--- /dev/null
+/*
+ * Copyright (c) 2002-2008,2011-2012 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ *
+ * IdentityCursor.cpp -- Working with IdentityCursor
+ */
+
+#include <security_keychain/IdentityCursor.h>
+#include <security_keychain/Identity.h>
+#include <security_keychain/Trust.h>
+#include <security_keychain/Item.h>
+#include <security_keychain/Certificate.h>
+#include <security_keychain/KeyItem.h>
+#include <security_keychain/Globals.h>
+#include <security_cdsa_utilities/Schema.h>
+#include <security_cdsa_utilities/KeySchema.h>
+#include <Security/oidsalg.h>
+#include <Security/SecKeychainItemPriv.h>
+#include <security_utilities/simpleprefs.h>
+#include <sys/param.h>
+
+using namespace KeychainCore;
+
+IdentityCursorPolicyAndID::IdentityCursorPolicyAndID(const StorageManager::KeychainList &searchList, CSSM_KEYUSE keyUsage, CFStringRef idString, SecPolicyRef policy, bool returnOnlyValidIdentities) :
+ IdentityCursor(searchList, keyUsage),
+ mPolicy(policy),
+ mIDString(idString),
+ mReturnOnlyValidIdentities(returnOnlyValidIdentities),
+ mPreferredIdentityChecked(false),
+ mPreferredIdentity(nil)
+{
+ if (mPolicy)
+ CFRetain(mPolicy);
+
+ if (mIDString)
+ CFRetain(mIDString);
+}
+
+IdentityCursorPolicyAndID::~IdentityCursorPolicyAndID() throw()
+{
+ if (mPolicy)
+ CFRelease(mPolicy);
+
+ if (mIDString)
+ CFRelease(mIDString);
+}
+
+void
+IdentityCursorPolicyAndID::findPreferredIdentity()
+{
+ char idUTF8[MAXPATHLEN];
+ if (!mIDString || !CFStringGetCString(mIDString, idUTF8, sizeof(idUTF8)-1, kCFStringEncodingUTF8))
+ idUTF8[0] = (char)'\0';
+ uint32_t iprfValue = 'iprf'; // value is specified in host byte order, since kSecTypeItemAttr has type uint32 in the db schema
+ SecKeychainAttribute sAttrs[] = {
+ { kSecTypeItemAttr, sizeof(uint32_t), &iprfValue },
+ { kSecServiceItemAttr, (UInt32)strlen(idUTF8), (char *)idUTF8 }
+ };
+ SecKeychainAttributeList sAttrList = { sizeof(sAttrs) / sizeof(sAttrs[0]), sAttrs };
+
+// StorageManager::KeychainList keychains;
+// globals().storageManager.optionalSearchList((CFTypeRef)nil, keychains);
+
+ Item item;
+ KCCursor cursor(mSearchList /*keychains*/, kSecGenericPasswordItemClass, &sAttrList);
+ if (!cursor->next(item))
+ return;
+
+ // get persistent certificate reference
+ SecKeychainAttribute itemAttrs[] = { { kSecGenericItemAttr, 0, NULL } };
+ SecKeychainAttributeList itemAttrList = { sizeof(itemAttrs) / sizeof(itemAttrs[0]), itemAttrs };
+ item->getContent(NULL, &itemAttrList, NULL, NULL);
+
+ // find certificate, given persistent reference data
+ CFDataRef pItemRef = CFDataCreateWithBytesNoCopy(NULL, (const UInt8 *)itemAttrs[0].data, itemAttrs[0].length, kCFAllocatorNull);
+ SecKeychainItemRef certItemRef = nil;
+ OSStatus status = SecKeychainItemCopyFromPersistentReference(pItemRef, &certItemRef);
+ if (pItemRef)
+ CFRelease(pItemRef);
+ item->freeContent(&itemAttrList, NULL);
+ if (status || !certItemRef)
+ return;
+
+ // create identity reference, given certificate
+ Item certItem = ItemImpl::required(SecKeychainItemRef(certItemRef));
+ SecPointer<Certificate> certificate(static_cast<Certificate *>(certItem.get()));
+ SecPointer<Identity> identity(new Identity(mSearchList /*keychains*/, certificate));
+
+ mPreferredIdentity = identity;
+
+ if (certItemRef)
+ CFRelease(certItemRef);
+}
+
+bool
+IdentityCursorPolicyAndID::next(SecPointer<Identity> &identity)
+{
+ SecPointer<Identity> currIdentity;
+ Boolean identityOK = true;
+
+ if (!mPreferredIdentityChecked)
+ {
+ try
+ {
+ findPreferredIdentity();
+ }
+ catch(...) {}
+ mPreferredIdentityChecked = true;
+ if (mPreferredIdentity)
+ {
+ identity = mPreferredIdentity;
+ return true;
+ }
+ }
+
+ for (;;)
+ {
+ bool result = IdentityCursor::next(currIdentity); // base class finds the next identity by keyUsage
+ if ( result )
+ {
+ if (mPreferredIdentity && (currIdentity == mPreferredIdentity))
+ {
+ identityOK = false; // we already returned this one, move on to the next
+ continue;
+ }
+
+ // If there was no policy specified, we're done.
