+++ /dev/null
-/*
- * Copyright (c) 2002-2004,2011-2014 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-#include <SecBase.h>
-#include <Security/SecAccess.h>
-#include <Security/SecAccessPriv.h>
-#include <Security/SecTrustedApplication.h>
-#include <Security/SecTrustedApplicationPriv.h>
-#include <security_keychain/Access.h>
-#include "SecBridge.h"
-#include <sys/param.h>
-
-#undef secdebug
-#include <utilities/SecCFWrappers.h>
-
-
-/* No restrictions. Permission to perform all operations on
- the resource or available to an ACL owner. */
-
-
-CFTypeRef kSecACLAuthorizationAny = (CFTypeRef)(CFSTR("ACLAuthorizationAny"));
-
-CFTypeRef kSecACLAuthorizationLogin = (CFTypeRef)(CFSTR("ACLAuthorizationLogin"));
-CFTypeRef kSecACLAuthorizationGenKey = (CFTypeRef)(CFSTR("ACLAuthorizationGenKey"));
-CFTypeRef kSecACLAuthorizationDelete = (CFTypeRef)(CFSTR("ACLAuthorizationDelete"));
-CFTypeRef kSecACLAuthorizationExportWrapped = (CFTypeRef)(CFSTR("ACLAuthorizationExportWrapped"));
-CFTypeRef kSecACLAuthorizationExportClear = (CFTypeRef)(CFSTR("ACLAuthorizationExportClear"));
-CFTypeRef kSecACLAuthorizationImportWrapped = (CFTypeRef)(CFSTR("ACLAuthorizationImportWrapped"));
-CFTypeRef kSecACLAuthorizationImportClear = (CFTypeRef)(CFSTR("ACLAuthorizationImportClear"));
-CFTypeRef kSecACLAuthorizationSign = (CFTypeRef)(CFSTR("ACLAuthorizationSign"));
-CFTypeRef kSecACLAuthorizationEncrypt = (CFTypeRef)(CFSTR("ACLAuthorizationEncrypt"));
-CFTypeRef kSecACLAuthorizationDecrypt = (CFTypeRef)(CFSTR("ACLAuthorizationDecrypt"));
-CFTypeRef kSecACLAuthorizationMAC = (CFTypeRef)(CFSTR("ACLAuthorizationMAC"));
-CFTypeRef kSecACLAuthorizationDerive = (CFTypeRef)(CFSTR("ACLAuthorizationDerive"));
-
-/* Defined authorization tag values for Keychain */
-
-
-
-CFTypeRef kSecACLAuthorizationKeychainCreate = (CFTypeRef)(CFSTR("ACLAuthorizationKeychainCreate"));
-CFTypeRef kSecACLAuthorizationKeychainDelete = (CFTypeRef)(CFSTR("ACLAuthorizationKeychainDelete"));
-CFTypeRef kSecACLAuthorizationKeychainItemRead = (CFTypeRef)(CFSTR("ACLAuthorizationKeychainItemRead"));
-CFTypeRef kSecACLAuthorizationKeychainItemInsert = (CFTypeRef)(CFSTR("ACLAuthorizationKeychainItemInsert"));
-CFTypeRef kSecACLAuthorizationKeychainItemModify = (CFTypeRef)(CFSTR("ACLAuthorizationKeychainItemModify"));
-CFTypeRef kSecACLAuthorizationKeychainItemDelete = (CFTypeRef)(CFSTR("ACLAuthorizationKeychainItemDelete"));
-
-CFTypeRef kSecACLAuthorizationChangeACL = (CFTypeRef)(CFSTR("ACLAuthorizationChangeACL"));
-CFTypeRef kSecACLAuthorizationChangeOwner = (CFTypeRef)(CFSTR("ACLAuthorizationChangeOwner"));
-
-
-static CFArrayRef copyTrustedAppListFromBundle(CFStringRef bundlePath, CFStringRef trustedAppListFileName);
-
