--- /dev/null
+/*
+ * Copyright (c) 2002-2014 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#include <Security/SecCertificate.h>
+#include <Security/SecCertificatePriv.h>
+#include <security_keychain/Certificate.h>
+#include <security_keychain/Item.h>
+#include <security_keychain/KCCursor.h>
+#include <Security/cssmapi.h>
+#include <Security/cssmapple.h>
+#include <security_cdsa_client/cspclient.h>
+#include <security_cdsa_client/clclient.h>
+#include <security_cdsa_client/tpclient.h>
+#include <Security/cssmtype.h>
+
+#include "SecBridge.h"
+
+// %%% used by SecCertificate{Copy,Set}Preference
+#include <Security/SecKeychainItemPriv.h>
+#include <Security/SecIdentityPriv.h>
+#include <security_keychain/KCCursor.h>
+#include <security_cdsa_utilities/Schema.h>
+#include <sys/param.h>
+#include "CertificateValues.h"
+#include "SecCertificateP.h"
+#include "SecCertificatePrivP.h"
+
+#include "AppleBaselineEscrowCertificates.h"
+
+
+extern CSSM_KEYUSE ConvertArrayToKeyUsage(CFArrayRef usage);
+
+#define SEC_CONST_DECL(k,v) CFTypeRef k = (CFTypeRef)(CFSTR(v));
+
+SEC_CONST_DECL (kSecCertificateProductionEscrowKey, "ProductionEscrowKey");
+SEC_CONST_DECL (kSecCertificateProductionPCSEscrowKey, "ProductionPCSEscrowKey");
+SEC_CONST_DECL (kSecCertificateEscrowFileName, "AppleESCertificates");
+
+
+using namespace CssmClient;
+
+CFTypeID
+SecCertificateGetTypeID(void)
+{
+ BEGIN_SECAPI
+
+ return gTypes().Certificate.typeID;
+
+ END_SECAPI1(_kCFRuntimeNotATypeID)
+}
+
+
+OSStatus
+SecCertificateCreateFromData(const CSSM_DATA *data, CSSM_CERT_TYPE type, CSSM_CERT_ENCODING encoding, SecCertificateRef *certificate)
+{
+ BEGIN_SECAPI
+
+ SecPointer<Certificate> certificatePtr(new Certificate(Required(data), type, encoding));
+ Required(certificate) = certificatePtr->handle();
+
+ END_SECAPI
+}
+
+/* new in 10.6 */
+SecCertificateRef
+SecCertificateCreateWithData(CFAllocatorRef allocator, CFDataRef data)
+{
+ SecCertificateRef certificate = NULL;
+ OSStatus __secapiresult;
+ try {
+ CSSM_DATA cssmCertData;
+ cssmCertData.Length = (data) ? (CSSM_SIZE)CFDataGetLength(data) : 0;
+ cssmCertData.Data = (data) ? (uint8 *)CFDataGetBytePtr(data) : NULL;
+
+ //NOTE: there isn't yet a Certificate constructor which accepts a CFAllocatorRef
+ SecPointer<Certificate> certificatePtr(new Certificate(cssmCertData, CSSM_CERT_X_509v3, CSSM_CERT_ENCODING_DER));
+ certificate = certificatePtr->handle();
+
+ __secapiresult=errSecSuccess;
+ }
+ catch (const MacOSError &err) { __secapiresult=err.osStatus(); }
+ catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); }
+ catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; }
+ catch (...) { __secapiresult=errSecInternalComponent; }
+ return certificate;
+}
+
+OSStatus
+SecCertificateAddToKeychain(SecCertificateRef certificate, SecKeychainRef keychain)
+{
+ BEGIN_SECAPI
+
+ Item item(Certificate::required(certificate));
+ Keychain::optional(keychain)->add(item);
+
+ END_SECAPI
+}
+
+OSStatus
+SecCertificateGetData(SecCertificateRef certificate, CSSM_DATA_PTR data)
+{
+ BEGIN_SECAPI
+
+ Required(data) = Certificate::required(certificate)->data();
+
+ END_SECAPI
+}
+
+/* new in 10.6 */
+CFDataRef
+SecCertificateCopyData(SecCertificateRef certificate)
+{
+ CFDataRef data = NULL;
+ OSStatus __secapiresult = errSecSuccess;
+ try {
+ CssmData output = Certificate::required(certificate)->data();
+ CFIndex length = (CFIndex)output.length();
+ const UInt8 *bytes = (const UInt8 *)output.data();
+ if (length && bytes) {
+ data = CFDataCreate(NULL, bytes, length);
+ }
+ }
+ catch (const MacOSError &err) { __secapiresult=err.osStatus(); }
+ catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); }
+ catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; }
+ catch (...) { __secapiresult=errSecInternalComponent; }
+ return data;
+}
+
+CFDataRef
+SecCertificateGetSHA1Digest(SecCertificateRef certificate)
+{
+ CFDataRef data = NULL;
+ OSStatus __secapiresult = errSecSuccess;
+ try {
+ data = Certificate::required(certificate)->sha1Hash();
+ }
+ catch (const MacOSError &err) { __secapiresult=err.osStatus(); }
+ catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); }
+ catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; }
+ catch (...) { __secapiresult=errSecInternalComponent; }
+ return data;
+}
+
+CFArrayRef
+SecCertificateCopyDNSNames(SecCertificateRef certificate)
+{
+ CFArrayRef names = NULL;
+ OSStatus __secapiresult = errSecSuccess;
+ try {
+ names = Certificate::required(certificate)->copyDNSNames();
+ }
+ catch (const MacOSError &err) { __secapiresult=err.osStatus(); }
+ catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); }
+ catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; }
+ catch (...) { __secapiresult=errSecInternalComponent; }
+ return names;
+}
+
+OSStatus
+SecCertificateGetType(SecCertificateRef certificate, CSSM_CERT_TYPE *certificateType)
+{
+ BEGIN_SECAPI
+
+ Required(certificateType) = Certificate::required(certificate)->type();
+
+ END_SECAPI
+}
+
+
+OSStatus
+SecCertificateGetSubject(SecCertificateRef certificate, const CSSM_X509_NAME **subject)
+{
+ BEGIN_SECAPI
+
+ Required(subject) = Certificate::required(certificate)->subjectName();
+
+ END_SECAPI
+}
+
+
+OSStatus
+SecCertificateGetIssuer(SecCertificateRef certificate, const CSSM_X509_NAME **issuer)
+{
+ BEGIN_SECAPI
+
+ Required(issuer) = Certificate::required(certificate)->issuerName();
+
+ END_SECAPI
+}
+
+
+OSStatus
+SecCertificateGetCLHandle(SecCertificateRef certificate, CSSM_CL_HANDLE *clHandle)
+{
+ BEGIN_SECAPI
+
+ Required(clHandle) = Certificate::required(certificate)->clHandle();
+
+ END_SECAPI
+}
+
+/*
+ * Private API to infer a display name for a SecCertificateRef which
+ * may or may not be in a keychain.