+ if ( !mPolicy )
+ {
+ identityOK = true; // return this identity
+ break;
+ }
+
+ // To reduce the number of (potentially expensive) trust evaluations performed, we need
+ // to do some pre-processing to filter out certs that don't match the search criteria.
+ // Rather than try to duplicate the TP's policy logic here, we'll just call the TP with
+ // a single-element certificate array, no anchors, and no keychains to search.
+
+ SecPointer<Certificate> certificate = currIdentity->certificate();
+ CFRef<SecCertificateRef> certRef(certificate->handle());
+ CFRef<CFMutableArrayRef> anchorsArray(CFArrayCreateMutable(NULL, 1, NULL));
+ CFRef<CFMutableArrayRef> certArray(CFArrayCreateMutable(NULL, 1, NULL));
+ if ( !certArray || !anchorsArray )
+ {
+ identityOK = false; // skip this and move on to the next one
+ continue;
+ }
+ CFArrayAppendValue(certArray, certRef);
+
+ SecPointer<Trust> trustLite = new Trust(certArray, mPolicy);
+ StorageManager::KeychainList emptyList;
+ // Set the anchors and keychain search list to be empty
+ trustLite->anchors(anchorsArray);
+ trustLite->searchLibs(emptyList);
+ trustLite->evaluate();
+ SecTrustResultType trustResult = trustLite->result();
+
+ if (trustResult == kSecTrustResultRecoverableTrustFailure ||
+ trustResult == kSecTrustResultFatalTrustFailure)
+ {
+ CFArrayRef certChain = NULL;
+ CSSM_TP_APPLE_EVIDENCE_INFO *statusChain = NULL, *evInfo = NULL;
+ trustLite->buildEvidence(certChain, TPEvidenceInfo::overlayVar(statusChain));
+ if (statusChain)
+ evInfo = &statusChain[0];
+ if (!evInfo || evInfo->NumStatusCodes > 0) // per-cert codes means we can't use this cert for this policy
+ trustResult = kSecTrustResultInvalid; // handled below
+ if (certChain)
+ CFRelease(certChain);
+ }
+ if (trustResult == kSecTrustResultInvalid)
+ {
+ identityOK = false; // move on to the next one
+ continue;
+ }
+
+ // If trust evaluation isn't requested, we're done.
+ if ( !mReturnOnlyValidIdentities )
+ {
+ identityOK = true; // return this identity
+ break;
+ }
+
+ // Perform a full trust evaluation on the certificate with the specified policy.
+ SecPointer<Trust> trust = new Trust(certArray, mPolicy);
+ trust->evaluate();
+ trustResult = trust->result();
+
+ if (trustResult == kSecTrustResultInvalid ||
+ trustResult == kSecTrustResultRecoverableTrustFailure ||
+ trustResult == kSecTrustResultFatalTrustFailure)
+ {
+ identityOK = false; // move on to the next one
+ continue;
+ }
+
+ identityOK = true; // this one was OK; return it.
+ break;
+ }
+ else
+ {
+ identityOK = false; // no more left.
+ break;
+ }
+ } // for(;;)
+
+ if ( identityOK )
+ {
+ identity = currIdentity; // caller will release the identity
+ return true;
+ }
+ else
+ {
+ return false;
+ }
+}
+
+
+IdentityCursor::IdentityCursor(const StorageManager::KeychainList &searchList, CSSM_KEYUSE keyUsage) :
+ mSearchList(searchList),
+ mKeyCursor(mSearchList, CSSM_DL_DB_RECORD_PRIVATE_KEY, NULL),
+ mMutex(Mutex::recursive)
+{
+ StLock<Mutex>_(mMutex);
+
+ // If keyUsage is CSSM_KEYUSE_ANY then we need a key that can do everything
+ if (keyUsage & CSSM_KEYUSE_ANY)
+ keyUsage = CSSM_KEYUSE_ENCRYPT | CSSM_KEYUSE_DECRYPT
+ | CSSM_KEYUSE_DERIVE | CSSM_KEYUSE_SIGN
+ | CSSM_KEYUSE_VERIFY | CSSM_KEYUSE_SIGN_RECOVER
+ | CSSM_KEYUSE_VERIFY_RECOVER | CSSM_KEYUSE_WRAP
+ | CSSM_KEYUSE_UNWRAP;
+
+ if (keyUsage & CSSM_KEYUSE_ENCRYPT)
+ mKeyCursor->add(CSSM_DB_EQUAL, KeySchema::Encrypt, true);
