--- /dev/null
+/*
+ * Copyright (c) 2007-2009,2012-2014 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+/*
+ * SecTrustStore.c - CertificateSource API to a system root certificate store
+ */
+#include <Security/SecTrustStore.h>
+
+#include <Security/SecCertificateInternal.h>
+#include <Security/SecInternal.h>
+#include <Security/SecuritydXPC.h>
+#include <CoreFoundation/CFString.h>
+#include <AssertMacros.h>
+#include <ipc/securityd_client.h>
+#include "SecFramework.h"
+#include <sys/stat.h>
+#include <stdio.h>
+#include <dirent.h>
+#include "SecTrustPriv.h"
+#include <utilities/SecCFError.h>
+#include "utilities/SecDb.h"
+
+static CFStringRef kSecTrustStoreUserName = CFSTR("user");
+
+SecTrustStoreRef SecTrustStoreForDomain(SecTrustStoreDomain domain) {
+ CFStringRef domainName;
+ if (domain == kSecTrustStoreDomainUser) {
+ domainName = kSecTrustStoreUserName;
+ } else {
+ return NULL;
+ }
+
+ if (gSecurityd) {
+ return gSecurityd->sec_trust_store_for_domain(domainName, NULL);
+ } else {
+ return (SecTrustStoreRef)domainName;
+ }
+}
+
+static bool string_data_to_bool_error(enum SecXPCOperation op, SecTrustStoreRef ts, CFDataRef digest, CFErrorRef *error)
+{
+ return securityd_send_sync_and_do(op, error, ^bool(xpc_object_t message, CFErrorRef *error) {
+ return SecXPCDictionarySetString(message, kSecXPCKeyDomain, (CFStringRef)ts, error) &&
+ SecXPCDictionarySetData(message, kSecXPCKeyDigest, digest, error);
+ }, NULL);
+}
+
+static bool string_data_to_bool_bool_error(enum SecXPCOperation op, SecTrustStoreRef ts, CFDataRef digest, bool *result, CFErrorRef *error)
+{
+ return securityd_send_sync_and_do(op, error, ^bool(xpc_object_t message, CFErrorRef *error) {
+ return SecXPCDictionarySetString(message, kSecXPCKeyDomain, (CFStringRef)ts, error) &&
+ SecXPCDictionarySetData(message, kSecXPCKeyDigest, digest, error);
+ }, ^bool(xpc_object_t response, CFErrorRef *error) {
+ if (result)
+ *result = xpc_dictionary_get_bool(response, kSecXPCKeyResult);
+ return true;
+ });
+}
+
+Boolean SecTrustStoreContains(SecTrustStoreRef ts,
+ SecCertificateRef certificate) {
+ CFDataRef digest;
+ bool ok = false;
+ __block bool contains = false;
+
+ require(ts, errOut);
+ require(digest = SecCertificateGetSHA1Digest(certificate), errOut);
+ ok = (SecOSStatusWith(^bool (CFErrorRef *error) {
+ return SECURITYD_XPC(sec_trust_store_contains, string_data_to_bool_bool_error, ts, digest, &contains, error);
+ }) == errSecSuccess);
+
+errOut:
+ return ok && contains;
+}
+
+static bool SecXPCDictionarySetCertificate(xpc_object_t message, const char *key, SecCertificateRef certificate, CFErrorRef *error) {
+ if (certificate) {
+ xpc_dictionary_set_data(message, key, SecCertificateGetBytePtr(certificate),
+ SecCertificateGetLength(certificate));
+ return true;
+ }
+ return SecError(errSecParam, error, CFSTR("NULL certificate"));
+}
+
+
+static bool string_cert_cftype_to_error(enum SecXPCOperation op, SecTrustStoreRef ts, SecCertificateRef certificate, CFTypeRef trustSettingsDictOrArray, CFErrorRef *error)
+{
+ return securityd_send_sync_and_do(op, error, ^bool(xpc_object_t message, CFErrorRef *error) {
+ bool ok = false;
+ ok = SecXPCDictionarySetString(message, kSecXPCKeyDomain, (CFStringRef)ts, error) &&
+ SecXPCDictionarySetCertificate(message, kSecXPCKeyCertificate, certificate, error) &&
+ (!trustSettingsDictOrArray || SecXPCDictionarySetPList(message, kSecXPCKeySettings, trustSettingsDictOrArray, error));
+ return ok;
+ }, NULL);
+}
+
+OSStatus SecTrustStoreSetTrustSettings(SecTrustStoreRef ts,
+ SecCertificateRef certificate,
+ CFTypeRef trustSettingsDictOrArray) {
+ return SecOSStatusWith(^bool (CFErrorRef *error) {
+ return SECURITYD_XPC(sec_trust_store_set_trust_settings, string_cert_cftype_to_error, ts, certificate, trustSettingsDictOrArray, error);
+ });
+}
+
+OSStatus SecTrustStoreRemoveCertificate(SecTrustStoreRef ts,
+ SecCertificateRef certificate)
+{
+ CFDataRef digest;
+ OSStatus status = errSecParam;
+
+ require(ts, errOut);
+ require(digest = SecCertificateGetSHA1Digest(certificate), errOut);
+ require(gSecurityd || ts == (SecTrustStoreRef)kSecTrustStoreUserName, errOut);
+ status = SecOSStatusWith(^bool (CFErrorRef *error) {
+ return SECURITYD_XPC(sec_trust_store_remove_certificate, string_data_to_bool_error, ts, digest, error);
+ });
+
+errOut:
+ return status;
+}
+
+
+static CFIndex GetOTAAssetVersionNumber()
+{
+ CFIndex result = 0;
+ int version = 0;
+
+ if (errSecSuccess == SecTrustGetOTAPKIAssetVersionNumber(&version))
+ {
+ result = version;
+ }
+
+ return result;
+}
+
+
+
+OSStatus SecTrustStoreGetSettingsVersionNumber(SecTrustSettingsVersionNumber* p_settings_version_number)
+{
+ OSStatus status = errSecParam;
+ if (NULL == p_settings_version_number)
+ {
+ return status;
+ }
+
+ CFIndex versionNumber = GetOTAAssetVersionNumber();
+ *p_settings_version_number = (SecTrustSettingsVersionNumber)versionNumber;
+
+ return errSecSuccess;
+}
projects / apple / security.git / blobdiff