+ */
+OSStatus
+SecCertificateInferLabel(SecCertificateRef certificate, CFStringRef *label)
+{
+ BEGIN_SECAPI
+
+ Certificate::required(certificate)->inferLabel(false,
+ &Required(label));
+
+ END_SECAPI
+}
+
+OSStatus
+SecCertificateCopyPublicKey(SecCertificateRef certificate, SecKeyRef *key)
+{
+ BEGIN_SECAPI
+
+ Required(key) = Certificate::required(certificate)->publicKey()->handle();
+
+ END_SECAPI
+}
+
+OSStatus
+SecCertificateGetAlgorithmID(SecCertificateRef certificate, const CSSM_X509_ALGORITHM_IDENTIFIER **algid)
+{
+ BEGIN_SECAPI
+
+ Required(algid) = Certificate::required(certificate)->algorithmID();
+
+ END_SECAPI
+}
+
+OSStatus
+SecCertificateCopyCommonName(SecCertificateRef certificate, CFStringRef *commonName)
+{
+ BEGIN_SECAPI
+
+ Required(commonName) = Certificate::required(certificate)->commonName();
+
+ END_SECAPI
+}
+
+/* new in 10.6 */
+CFStringRef
+SecCertificateCopySubjectSummary(SecCertificateRef certificate)
+{
+ CFStringRef summary = NULL;
+ OSStatus __secapiresult;
+ try {
+ Certificate::required(certificate)->inferLabel(false, &summary);
+
+ __secapiresult=errSecSuccess;
+ }
+ catch (const MacOSError &err) { __secapiresult=err.osStatus(); }
+ catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); }
+ catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; }
+ catch (...) { __secapiresult=errSecInternalComponent; }
+ return summary;
+}
+
+CFStringRef
+SecCertificateCopyIssuerSummary(SecCertificateRef certificate)
+{
+ CFStringRef issuerStr = NULL;
+ SecCertificateRefP certP = NULL;
+ CFDataRef certData = SecCertificateCopyData(certificate);
+ if (certData) {
+ certP = SecCertificateCreateWithDataP(NULL, certData);
+ CFRelease(certData);
+ }
+ if (certP) {
+ issuerStr = SecCertificateCopyIssuerSummaryP(certP);
+ CFRelease(certP);
+ }
+ return issuerStr;
+}
+
+OSStatus
+SecCertificateCopySubjectComponent(SecCertificateRef certificate, const CSSM_OID *component, CFStringRef *result)
+{
+ BEGIN_SECAPI
+
+ Required(result) = Certificate::required(certificate)->distinguishedName(&CSSMOID_X509V1SubjectNameCStruct, component);
+
+ END_SECAPI
+}
+
+OSStatus
+SecCertificateGetCommonName(SecCertificateRef certificate, CFStringRef *commonName)
+{
+ // deprecated SPI signature; replaced by SecCertificateCopyCommonName
+ return SecCertificateCopyCommonName(certificate, commonName);
+}
+
+OSStatus
+SecCertificateGetEmailAddress(SecCertificateRef certificate, CFStringRef *emailAddress)
+{
+ BEGIN_SECAPI
+
+ Required(emailAddress) = Certificate::required(certificate)->copyFirstEmailAddress();
+
+ END_SECAPI
+}
+
+OSStatus
+SecCertificateCopyEmailAddresses(SecCertificateRef certificate, CFArrayRef *emailAddresses)
+{
+ BEGIN_SECAPI
+
+ Required(emailAddresses) = Certificate::required(certificate)->copyEmailAddresses();
+
+ END_SECAPI
+}
+
+OSStatus
+SecCertificateCopyFieldValues(SecCertificateRef certificate, const CSSM_OID *field, CSSM_DATA_PTR **fieldValues)
+{
+/* Return a zero terminated list of CSSM_DATA_PTR's with the values of the field specified by field. Caller must call releaseFieldValues to free the storage allocated by this call. */
+ BEGIN_SECAPI
+
+ Required(fieldValues) = Certificate::required(certificate)->copyFieldValues(Required(field));
+
+ END_SECAPI
+}
+
+OSStatus
+SecCertificateReleaseFieldValues(SecCertificateRef certificate, const CSSM_OID *field, CSSM_DATA_PTR *fieldValues)
+{
+ BEGIN_SECAPI
+
+ Certificate::required(certificate)->releaseFieldValues(Required(field), fieldValues);
+
+ END_SECAPI
+}
+
+OSStatus
+SecCertificateCopyFirstFieldValue(SecCertificateRef certificate, const CSSM_OID *field, CSSM_DATA_PTR *fieldValue)
+{
+ BEGIN_SECAPI