-static CFStringRef gKeys[] =
-{
- (CFStringRef)kSecACLAuthorizationAny,
- (CFStringRef)kSecACLAuthorizationLogin,
- (CFStringRef)kSecACLAuthorizationGenKey,
- (CFStringRef)kSecACLAuthorizationDelete,
- (CFStringRef)kSecACLAuthorizationExportWrapped,
- (CFStringRef)kSecACLAuthorizationExportClear,
- (CFStringRef)kSecACLAuthorizationImportWrapped,
- (CFStringRef)kSecACLAuthorizationImportClear,
- (CFStringRef)kSecACLAuthorizationSign,
- (CFStringRef)kSecACLAuthorizationEncrypt,
- (CFStringRef)kSecACLAuthorizationDecrypt,
- (CFStringRef)kSecACLAuthorizationMAC,
- (CFStringRef)kSecACLAuthorizationDerive,
-
- /* Defined authorization tag values for Keychain */
- (CFStringRef)kSecACLAuthorizationKeychainCreate,
- (CFStringRef)kSecACLAuthorizationKeychainDelete,
- (CFStringRef)kSecACLAuthorizationKeychainItemRead,
- (CFStringRef)kSecACLAuthorizationKeychainItemInsert,
- (CFStringRef)kSecACLAuthorizationKeychainItemModify,
- (CFStringRef)kSecACLAuthorizationKeychainItemDelete,
-
- (CFStringRef)kSecACLAuthorizationChangeACL,
- (CFStringRef)kSecACLAuthorizationChangeOwner
-
-};
-
-static sint32 gValues[] =
-{
- CSSM_ACL_AUTHORIZATION_ANY,
- CSSM_ACL_AUTHORIZATION_LOGIN,
- CSSM_ACL_AUTHORIZATION_GENKEY,
- CSSM_ACL_AUTHORIZATION_DELETE,
- CSSM_ACL_AUTHORIZATION_EXPORT_WRAPPED,
- CSSM_ACL_AUTHORIZATION_EXPORT_CLEAR,
- CSSM_ACL_AUTHORIZATION_IMPORT_WRAPPED,
- CSSM_ACL_AUTHORIZATION_IMPORT_CLEAR,
- CSSM_ACL_AUTHORIZATION_SIGN,
- CSSM_ACL_AUTHORIZATION_ENCRYPT,
- CSSM_ACL_AUTHORIZATION_DECRYPT,
- CSSM_ACL_AUTHORIZATION_MAC,
- CSSM_ACL_AUTHORIZATION_DERIVE,
- CSSM_ACL_AUTHORIZATION_DBS_CREATE,
- CSSM_ACL_AUTHORIZATION_DBS_DELETE,
- CSSM_ACL_AUTHORIZATION_DB_READ,
- CSSM_ACL_AUTHORIZATION_DB_INSERT,
- CSSM_ACL_AUTHORIZATION_DB_MODIFY,
- CSSM_ACL_AUTHORIZATION_DB_DELETE,
- CSSM_ACL_AUTHORIZATION_CHANGE_ACL,
- CSSM_ACL_AUTHORIZATION_CHANGE_OWNER
-};
-
-static
-CFDictionaryRef CreateStringToNumDictionary()
-{
- int numItems = (sizeof(gValues) / sizeof(sint32));
- CFMutableDictionaryRef tempDict = CFDictionaryCreateMutable(kCFAllocatorDefault, numItems, &kCFCopyStringDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
-
- for (int iCnt = 0; iCnt < numItems; iCnt++)
- {
- sint32 aNumber = gValues[iCnt];
- CFNumberRef aNum = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &aNumber);
-
- CFStringRef aString = gKeys[iCnt];
- CFDictionaryAddValue(tempDict, aString, aNum);
- CFRelease(aNum);
- }
-
- CFDictionaryRef result = CFDictionaryCreateCopy(kCFAllocatorDefault, tempDict);
- CFRelease(tempDict);
- return result;
-
-}
-
-static
-CFDictionaryRef CreateNumToStringDictionary()
-{
- int numItems = (sizeof(gValues) / sizeof(sint32));
-
- CFMutableDictionaryRef tempDict = CFDictionaryCreateMutable(kCFAllocatorDefault, numItems, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
