--- /dev/null
+/*
+ * parseTrustedRootList.cpp - parse the contents of a TrustedRootList record.
+ *
+ * Created May 26 2005 by dmitch.
+ */
+
+#include <stdlib.h>
+#include <strings.h>
+#include <stdio.h>
+#include <unistd.h>
+#include "parseTrustedRootList.h"
+#include "rootUtils.h"
+
+#include <Security/TrustSettingsSchema.h> /* private header */
+#include <Security/SecTrustSettings.h>
+#include <CoreFoundation/CoreFoundation.h>
+#include <security_utilities/cfutilities.h>
+
+/*
+ * Data is obtained from a SecKeychainItemRef; it's expected to be the XML encoding
+ * of a CFPropertyList (specifically of a CFDictionaryRef).
+ */
+int parseTrustedRootList(
+ CFDataRef plistData)
+{
+ /* First decode the XML */
+ CFStringRef errStr = NULL;
+ CFRef<CFPropertyListRef> rawPropList;
+ int ourRtn = 0;
+ OidParser parser;
+
+ rawPropList.take(CFPropertyListCreateFromXMLData(
+ NULL,
+ plistData,
+ kCFPropertyListImmutable,
+ &errStr));
+ CFPropertyListRef cfRawPropList = rawPropList;
+ if(cfRawPropList == NULL) {
+ printf("***parseTrustedRootList: Error decoding TrustedRootList XML data\n");
+ if(errStr != NULL) {
+ printf("Error string: "); CFShow(errStr);
+ CFRelease(errStr);
+ }
+ return -1;
+ }
+ if(errStr != NULL) {
+ CFRelease(errStr);
+ }
+
+ CFDictionaryRef topDict = (CFDictionaryRef)cfRawPropList;
+ if(CFGetTypeID(topDict) != CFDictionaryGetTypeID()) {
+ printf("***parseTrustedRootList: malformed propList");
+ return -1;
+ }
+
+ printf("=== Parsed User Trust Record ===\n");
+
+ /* that dictionary has two entries */
+ CFNumberRef cfVers = (CFNumberRef)CFDictionaryGetValue(topDict, kTrustRecordVersion);
+ if((cfVers == NULL) || (CFGetTypeID(cfVers) != CFNumberGetTypeID())) {
+ printf("***parseTrustedRootList: malformed version");
+ }
+ else {
+ SInt32 vers;
+ if(!CFNumberGetValue(cfVers, kCFNumberSInt32Type, &vers)) {
+ printf("***parseTrustedRootList: malformed version");
+ }
+ else {
+ printf("Version = %ld\n", vers);
+ }
+ }
+
+ CFDictionaryRef certsDict = (CFDictionaryRef)CFDictionaryGetValue(topDict,
+ kTrustRecordTrustList);
+ if((certsDict == NULL) || (CFGetTypeID(certsDict) != CFDictionaryGetTypeID())) {
+ printf("***parseTrustedRootList: malformed mTrustArray");
+ return -1;
+ }
+
+ CFIndex numCerts = CFDictionaryGetCount(certsDict);
+ const void *dictKeys[numCerts];
+ const void *dictValues[numCerts];
+ CFDictionaryGetKeysAndValues(certsDict, dictKeys, dictValues);
+
+ CFDataRef certApp;
+ CFDataRef certPolicy;
+ CFDictionaryRef ucDict;
+ CFArrayRef usageConstraints;
+ CFDataRef cfd;
+ CFIndex numUsageConstraints;
+ CFStringRef policyStr;
+ CFNumberRef cfNum;
+ CFDateRef modDate;
+
+ printf("Number of cert entries: %ld\n", numCerts);
+
+ for(CFIndex dex=0; dex<numCerts; dex++) {
+ printf("Cert %ld:\n", dex);
+ indentIncr();
+
+ /* per-cert key is ASCII representation of SHA1(cert) */
+ CFStringRef certHashStr = (CFStringRef)dictKeys[dex];
+ if(CFGetTypeID(certHashStr) != CFStringGetTypeID()) {
+ printf("***parseTrustedRootList: malformed certsDict key");
+ ourRtn = -1;
+ goto nextCert;
+ }
+ indent(); printf("Cert Hash : ");
+ printCfStr(certHashStr);
+ printf("\n");
+
+ /* get per-cert dictionary */
+ CFDictionaryRef certDict = (CFDictionaryRef)dictValues[dex];
+ if(CFGetTypeID(certDict) != CFDictionaryGetTypeID()) {
+ printf("***parseTrustedRootList: malformed certDict");
+ ourRtn = -1;
+ goto nextCert;
+ }
+
+ /*
+ * That dictionary has exactly four entries...but the first
+ *
+ * First, the issuer. This is in non-normalized form.
