--- /dev/null
+/*
+ * Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+/*
+ * identPicker.cpp - Given a keychain, select from possible multiple
+ * SecIdentityRefs via stdio UI, and cook up a
+ * CFArray containing that identity and all certs needed
+ * for cert verification by an SSL peer. The resulting
+ * CFArrayRef is suitable for passing to SSLSetCertificate().
+ */
+
+#include "identPicker.h"
+#include <sys/param.h>
+#include <string.h>
+#include <stdio.h>
+#include <ctype.h>
+
+/*
+ * Safe gets().
+ * -- guaranteed no buffer overflow
+ * -- guaranteed NULL-terminated string
+ * -- handles empty string (i.e., response is just CR) properly
+ */
+static void getString(
+ char *buf,
+ unsigned bufSize)
+{
+ unsigned dex;
+ char c;
+ char *cp = buf;
+
+ for(dex=0; dex<bufSize-1; dex++) {
+ c = getchar();
+ if(!isprint(c)) {
+ break;
+ }
+ switch(c) {
+ case '\n':
+ case '\r':
+ goto done;
+ default:
+ *cp++ = c;
+ }
+ }
+done:
+ *cp = '\0';
+}
+
+/*
+ * Obtain the printable name of a SecKeychainItemRef as a C string.
+ * Caller must free() the result.
+ */
+static char *kcItemPrintableName(
+ SecKeychainItemRef certRef)
+{
+ char *crtn = NULL;
+
+ /* just search for the one attr we want */
+ UInt32 tag = kSecLabelItemAttr;
+ SecKeychainAttributeInfo attrInfo;
+ attrInfo.count = 1;
+ attrInfo.tag = &tag;
+ attrInfo.format = NULL;
+ SecKeychainAttributeList *attrList = NULL;
+ SecKeychainAttribute *attr = NULL;
+
+ OSStatus ortn = SecKeychainItemCopyAttributesAndData(
+ (SecKeychainItemRef)certRef,
+ &attrInfo,
+ NULL, // itemClass
+ &attrList,
+ NULL, // length - don't need the data
+ NULL); // outData
+ if(ortn) {
+ cssmPerror("SecKeychainItemCopyAttributesAndData", ortn);
+ /* may want to be a bit more robust here, but this should
+ * never happen */
+ return strdup("Unnamed KeychainItem");
+ }
+ /* subsequent errors to errOut: */
+
+ if((attrList == NULL) || (attrList->count != 1)) {
+ printf("***Unexpected result fetching label attr\n");
+ crtn = strdup("Unnamed KeychainItem");
+ goto errOut;
+ }
+ /* We're assuming 8-bit ASCII attribute data here... */
+ attr = attrList->attr;
+ crtn = (char *)malloc(attr->length + 1);
+ memmove(crtn, attr->data, attr->length);
+ crtn[attr->length] = '\0';
+
+errOut:
+ SecKeychainItemFreeAttributesAndData(attrList, NULL);
+ return crtn;
+}
+
+/*
+ * Get the final term of a keychain's path as a C string. Caller must free()
+ * the result.
+ */
+static char *kcFileName(
+ SecKeychainRef kcRef)
+{
+ char fullPath[MAXPATHLEN + 1];
+ OSStatus ortn;
+ UInt32 pathLen = MAXPATHLEN;
+
+ ortn = SecKeychainGetPath(kcRef, &pathLen, fullPath);
+ if(ortn) {
+ cssmPerror("SecKeychainGetPath", ortn);
+ return strdup("orphan keychain");
+ }
+
+ /* NULL terminate the path string and search for final '/' */
+ fullPath[pathLen] = '\0';
+ char *lastSlash = NULL;
+ char *thisSlash = fullPath;
+ do {
+ thisSlash = strchr(thisSlash, '/');
+ if(thisSlash == NULL) {
+ /* done */
+ break;
+ }
+ thisSlash++;
+ lastSlash = thisSlash;
+ } while(thisSlash != NULL);
+ if(lastSlash == NULL) {
+ /* no slashes, odd, but handle it */
+ return strdup(fullPath);
+ }
+ else {
+ return strdup(lastSlash);
+ }
+}
+
+/*
+ * Determine if specified SecCertificateRef is a self-signed cert.
+ * We do this by comparing the subject and issuerr names; no cryptographic
+ * verification is performed.
+ *
+ * Returns true if the cert appears to be a root.