-
- for (int iCnt = 0; iCnt < numItems; iCnt++)
- {
- sint32 aNumber = gValues[iCnt];
- CFNumberRef aNum = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &aNumber);
-
- CFStringRef aString = gKeys[iCnt];
- CFDictionaryAddValue(tempDict, aNum, aString);
- CFRelease(aNum);
-
- }
-
- CFDictionaryRef result = CFDictionaryCreateCopy(kCFAllocatorDefault, tempDict);
- CFRelease(tempDict);
- return result;
-}
-
-
-/* TODO: This should be in some header */
-sint32 GetACLAuthorizationTagFromString(CFStringRef aclStr);
-sint32 GetACLAuthorizationTagFromString(CFStringRef aclStr)
-{
- if (NULL == aclStr)
- {
-#ifndef NDEBUG
- CFShow(CFSTR("GetACLAuthorizationTagFromString aclStr is NULL"));
-#endif
- return 0;
- }
-
- static CFDictionaryRef gACLMapping = NULL;
-
- if (NULL == gACLMapping)
- {
- gACLMapping = CreateStringToNumDictionary();
- }
-
- sint32 result = 0;
- CFNumberRef valueResult = (CFNumberRef)CFDictionaryGetValue(gACLMapping, aclStr);
- if (NULL != valueResult)
- {
- if (!CFNumberGetValue(valueResult, kCFNumberSInt32Type, &result))
- {
- return 0;
- }
-
- }
- else
- {
- return 0;
- }
-
- return result;
-
-}
-
-/* TODO: This should be in some header */
-CFStringRef GetAuthStringFromACLAuthorizationTag(sint32 tag);
-CFStringRef GetAuthStringFromACLAuthorizationTag(sint32 tag)
-{
- static CFDictionaryRef gTagMapping = NULL;
- CFNumberRef aNum = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &tag);
-
- if (NULL == gTagMapping)
- {
- gTagMapping = CreateNumToStringDictionary();
- }
-
- CFStringRef result = (CFStringRef)kSecACLAuthorizationAny;
-
- if (NULL != gTagMapping && CFDictionaryContainsKey(gTagMapping, aNum))
- {
- result = (CFStringRef)CFDictionaryGetValue(gTagMapping, aNum);
- }
- return result;
-}
-
-//
-// CF boilerplate
-//
-CFTypeID SecAccessGetTypeID(void)
-{
- BEGIN_SECAPI
- return gTypes().Access.typeID;
- END_SECAPI1(_kCFRuntimeNotATypeID)
-}
-
-
-//
-// API bridge calls
-//
-/*!
- * Create a new SecAccessRef that is set to the default configuration
- * of a (newly created) security object.
- */
-OSStatus SecAccessCreate(CFStringRef descriptor, CFArrayRef trustedList, SecAccessRef *accessRef)
-{
- BEGIN_SECAPI
- Required(descriptor);
- SecPointer<Access> access;
- if (trustedList) {
- CFIndex length = CFArrayGetCount(trustedList);
- ACL::ApplicationList trusted;
- for (CFIndex n = 0; n < length; n++)
- trusted.push_back(TrustedApplication::required(
- SecTrustedApplicationRef(CFArrayGetValueAtIndex(trustedList, n))));
- access = new Access(cfString(descriptor), trusted);
- } else {
- access = new Access(cfString(descriptor));
- }
- Required(accessRef) = access->handle();
- END_SECAPI
-}
-
-
-/*!