+ if (keyUsage & CSSM_KEYUSE_DECRYPT)
+ mKeyCursor->add(CSSM_DB_EQUAL, KeySchema::Decrypt, true);
+ if (keyUsage & CSSM_KEYUSE_DERIVE)
+ mKeyCursor->add(CSSM_DB_EQUAL, KeySchema::Derive, true);
+ if (keyUsage & CSSM_KEYUSE_SIGN)
+ mKeyCursor->add(CSSM_DB_EQUAL, KeySchema::Sign, true);
+ if (keyUsage & CSSM_KEYUSE_VERIFY)
+ mKeyCursor->add(CSSM_DB_EQUAL, KeySchema::Verify, true);
+ if (keyUsage & CSSM_KEYUSE_SIGN_RECOVER)
+ mKeyCursor->add(CSSM_DB_EQUAL, KeySchema::SignRecover, true);
+ if (keyUsage & CSSM_KEYUSE_VERIFY_RECOVER)
+ mKeyCursor->add(CSSM_DB_EQUAL, KeySchema::VerifyRecover, true);
+ if (keyUsage & CSSM_KEYUSE_WRAP)
+ mKeyCursor->add(CSSM_DB_EQUAL, KeySchema::Wrap, true);
+ if (keyUsage & CSSM_KEYUSE_UNWRAP)
+ mKeyCursor->add(CSSM_DB_EQUAL, KeySchema::Unwrap, true);
+}
+
+IdentityCursor::~IdentityCursor() throw()
+{
+}
+
+CFDataRef
+IdentityCursor::pubKeyHashForSystemIdentity(CFStringRef domain)
+{
+ StLock<Mutex>_(mMutex);
+
+ CFDataRef entryValue = nil;
+ auto_ptr<Dictionary> identDict;
+ Dictionary* d = Dictionary::CreateDictionary("com.apple.security.systemidentities", Dictionary::US_System);
+ if (d)
+ {
+ identDict.reset(d);
+ entryValue = identDict->getDataValue(domain);
+ if (entryValue == nil) {
+ /* try for default entry if we're not already looking for default */
+ if(!CFEqual(domain, kSecIdentityDomainDefault)) {
+ entryValue = identDict->getDataValue(kSecIdentityDomainDefault);
+ }
+ }
+ }
+
+ if (entryValue) {
+ CFRetain(entryValue);
+ }
+ return entryValue;
+}
+
+bool
+IdentityCursor::next(SecPointer<Identity> &identity)
+{
+ StLock<Mutex>_(mMutex);
+
+ for (;;)
+ {
+ if (!mCertificateCursor)
+ {
+ Item key;
+ if (!mKeyCursor->next(key))
+ return false;
+
+ mCurrentKey = static_cast<KeyItem *>(key.get());
+
+ CssmClient::DbUniqueRecord uniqueId = mCurrentKey->dbUniqueRecord();
+ CssmClient::DbAttributes dbAttributes(uniqueId->database(), 1);
+ dbAttributes.add(KeySchema::Label);
+ uniqueId->get(&dbAttributes, NULL);
+ const CssmData &keyHash = dbAttributes[0];
+
+ mCertificateCursor = KCCursor(mSearchList, CSSM_DL_DB_RECORD_X509_CERTIFICATE, NULL);
+ mCertificateCursor->add(CSSM_DB_EQUAL, Schema::kX509CertificatePublicKeyHash, keyHash);
+
+ // if we have entries for the system identities, exclude their public key hashes in the search
+ CFDataRef systemDefaultCertPubKeyHash = pubKeyHashForSystemIdentity(kSecIdentityDomainDefault);
+ if (systemDefaultCertPubKeyHash) {
+ CssmData pkHash((void *)CFDataGetBytePtr(systemDefaultCertPubKeyHash), CFDataGetLength(systemDefaultCertPubKeyHash));
+ mCertificateCursor->add(CSSM_DB_NOT_EQUAL, Schema::kX509CertificatePublicKeyHash, pkHash);
+ CFRelease(systemDefaultCertPubKeyHash);
+ }
+ CFDataRef kerbKDCCertPubKeyHash = pubKeyHashForSystemIdentity(kSecIdentityDomainKerberosKDC);
+ if (kerbKDCCertPubKeyHash) {
+ CssmData pkHash((void *)CFDataGetBytePtr(kerbKDCCertPubKeyHash), CFDataGetLength(kerbKDCCertPubKeyHash));
+ mCertificateCursor->add(CSSM_DB_NOT_EQUAL, Schema::kX509CertificatePublicKeyHash, pkHash);
+ CFRelease(kerbKDCCertPubKeyHash);
+ }
+ }
+
+ Item cert;
+ if (mCertificateCursor->next(cert))
+ {
+ SecPointer<Certificate> certificate(static_cast<Certificate *>(cert.get()));
+ identity = new Identity(mCurrentKey, certificate);
+ return true;
+ }
+ else
+ mCertificateCursor = KCCursor();
+ }
+}
projects / apple / security.git / blobdiff