+ */
+static bool isCertRefRoot(
+ SecCertificateRef certRef)
+{
+ /* just search for the two attrs we want */
+ UInt32 tags[2] = {kSecSubjectItemAttr, kSecIssuerItemAttr};
+ SecKeychainAttributeInfo attrInfo;
+ attrInfo.count = 2;
+ attrInfo.tag = tags;
+ attrInfo.format = NULL;
+ SecKeychainAttributeList *attrList = NULL;
+ SecKeychainAttribute *attr1 = NULL;
+ SecKeychainAttribute *attr2 = NULL;
+ bool brtn = false;
+
+ OSStatus ortn = SecKeychainItemCopyAttributesAndData(
+ (SecKeychainItemRef)certRef,
+ &attrInfo,
+ NULL, // itemClass
+ &attrList,
+ NULL, // length - don't need the data
+ NULL); // outData
+ if(ortn) {
+ cssmPerror("SecKeychainItemCopyAttributesAndData", ortn);
+ /* may want to be a bit more robust here, but this should
+ * never happen */
+ return false;
+ }
+ /* subsequent errors to errOut: */
+
+ if((attrList == NULL) || (attrList->count != 2)) {
+ printf("***Unexpected result fetching label attr\n");
+ goto errOut;
+ }
+
+ /* rootness is just byte-for-byte compare of the two names */
+ attr1 = &attrList->attr[0];
+ attr2 = &attrList->attr[1];
+ if(attr1->length == attr2->length) {
+ if(memcmp(attr1->data, attr2->data, attr1->length) == 0) {
+ brtn = true;
+ }
+ }
+errOut:
+ SecKeychainItemFreeAttributesAndData(attrList, NULL);
+ return brtn;
+}
+
+
+/*
+ * Given a SecIdentityRef, do our best to construct a complete, ordered, and
+ * verified cert chain, returning the result in a CFArrayRef. The result is
+ * suitable for use when calling SSLSetCertificate().
+ */
+static OSStatus completeCertChain(
+ SecIdentityRef identity,
+ SecCertificateRef trustedAnchor, // optional additional trusted anchor
+ bool includeRoot, // include the root in outArray
+ CFArrayRef *outArray) // created and RETURNED
+{
+ CFMutableArrayRef certArray;
+ SecTrustRef secTrust = NULL;
+ SecPolicyRef policy = NULL;
+ SecPolicySearchRef policySearch = NULL;
+ SecTrustResultType secTrustResult;
+ CSSM_TP_APPLE_EVIDENCE_INFO *dummyEv; // not used
+ CFArrayRef certChain = NULL; // constructed chain
+ CFIndex numResCerts;
+
+ certArray = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
+ CFArrayAppendValue(certArray, identity);
+
+ /*
+ * Case 1: identity is a root; we're done. Note that this case
+ * overrides the includeRoot argument.
+ */
+ SecCertificateRef certRef;
+ OSStatus ortn = SecIdentityCopyCertificate(identity, &certRef);
+ if(ortn) {
+ /* should never happen */
+ cssmPerror("SecIdentityCopyCertificate", ortn);
+ return ortn;
+ }
+ bool isRoot = isCertRefRoot(certRef);
+ if(isRoot) {
+ *outArray = certArray;
+ CFRelease(certRef);
+ return noErr;
+ }
+
+ /*
+ * Now use SecTrust to get a complete cert chain, using all of the
+ * user's keychains to look for intermediate certs.
+ * NOTE this does NOT handle root certs which are not in the system
+ * root cert DB. (The above case, where the identity is a root cert, does.)
+ */
+ CFMutableArrayRef subjCerts = CFArrayCreateMutable(NULL, 1, &kCFTypeArrayCallBacks);
+ CFArraySetValueAtIndex(subjCerts, 0, certRef);
+
+ /* the array owns the subject cert ref now */
+ CFRelease(certRef);
+
+ /* Get a SecPolicyRef for generic X509 cert chain verification */
+ ortn = SecPolicySearchCreate(CSSM_CERT_X_509v3,
+ &CSSMOID_APPLE_X509_BASIC,
+ NULL, // value
+ &policySearch);
+ if(ortn) {
+ cssmPerror("SecPolicySearchCreate", ortn);
+ goto errOut;
+ }
+ ortn = SecPolicySearchCopyNext(policySearch, &policy);
+ if(ortn) {
+ cssmPerror("SecPolicySearchCopyNext", ortn);
+ goto errOut;
+ }
+
+ /* build a SecTrustRef for specified policy and certs */
+ ortn = SecTrustCreateWithCertificates(subjCerts,
+ policy, &secTrust);
+ if(ortn) {
+ cssmPerror("SecTrustCreateWithCertificates", ortn);
+ goto errOut;
+ }
+
+ if(trustedAnchor) {
+ /*
+ * Tell SecTrust to trust this one in addition to the current
+ * trusted system-wide anchors.
