 are trivial */
+ if(policyStr != NULL) {
+ /*
+ * copy, since policyStr is in our mutable dictionary and could change out from
+ * under the caller
+ */
+ CFStringRef str = CFStringCreateCopy(NULL, policyStr);
+ CFDictionaryAddValue(outTsDict, kSecTrustSettingsPolicyString, str);
+ CFRelease(str); // owned by dictionary
+ }
+ if(allowedErr != NULL) {
+ /* there is no mutable CFNumber, so.... */
+ CFDictionaryAddValue(outTsDict, kSecTrustSettingsAllowedError, allowedErr);
+ }
+ if(resultType != NULL) {
+ CFDictionaryAddValue(outTsDict, kSecTrustSettingsResult, resultType);
+ }
+ if(keyUsage != NULL) {
+ CFDictionaryAddValue(outTsDict, kSecTrustSettingsKeyUsage, keyUsage);
+ }
+ CFArrayAppendValue(outArray, outTsDict);
+ /* outTsDict autoreleases; owned by outArray now */
+ }
+ CFRetain(outArray); // now that it's good to go....
+ return outArray;
+}
+
+CFDateRef TrustSettings::copyModDate(
+ SecCertificateRef certRef)
+{
+ CFDictionaryRef certDict = NULL;
+
+ /* find the on-disk usage constraints dictionary for this cert */
+ certDict = findDictionaryForCert(certRef);
+ if(certDict == NULL) {
+ trustSettingsDbg("copyModDate: dictionary not found");
+ return NULL;
+ }
+ CFDateRef modDate = (CFDateRef)CFDictionaryGetValue(certDict, kTrustRecordModDate);
+ if(modDate == NULL) {
+ return NULL;
+ }
+
+ /* this only works becuase there is no mutable CFDateRef */
+ CFRetain(modDate);
+ return modDate;
+}
+
+/*
+ * Modify cert's trust settings, or add a new cert to the record.
+ */
+void TrustSettings::setTrustSettings(
+ SecCertificateRef certRef,
+ CFTypeRef trustSettingsDictOrArray)
+{
+ /* to validate, we need to know if the cert is self-signed */
+ OSStatus ortn;
+ Boolean isSelfSigned = false;
+
+ if(certRef == kSecTrustSettingsDefaultRootCertSetting) {
+ /*
+ * Validate settings as if this were root, specifically,
+ * kSecTrustSettingsResultTrustRoot (explicitly or by
+ * default) is OK.
+ */
+ isSelfSigned = true;
+ }
+ else {
+ ortn = SecCertificateIsSelfSigned(certRef, &isSelfSigned);
+ if(ortn) {
+ MacOSError::throwMe(ortn);
+ }
+ }
+
+ /* caller's app/policy spec OK? */
+ CFRef<CFArrayRef> trustSettings(validateApiTrustSettings(
+ trustSettingsDictOrArray, isSelfSigned));
+
+ /* caller is responsible for ensuring these */
+ assert(mPropList != NULL);
+ assert(mDomain != kSecTrustSettingsDomainSystem);
+
+ /* extract issuer and serial number from the cert, if it's a cert */
+ CFRef<CFDataRef> issuer;
+ CFRef<CFDataRef> serial;
+ if(certRef != kSecTrustSettingsDefaultRootCertSetting) {
+ copyIssuerAndSerial(certRef, issuer.take(), serial.take());
+ }
+ else {
+ UInt8 dummy;
+ issuer = CFDataCreate(NULL, &dummy, 0);
+ serial = CFDataCreate(NULL, &dummy, 0);
+ }
+
+ /* SHA1 digest as string */
+ CFRef<CFStringRef> certHashStr(SecTrustSettingsCertHashStrFromCert(certRef));
+ if(!certHashStr) {
+ trustSettingsDbg("TrustSettings::setTrustSettings: CertHashStrFromCert error");
+ MacOSError::throwMe(errSecItemNotFound);
+ }
+
+ /*
+ * Find entry for this cert, if present.