+
+ Required(fieldValue) = Certificate::required(certificate)->copyFirstFieldValue(Required(field));
+
+ END_SECAPI
+}
+
+OSStatus
+SecCertificateReleaseFirstFieldValue(SecCertificateRef certificate, const CSSM_OID *field, CSSM_DATA_PTR fieldValue)
+{
+ BEGIN_SECAPI
+
+ Certificate::required(certificate)->releaseFieldValue(Required(field), fieldValue);
+
+ END_SECAPI
+}
+
+OSStatus
+SecCertificateFindByIssuerAndSN(CFTypeRef keychainOrArray,const CSSM_DATA *issuer,
+ const CSSM_DATA *serialNumber, SecCertificateRef *certificate)
+{
+ BEGIN_SECAPI
+
+ StorageManager::KeychainList keychains;
+ globals().storageManager.optionalSearchList(keychainOrArray, keychains);
+ Required(certificate) = Certificate::findByIssuerAndSN(keychains, CssmData::required(issuer), CssmData::required(serialNumber))->handle();
+
+ END_SECAPI
+}
+
+OSStatus
+SecCertificateFindBySubjectKeyID(CFTypeRef keychainOrArray, const CSSM_DATA *subjectKeyID,
+ SecCertificateRef *certificate)
+{
+ BEGIN_SECAPI
+
+ StorageManager::KeychainList keychains;
+ globals().storageManager.optionalSearchList(keychainOrArray, keychains);
+ Required(certificate) = Certificate::findBySubjectKeyID(keychains, CssmData::required(subjectKeyID))->handle();
+
+ END_SECAPI
+}
+
+OSStatus
+SecCertificateFindByEmail(CFTypeRef keychainOrArray, const char *emailAddress, SecCertificateRef *certificate)
+{
+ BEGIN_SECAPI
+
+ StorageManager::KeychainList keychains;
+ globals().storageManager.optionalSearchList(keychainOrArray, keychains);
+ Required(certificate) = Certificate::findByEmail(keychains, emailAddress)->handle();
+
+ END_SECAPI
+}
+
+OSStatus
+SecKeychainSearchCreateForCertificateByIssuerAndSN(CFTypeRef keychainOrArray, const CSSM_DATA *issuer,
+ const CSSM_DATA *serialNumber, SecKeychainSearchRef *searchRef)
+{
+ BEGIN_SECAPI
+
+ Required(searchRef);
+
+ StorageManager::KeychainList keychains;
+ globals().storageManager.optionalSearchList(keychainOrArray, keychains);
+ KCCursor cursor(Certificate::cursorForIssuerAndSN(keychains, CssmData::required(issuer), CssmData::required(serialNumber)));
+ *searchRef = cursor->handle();
+
+ END_SECAPI
+}
+
+OSStatus
+SecKeychainSearchCreateForCertificateByIssuerAndSN_CF(CFTypeRef keychainOrArray, CFDataRef issuer,
+ CFDataRef serialNumber, SecKeychainSearchRef *searchRef)
+{
+ BEGIN_SECAPI
+
+ Required(searchRef);
+
+ StorageManager::KeychainList keychains;
+ globals().storageManager.optionalSearchList(keychainOrArray, keychains);
+ Required(issuer);
+ Required(serialNumber);
+ KCCursor cursor(Certificate::cursorForIssuerAndSN_CF(keychains, issuer, serialNumber));
+ *searchRef = cursor->handle();
+
+ END_SECAPI
+}
+
+OSStatus
+SecKeychainSearchCreateForCertificateBySubjectKeyID(CFTypeRef keychainOrArray, const CSSM_DATA *subjectKeyID,
+ SecKeychainSearchRef *searchRef)
+{
+ BEGIN_SECAPI
+
+ Required(searchRef);
+
+ StorageManager::KeychainList keychains;
+ globals().storageManager.optionalSearchList(keychainOrArray, keychains);
+ KCCursor cursor(Certificate::cursorForSubjectKeyID(keychains, CssmData::required(subjectKeyID)));
+ *searchRef = cursor->handle();
+
+ END_SECAPI
+}
+
+OSStatus
+SecKeychainSearchCreateForCertificateByEmail(CFTypeRef keychainOrArray, const char *emailAddress,
+ SecKeychainSearchRef *searchRef)
+{
+ BEGIN_SECAPI
+
+ Required(searchRef);
+
+ StorageManager::KeychainList keychains;
+ globals().storageManager.optionalSearchList(keychainOrArray, keychains);
+ KCCursor cursor(Certificate::cursorForEmail(keychains, emailAddress));
+ *searchRef = cursor->handle();
+
+ END_SECAPI
+}
+
+/* NOT EXPORTED YET; copied from SecurityInterface but could be useful in the future.
