-/*
- * Copyright (c) 2002-2004,2011,2014 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-//
-// TrustStore.h - Abstract interface to permanent user trust assignments
-//
-#include <security_keychain/TrustItem.h>
-#include <security_cdsa_utilities/Schema.h>
-#include <security_keychain/SecCFTypes.h>
-
-#include <security_asn1/secasn1.h>
-#include <security_asn1/SecNssCoder.h>
-#include <Security/oidscert.h>
-
-
-namespace Security {
-namespace KeychainCore {
-
-
-//
-// Construct a UserTrustItem from attributes and initial content
-//
-UserTrustItem::UserTrustItem(Certificate *cert, Policy *policy, const TrustData &trustData) :
- ItemImpl(CSSM_DL_DB_RECORD_USER_TRUST,
- reinterpret_cast<SecKeychainAttributeList *>(NULL),
- UInt32(sizeof(trustData)),
- reinterpret_cast<const void *>(&trustData)),
- mCertificate(cert), mPolicy(policy)
-{
- secdebug("usertrust", "%p create(%p,%p) = %d",
- this, cert, policy, SecTrustUserSetting(trustData.trust));
-}
-
-
-//
-// Destroy it
-//
-UserTrustItem::~UserTrustItem()
-{
- secdebug("usertrust", "%p destroyed", this);
-}
-
-
-//
-// Retrieve the trust value from a UserTrustItem
-//
-UserTrustItem::TrustData UserTrustItem::trust()
-{
- StLock<Mutex>_(mMutex);
- CssmDataContainer data;
- getData(data);
- if (data.length() != sizeof(TrustData))
- MacOSError::throwMe(errSecInvalidTrustSetting);
- return *data.interpretedAs<TrustData>();
-}
-
-
-//
-// Add item to keychain
-//
-PrimaryKey UserTrustItem::add(Keychain &keychain)
-{
- StLock<Mutex>_(mMutex);
- // If we already have a Keychain we can't be added.
- if (mKeychain)
- MacOSError::throwMe(errSecDuplicateItem);
-
- populateAttributes();
-
- CSSM_DB_RECORDTYPE recordType = mDbAttributes->recordType();
-
- Db db(keychain->database());
- // add the item to the (regular) db
- try
- {
- mUniqueId = db->insert(recordType, mDbAttributes.get(), mData.get());
- secdebug("usertrust", "%p inserted", this);
- }
- catch (const CssmError &e)
- {
- if (e.osStatus() != CSSMERR_DL_INVALID_RECORDTYPE)
- throw;
-
- // Create the trust relation and try again.
- secdebug("usertrust", "adding schema relation for user trusts");
- db->createRelation(CSSM_DL_DB_RECORD_USER_TRUST, "CSSM_DL_DB_RECORD_USER_TRUST",
- Schema::UserTrustSchemaAttributeCount,
- Schema::UserTrustSchemaAttributeList,
- Schema::UserTrustSchemaIndexCount,
- Schema::UserTrustSchemaIndexList);
- keychain->keychainSchema()->didCreateRelation(
- CSSM_DL_DB_RECORD_USER_TRUST,
- "CSSM_DL_DB_RECORD_USER_TRUST",
- Schema::UserTrustSchemaAttributeCount,
- Schema::UserTrustSchemaAttributeList,
- Schema::UserTrustSchemaIndexCount,
- Schema::UserTrustSchemaIndexList);
-
- mUniqueId = db->insert(recordType, mDbAttributes.get(), mData.get());
- secdebug("usertrust", "%p inserted now", this);
- }
-
- mPrimaryKey = keychain->makePrimaryKey(recordType, mUniqueId);
- mKeychain = keychain;
- return mPrimaryKey;
-}
-
-
-void UserTrustItem::populateAttributes()
-{
- StLock<Mutex>_(mMutex);
- CssmAutoData encodedIndex(Allocator::standard());
- makeCertIndex(mCertificate, encodedIndex);
- const CssmOid &policyOid = mPolicy->oid();
-
- mDbAttributes->add(Schema::attributeInfo(kSecTrustCertAttr), encodedIndex.get());
- mDbAttributes->add(Schema::attributeInfo(kSecTrustPolicyAttr), policyOid);
-}
-
-
-//
-// An ad-hoc hold-and-destroy accessor for a single-valued certificate field
-//
-class CertField {
-public:
- CertField(Certificate *cert, const CSSM_OID &inField)
- : certificate(cert), field(inField)
- { mData = certificate->copyFirstFieldValue(field); }
-
- ~CertField() { certificate->releaseFieldValue(field, mData); }
-
- Certificate * const certificate;
- const CSSM_OID &field;
-
- operator bool () const { return mData && mData->Data; }
- CssmData &data() const { return CssmData::overlay(*mData); }
-
-private:
- CSSM_DATA_PTR mData;
-};
-
-
-//
-// Construct a trust item index.
-// This is an ASN.1 sequence of issuer and serial number.
-//
-struct IssuerAndSN {
- CSSM_DATA issuer;
- CSSM_DATA serial;
-};
-
-static const SecAsn1Template issuerAndSNTemplate[] = {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(IssuerAndSN) },
- { SEC_ASN1_OCTET_STRING, offsetof(IssuerAndSN, issuer) },
- { SEC_ASN1_OCTET_STRING, offsetof(IssuerAndSN, serial) },
- { 0 }
-};
-
-void UserTrustItem::makeCertIndex(Certificate *cert, CssmOwnedData &encodedIndex)
-{
- CertField issuer(cert, CSSMOID_X509V1IssuerName);
- CertField serial(cert, CSSMOID_X509V1SerialNumber);
- IssuerAndSN index;
- index.issuer = issuer.data();
- index.serial = serial.data();
- if (SecNssEncodeItemOdata(&index, issuerAndSNTemplate, encodedIndex))
- CssmError::throwMe(CSSMERR_CSP_MEMORY_ERROR);
-}
-
-
-} // end namespace KeychainCore
-} // end namespace Security
projects / apple / security.git / blobdiff