+ */
+ CFMutableDictionaryRef certDict =
+ (CFMutableDictionaryRef)findDictionaryForCertHash(certHashStr);
+ if(certDict == NULL) {
+ /* create new dictionary */
+ certDict = CFDictionaryCreateMutable(NULL, kSecTrustRecordNumCertDictKeys,
+ &kCFCopyStringDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+ if(certDict == NULL) {
+ MacOSError::throwMe(errSecAllocate);
+ }
+ CFDictionaryAddValue(certDict, kTrustRecordIssuer, issuer);
+ CFDictionaryAddValue(certDict, kTrustRecordSerialNumber, serial);
+ if(CFArrayGetCount(trustSettings) != 0) {
+ /* skip this if the settings array is empty */
+ CFDictionaryAddValue(certDict, kTrustRecordTrustSettings, trustSettings);
+ }
+ tsSetModDate(certDict);
+
+ /* add this new cert dictionary to top-level mTrustDict */
+ CFDictionaryAddValue(mTrustDict, static_cast<CFStringRef>(certHashStr), certDict);
+
+ /* mTrustDict owns the dictionary now */
+ CFRelease(certDict);
+ }
+ else {
+ /* update */
+ tsSetModDate(certDict);
+ if(CFArrayGetCount(trustSettings) != 0) {
+ CFDictionarySetValue(certDict, kTrustRecordTrustSettings, trustSettings);
+ }
+ else {
+ /* empty settings array: remove from dictionary */
+ CFDictionaryRemoveValue(certDict, kTrustRecordTrustSettings);
+ }
+ }
+ mDirty = true;
+}
+
+/*
+ * Delete a certificate's trust settings.
+ */
+void TrustSettings::deleteTrustSettings(
+ SecCertificateRef certRef)
+{
+ CFDictionaryRef certDict = NULL;
+
+ /* caller is responsible for ensuring these */
+ assert(mPropList != NULL);
+ assert(mDomain != kSecTrustSettingsDomainSystem);
+
+ /* SHA1 digest as string */
+ CFRef<CFStringRef> certHashStr(SecTrustSettingsCertHashStrFromCert(certRef));
+ if(!certHashStr) {
+ MacOSError::throwMe(errSecItemNotFound);
+ }
+
+ /* present in top-level mTrustDict? */
+ certDict = findDictionaryForCertHash(certHashStr);
+ if(certDict != NULL) {
+ CFDictionaryRemoveValue(mTrustDict, static_cast<CFStringRef>(certHashStr));
+ mDirty = true;
+ }
+ else {
+ /*
+ * Throwing this error is the only reason we don't blindly do
+ * a CFDictionaryRemoveValue() without first doing
+ * findDictionaryForCertHash().
+ */
+ trustSettingsDbg("TrustSettings::deleteRoot: cert dictionary not found");
+ MacOSError::throwMe(errSecItemNotFound);
+ }
+}
+
+#pragma mark --- Private methods ---
+
+/*
+ * Find a given cert's entry in the top-level mTrustDict. Return the
+ * entry as a dictionary. Returned dictionary is not refcounted.
+ * The mutability of the returned dictionary is the same as the mutability
+ * of the underlying StickRecord::mPropList, which the caller is just
+ * going to have to know (and cast accordingly if a mutable dictionary
+ * is needed).
+ */
+CFDictionaryRef TrustSettings::findDictionaryForCert(
+ SecCertificateRef certRef)
+{
+ CFRef<CFStringRef> certHashStr(SecTrustSettingsCertHashStrFromCert(certRef));
+ if (certHashStr.get() == NULL)
+ {
+ return NULL;
+ }
+
+ return findDictionaryForCertHash(static_cast<CFStringRef>(certHashStr));
+}
+
+/*
+ * Find entry in mTrustDict given cert hash string.
