--- /dev/null
+/*
+ * Copyright (c) 2003-2008 Apple Inc. All Rights Reserved.
+ *
+ * The contents of this file constitute Original Code as defined in and are
+ * subject to the Apple Public Source License Version 1.2 (the 'License').
+ * You may not use this file except in compliance with the License. Please
+ * obtain a copy of the License at http://www.apple.com/publicsource and
+ * read it before using this file.
+ *
+ * This Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ */
+
+/*
+ * identPicker.cp - Given a keychain, select from possible multiple
+ * SecIdentityRefs via stdio UI, and cook up a
+ * CFArray containing that identity and all certs needed
+ * for cert verification by an SSL peer. The resulting
+ * CFArrayRef is suitable for passing to SSLSetCertificate().
+ */
+
+#include "identPicker.h"
+#include "sslAppUtils.h"
+#include <sys/param.h>
+#include <string.h>
+#include <stdio.h>
+#include <ctype.h>
+
+/*
+ * Safe gets().
+ * -- guaranteed no buffer overflow
+ * -- guaranteed NULL-terminated string
+ * -- handles empty string (i.e., response is just CR) properly
+ */
+void getString(
+ char *buf,
+ unsigned bufSize)
+{
+ unsigned dex;
+ char c;
+ char *cp = buf;
+
+ for(dex=0; dex<bufSize-1; dex++) {
+ c = getchar();
+ if(!isprint(c)) {
+ break;
+ }
+ switch(c) {
+ case '\n':
+ case '\r':
+ goto done;
+ default:
+ *cp++ = c;
+ }
+ }
+done:
+ *cp = '\0';
+}
+
+/*
+ * Obtain the printable name of a SecKeychainItemRef as a C string.
+ * Caller must free() the result.
+ */
+char *kcItemPrintableName(
+ SecKeychainItemRef itemRef)
+{
+ char *crtn = NULL;
+
+ /* just search for the one attr we want */
+ UInt32 tag = kSecLabelItemAttr;
+ SecKeychainAttributeInfo attrInfo;
+ attrInfo.count = 1;
+ attrInfo.tag = &tag;
+ attrInfo.format = NULL;
+ SecKeychainAttributeList *attrList = NULL;
+ SecKeychainAttribute *attr = NULL;
+
+ OSStatus ortn = SecKeychainItemCopyAttributesAndData(
+ itemRef,
+ &attrInfo,
+ NULL, // itemClass
+ &attrList,
+ NULL, // length - don't need the data
+ NULL); // outData
+ if(ortn) {
+ cssmPerror("SecKeychainItemCopyAttributesAndData", ortn);
+ /* may want to be a bit more robust here, but this should
+ * never happen */
+ return strdup("Unnamed KeychainItem");
+ }
+ /* subsequent errors to errOut: */
+
+ if((attrList == NULL) || (attrList->count != 1)) {
+ printf("***Unexpected result fetching label attr\n");
+ crtn = strdup("Unnamed KeychainItem");
+ goto errOut;
+ }
+ /* We're assuming 8-bit ASCII attribute data here... */
+ attr = attrList->attr;
+ crtn = (char *)malloc(attr->length + 1);
+ memmove(crtn, attr->data, attr->length);
+ crtn[attr->length] = '\0';
+
+errOut:
+ SecKeychainItemFreeAttributesAndData(attrList, NULL);
+ return crtn;
+}
+
+/*
+ * Get the final term of a keychain's path as a C string. Caller must free()
+ * the result.
+ */
+char *kcFileName(
+ SecKeychainRef kcRef)
+{
+ char fullPath[MAXPATHLEN + 1];
+ OSStatus ortn;
+ UInt32 pathLen = MAXPATHLEN;
+
+ ortn = SecKeychainGetPath(kcRef, &pathLen, fullPath);
+ if(ortn) {
+ cssmPerror("SecKeychainGetPath", ortn);
+ return strdup("orphan keychain");
+ }
+
+ /* NULL terminate the path string and search for final '/' */
+ fullPath[pathLen] = '\0';
+ char *lastSlash = NULL;
+ char *thisSlash = fullPath;
+ do {
+ thisSlash = strchr(thisSlash, '/');
+ if(thisSlash == NULL) {
+ /* done */
+ break;
+ }
+ thisSlash++;
+ lastSlash = thisSlash;
+ } while(thisSlash != NULL);
+ if(lastSlash == NULL) {
+ /* no slashes, odd, but handle it */
+ return strdup(fullPath);
+ }
+ else {
+ return strdup(lastSlash);
+ }
+}
+
+/*
+ * Obtain the final term of a keychain item's keychain path as a C string.
+ * Caller must free() the result.
+ * May well return NULL indicating the item has no keychain (e.g. az floating cert).
+ */
+char *kcItemKcFileName(SecKeychainItemRef itemRef)
+{
+ OSStatus ortn;
+ SecKeychainRef kcRef = NULL;
+
+ ortn = SecKeychainItemCopyKeychain(itemRef, &kcRef);
+ if(ortn) {
+ return NULL;
+ }
+ char *rtnStr = kcFileName(kcRef);
+ CFRelease(kcRef);
+ return rtnStr;
+}
+
+/*
+ * Given an array of SecIdentityRefs:
+ * -- display a printable name of each identity's cert;
+ * -- prompt user to select which one to use;
+ *
+ * Returns CFIndex of desired identity. A return of <0 indicates
+ * "none - abort".
