+/*
+ * Copyright (c) 2002-2004,2011-2014 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+//
+// Policy.cpp - Working with Policies
+//
+#include <security_keychain/Policies.h>
+#include <security_utilities/debugging.h>
+#include <Security/oidsalg.h>
+#include <sys/param.h>
+
+/* Oids longer than this are considered invalid. */
+#define MAX_OID_SIZE 32
+
+//%%FIXME: need to use a common copy of this utility function
+static
+CFStringRef SecDERItemCopyOIDDecimalRepresentation(uint8 *oid, size_t oidLen)
+{
+ if (oidLen == 0)
+ return CFSTR("<NULL>");
+
+ if (oidLen > MAX_OID_SIZE)
+ return CFSTR("Oid too long");
+
+ CFMutableStringRef result = CFStringCreateMutable(kCFAllocatorDefault, 0);
+
+ // The first two levels are encoded into one byte, since the root level
+ // has only 3 nodes (40*x + y). However if x = joint-iso-itu-t(2) then
+ // y may be > 39, so we have to add special-case handling for this.
+ uint32_t x = oid[0] / 40;
+ uint32_t y = oid[0] % 40;
+ if (x > 2)
+ {
+ // Handle special case for large y if x = 2
+ y += (x - 2) * 40;
+ x = 2;
+ }
+ CFStringAppendFormat(result, NULL, CFSTR("%u.%u"), x, y);
+
+ unsigned long value = 0;
+ for (x = 1; x < oidLen; ++x)
+ {
+ value = (value << 7) | (oid[x] & 0x7F);
+ /* @@@ value may not span more than 4 bytes. */
+ /* A max number of 20 values is allowed. */
+ if (!(oid[x] & 0x80))
+ {
+ CFStringAppendFormat(result, NULL, CFSTR(".%lu"), value);
+ value = 0;
+ }
+ }
+ return result;
+}
+
+
+using namespace KeychainCore;
+
+Policy::Policy(TP supportingTp, const CssmOid &policyOid)
+ : mTp(supportingTp),
+ mOid(Allocator::standard(), policyOid),
+ mValue(Allocator::standard()),
+ mAuxValue(Allocator::standard())
+{
+ // value is as yet unimplemented
+ secdebug("policy", "Policy() this %p", this);
+}
+
+Policy::~Policy() throw()
+{
+ secdebug("policy", "~Policy() this %p", this);
+}
+
+void Policy::setValue(const CssmData &value)
+{
+ StLock<Mutex>_(mMutex);
+ mValue = value;
+ mAuxValue.reset();
+
+ // Certain policy values may contain an embedded pointer. Ask me how I feel about that.
+ if (mOid == CSSMOID_APPLE_TP_SSL ||
+ mOid == CSSMOID_APPLE_TP_EAP ||
+ mOid == CSSMOID_APPLE_TP_IP_SEC ||
+ mOid == CSSMOID_APPLE_TP_APPLEID_SHARING)
+ {
+ CSSM_APPLE_TP_SSL_OPTIONS *opts = (CSSM_APPLE_TP_SSL_OPTIONS *)value.data();
+ if (opts->Version == CSSM_APPLE_TP_SSL_OPTS_VERSION)
+ {
+ if (opts->ServerNameLen > 0)
+ {
+ // Copy auxiliary data, then update the embedded pointer to reference our copy
+ mAuxValue.copy(const_cast<char*>(opts->ServerName), opts->ServerNameLen);
+ mValue.get().interpretedAs<CSSM_APPLE_TP_SSL_OPTIONS>()->ServerName =
+ reinterpret_cast<char*>(mAuxValue.data());
+ }
+ else
+ {
+ // Clear the embedded pointer!