- */
-OSStatus SecAccessCreateFromOwnerAndACL(const CSSM_ACL_OWNER_PROTOTYPE *owner,
- uint32 aclCount, const CSSM_ACL_ENTRY_INFO *acls,
- SecAccessRef *accessRef)
-{
- BEGIN_SECAPI
- Required(accessRef); // preflight
- SecPointer<Access> access = new Access(Required(owner), aclCount, &Required(acls));
- *accessRef = access->handle();
- END_SECAPI
-}
-
-SecAccessRef SecAccessCreateWithOwnerAndACL(uid_t userId, gid_t groupId, SecAccessOwnerType ownerType, CFArrayRef acls, CFErrorRef *error)
-{
- SecAccessRef result = NULL;
-
- CSSM_ACL_PROCESS_SUBJECT_SELECTOR selector =
- {
- CSSM_ACL_PROCESS_SELECTOR_CURRENT_VERSION, // selector version
- ownerType,
- userId,
- groupId
- };
-
- CSSM_LIST_ELEMENT subject2 = { NULL, 0 };
- subject2.Element.Word.Data = (UInt8 *)&selector;
- subject2.Element.Word.Length = sizeof(selector);
- CSSM_LIST_ELEMENT subject1 =
- {
- &subject2, CSSM_ACL_SUBJECT_TYPE_PROCESS, CSSM_LIST_ELEMENT_WORDID
- };
-
- CFIndex numAcls = 0;
-
- if (NULL != acls)
- {
- numAcls = CFArrayGetCount(acls);
- }
-
-#ifndef NDEBUG
- CFStringRef debugStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL,
- CFSTR("SecAccessCreateWithOwnerAndACL: processing %d acls"), (int)numAcls);
- CFShow(debugStr);
- CFRelease(debugStr);
-#endif
-
- CSSM_ACL_AUTHORIZATION_TAG rights[numAcls];
- memset(rights, 0, sizeof(rights));
-
- for (CFIndex iCnt = 0; iCnt < numAcls; iCnt++)
- {
- CFStringRef aclStr = (CFStringRef)CFArrayGetValueAtIndex(acls, iCnt);
-
-#ifndef NDEBUG
- debugStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL,
- CFSTR("SecAccessCreateWithOwnerAndACL: acls[%d] = %@"), (int)iCnt, aclStr);
-
- CFShow(debugStr);
- CFRelease(debugStr);
-#endif
-
- CSSM_ACL_AUTHORIZATION_TAG aTag = GetACLAuthorizationTagFromString(aclStr);
-
-#ifndef NDEBUG
- debugStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL,
- CFSTR("SecAccessCreateWithOwnerAndACL: rights[%d] = %d"), (int)iCnt, aTag);
-
- CFShow(debugStr);
- CFRelease(debugStr);
-#endif
-
- rights[iCnt] = aTag;
- }
-
-
- for (CFIndex iCnt = 0; iCnt < numAcls; iCnt++)
- {
-#ifndef NDEBUG
- debugStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL,
- CFSTR("SecAccessCreateWithOwnerAndACL: rights[%d] = %d"), (int)iCnt, rights[iCnt]);
-
- CFShow(debugStr);
- CFRelease(debugStr);
-#endif
-
-
- }
-
- CSSM_ACL_OWNER_PROTOTYPE owner =
- {
- // TypedSubject
- { CSSM_LIST_TYPE_UNKNOWN, &subject1, &subject2 },
- // Delegate
- false
- };
-
-
- // ACL entries (any number, just one here)
- CSSM_ACL_ENTRY_INFO acl_rights[] =
- {
- {
- // prototype
- {
- // TypedSubject
- { CSSM_LIST_TYPE_UNKNOWN, &subject1, &subject2 },
- false, // Delegate
- // rights for this entry
- { (uint32)(sizeof(rights) / sizeof(rights[0])), rights },
- // rest is defaulted
- }
- }
- };
-
- OSStatus err = SecAccessCreateFromOwnerAndACL(&owner,
- sizeof(acl_rights) / sizeof(acl_rights[0]), acl_rights, &result);
-
- if (errSecSuccess != err)
- {
- result = NULL;
- if (NULL != error)
- {
- *error = CFErrorCreate(kCFAllocatorDefault, CFSTR("FIX ME"), err, NULL);
- }
- }
- return result;
-}
-
-
-/*!