+ */
+CFDictionaryRef TrustSettings::findDictionaryForCertHash(
+ CFStringRef certHashStr)
+{
+ assert(mTrustDict != NULL);
+ return (CFDictionaryRef)CFDictionaryGetValue(mTrustDict, certHashStr);
+}
+
+/*
+ * Validate incoming trust settings, which may be NULL, a dictionary, or
+ * an array of dictionaries. Convert from the API-style dictionaries
+ * to the internal style suitable for writing to disk as part of
+ * mPropList.
+ *
+ * We return a refcounted CFArray in any case if the incoming parameter is good.
+ */
+CFArrayRef TrustSettings::validateApiTrustSettings(
+ CFTypeRef trustSettingsDictOrArray,
+ Boolean isSelfSigned)
+{
+ CFArrayRef tmpInArray = NULL;
+
+ if(trustSettingsDictOrArray == NULL) {
+#if SECTRUST_OSX
+#warning STU: temporarily unblocking build
+#else
+ /* trivial case, only valid for roots */
+ if(!isSelfSigned) {
+ trustSettingsDbg("validateApiUsageConstraints: !isSelfSigned, no settings");
+ MacOSError::throwMe(errSecParam);
+ }
+#endif
+ return CFArrayCreate(NULL, NULL, 0, &kCFTypeArrayCallBacks);
+ }
+ else if(CFGetTypeID(trustSettingsDictOrArray) == CFDictionaryGetTypeID()) {
+ /* array-ize it */
+ tmpInArray = CFArrayCreate(NULL, &trustSettingsDictOrArray, 1,
+ &kCFTypeArrayCallBacks);
+ }
+ else if(CFGetTypeID(trustSettingsDictOrArray) == CFArrayGetTypeID()) {
+ /* as is, refcount - we'll release later */
+ tmpInArray = (CFArrayRef)trustSettingsDictOrArray;
+ CFRetain(tmpInArray);
+ }
+ else {
+ trustSettingsDbg("validateApiUsageConstraints: bad trustSettingsDictOrArray");
+ MacOSError::throwMe(errSecParam);
+ }
+
+ CFIndex numSpecs = CFArrayGetCount(tmpInArray);
+ CFMutableArrayRef outArray = CFArrayCreateMutable(NULL, numSpecs, &kCFTypeArrayCallBacks);
+ CSSM_OID oid;
+ OSStatus ortn = errSecSuccess;
+ SecPolicyRef certPolicy;
+ SecTrustedApplicationRef certApp;
+
+ /* convert */
+ for(CFIndex dex=0; dex<numSpecs; dex++) {
+ CFDataRef oidData = NULL;
+ CFDataRef appData = NULL;
+ CFStringRef policyStr = NULL;
+ CFNumberRef allowedErr = NULL;
+ CFNumberRef resultType = NULL;
+ CFNumberRef keyUsage = NULL;
+ SInt32 resultNum;
+ SecTrustSettingsResult result;
+
+ /* each element is a dictionary */
+ CFDictionaryRef ucDict = (CFDictionaryRef)CFArrayGetValueAtIndex(tmpInArray, dex);
+ if(CFGetTypeID(ucDict) != CFDictionaryGetTypeID()) {
+ trustSettingsDbg("validateAppPolicyArray: malformed usageConstraint dictionary");
+ ortn = errSecParam;
+ break;
+ }
+
+ /* policy - optional */
+ certPolicy = (SecPolicyRef)CFDictionaryGetValue(ucDict, kSecTrustSettingsPolicy);
+ if(certPolicy != NULL) {
+ if(CFGetTypeID(certPolicy) != SecPolicyGetTypeID()) {
+ trustSettingsDbg("validateAppPolicyArray: malformed certPolicy");
+ ortn = errSecParam;
+ break;
+ }
+ ortn = SecPolicyGetOID(certPolicy, &oid);
+ if(ortn) {
+ trustSettingsDbg("validateAppPolicyArray: SecPolicyGetOID error");
+ break;
+ }
+ oidData = CFDataCreate(NULL, oid.Data, oid.Length);
+ }
+
+ /* application - optional */