+ mValue.get().interpretedAs<CSSM_APPLE_TP_SSL_OPTIONS>()->ServerName =
+ reinterpret_cast<char*>(NULL);
+ }
+ }
+ }
+ else if (mOid == CSSMOID_APPLE_TP_SMIME ||
+ mOid == CSSMOID_APPLE_TP_ICHAT ||
+ mOid == CSSMOID_APPLE_TP_PASSBOOK_SIGNING)
+ {
+ CSSM_APPLE_TP_SMIME_OPTIONS *opts = (CSSM_APPLE_TP_SMIME_OPTIONS *)value.data();
+ if (opts->Version == CSSM_APPLE_TP_SMIME_OPTS_VERSION)
+ {
+ if (opts->SenderEmailLen > 0)
+ {
+ // Copy auxiliary data, then update the embedded pointer to reference our copy
+ mAuxValue.copy(const_cast<char*>(opts->SenderEmail), opts->SenderEmailLen);
+ mValue.get().interpretedAs<CSSM_APPLE_TP_SMIME_OPTIONS>()->SenderEmail =
+ reinterpret_cast<char*>(mAuxValue.data());
+ }
+ else
+ {
+ // Clear the embedded pointer!
+ mValue.get().interpretedAs<CSSM_APPLE_TP_SMIME_OPTIONS>()->SenderEmail =
+ reinterpret_cast<char*>(NULL);
+ }
+ }
+ }
+}
+
+void Policy::setProperties(CFDictionaryRef properties)
+{
+ // Set the policy value based on the provided dictionary keys.
+ if (properties == NULL)
+ return;
+
+ if (mOid == CSSMOID_APPLE_TP_SSL ||
+ mOid == CSSMOID_APPLE_TP_EAP ||
+ mOid == CSSMOID_APPLE_TP_IP_SEC ||
+ mOid == CSSMOID_APPLE_TP_APPLEID_SHARING)
+ {
+ CSSM_APPLE_TP_SSL_OPTIONS options = { CSSM_APPLE_TP_SSL_OPTS_VERSION, 0, NULL, 0 };
+ char *buf = NULL;
+ CFStringRef nameStr = NULL;
+ if (CFDictionaryGetValueIfPresent(properties, (const void *)kSecPolicyName, (const void **)&nameStr)) {
+ buf = (char *)malloc(MAXPATHLEN);
+ if (buf) {
+ if (CFStringGetCString(nameStr, buf, MAXPATHLEN, kCFStringEncodingUTF8)) {
+ options.ServerName = buf;
+ options.ServerNameLen = (unsigned)(strlen(buf)+1); // include terminating null
+ }
+ }
+ }
+ CFBooleanRef clientRef = NULL;
+ if (CFDictionaryGetValueIfPresent(properties, (const void *)kSecPolicyClient, (const void **)&clientRef)
+ && CFBooleanGetValue(clientRef) == true)
+ options.Flags |= CSSM_APPLE_TP_SSL_CLIENT;
+
+ const CssmData value((uint8*)&options, sizeof(options));
+ this->setValue(value);
+
+ if (buf) free(buf);
+ }
+ else if (mOid == CSSMOID_APPLE_TP_SMIME ||
+ mOid == CSSMOID_APPLE_TP_ICHAT ||
+ mOid == CSSMOID_APPLE_TP_PASSBOOK_SIGNING)
+ {
+ CSSM_APPLE_TP_SMIME_OPTIONS options = { CSSM_APPLE_TP_SMIME_OPTS_VERSION, 0, 0, NULL };
+ char *buf = NULL;
+ CFStringRef nameStr = NULL;
+ if (CFDictionaryGetValueIfPresent(properties, (const void *)kSecPolicyName, (const void **)&nameStr)) {
+ buf = (char *)malloc(MAXPATHLEN);
+ if (buf) {
+ if (CFStringGetCString(nameStr, buf, MAXPATHLEN, kCFStringEncodingUTF8)) {
+ CFStringRef teamIDStr = NULL;