- */
-OSStatus SecAccessGetOwnerAndACL(SecAccessRef accessRef,
- CSSM_ACL_OWNER_PROTOTYPE_PTR *owner,
- uint32 *aclCount, CSSM_ACL_ENTRY_INFO_PTR *acls)
-{
- BEGIN_SECAPI
- Access::required(accessRef)->copyOwnerAndAcl(
- Required(owner), Required(aclCount), Required(acls));
- END_SECAPI
-}
-
-OSStatus SecAccessCopyOwnerAndACL(SecAccessRef accessRef, uid_t* userId, gid_t* groupId, SecAccessOwnerType* ownerType, CFArrayRef* aclList)
-{
- CSSM_ACL_OWNER_PROTOTYPE_PTR owner = NULL;
- CSSM_ACL_ENTRY_INFO_PTR acls = NULL;
- uint32 aclCount = 0;
- OSStatus result = SecAccessGetOwnerAndACL(accessRef, &owner, &aclCount, &acls);
- if (errSecSuccess != result )
- {
- return result;
- }
-
- if (NULL != owner)
- {
- CSSM_LIST_ELEMENT_PTR listHead = owner->TypedSubject.Head;
- if (listHead != NULL && listHead->ElementType == CSSM_LIST_ELEMENT_WORDID)
- {
- CSSM_LIST_ELEMENT_PTR nextElement = listHead->NextElement;
- if (listHead->WordID == CSSM_ACL_SUBJECT_TYPE_PROCESS && listHead->ElementType == CSSM_LIST_ELEMENT_WORDID)
- {
- // nextElement contains the required data
- CSSM_ACL_PROCESS_SUBJECT_SELECTOR* selectorPtr = (CSSM_ACL_PROCESS_SUBJECT_SELECTOR*)nextElement->Element.Word.Data;
- if (NULL != selectorPtr)
- {
- if (NULL != userId)
- {
- *userId = (uid_t)selectorPtr->uid;
- }
-
- if (NULL != groupId)
- {
- *groupId = (gid_t)selectorPtr->gid;
- }
-
- if (NULL != ownerType)
- {
- *ownerType = (SecAccessOwnerType)selectorPtr->mask;
- }
- }
- }
-
- }
-
- }
-
- if (NULL != aclList)
- {
-#ifndef NDEBUG
- CFShow(CFSTR("SecAccessCopyOwnerAndACL: processing the ACL list"));
-#endif
-
- CFMutableArrayRef stringArray = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
- CSSM_ACL_OWNER_PROTOTYPE_PTR protoPtr = NULL;
- uint32 numAcls = 0L;
- CSSM_ACL_ENTRY_INFO_PTR aclEntry = NULL;
-
- result = SecAccessGetOwnerAndACL(accessRef, &protoPtr, &numAcls, &aclEntry);
- if (errSecSuccess == result)
- {
-#ifndef NDEBUG
- CFStringRef tempStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("SecAccessCopyOwnerAndACL: numAcls = %d"), numAcls);
- CFShow(tempStr);
- CFRelease(tempStr);
-#endif
-
- for (uint32 iCnt = 0; iCnt < numAcls; iCnt++)
- {
- CSSM_ACL_ENTRY_PROTOTYPE prototype = aclEntry[iCnt].EntryPublicInfo;
- CSSM_AUTHORIZATIONGROUP authGroup = prototype.Authorization;
- int numAuthTags = (int)authGroup.NumberOfAuthTags;
-
- for (int jCnt = 0; jCnt < numAuthTags; jCnt++)
- {
-
- sint32 aTag = authGroup.AuthTags[jCnt];
- CFStringRef aString = GetAuthStringFromACLAuthorizationTag(aTag);
-
- CFArrayAppendValue(stringArray, aString);
- }
- }
- }
-
- if (NULL != stringArray)
- {
- if (0 < CFArrayGetCount(stringArray))
- {
- *aclList = CFArrayCreateCopy(kCFAllocatorDefault, stringArray);
- }
- CFRelease(stringArray);
- }
- }
-
- return result;
-}
-
-/*!
- */
-OSStatus SecAccessCopyACLList(SecAccessRef accessRef,
- CFArrayRef *aclList)
-{
- BEGIN_SECAPI
- Required(aclList) = Access::required(accessRef)->copySecACLs();
- END_SECAPI
-}
-
-
-/*!