+ */
+ cfd = (CFDataRef)CFDictionaryGetValue(certDict, kTrustRecordIssuer);
+ if(cfd == NULL) {
+ printf("***parseTrustedRootList: missing issuer");
+ ourRtn = -1;
+ goto nextCert;
+ }
+ if(CFGetTypeID(cfd) != CFDataGetTypeID()) {
+ printf("***parseTrustedRootList: malformed issuer");
+ ourRtn = -1;
+ goto nextCert;
+ }
+ indent();
+ if(CFDataGetLength(cfd) == 0) {
+ /* that's for a default setting */
+ printf("Issuer : <none>\n");
+ }
+ else {
+ printf("Issuer : \n");
+ indentIncr(); printCfName(cfd, parser);
+ indentDecr();
+ }
+
+ /* Serial number */
+ cfd = (CFDataRef)CFDictionaryGetValue(certDict, kTrustRecordSerialNumber);
+ if(cfd == NULL) {
+ printf("***parseTrustedRootList: missing serial number");
+ ourRtn = -1;
+ goto nextCert;
+ }
+ if(CFGetTypeID(cfd) != CFDataGetTypeID()) {
+ printf("***parseTrustedRootList: malformed serial number");
+ ourRtn = -1;
+ goto nextCert;
+ }
+ indent(); printData("Serial Number ", cfd, PD_Hex, parser);
+
+ /* modification date */
+ modDate = (CFDateRef)CFDictionaryGetValue(certDict, kTrustRecordModDate);
+ if(modDate == NULL) {
+ printf("***parseTrustedRootList: missing modification date");
+ ourRtn = -1;
+ goto nextCert;
+ }
+ if(CFGetTypeID(modDate) != CFDateGetTypeID()) {
+ printf("***parseTrustedRootList: malformed modification date");
+ ourRtn = -1;
+ goto nextCert;
+ }
+ indent();
+ printf("Modification Date : ");
+ printCFDate(modDate);
+ printf("\n");
+
+ /*
+ * Array of usageConstraint dictionaries - the array itself must be there,
+ * though it might be empty.
+ */
+ usageConstraints = (CFArrayRef)CFDictionaryGetValue(certDict,
+ kTrustRecordTrustSettings);
+ numUsageConstraints = 0;
+ if(usageConstraints != NULL) {
+ if(CFGetTypeID(usageConstraints) != CFArrayGetTypeID()) {
+ printf("***parseTrustedRootList: malformed Usage Constraints array");
+ ourRtn = -1;
+ goto nextCert;
+ }
+
+ numUsageConstraints = CFArrayGetCount(usageConstraints);
+ }
+ indent(); printf("Num usage constraints : ");
+ if(usageConstraints) {
+ printf("%ld\n", numUsageConstraints);
+ }
+ else {
+ printf("<not present>\n");
+ }
+
+ /* grind thru the usageConstraint dictionaries */
+ for(CFIndex apDex=0; apDex<numUsageConstraints; apDex++) {
+ indent(); printf("Usage constraint %ld:\n", apDex);
+ indentIncr();
+
+ ucDict = (CFDictionaryRef)CFArrayGetValueAtIndex(usageConstraints, apDex);
+ if(CFGetTypeID(ucDict) != CFDictionaryGetTypeID()) {
+ printf("***parseTrustedRootList: malformed usageConstraint dictionary");
+ ourRtn = -1;
+ goto nextAp;
+ }
+
+ /* policy - optional - an OID */
+ certPolicy = (CFDataRef)CFDictionaryGetValue(ucDict, kSecTrustSettingsPolicy);
+ if(certPolicy != NULL) {
+ if(CFGetTypeID(certPolicy) != CFDataGetTypeID()) {
+ printf("***parseTrustedRootList: malformed certPolicy");
+ ourRtn = -1;
+ goto nextAp;
+ }
+ indent(); printData("Policy OID ", certPolicy, PD_OID, parser);
+ }
+
+ /* app - optional - data - opaque */
+ certApp = (CFDataRef)CFDictionaryGetValue(ucDict, kSecTrustSettingsApplication);
+ if(certApp != NULL) {
+ if(CFGetTypeID(certApp) != CFDataGetTypeID()) {
+ printf("***parseTrustedRootList: malformed certApp");
+ ourRtn = -1;
+ goto nextAp;
+ }
+ indent(); printData("Application ", certApp, PD_Hex, parser);
+ }
+
+ /* policy string */
+ policyStr = (CFStringRef)CFDictionaryGetValue(ucDict, kSecTrustSettingsPolicyString);
+ if(policyStr != NULL) {
+ if(CFGetTypeID(policyStr) != CFStringGetTypeID()) {
+ printf("***parseTrustedRootList: malformed policyStr");
+ ourRtn = -1;
+ goto nextAp;
+ }
+ indent(); printf("Policy String : ");
+ printCfStr(policyStr); printf("\n");
+ }
+
+ /* Allowed error */
+ cfNum = (CFNumberRef)CFDictionaryGetValue(ucDict, kSecTrustSettingsAllowedError);
+ if(cfNum != NULL) {
+ if(CFGetTypeID(cfNum) != CFNumberGetTypeID()) {
+ printf("***parseTrustedRootList: malformed allowedError");
+ ourRtn = -1;
+ goto nextAp;
+ }
+ indent(); printf("Allowed Error : ");
+ printCssmErr(cfNum); printf("\n");
+ }
+
+ /* ResultType */
+ cfNum = (CFNumberRef)CFDictionaryGetValue(ucDict, kSecTrustSettingsResult);
+ if(cfNum != NULL) {
+ if(CFGetTypeID(cfNum) != CFNumberGetTypeID()) {
+ printf("***parseTrustedRootList: malformed Result");
+ ourRtn = -1;
+ goto nextAp;
+ }
+ indent(); printf("Result Type : ");
+ printResult(cfNum); printf("\n");
+ }
+
+ /* key usage */
+ cfNum = (CFNumberRef)CFDictionaryGetValue(ucDict, kSecTrustSettingsKeyUsage);
+ if(cfNum != NULL) {
+ if(CFGetTypeID(cfNum) != CFNumberGetTypeID()) {
+ printf("***parseTrustedRootList: malformed keyUsage");
+ ourRtn = -1;
+ goto nextAp;
+ }
+ indent(); printf("Key Usage : ");
+ printKeyUsage(cfNum); printf("\n");
+ }
+
+ nextAp:
+ indentDecr();
+ }
+
+ nextCert:
+ indentDecr();
+ } /* for each cert dictionary in top-level array */
+
+ printf("=== End of Parsed User Trust Record ===\n");
+ return ourRtn;
+
+}
+
+
projects / apple / security.git / blobdiff