+ certApp = (SecTrustedApplicationRef)CFDictionaryGetValue(ucDict, kSecTrustSettingsApplication);
+ if(certApp != NULL) {
+ if(CFGetTypeID(certApp) != SecTrustedApplicationGetTypeID()) {
+ trustSettingsDbg("validateAppPolicyArray: malformed certApp");
+ ortn = errSecParam;
+ break;
+ }
+ ortn = SecTrustedApplicationCopyExternalRepresentation(certApp, &appData);
+ if(ortn) {
+ trustSettingsDbg("validateAppPolicyArray: "
+ "SecTrustedApplicationCopyExternalRepresentation error");
+ break;
+ }
+ }
+
+ policyStr = (CFStringRef)CFDictionaryGetValue(ucDict, kSecTrustSettingsPolicyString);
+ if(policyStr != NULL) {
+ if(CFGetTypeID(policyStr) != CFStringGetTypeID()) {
+ trustSettingsDbg("validateAppPolicyArray: malformed policyStr");
+ ortn = errSecParam;
+ break;
+ }
+ }
+ allowedErr = (CFNumberRef)CFDictionaryGetValue(ucDict, kSecTrustSettingsAllowedError);
+ if(!tsIsGoodCfNum(allowedErr)) {
+ trustSettingsDbg("validateAppPolicyArray: malformed allowedErr");
+ ortn = errSecParam;
+ break;
+ }
+ resultType = (CFNumberRef)CFDictionaryGetValue(ucDict, kSecTrustSettingsResult);
+ if(!tsIsGoodCfNum(resultType, &resultNum)) {
+ trustSettingsDbg("validateAppPolicyArray: malformed resultType");
+ ortn = errSecParam;
+ break;
+ }
+ result = resultNum;
+ /* validate result later */
+
+ keyUsage = (CFNumberRef)CFDictionaryGetValue(ucDict, kSecTrustSettingsKeyUsage);
+ if(!tsIsGoodCfNum(keyUsage)) {
+ trustSettingsDbg("validateAppPolicyArray: malformed keyUsage");
+ ortn = errSecParam;
+ break;
+ }
+
+ if(!oidData && !appData && !policyStr &&
+ !allowedErr && !resultType && !keyUsage) {
+ /* nothing here - weird, but legal - skip it */
+ continue;
+ }
+
+ /* create dictionary for this usageConstraint */
+ CFMutableDictionaryRef outDict = CFDictionaryCreateMutable(NULL,
+ 2,
+ &kCFTypeDictionaryKeyCallBacks,
+ &kCFTypeDictionaryValueCallBacks);
+ if(oidData) {
+ CFDictionaryAddValue(outDict, kSecTrustSettingsPolicy, oidData);
+ CFRelease(oidData); // owned by dictionary
+ }
+ if(appData) {
+ CFDictionaryAddValue(outDict, kSecTrustSettingsApplication, appData);
+ CFRelease(appData); // owned by dictionary
+ }
+ if(policyStr) {
+ CFDictionaryAddValue(outDict, kSecTrustSettingsPolicyString, policyStr);
+ /* still owned by ucDict */
+ }
+ if(allowedErr) {
+ CFDictionaryAddValue(outDict, kSecTrustSettingsAllowedError, allowedErr);
+ }
+#if SECTRUST_OSX
+#warning STU: temporarily unblocking build
+ ortn = errSecSuccess;
+#else
+ if(resultType) {
+ /* let's be really picky on this one */
+ switch(result) {
+ case kSecTrustSettingsResultInvalid:
+ ortn = errSecParam;
+ break;
+ case kSecTrustSettingsResultTrustRoot:
+ if(!isSelfSigned) {
+ trustSettingsDbg("validateAppPolicyArray: TrustRoot, !isSelfSigned");
+ ortn = errSecParam;
+ }
+ break;
+ case kSecTrustSettingsResultTrustAsRoot:
+ if(isSelfSigned) {
+ trustSettingsDbg("validateAppPolicyArray: TrustAsRoot, isSelfSigned");
+ ortn = errSecParam;
+ }
+ break;
+ case kSecTrustSettingsResultDeny:
+ case kSecTrustSettingsResultUnspecified:
+ break;
+ default:
+ trustSettingsDbg("validateAppPolicyArray: bogus resultType");
+ ortn = errSecParam;
+ break;
+ }
+ if(ortn) {
+ break;
+ }
+ CFDictionaryAddValue(outDict, kSecTrustSettingsResult, resultType);
+ }
+ else {
+ /* no resultType; default of TrustRoot only valid for root */
+ if(!isSelfSigned) {
+ trustSettingsDbg("validateAppPolicyArray: default result, !isSelfSigned");
+ ortn = errSecParam;
+ break;
+ }
+ }
+#endif
+ if(keyUsage) {
+ CFDictionaryAddValue(outDict, kSecTrustSettingsKeyUsage, keyUsage);
+ }
+
+ /* append dictionary to output */
+ CFArrayAppendValue(outArray, outDict);
+ /* array owns the dictionary now */
+ CFRelease(outDict);
+
+ } /* for each usage constraint dictionary */
+
+ CFRelease(tmpInArray);
+ if(ortn) {
+ CFRelease(outArray);
+ MacOSError::throwMe(ortn);
+ }
+ return outArray;
+}
+
+/*
+ * Validate an trust settings array obtained from disk.
+ * Returns true if OK, else returns false.
+ */
+bool TrustSettings::validateTrustSettingsArray(
+ CFArrayRef trustSettings)
+{
+ CFIndex numSpecs = CFArrayGetCount(trustSettings);
+ for(CFIndex dex=0; dex<numSpecs; dex++) {
+ CFDictionaryRef ucDict = (CFDictionaryRef)CFArrayGetValueAtIndex(trustSettings,
+ dex);
+ if(CFGetTypeID(ucDict) != CFDictionaryGetTypeID()) {
+ trustSettingsDbg("validateAppPolicyArray: malformed app/policy dictionary");
+ return false;
+ }
+ CFDataRef certPolicy = (CFDataRef)CFDictionaryGetValue(ucDict, kSecTrustSettingsPolicy);
+ if((certPolicy != NULL) && (CFGetTypeID(certPolicy) != CFDataGetTypeID())) {
+ trustSettingsDbg("validateAppPolicyArray: malformed certPolicy");
+ return false;
+ }
+ CFDataRef certApp = (CFDataRef)CFDictionaryGetValue(ucDict, kSecTrustSettingsApplication);
+ if((certApp != NULL) && (CFGetTypeID(certApp) != CFDataGetTypeID())) {
+ trustSettingsDbg("validateAppPolicyArray: malformed certApp");
+ return false;
+ }
+ CFStringRef policyStr = (CFStringRef)CFDictionaryGetValue(ucDict, kSecTrustSettingsPolicyString);
+ if((policyStr != NULL) && (CFGetTypeID(policyStr) != CFStringGetTypeID())) {
+ trustSettingsDbg("validateAppPolicyArray: malformed policyStr");
+ return false;
+ }
+ CFNumberRef cfNum = (CFNumberRef)CFDictionaryGetValue(ucDict, kSecTrustSettingsAllowedError);
+ if(!tsIsGoodCfNum(cfNum)) {
+ trustSettingsDbg("validateAppPolicyArray: malformed allowedErr");
+ return false;
+ }
+ cfNum = (CFNumberRef)CFDictionaryGetValue(ucDict, kSecTrustSettingsResult);
+ if(!tsIsGoodCfNum(cfNum)) {
+ trustSettingsDbg("validateAppPolicyArray: malformed resultType");
+ return false;
+ }
+ cfNum = (CFNumberRef)CFDictionaryGetValue(ucDict, kSecTrustSettingsKeyUsage);
+ if(!tsIsGoodCfNum(cfNum)) {
+ trustSettingsDbg("validateAppPolicyArray: malformed keyUsage");
+ return false;
+ }
+ } /* for each usageConstraint dictionary */
+ return true;
+}
+
+/*
+ * Validate mPropList after it's read from disk or supplied as an external
+ * representation. Allows subsequent use of mTrustDict to proceed with
+ * relative impunity.