+ */
+static CFIndex pickIdent(
+ CFArrayRef idArray)
+{
+ CFIndex count = CFArrayGetCount(idArray);
+ CFIndex dex;
+ OSStatus ortn;
+
+ if(count == 0) {
+ printf("***sslIdentPicker screwup: no identities found\n");
+ return -1;
+ }
+ for(dex=0; dex<count; dex++) {
+ SecIdentityRef idRef = (SecIdentityRef)CFArrayGetValueAtIndex(idArray, dex);
+ SecCertificateRef certRef;
+ ortn = SecIdentityCopyCertificate(idRef, &certRef);
+ if(ortn) {
+ /* should never happen */
+ cssmPerror("SecIdentityCopyCertificate", ortn);
+ return -1;
+ }
+
+ /* get printable name of cert and the keychain it's in */
+ char *certLabel = kcItemPrintableName((SecKeychainItemRef)certRef);
+ SecKeychainRef kcRef;
+ char *kcLabel;
+ ortn = SecKeychainItemCopyKeychain((SecKeychainItemRef)certRef, &kcRef);
+ if(ortn) {
+ cssmPerror("SecKeychainItemCopyKeychain", ortn);
+ kcLabel = (char *)"Unnamed keychain";
+ }
+ else {
+ kcLabel = kcFileName(kcRef);
+ }
+ printf("[%ld] keychain : %s\n", dex, kcLabel);
+ printf(" cert : %s\n", certLabel);
+ free(certLabel);
+ if(ortn == noErr) {
+ free(kcLabel);
+ }
+ CFRelease(certRef);
+ }
+
+ while(1) {
+ fpurge(stdin);
+ printf("\nEnter Certificate number or CR to quit : ");
+ fflush(stdout);
+ char resp[64];
+ getString(resp, sizeof(resp));
+ if(resp[0] == '\0') {
+ return -1;
+ }
+ int ires = atoi(resp);
+ if((ires >= 0) && (ires < count)) {
+ return (CFIndex)ires;
+ }
+ printf("***Invalid entry. Type a number between 0 and %ld\n",
+ count-1);
+ }
+ return -1;
+}
+
+OSStatus sslSimpleIdentPicker(
+ SecKeychainRef kcRef, // NULL means use default list
+ SecIdentityRef *ident) // RETURNED
+{
+ OSStatus ortn;
+ CFMutableArrayRef idArray = NULL; // holds all SecIdentityRefs found
+
+ /* Search for all identities */
+ *ident = NULL;
+ SecIdentitySearchRef srchRef = nil;
+ ortn = SecIdentitySearchCreate(kcRef,
+ 0, // keyUsage - any
+ &srchRef);
+ if(ortn) {
+ cssmPerror("SecIdentitySearchCreate", (CSSM_RETURN)ortn);
+ printf("Cannot find signing key in keychain.\n");
+ return ortn;
+ }
+
+ /* get all identities, stuff them into idArray */
+ SecIdentityRef identity = nil;
+ idArray = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
+ do {
+ ortn = SecIdentitySearchCopyNext(srchRef, &identity);
+ if(ortn != noErr) {
+ break;
+ }
+ CFArrayAppendValue(idArray, identity);
+
+ /* the array has the retain count we need */
+ CFRelease(identity);
+ } while(ortn == noErr);
+ CFRelease(srchRef);
+
+ switch(ortn) {
+ case errSecItemNotFound:
+ if(CFArrayGetCount(idArray) == 0) {
+ printf("No signing keys found in keychain.\n");
+ return errSecItemNotFound;
+ }
+ else {
+ /* found at least one; proceed */
+ break;
+ }
+ default:
+ cssmPerror("SecIdentitySearchCopyNext", (CSSM_RETURN)ortn);
+ printf("Cannot find signing key in keychain.\n");
+ return ortn;
+ }
+
+ /*
+ * If there is just one, use it without asking
+ */
+ CFIndex whichId;
+ if(CFArrayGetCount(idArray) == 1) {
+ whichId = 0;
+ }
+ else {
+ whichId = pickIdent(idArray);
+ if(whichId < 0) {
+ return CSSMERR_CSSM_USER_CANCELED;
+ }
+ }
+
+ /* keep this one, free the rest */
+ identity = (SecIdentityRef)CFArrayGetValueAtIndex(idArray, whichId);
+ CFRetain(identity);
+ CFRelease(idArray);
+ *ident = identity;
+ return noErr;
+}
+
+OSStatus sslIdentPicker(
+ SecKeychainRef kcRef, // NULL means use default list
+ SecCertificateRef trustedAnchor, // optional additional trusted anchor
+ bool includeRoot, // true --> root is appended to outArray
+ // false --> root not included
+ const CSSM_OID *vfyPolicy, // optional - if NULL, use SSL
+ CFArrayRef *outArray) // created and RETURNED
+{
+ OSStatus ortn;
+ SecIdentityRef identity;
+
+ ortn = sslSimpleIdentPicker(kcRef, &identity);
+ if(ortn) {
+ return ortn;
+ }
+ return sslCompleteCertChain(identity, trustedAnchor, includeRoot,
+ vfyPolicy, outArray);
+}
+
projects / apple / security.git / blobdiff