+CSSM_CSP_HANDLE
+SecGetAppleCSPHandle()
+{
+ BEGIN_SECAPI
+ return CSP(gGuidAppleCSP)->handle();
+ END_SECAPI1(NULL);
+}
+
+CSSM_CL_HANDLE
+SecGetAppleCLHandle()
+{
+ BEGIN_SECAPI
+ return CL(gGuidAppleX509CL)->handle();
+ END_SECAPI1(NULL);
+}
+*/
+
+CSSM_RETURN
+SecDigestGetData (CSSM_ALGORITHMS alg, CSSM_DATA* digest, const CSSM_DATA* data)
+{
+ BEGIN_SECAPI
+ // sanity checking
+ if (!digest || !digest->Data || !digest->Length || !data || !data->Data || !data->Length)
+ return errSecParam;
+
+ CSP csp(gGuidAppleCSP);
+ Digest context(csp, alg);
+ CssmData input(data->Data, data->Length);
+ CssmData output(digest->Data, digest->Length);
+
+ context.digest(input, output);
+ digest->Length = output.length();
+
+ return CSSM_OK;
+ END_SECAPI1(1);
+}
+
+/* determine whether a cert is self-signed */
+OSStatus SecCertificateIsSelfSigned(
+ SecCertificateRef certificate,
+ Boolean *isSelfSigned) /* RETURNED */
+{
+ BEGIN_SECAPI
+
+ *isSelfSigned = Certificate::required(certificate)->isSelfSigned();
+
+ END_SECAPI
+}
+
+OSStatus
+SecCertificateCopyPreference(
+ CFStringRef name,
+ CSSM_KEYUSE keyUsage,
+ SecCertificateRef *certificate)
+{
+ BEGIN_SECAPI
+
+ Required(name);
+ Required(certificate);
+ StorageManager::KeychainList keychains;
+ globals().storageManager.getSearchList(keychains);
+ KCCursor cursor(keychains, kSecGenericPasswordItemClass, NULL);
+
+ char idUTF8[MAXPATHLEN];
+ if (!CFStringGetCString(name, idUTF8, sizeof(idUTF8)-1, kCFStringEncodingUTF8))
+ idUTF8[0] = (char)'\0';
+ CssmData service(const_cast<char *>(idUTF8), strlen(idUTF8));
+ FourCharCode itemType = 'cprf';
+ cursor->add(CSSM_DB_EQUAL, Schema::attributeInfo(kSecServiceItemAttr), service);
+ cursor->add(CSSM_DB_EQUAL, Schema::attributeInfo(kSecTypeItemAttr), itemType);
+ if (keyUsage)
+ cursor->add(CSSM_DB_EQUAL, Schema::attributeInfo(kSecScriptCodeItemAttr), (sint32)keyUsage);
+
+ Item prefItem;
+ if (!cursor->next(prefItem))
+ MacOSError::throwMe(errSecItemNotFound);
+
+ // get persistent certificate reference
+ SecKeychainAttribute itemAttrs[] = { { kSecGenericItemAttr, 0, NULL } };
+ SecKeychainAttributeList itemAttrList = { sizeof(itemAttrs) / sizeof(itemAttrs[0]), itemAttrs };
+ prefItem->getContent(NULL, &itemAttrList, NULL, NULL);
+
+ // find certificate, given persistent reference data
+ CFDataRef pItemRef = CFDataCreateWithBytesNoCopy(NULL, (const UInt8 *)itemAttrs[0].data, itemAttrs[0].length, kCFAllocatorNull);
+ SecKeychainItemRef certItemRef = nil;
+ OSStatus status = SecKeychainItemCopyFromPersistentReference(pItemRef, &certItemRef); //%%% need to make this a method of ItemImpl
+ prefItem->freeContent(&itemAttrList, NULL);
+ if (pItemRef)
+ CFRelease(pItemRef);
+ if (status)
+ return status;
+
+ *certificate = (SecCertificateRef)certItemRef;
+
+ END_SECAPI
+}
+
+SecCertificateRef
+SecCertificateCopyPreferred(
+ CFStringRef name,
+ CFArrayRef keyUsage)
+{
+ // This function will look for a matching preference in the following order:
+ // - matches the name and the supplied key use
+ // - matches the name and the special 'ANY' key use
+ // - matches the name with no key usage constraint
+
+ SecCertificateRef certRef = NULL;
+ CSSM_KEYUSE keyUse = ConvertArrayToKeyUsage(keyUsage);
+ OSStatus status = SecCertificateCopyPreference(name, keyUse, &certRef);
+ if (status != errSecSuccess && keyUse != CSSM_KEYUSE_ANY)
+ status = SecCertificateCopyPreference(name, CSSM_KEYUSE_ANY, &certRef);
+ if (status != errSecSuccess && keyUse != 0)
+ status = SecCertificateCopyPreference(name, 0, &certRef);
+
+ return certRef;
+}
+
+static OSStatus
+SecCertificateFindPreferenceItemWithNameAndKeyUsage(
+ CFTypeRef keychainOrArray,
+ CFStringRef name,
+ int32_t keyUsage,
+ SecKeychainItemRef *itemRef)
+{
+ BEGIN_SECAPI
+
+ StorageManager::KeychainList keychains;
+ globals().storageManager.optionalSearchList(keychainOrArray, keychains);
+ KCCursor cursor(keychains, kSecGenericPasswordItemClass, NULL);
+
+ char idUTF8[MAXPATHLEN];
+ idUTF8[0] = (char)'\0';
+ if (name)
+ {
+ if (!CFStringGetCString(name, idUTF8, sizeof(idUTF8)-1, kCFStringEncodingUTF8))
+ idUTF8[0] = (char)'\0';
+ }
+ size_t idUTF8Len = strlen(idUTF8);
+ if (!idUTF8Len)
+ MacOSError::throwMe(errSecParam);
+
+ CssmData service(const_cast<char *>(idUTF8), idUTF8Len);
+ cursor->add(CSSM_DB_EQUAL, Schema::attributeInfo(kSecServiceItemAttr), service);
+ cursor->add(CSSM_DB_EQUAL, Schema::attributeInfo(kSecTypeItemAttr), (FourCharCode)'cprf');
+ if (keyUsage)
+ cursor->add(CSSM_DB_EQUAL, Schema::attributeInfo(kSecScriptCodeItemAttr), (sint32)keyUsage);
+
+ Item item;
+ if (!cursor->next(item))
+ MacOSError::throwMe(errSecItemNotFound);
+
+ if (itemRef)
+ *itemRef=item->handle();
+
+ END_SECAPI
+}
+
+static
+OSStatus SecCertificateDeletePreferenceItemWithNameAndKeyUsage(
+ CFTypeRef keychainOrArray,
+ CFStringRef name,
+ int32_t keyUsage)
+{
+ // when a specific key usage is passed, we'll only match & delete that pref;
+ // when a key usage of 0 is passed, all matching prefs should be deleted.