- */
-OSStatus SecAccessCopySelectedACLList(SecAccessRef accessRef,
- CSSM_ACL_AUTHORIZATION_TAG action,
- CFArrayRef *aclList)
-{
- BEGIN_SECAPI
- Required(aclList) = Access::required(accessRef)->copySecACLs(action);
- END_SECAPI
-}
-
-CFArrayRef SecAccessCopyMatchingACLList(SecAccessRef accessRef, CFTypeRef authorizationTag)
-{
- CFArrayRef result = NULL;
- CSSM_ACL_AUTHORIZATION_TAG tag = GetACLAuthorizationTagFromString((CFStringRef)authorizationTag);
- OSStatus err = SecAccessCopySelectedACLList(accessRef, tag, &result);
- if (errSecSuccess != err)
- {
- result = NULL;
- }
- return result;
-}
-
-CFArrayRef copyTrustedAppListFromBundle(CFStringRef bundlePath, CFStringRef trustedAppListFileName)
-{
- CFStringRef errorString = nil;
- CFURLRef bundleURL,trustedAppsURL = NULL;
- CFBundleRef secBundle = NULL;
- CFPropertyListRef trustedAppsPlist = NULL;
- CFDataRef xmlDataRef = NULL;
- SInt32 errorCode;
- CFArrayRef trustedAppList = NULL;
- CFMutableStringRef trustedAppListFileNameWithoutExtension = NULL;
-
- // Make a CFURLRef from the CFString representation of the bundleĆs path.
- bundleURL = CFURLCreateWithFileSystemPath(
- kCFAllocatorDefault,bundlePath,kCFURLPOSIXPathStyle,true);
-
- CFRange wholeStrRange;
-
- if (!bundleURL)
- goto xit;
-
- // Make a bundle instance using the URLRef.
- secBundle = CFBundleCreate(kCFAllocatorDefault,bundleURL);
- if (!secBundle)
- goto xit;
-
- trustedAppListFileNameWithoutExtension =
- CFStringCreateMutableCopy(NULL,CFStringGetLength(trustedAppListFileName),trustedAppListFileName);
- wholeStrRange = CFStringFind(trustedAppListFileName,CFSTR(".plist"),0);
-
- CFStringDelete(trustedAppListFileNameWithoutExtension,wholeStrRange);
-
- // Look for a resource in the bundle by name and type
- trustedAppsURL = CFBundleCopyResourceURL(secBundle,trustedAppListFileNameWithoutExtension,CFSTR("plist"),NULL);
- if (!trustedAppsURL)
- goto xit;
-
- if ( trustedAppListFileNameWithoutExtension )
- CFRelease(trustedAppListFileNameWithoutExtension);
-
- if (!CFURLCreateDataAndPropertiesFromResource(kCFAllocatorDefault,trustedAppsURL,&xmlDataRef,NULL,NULL,&errorCode))
- goto xit;
-
- trustedAppsPlist = CFPropertyListCreateFromXMLData(kCFAllocatorDefault,xmlDataRef,kCFPropertyListImmutable,&errorString);
- trustedAppList = (CFArrayRef)trustedAppsPlist;
-
-xit:
- if (bundleURL)
- CFRelease(bundleURL);
- if (secBundle)
- CFRelease(secBundle);
- if (trustedAppsURL)
- CFRelease(trustedAppsURL);
- if (xmlDataRef)
- CFRelease(xmlDataRef);
- if (errorString)
- CFRelease(errorString);
-
- return trustedAppList;
-}
-
-OSStatus SecAccessCreateWithTrustedApplications(CFStringRef trustedApplicationsPListPath, CFStringRef accessLabel, Boolean allowAny, SecAccessRef* returnedAccess)
-{
- OSStatus err = errSecSuccess;
- SecAccessRef accessToReturn=nil;
- CFMutableArrayRef trustedApplications=nil;
-
- if (!allowAny) // use default access ("confirm access")
- {
- // make an exception list of applications you want to trust,
- // which are allowed to access the item without requiring user confirmation
- SecTrustedApplicationRef myself=NULL, someOther=NULL;
- CFArrayRef trustedAppListFromBundle=NULL;
-
- trustedApplications=CFArrayCreateMutable(kCFAllocatorDefault,0,&kCFTypeArrayCallBacks);
- err = SecTrustedApplicationCreateFromPath(NULL, &myself);
- if (!err)
- CFArrayAppendValue(trustedApplications,myself);