+ if (CFDictionaryGetValueIfPresent(properties, (const void *)kSecPolicyTeamIdentifier, (const void **)&teamIDStr)) {
+ char *buf2 = (char *)malloc(MAXPATHLEN);
+ if (buf2) {
+ if (CFStringGetCString(teamIDStr, buf2, MAXPATHLEN, kCFStringEncodingUTF8)) {
+ /* append tab separator and team identifier */
+ strlcat(buf, "\t", MAXPATHLEN);
+ strlcat(buf, buf2, MAXPATHLEN);
+ }
+ free(buf2);
+ }
+ }
+ options.SenderEmail = buf;
+ options.SenderEmailLen = (unsigned)(strlen(buf)+1); // include terminating null
+ }
+ }
+ }
+ CFBooleanRef kuRef = NULL;
+ if (CFDictionaryGetValueIfPresent(properties, (const void *)kSecPolicyKU_DigitalSignature, (const void **)&kuRef)
+ && CFBooleanGetValue(kuRef) == true)
+ options.IntendedUsage |= CE_KU_DigitalSignature;
+ if (CFDictionaryGetValueIfPresent(properties, (const void *)kSecPolicyKU_NonRepudiation, (const void **)&kuRef)
+ && CFBooleanGetValue(kuRef) == true)
+ options.IntendedUsage |= CE_KU_NonRepudiation;
+ if (CFDictionaryGetValueIfPresent(properties, (const void *)kSecPolicyKU_KeyEncipherment, (const void **)&kuRef)
+ && CFBooleanGetValue(kuRef) == true)
+ options.IntendedUsage |= CE_KU_KeyEncipherment;
+ if (CFDictionaryGetValueIfPresent(properties, (const void *)kSecPolicyKU_DataEncipherment, (const void **)&kuRef)
+ && CFBooleanGetValue(kuRef) == true)
+ options.IntendedUsage |= CE_KU_DataEncipherment;
+ if (CFDictionaryGetValueIfPresent(properties, (const void *)kSecPolicyKU_KeyAgreement, (const void **)&kuRef)
+ && CFBooleanGetValue(kuRef) == true)
+ options.IntendedUsage |= CE_KU_KeyAgreement;
+ if (CFDictionaryGetValueIfPresent(properties, (const void *)kSecPolicyKU_KeyCertSign, (const void **)&kuRef)
+ && CFBooleanGetValue(kuRef) == true)
+ options.IntendedUsage |= CE_KU_KeyCertSign;
+ if (CFDictionaryGetValueIfPresent(properties, (const void *)kSecPolicyKU_CRLSign, (const void **)&kuRef)
+ && CFBooleanGetValue(kuRef) == true)
+ options.IntendedUsage |= CE_KU_CRLSign;
+ if (CFDictionaryGetValueIfPresent(properties, (const void *)kSecPolicyKU_EncipherOnly, (const void **)&kuRef)
+ && CFBooleanGetValue(kuRef) == true)
+ options.IntendedUsage |= CE_KU_EncipherOnly;
+ if (CFDictionaryGetValueIfPresent(properties, (const void *)kSecPolicyKU_DecipherOnly, (const void **)&kuRef)
+ && CFBooleanGetValue(kuRef) == true)
+ options.IntendedUsage |= CE_KU_DecipherOnly;
+
+ const CssmData value((uint8*)&options, sizeof(options));
+ this->setValue(value);
+
+ if (buf) free(buf);
+ }
+
+}
+
+CFDictionaryRef Policy::properties()
+{
+ // Builds and returns a dictionary which the caller must release.