+ // maxUsages represents the most matches there could theoretically be, so
+ // cut things off at that point if we're still finding items (if they can't
+ // be deleted for some reason, we'd never break out of the loop.)
+
+ OSStatus status;
+ SecKeychainItemRef item = NULL;
+ int count = 0, maxUsages = 12;
+ while (++count <= maxUsages &&
+ (status = SecCertificateFindPreferenceItemWithNameAndKeyUsage(keychainOrArray, name, keyUsage, &item)) == errSecSuccess) {
+ status = SecKeychainItemDelete(item);
+ CFRelease(item);
+ item = NULL;
+ }
+
+ // it's not an error if the item isn't found
+ return (status == errSecItemNotFound) ? errSecSuccess : status;
+}
+
+OSStatus SecCertificateSetPreference(
+ SecCertificateRef certificate,
+ CFStringRef name,
+ CSSM_KEYUSE keyUsage,
+ CFDateRef date)
+{
+ if (!name) {
+ return errSecParam;
+ }
+ if (!certificate) {
+ // treat NULL certificate as a request to clear the preference
+ // (note: if keyUsage is 0, this clears all key usage prefs for name)
+ return SecCertificateDeletePreferenceItemWithNameAndKeyUsage(NULL, name, keyUsage);
+ }
+
+ BEGIN_SECAPI
+
+ // determine the account attribute
+ //
+ // This attribute must be synthesized from certificate label + pref item type + key usage,
+ // as only the account and service attributes can make a generic keychain item unique.
+ // For 'iprf' type items (but not 'cprf'), we append a trailing space. This insures that
+ // we can save a certificate preference if an identity preference already exists for the
+ // given service name, and vice-versa.
+ // If the key usage is 0 (i.e. the normal case), we omit the appended key usage string.
+ //
+ CFStringRef labelStr = nil;
+ Certificate::required(certificate)->inferLabel(false, &labelStr);
+ if (!labelStr) {
+ MacOSError::throwMe(errSecDataTooLarge); // data is "in a format which cannot be displayed"
+ }
+ CFIndex accountUTF8Len = CFStringGetMaximumSizeForEncoding(CFStringGetLength(labelStr), kCFStringEncodingUTF8) + 1;
+ const char *templateStr = "%s [key usage 0x%X]";
+ const int keyUsageMaxStrLen = 8;
+ accountUTF8Len += strlen(templateStr) + keyUsageMaxStrLen;
+ char accountUTF8[accountUTF8Len];
+ if (!CFStringGetCString(labelStr, accountUTF8, accountUTF8Len-1, kCFStringEncodingUTF8))
+ accountUTF8[0] = (char)'\0';
+ if (keyUsage)
+ snprintf(accountUTF8, accountUTF8Len-1, templateStr, accountUTF8, keyUsage);
+ CssmData account(const_cast<char *>(accountUTF8), strlen(accountUTF8));
+ CFRelease(labelStr);
+
+ // service attribute (name provided by the caller)
+ CFIndex serviceUTF8Len = CFStringGetMaximumSizeForEncoding(CFStringGetLength(name), kCFStringEncodingUTF8) + 1;;
+ char serviceUTF8[serviceUTF8Len];
+ if (!CFStringGetCString(name, serviceUTF8, serviceUTF8Len-1, kCFStringEncodingUTF8))
+ serviceUTF8[0] = (char)'\0';
+ CssmData service(const_cast<char *>(serviceUTF8), strlen(serviceUTF8));
+
+ // look for existing preference item, in case this is an update
+ StorageManager::KeychainList keychains;
+ globals().storageManager.getSearchList(keychains);
+ KCCursor cursor(keychains, kSecGenericPasswordItemClass, NULL);
+ FourCharCode itemType = 'cprf';
+ cursor->add(CSSM_DB_EQUAL, Schema::attributeInfo(kSecServiceItemAttr), service);
+ cursor->add(CSSM_DB_EQUAL, Schema::attributeInfo(kSecTypeItemAttr), itemType);
+ if (keyUsage)
+ cursor->add(CSSM_DB_EQUAL, Schema::attributeInfo(kSecScriptCodeItemAttr), (sint32)keyUsage);
+ if (date)
+ ; // %%%TBI
+
+ Item item(kSecGenericPasswordItemClass, 'aapl', 0, NULL, false);
+ bool add = (!cursor->next(item));
+ // at this point, we either have a new item to add or an existing item to update
+
+ // set item attribute values
+ item->setAttribute(Schema::attributeInfo(kSecServiceItemAttr), service);
+ item->setAttribute(Schema::attributeInfo(kSecTypeItemAttr), itemType);
+ item->setAttribute(Schema::attributeInfo(kSecAccountItemAttr), account);
+ item->setAttribute(Schema::attributeInfo(kSecScriptCodeItemAttr), (sint32)keyUsage);
+ item->setAttribute(Schema::attributeInfo(kSecLabelItemAttr), service);
+
+ // date
+ if (date)
+ ; // %%%TBI
+
+ // generic attribute (store persistent certificate reference)
+ CFDataRef pItemRef = nil;
+ Certificate::required(certificate)->copyPersistentReference(pItemRef);
+ if (!pItemRef) {
+ MacOSError::throwMe(errSecInvalidItemRef);
+ }
+ const UInt8 *dataPtr = CFDataGetBytePtr(pItemRef);
+ CFIndex dataLen = CFDataGetLength(pItemRef);
+ CssmData pref(const_cast<void *>(reinterpret_cast<const void *>(dataPtr)), dataLen);
+ item->setAttribute(Schema::attributeInfo(kSecGenericItemAttr), pref);
+ CFRelease(pItemRef);
+
+ if (add) {
+ Keychain keychain = nil;
+ try {
+ keychain = globals().storageManager.defaultKeychain();
+ if (!keychain->exists())
+ MacOSError::throwMe(errSecNoSuchKeychain); // Might be deleted or not available at this time.