+ */
+ CFMutableArrayRef newAnchors;
+ CFArrayRef currAnchors;
+
+ ortn = SecTrustCopyAnchorCertificates(&currAnchors);
+ if(ortn) {
+ /* should never happen */
+ cssmPerror("SecTrustCopyAnchorCertificates", ortn);
+ goto errOut;
+ }
+ newAnchors = CFArrayCreateMutableCopy(NULL,
+ CFArrayGetCount(currAnchors) + 1,
+ currAnchors);
+ CFRelease(currAnchors);
+ CFArrayAppendValue(newAnchors, trustedAnchor);
+ ortn = SecTrustSetAnchorCertificates(secTrust, newAnchors);
+ CFRelease(newAnchors);
+ if(ortn) {
+ cssmPerror("SecTrustSetAnchorCertificates", ortn);
+ goto errOut;
+ }
+ }
+ /* evaluate: GO */
+ ortn = SecTrustEvaluate(secTrust, &secTrustResult);
+ if(ortn) {
+ cssmPerror("SecTrustEvaluate", ortn);
+ goto errOut;
+ }
+ switch(secTrustResult) {
+ case kSecTrustResultUnspecified:
+ /* cert chain valid, no special UserTrust assignments */
+ case kSecTrustResultProceed:
+ /* cert chain valid AND user explicitly trusts this */
+ break;
+ default:
+ /*
+ * Cert chain construction failed.
+ * Just go with the single subject cert we were given.
+ */
+ printf("***Warning: could not construct completed cert chain\n");
+ ortn = noErr;
+ goto errOut;
+ }
+
+ /* get resulting constructed cert chain */
+ ortn = SecTrustGetResult(secTrust, &secTrustResult, &certChain, &dummyEv);
+ if(ortn) {
+ cssmPerror("SecTrustEvaluate", ortn);
+ goto errOut;
+ }
+
+ /*
+ * Copy certs from constructed chain to our result array, skipping
+ * the leaf (which is already there, as a SecIdentityRef) and possibly
+ * a root.
+ */
+ numResCerts = CFArrayGetCount(certChain);
+ if(numResCerts < 2) {
+ /*
+ * Can't happen: if subject was a root, we'd already have returned.
+ * If chain doesn't verify to a root, we'd have bailed after
+ * SecTrustEvaluate().
+ */
+ printf("***sslCompleteCertChain screwup: numResCerts %d\n",
+ (int)numResCerts);
+ ortn = noErr;
+ goto errOut;
+ }
+ if(!includeRoot) {
+ /* skip the last (root) cert) */
+ numResCerts--;
+ }
+ for(CFIndex dex=1; dex<numResCerts; dex++) {
+ certRef = (SecCertificateRef)CFArrayGetValueAtIndex(certChain, dex);
+ CFArrayAppendValue(certArray, certRef);
+ }
+errOut:
+ /* clean up */
+ if(secTrust) {
+ CFRelease(secTrust);
+ }
+ if(subjCerts) {
+ CFRelease(subjCerts);
+ }
+ if(policy) {
+ CFRelease(policy);
+ }
+ if(policySearch) {
+ CFRelease(policySearch);
+ }
+ *outArray = certArray;
+ return ortn;
+}
+
+
+/*
+ * Given an array of SecIdentityRefs:
+ * -- display a printable name of each identity's cert;
+ * -- prompt user to select which one to use;
+ *
+ * Returns CFIndex of desired identity. A return of <0 indicates
+ * "none - abort".