+ */
+void TrustSettings::validatePropList(bool trim)
+{
+ /* top level dictionary */
+ if(!mPropList) {
+ trustSettingsDbg("TrustSettings::validatePropList missing mPropList");
+ abort("missing propList", errSecInvalidTrustedRootRecord);
+ }
+
+ if(CFGetTypeID(mPropList) != CFDictionaryGetTypeID()) {
+ trustSettingsDbg("TrustSettings::validatePropList: malformed mPropList");
+ abort("malformed propList", errSecInvalidTrustedRootRecord);
+ }
+
+ /* That dictionary has two entries */
+ CFNumberRef cfVers = (CFNumberRef)CFDictionaryGetValue(mPropList, kTrustRecordVersion);
+ if((cfVers == NULL) || (CFGetTypeID(cfVers) != CFNumberGetTypeID())) {
+ trustSettingsDbg("TrustSettings::validatePropList: malformed version");
+ abort("malformed version", errSecInvalidTrustedRootRecord);
+ }
+ if(!CFNumberGetValue(cfVers, kCFNumberSInt32Type, &mDictVersion)) {
+ trustSettingsDbg("TrustSettings::validatePropList: malformed version");
+ abort("malformed version", errSecInvalidTrustedRootRecord);
+ }
+ if((mDictVersion > kSecTrustRecordVersionCurrent) ||
+ (mDictVersion == kSecTrustRecordVersionInvalid)) {
+ trustSettingsDbg("TrustSettings::validatePropList: incompatible version");
+ abort("incompatible version", errSecInvalidTrustedRootRecord);
+ }
+ /* other backwards-compatibility handling done later, if needed, per mDictVersion */
+
+ mTrustDict = (CFMutableDictionaryRef)CFDictionaryGetValue(mPropList, kTrustRecordTrustList);
+ if(mTrustDict != NULL) {
+ CFRetain(mTrustDict);
+ }
+ if((mTrustDict == NULL) || (CFGetTypeID(mTrustDict) != CFDictionaryGetTypeID())) {
+ trustSettingsDbg("TrustSettings::validatePropList: malformed mTrustDict");
+ abort("malformed TrustArray", errSecInvalidTrustedRootRecord);
+ }
+
+ /* grind through the per-cert entries */
+ CFIndex numCerts = CFDictionaryGetCount(mTrustDict);
+ const void *dictKeys[numCerts];
+ const void *dictValues[numCerts];
+ CFDictionaryGetKeysAndValues(mTrustDict, dictKeys, dictValues);
+
+ for(CFIndex dex=0; dex<numCerts; dex++) {
+ /* get per-cert dictionary */
+ CFMutableDictionaryRef certDict = (CFMutableDictionaryRef)dictValues[dex];
+ if((certDict == NULL) || (CFGetTypeID(certDict) != CFDictionaryGetTypeID())) {
+ trustSettingsDbg("TrustSettings::validatePropList: malformed certDict");
+ abort("malformed certDict", errSecInvalidTrustedRootRecord);
+ }
+
+ /*
+ * That dictionary has exactly four entries.
+ * If we're trimming, all we need is the actual trust settings.