+ }
+ catch(...) {
+ keychain = globals().storageManager.defaultKeychainUI(item);
+ }
+
+ try {
+ keychain->add(item);
+ }
+ catch (const MacOSError &err) {
+ if (err.osStatus() != errSecDuplicateItem)
+ throw; // if item already exists, fall through to update
+ }
+ }
+ item->update();
+
+ END_SECAPI
+}
+
+OSStatus SecCertificateSetPreferred(
+ SecCertificateRef certificate,
+ CFStringRef name,
+ CFArrayRef keyUsage)
+{
+ CSSM_KEYUSE keyUse = ConvertArrayToKeyUsage(keyUsage);
+ return SecCertificateSetPreference(certificate, name, keyUse, NULL);
+}
+
+CFDictionaryRef SecCertificateCopyValues(SecCertificateRef certificate, CFArrayRef keys, CFErrorRef *error)
+{
+ CFDictionaryRef result = NULL;
+ OSStatus __secapiresult;
+ try
+ {
+ CertificateValues cv(certificate);
+ result = cv.copyFieldValues(keys,error);
+ __secapiresult=0;
+ }
+ catch (const MacOSError &err) { __secapiresult=err.osStatus(); }
+ catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); }
+ catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; }
+ catch (...) { __secapiresult=errSecInternalComponent; }
+ return result;
+}
+
+CFStringRef SecCertificateCopyLongDescription(CFAllocatorRef alloc, SecCertificateRef certificate, CFErrorRef *error)
+{
+ return SecCertificateCopyShortDescription(alloc, certificate, error);
+}
+
+CFStringRef SecCertificateCopyShortDescription(CFAllocatorRef alloc, SecCertificateRef certificate, CFErrorRef *error)
+{
+ CFStringRef result = NULL;
+ OSStatus __secapiresult;
+ try
+ {
+ __secapiresult = SecCertificateInferLabel(certificate, &result);
+ }
+ catch (const MacOSError &err) { __secapiresult=err.osStatus(); }
+ catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); }
+ catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; }
+ catch (...) { __secapiresult=errSecInternalComponent; }
+ if (error!=NULL && __secapiresult!=errSecSuccess)
+ {
+ *error = CFErrorCreate(kCFAllocatorDefault, kCFErrorDomainOSStatus,
+ __secapiresult ? __secapiresult : CSSM_ERRCODE_INTERNAL_ERROR, NULL);
+ }
+ return result;
+}
+
+CFDataRef SecCertificateCopySerialNumber(SecCertificateRef certificate, CFErrorRef *error)
+{
+ CFDataRef result = NULL;
+ OSStatus __secapiresult;
+ try
+ {
+ CertificateValues cv(certificate);
+ result = cv.copySerialNumber(error);
+ __secapiresult=0;
+ }
+ catch (const MacOSError &err) { __secapiresult=err.osStatus(); }
+ catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); }
+ catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; }
+ catch (...) { __secapiresult=errSecInternalComponent; }
+ return result;
+}
+
+CFDataRef SecCertificateCopyNormalizedIssuerContent(SecCertificateRef certificate, CFErrorRef *error)
+{
+ CFDataRef result = NULL;
+ OSStatus __secapiresult;
+ try
+ {
+ CertificateValues cv(certificate);
+ result = cv.copyNormalizedIssuerContent(error);
+ __secapiresult=0;
+ }
+ catch (const MacOSError &err) { __secapiresult=err.osStatus(); }
+ catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); }
+ catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; }
+ catch (...) { __secapiresult=errSecInternalComponent; }
+ return result;
+}
+
+CFDataRef SecCertificateCopyNormalizedSubjectContent(SecCertificateRef certificate, CFErrorRef *error)
+{
+ CFDataRef result = NULL;
+ OSStatus __secapiresult;
+ try
+ {
+ CertificateValues cv(certificate);
+ result = cv.copyNormalizedSubjectContent(error);
+ __secapiresult=0;
+ }
+ catch (const MacOSError &err) { __secapiresult=err.osStatus(); }
+ catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); }
+ catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; }
+ catch (...) { __secapiresult=errSecInternalComponent; }
+ return result;
+}
+
+CFDataRef SecCertificateCopyIssuerSequence(SecCertificateRef certificate)
+{
+ CFDataRef result = NULL;
+ OSStatus __secapiresult;
+ try
+ {
+ CertificateValues cv(certificate);
+ result = cv.copyIssuerSequence(NULL);
+ __secapiresult=0;
+ }
+ catch (const MacOSError &err) { __secapiresult=err.osStatus(); }
+ catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); }
+ catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; }
+ catch (...) { __secapiresult=errSecInternalComponent; }
+ return result;
+}
+
+CFDataRef SecCertificateCopySubjectSequence(SecCertificateRef certificate)
+{
+ CFDataRef result = NULL;
+ OSStatus __secapiresult;
+ try
+ {
+ CertificateValues cv(certificate);