+ CFMutableDictionaryRef properties = CFDictionaryCreateMutable(NULL, 0,
+ &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+ if (!properties) return NULL;
+
+ // kSecPolicyOid
+ CFStringRef oidStr = SecDERItemCopyOIDDecimalRepresentation((uint8*)mOid.data(), mOid.length());
+ if (oidStr) {
+ CFDictionarySetValue(properties, (const void *)kSecPolicyOid, (const void *)oidStr);
+ CFRelease(oidStr);
+ }
+
+ // kSecPolicyName
+ if (mAuxValue) {
+ CFStringRef nameStr = CFStringCreateWithBytes(NULL,
+ (const UInt8 *)reinterpret_cast<char*>(mAuxValue.data()),
+ (CFIndex)mAuxValue.length(), kCFStringEncodingUTF8, false);
+ if (nameStr) {
+ if (mOid == CSSMOID_APPLE_TP_PASSBOOK_SIGNING) {
+ CFArrayRef strs = CFStringCreateArrayBySeparatingStrings(kCFAllocatorDefault, nameStr, CFSTR("\t"));
+ if (strs) {
+ CFIndex count = CFArrayGetCount(strs);
+ if (count > 0)
+ CFDictionarySetValue(properties, (const void *)kSecPolicyName, (const void *)CFArrayGetValueAtIndex(strs, 0));
+ if (count > 1)
+ CFDictionarySetValue(properties, (const void *)kSecPolicyTeamIdentifier, (const void *)CFArrayGetValueAtIndex(strs, 1));
+ CFRelease(strs);
+ }
+ }
+ else {
+ CFDictionarySetValue(properties, (const void *)kSecPolicyName, (const void *)nameStr);
+ }
+ CFRelease(nameStr);
+ }
+ }
+
+ // kSecPolicyClient
+ if (mValue) {
+ if (mOid == CSSMOID_APPLE_TP_SSL ||
+ mOid == CSSMOID_APPLE_TP_EAP ||
+ mOid == CSSMOID_APPLE_TP_IP_SEC ||
+ mOid == CSSMOID_APPLE_TP_APPLEID_SHARING)
+ {
+ CSSM_APPLE_TP_SSL_OPTIONS *opts = (CSSM_APPLE_TP_SSL_OPTIONS *)mValue.data();
+ if (opts->Flags & CSSM_APPLE_TP_SSL_CLIENT) {
+ CFDictionarySetValue(properties, (const void *)kSecPolicyClient, (const void *)kCFBooleanTrue);
+ }
+ }
+ }
+
+ // key usage flags (currently only for S/MIME and iChat policies)
+ if (mValue) {
+ if (mOid == CSSMOID_APPLE_TP_SMIME ||
+ mOid == CSSMOID_APPLE_TP_ICHAT)
+ {
+ CSSM_APPLE_TP_SMIME_OPTIONS *opts = (CSSM_APPLE_TP_SMIME_OPTIONS *)mValue.data();
+ CE_KeyUsage usage = opts->IntendedUsage;
+ if (usage & CE_KU_DigitalSignature)
+ CFDictionarySetValue(properties, (const void *)kSecPolicyKU_DigitalSignature, (const void *)kCFBooleanTrue);
+ if (usage & CE_KU_NonRepudiation)
+ CFDictionarySetValue(properties, (const void *)kSecPolicyKU_NonRepudiation, (const void *)kCFBooleanTrue);
+ if (usage & CE_KU_KeyEncipherment)
+ CFDictionarySetValue(properties, (const void *)kSecPolicyKU_KeyEncipherment, (const void *)kCFBooleanTrue);
+ if (usage & CE_KU_DataEncipherment)
+ CFDictionarySetValue(properties, (const void *)kSecPolicyKU_DataEncipherment, (const void *)kCFBooleanTrue);
+ if (usage & CE_KU_KeyAgreement)
+ CFDictionarySetValue(properties, (const void *)kSecPolicyKU_KeyAgreement, (const void *)kCFBooleanTrue);
+ if (usage & CE_KU_KeyCertSign)
+ CFDictionarySetValue(properties, (const void *)kSecPolicyKU_KeyCertSign, (const void *)kCFBooleanTrue);
+ if (usage & CE_KU_CRLSign)
+ CFDictionarySetValue(properties, (const void *)kSecPolicyKU_CRLSign, (const void *)kCFBooleanTrue);
+ if (usage & CE_KU_EncipherOnly)
+ CFDictionarySetValue(properties, (const void *)kSecPolicyKU_EncipherOnly, (const void *)kCFBooleanTrue);
+ if (usage & CE_KU_DecipherOnly)
+ CFDictionarySetValue(properties, (const void *)kSecPolicyKU_DecipherOnly, (const void *)kCFBooleanTrue);
+ }
+ }
+ return properties;
+}
+
+
+bool Policy::operator < (const Policy& other) const
+{
+ //@@@ inefficient
+ return (oid() < other.oid()) ||
+ (oid() == other.oid() && value() < other.value());
+}
+
+bool Policy::operator == (const Policy& other) const
+{
+ return oid() == other.oid() && value() == other.value();
+}
projects / apple / security.git / blobdiff