-
- CFURLRef url = CFURLCreateWithFileSystemPath(NULL, trustedApplicationsPListPath, kCFURLPOSIXPathStyle, 0);
- CFStringRef leafStr = NULL;
- leafStr = CFURLCopyLastPathComponent(url);
-
- CFURLRef bndlPathURL = NULL;
- bndlPathURL = CFURLCreateCopyDeletingLastPathComponent(NULL, url);
- CFStringRef bndlPath = NULL;
- bndlPath = CFURLCopyFileSystemPath(bndlPathURL, kCFURLPOSIXPathStyle);
- trustedAppListFromBundle=copyTrustedAppListFromBundle(bndlPath, leafStr);
- if ( leafStr )
- CFRelease(leafStr);
- if ( bndlPath )
- CFRelease(bndlPath);
- if ( url )
- CFRelease(url);
- if ( bndlPathURL )
- CFRelease(bndlPathURL);
- if (trustedAppListFromBundle)
- {
- CFIndex ix,top;
- char buffer[MAXPATHLEN];
- top = CFArrayGetCount(trustedAppListFromBundle);
- for (ix=0;ix<top;ix++)
- {
- CFStringRef filename = (CFStringRef)CFArrayGetValueAtIndex(trustedAppListFromBundle,ix);
- CFIndex stringLength = CFStringGetLength(filename);
- CFIndex usedBufLen;
-
- if (stringLength != CFStringGetBytes(filename,CFRangeMake(0,stringLength),kCFStringEncodingUTF8,0,
- false,(UInt8 *)&buffer,MAXPATHLEN, &usedBufLen))
- break;
- buffer[usedBufLen] = 0;
- //
- // Support specification of trusted applications by either
- // a full pathname or a code requirement string.
- //
- if (buffer[0]=='/')
- {
- err = SecTrustedApplicationCreateFromPath(buffer,&someOther);
- }
- else
- {
- char *buf = NULL;
- CFStringRef reqStr = filename;
- CFArrayRef descArray = CFStringCreateArrayBySeparatingStrings(NULL, reqStr, CFSTR("\""));
- if (descArray && (CFArrayGetCount(descArray) > 1))
- {
- CFStringRef descStr = (CFStringRef) CFArrayGetValueAtIndex(descArray, 1);
- if (descStr)
- buf = CFStringToCString(descStr);
- }
- SecRequirementRef reqRef = NULL;
- err = SecRequirementCreateWithString(reqStr, kSecCSDefaultFlags, &reqRef);
- if (!err)
- err = SecTrustedApplicationCreateFromRequirement((const char *)buf, reqRef, &someOther);
- if (buf)
- free(buf);
- CFReleaseSafe(reqRef);
- CFReleaseSafe(descArray);
- }
- if (!err)
- CFArrayAppendValue(trustedApplications,someOther);
-
- if (someOther)
- CFReleaseNull(someOther);
- }
- CFRelease(trustedAppListFromBundle);
- }
- }
-
- err = SecAccessCreate((CFStringRef)accessLabel, (CFArrayRef)trustedApplications, &accessToReturn);
- if (!err)
- {
- if (allowAny) // change access to be wide-open for decryption ("always allow access")
- {
- // get the access control list for decryption operations
- CFArrayRef aclList=nil;
- err = SecAccessCopySelectedACLList(accessToReturn, CSSM_ACL_AUTHORIZATION_DECRYPT, &aclList);
- if (!err)
- {
- // get the first entry in the access control list
- SecACLRef aclRef=(SecACLRef)CFArrayGetValueAtIndex(aclList, 0);
- CFArrayRef appList=nil;
- CFStringRef promptDescription=nil;
- CSSM_ACL_KEYCHAIN_PROMPT_SELECTOR promptSelector;
- err = SecACLCopySimpleContents(aclRef, &appList, &promptDescription, &promptSelector);
-
- // modify the default ACL to not require the passphrase, and have a nil application list
- promptSelector.flags &= ~CSSM_ACL_KEYCHAIN_PROMPT_REQUIRE_PASSPHRASE;
- err = SecACLSetSimpleContents(aclRef, NULL, promptDescription, &promptSelector);
-
- if (appList) CFRelease(appList);
- if (promptDescription) CFRelease(promptDescription);
- }
- }
- }
- *returnedAccess = accessToReturn;
- return err;
-}
projects / apple / security.git / blobdiff