+ result = cv.copySubjectSequence(NULL);
+ __secapiresult=0;
+ }
+ catch (const MacOSError &err) { __secapiresult=err.osStatus(); }
+ catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); }
+ catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; }
+ catch (...) { __secapiresult=errSecInternalComponent; }
+ return result;
+}
+
+bool SecCertificateIsValid(SecCertificateRef certificate, CFAbsoluteTime verifyTime)
+{
+ bool result = NULL;
+ OSStatus __secapiresult;
+ try
+ {
+ CFErrorRef error = NULL;
+ CertificateValues cv(certificate);
+ result = cv.isValid(verifyTime, &error);
+ if (error) CFRelease(error);
+ __secapiresult=0;
+ }
+ catch (const MacOSError &err) { __secapiresult=err.osStatus(); }
+ catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); }
+ catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; }
+ catch (...) { __secapiresult=errSecInternalComponent; }
+ return result;
+}
+
+/*
+ * deprecated function name
+ */
+bool SecCertificateIsValidX(SecCertificateRef certificate, CFAbsoluteTime verifyTime)
+{
+ return SecCertificateIsValid(certificate, verifyTime);
+}
+
+
+CFAbsoluteTime SecCertificateNotValidBefore(SecCertificateRef certificate)
+{
+ CFAbsoluteTime result = 0;
+ OSStatus __secapiresult;
+ try
+ {
+ CFErrorRef error = NULL;
+ CertificateValues cv(certificate);
+ result = cv.notValidBefore(&error);
+ if (error) CFRelease(error);
+ __secapiresult=0;
+ }
+ catch (const MacOSError &err) { __secapiresult=err.osStatus(); }
+ catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); }
+ catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; }
+ catch (...) { __secapiresult=errSecInternalComponent; }
+ return result;
+}
+
+CFAbsoluteTime SecCertificateNotValidAfter(SecCertificateRef certificate)
+{
+ CFAbsoluteTime result = 0;
+ OSStatus __secapiresult;
+ try
+ {
+ CFErrorRef error = NULL;
+ CertificateValues cv(certificate);
+ result = cv.notValidAfter(&error);
+ if (error) CFRelease(error);
+ __secapiresult=0;
+ }
+ catch (const MacOSError &err) { __secapiresult=err.osStatus(); }
+ catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); }
+ catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; }
+ catch (...) { __secapiresult=errSecInternalComponent; }
+ return result;
+}
+
+/* new in 10.8 */
+SecCertificateRef SecCertificateCreateWithBytes(CFAllocatorRef allocator,
+ const UInt8 *bytes, CFIndex length)
+{
+ SecCertificateRef certificate = NULL;
+ OSStatus __secapiresult;
+ try {
+ CSSM_DATA cssmCertData = { (CSSM_SIZE)length, (uint8 *)bytes };
+
+ //NOTE: there isn't yet a Certificate constructor which accepts a CFAllocatorRef
+ SecPointer<Certificate> certificatePtr(new Certificate(cssmCertData, CSSM_CERT_X_509v3, CSSM_CERT_ENCODING_DER));
+ certificate = certificatePtr->handle();
+
+ __secapiresult=errSecSuccess;
+ }
+ catch (const MacOSError &err) { __secapiresult=err.osStatus(); }
+ catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); }
+ catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; }
+ catch (...) { __secapiresult=errSecInternalComponent; }
+ return certificate;
+}
+
+/* new in 10.8 */
+CFIndex SecCertificateGetLength(SecCertificateRef certificate)
+{
+ CFIndex length = 0;
+ OSStatus __secapiresult;
+ try {
+ CssmData output = Certificate::required(certificate)->data();
+ length = (CFIndex)output.length();
+ __secapiresult=errSecSuccess;
+ }
+ catch (const MacOSError &err) { __secapiresult=err.osStatus(); }
+ catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); }
+ catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; }
+ catch (...) { __secapiresult=errSecInternalComponent; }
+ return length;
+}
+
+/* new in 10.8 */
+const UInt8 *SecCertificateGetBytePtr(SecCertificateRef certificate)
+{
+ const UInt8 *bytes = NULL;
+ OSStatus __secapiresult;
+ try {
+ CssmData output = Certificate::required(certificate)->data();
+ bytes = (const UInt8 *)output.data();
+ __secapiresult=errSecSuccess;
+ }
+ catch (const MacOSError &err) { __secapiresult=err.osStatus(); }
+ catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); }
+ catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; }
+ catch (...) { __secapiresult=errSecInternalComponent; }
+ return bytes;
+}
+
+static CFArrayRef CopyEscrowCertificates(SecCertificateEscrowRootType escrowRootType, CFErrorRef *error)
+{
+ // Return array of CFDataRef certificates.