+ */
+
+ /* issuer */
+ CFDataRef cfd = (CFDataRef)CFDictionaryGetValue(certDict, kTrustRecordIssuer);
+ if(cfd == NULL) {
+ trustSettingsDbg("TrustSettings::validatePropList: missing issuer");
+ abort("missing issuer", errSecInvalidTrustedRootRecord);
+ }
+ if(CFGetTypeID(cfd) != CFDataGetTypeID()) {
+ trustSettingsDbg("TrustSettings::validatePropList: malformed issuer");
+ abort("malformed issuer", errSecInvalidTrustedRootRecord);
+ }
+ if(trim) {
+ CFDictionaryRemoveValue(certDict, kTrustRecordIssuer);
+ }
+
+ /* serial number */
+ cfd = (CFDataRef)CFDictionaryGetValue(certDict, kTrustRecordSerialNumber);
+ if(cfd == NULL) {
+ trustSettingsDbg("TrustSettings::validatePropList: missing serial number");
+ abort("missing serial number", errSecInvalidTrustedRootRecord);
+ }
+ if(CFGetTypeID(cfd) != CFDataGetTypeID()) {
+ trustSettingsDbg("TrustSettings::validatePropList: malformed serial number");
+ abort("malformed serial number", errSecInvalidTrustedRootRecord);
+ }
+ if(trim) {
+ CFDictionaryRemoveValue(certDict, kTrustRecordSerialNumber);
+ }
+
+ /* modification date */
+ CFDateRef modDate = (CFDateRef)CFDictionaryGetValue(certDict, kTrustRecordModDate);
+ if(modDate == NULL) {
+ trustSettingsDbg("TrustSettings::validatePropList: missing modDate");
+ abort("missing modDate", errSecInvalidTrustedRootRecord);
+ }
+ if(CFGetTypeID(modDate) != CFDateGetTypeID()) {
+ trustSettingsDbg("TrustSettings::validatePropList: malformed modDate");
+ abort("malformed modDate", errSecInvalidTrustedRootRecord);
+ }
+ if(trim) {
+ CFDictionaryRemoveValue(certDict, kTrustRecordModDate);
+ }
+
+ /* the actual trust settings */
+ CFArrayRef trustSettings = (CFArrayRef)CFDictionaryGetValue(certDict,
+ kTrustRecordTrustSettings);
+ if(trustSettings == NULL) {
+ /* optional; this cert's entry is good */
+ continue;
+ }
+ if(CFGetTypeID(trustSettings) != CFArrayGetTypeID()) {
+ trustSettingsDbg("TrustSettings::validatePropList: malformed useConstraint"
+ "array");
+ abort("malformed useConstraint array", errSecInvalidTrustedRootRecord);
+ }
+
+ /* Now validate the usageConstraint array contents */
+ if(!validateTrustSettingsArray(trustSettings)) {
+ abort("malformed useConstraint array", errSecInvalidTrustedRootRecord);
+ }
+ } /* for each cert dictionary in top-level array */
+
+ if(trim) {
+ /* we don't need the top-level dictionary any more */
+ CFRelease(mPropList);
+ mPropList = NULL;
+ }
+}
+
+/*
+ * Obtain non-normalized issuer and serial number for specified cert, both
+ * returned as CFDataRefs owned by caller.
+ */
+void TrustSettings::copyIssuerAndSerial(
+ SecCertificateRef certRef,
+ CFDataRef *issuer, /* optional, RETURNED */
+ CFDataRef *serial) /* RETURNED */
+{
+#if SECTRUST_OSX
+ CFRef<SecCertificateRef> certificate = SecCertificateCreateItemImplInstance(certRef);
+#else
+ CFRef<SecCertificateRef> certificate = (SecCertificateRef) ((certRef) ? CFRetain(certRef) : NULL);
+#endif
+
+ SecPointer<Certificate> cert = Certificate::required(certificate);
+ CSSM_DATA_PTR fieldVal;
+
+ if(issuer != NULL) {
+ fieldVal = cert->copyFirstFieldValue(CSSMOID_X509V1IssuerNameStd);
+ *issuer = CFDataCreate(NULL, fieldVal->Data, fieldVal->Length);
+ cert->releaseFieldValue(CSSMOID_X509V1IssuerNameStd, fieldVal);
+ }
+
+ fieldVal = cert->copyFirstFieldValue(CSSMOID_X509V1SerialNumber);
+ *serial = CFDataCreate(NULL, fieldVal->Data, fieldVal->Length);
+ cert->releaseFieldValue(CSSMOID_X509V1SerialNumber, fieldVal);
+}
+
+void TrustSettings::abort(
+ const char *why,
+ OSStatus err)
+{
+ Syslog::error("TrustSettings: %s", why);
+ MacOSError::throwMe(err);
+}
+
projects / apple / security.git / blobdiff