+ */
+static CFIndex pickIdent(
+ CFArrayRef idArray)
+{
+ CFIndex count = CFArrayGetCount(idArray);
+ CFIndex dex;
+ OSStatus ortn;
+
+ if(count == 0) {
+ printf("***sslIdentPicker screwup: no identities found\n");
+ return -1;
+ }
+ for(dex=0; dex<count; dex++) {
+ SecIdentityRef idRef = (SecIdentityRef)CFArrayGetValueAtIndex(idArray, dex);
+ SecCertificateRef certRef;
+ ortn = SecIdentityCopyCertificate(idRef, &certRef);
+ if(ortn) {
+ /* should never happen */
+ cssmPerror("SecIdentityCopyCertificate", ortn);
+ return -1;
+ }
+
+ /* get printable name of cert and the keychain it's in */
+ char *certLabel = kcItemPrintableName((SecKeychainItemRef)certRef);
+ SecKeychainRef kcRef;
+ char *kcLabel;
+ ortn = SecKeychainItemCopyKeychain((SecKeychainItemRef)certRef, &kcRef);
+ if(ortn) {
+ cssmPerror("SecKeychainItemCopyKeychain", ortn);
+ kcLabel = "Unnamed keychain";
+ }
+ else {
+ kcLabel = kcFileName(kcRef);
+ }
+ printf("[%d] keychain : %s\n", (int)dex, kcLabel);
+ printf(" cert : %s\n", certLabel);
+ free(certLabel);
+ if(ortn == noErr) {
+ free(kcLabel);
+ }
+ CFRelease(certRef);
+ }
+
+ while(1) {
+ fpurge(stdin);
+ printf("\nEnter Certificate number or CR to quit : ");
+ fflush(stdout);
+ char resp[64];
+ getString(resp, sizeof(resp));
+ if(resp[0] == '\0') {
+ return -1;
+ }
+ int ires = atoi(resp);
+ if((ires >= 0) && (ires < count)) {
+ return (CFIndex)ires;
+ }
+ printf("***Invalid entry. Type a number between 0 and %d\n",
+ (int)(count-1));
+ }
+ return -1;
+}
+
+OSStatus simpleIdentPicker(
+ SecKeychainRef kcRef, // NULL means use default list
+ SecIdentityRef *ident) // RETURNED
+{
+ OSStatus ortn;
+ CFMutableArrayRef idArray = NULL; // holds all SecIdentityRefs found
+
+ /* Search for all identities */
+ *ident = NULL;
+ SecIdentitySearchRef srchRef = nil;
+ ortn = SecIdentitySearchCreate(kcRef,
+ 0, // keyUsage - any
+ &srchRef);
+ if(ortn) {
+ cssmPerror("SecIdentitySearchCreate", (CSSM_RETURN)ortn);
+ printf("Cannot find signing key in keychain.\n");
+ return ortn;
+ }
+
+ /* get all identities, stuff them into idArray */
+ SecIdentityRef identity = nil;
+ idArray = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
+ do {
+ ortn = SecIdentitySearchCopyNext(srchRef, &identity);
+ if(ortn != noErr) {
+ break;
+ }
+ CFArrayAppendValue(idArray, identity);
+
+ /* the array has the retain count we need */
+ CFRelease(identity);
+ } while(ortn == noErr);
+
+ switch(ortn) {
+ case errSecItemNotFound:
+ if(CFArrayGetCount(idArray) == 0) {
+ printf("No signing keys found in keychain.\n");
+ return errSecItemNotFound;
+ }
+ else {
+ /* found at least one; proceed */
+ break;
+ }
+ default:
+ cssmPerror("SecIdentitySearchCopyNext", (CSSM_RETURN)ortn);
+ printf("Cannot find signing key in keychain.\n");
+ return ortn;
+ }
+
+ /*
+ * If there is just one, use it without asking
+ */
+ CFIndex whichId;
+ if(CFArrayGetCount(idArray) == 1) {
+ whichId = 0;
+ }
+ else {
+ whichId = pickIdent(idArray);
+ if(whichId < 0) {
+ return CSSMERR_CSSM_USER_CANCELED;
+ }
+ }
+
+ /* keep this one, free the rest */
+ identity = (SecIdentityRef)CFArrayGetValueAtIndex(idArray, whichId);
+ CFRetain(identity);
+ CFRelease(idArray);
+ *ident = identity;
+ return noErr;
+}
+
+OSStatus identPicker(
+ SecKeychainRef kcRef, // NULL means use default list
+ SecCertificateRef trustedAnchor, // optional additional trusted anchor
+ bool includeRoot, // true --> root is appended to outArray
+ // false --> root not included
+ CFArrayRef *outArray) // created and RETURNED
+{
+ OSStatus ortn;
+ SecIdentityRef identity;
+
+ ortn = simpleIdentPicker(kcRef, &identity);
+ if(ortn) {
+ return ortn;
+ }
+ return completeCertChain(identity, trustedAnchor, includeRoot, outArray);
+}
+
projects / apple / security.git / blobdiff