+ CFArrayRef result = NULL;
+ int iCnt;
+ int numRoots = 0;
+
+ // Get the hard coded set of production roots
+ // static struct RootRecord* kProductionEscrowRoots[] = {&kOldEscrowRootRecord, &kProductionEscrowRootRecord};
+
+ struct RootRecord** pEscrowRoots = NULL;
+ switch (escrowRootType) {
+ case kSecCertificateBaselineEscrowRoot:
+ numRoots = kNumberOfBaseLineEscrowRoots;
+ pEscrowRoots = kBaseLineEscrowRoots;
+ break;
+ case kSecCertificateProductionEscrowRoot:
+ numRoots = kNumberOfBaseLineEscrowRoots; //%%% currently, production == baseline on OS X
+ pEscrowRoots = kBaseLineEscrowRoots;
+ break;
+ case kSecCertificateBaselinePCSEscrowRoot:
+ numRoots = kNumberOfBaseLinePCSEscrowRoots;
+ pEscrowRoots = kBaseLinePCSEscrowRoots;
+ break;
+ case kSecCertificateProductionPCSEscrowRoot:
+ numRoots = kNumberOfBaseLinePCSEscrowRoots; //%%% currently, production == baseline on OS X
+ pEscrowRoots = kBaseLinePCSEscrowRoots;
+ break;
+ default:
+ break;
+ }
+
+ CFDataRef productionCerts[numRoots];
+ struct RootRecord* pRootRecord = NULL;
+
+ for (iCnt = 0; pEscrowRoots != NULL && iCnt < numRoots; iCnt++)
+ {
+ pRootRecord = pEscrowRoots[iCnt];
+ if (NULL != pRootRecord && pRootRecord->_length > 0 && NULL != pRootRecord->_bytes)
+ {
+ productionCerts[iCnt] = CFDataCreate(kCFAllocatorDefault, pRootRecord->_bytes, pRootRecord->_length);
+ }
+ }
+ result = CFArrayCreate(kCFAllocatorDefault, (const void **)productionCerts, numRoots, &kCFTypeArrayCallBacks);
+ for (iCnt = 0; iCnt < numRoots; iCnt++)
+ {
+ if (NULL != productionCerts[iCnt])
+ {
+ CFRelease(productionCerts[iCnt]);
+ }
+ }
+
+ return result;
+}
+
+/* new in 10.9 */
+CFArrayRef SecCertificateCopyEscrowRoots(SecCertificateEscrowRootType escrowRootType)
+{
+ CFArrayRef result = NULL;
+ int iCnt;
+ int numRoots = 0;
+ CFDataRef certData = NULL;
+
+ // The request is for the base line certificates.
+ // Use the hard coded data to generate the return array
+ if (kSecCertificateBaselineEscrowRoot == escrowRootType)
+ {
+ // Get the hard coded set of roots
+ numRoots = kNumberOfBaseLineEscrowRoots;
+ SecCertificateRef baseLineCerts[numRoots];
+ struct RootRecord* pRootRecord = NULL;
+
+ for (iCnt = 0; iCnt < numRoots; iCnt++)
+ {
+ pRootRecord = kBaseLineEscrowRoots[iCnt];
+ if (NULL != pRootRecord && pRootRecord->_length > 0 && NULL != pRootRecord->_bytes)
+ {
+ certData = CFDataCreate(kCFAllocatorDefault, pRootRecord->_bytes, pRootRecord->_length);
+ if (NULL != certData)
+ {
+ baseLineCerts[iCnt] = SecCertificateCreateWithData(kCFAllocatorDefault, certData);
+ CFRelease(certData);
+ }
+ }
+ }
+ result = CFArrayCreate(kCFAllocatorDefault, (const void **)baseLineCerts, numRoots, &kCFTypeArrayCallBacks);
+ for (iCnt = 0; iCnt < numRoots; iCnt++)
+ {
+ if (NULL != baseLineCerts[iCnt])
+ {
+ CFRelease(baseLineCerts[iCnt]);
+ }
+ }
+ }
+ // The request is for the current certificates.
+ else
+ {
+ CFErrorRef error = NULL;
+ CFArrayRef cert_datas = CopyEscrowCertificates(escrowRootType, &error);
+ if (NULL != error || NULL == cert_datas || 0 == (numRoots = (int)CFArrayGetCount(cert_datas)))
+ {
+ if (NULL != error)
+ {
+ CFRelease(error);
+ }
+
+ if (NULL != cert_datas)
+ {
+ CFRelease(cert_datas);
+ }
+ return result;
+ }
+
+ SecCertificateRef assetCerts[numRoots];
+ for (iCnt = 0; iCnt < numRoots; iCnt++)
+ {
+ certData = (CFDataRef)CFArrayGetValueAtIndex(cert_datas, iCnt);
+ if (NULL != certData)
+ {
+ SecCertificateRef aCertRef = SecCertificateCreateWithData(kCFAllocatorDefault, certData);
+ assetCerts[iCnt] = aCertRef;
+ }
+ else
+ {
+ assetCerts[iCnt] = NULL;
+ }
+ }
+
+ if (numRoots > 0)
+ {
+ result = CFArrayCreate(kCFAllocatorDefault, (const void **)assetCerts, numRoots, &kCFTypeArrayCallBacks);
+ for (iCnt = 0; iCnt < numRoots; iCnt++)
+ {
+ if (NULL != assetCerts[iCnt])
+ {
+ CFRelease(assetCerts[iCnt]);
+ }
+ }
+ }
+ CFRelease(cert_datas);
+ }
+ return result;
+}
+
projects / apple / security.git / blobdiff