--- /dev/null
+/*
+ * rootStoreTool.cpp - exercise SecTrustSettings API
+ */
+
+#include <stdlib.h>
+#include <strings.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <Security/Security.h>
+#include <Security/SecTrustSettings.h>
+#include <Security/SecTrustPriv.h>
+#include <Security/TrustSettingsSchema.h>
+#include <Security/SecTrustSettingsPriv.h>
+#include <Security/cssmapplePriv.h>
+#include <Security/SecPolicyPriv.h>
+#include <security_cdsa_utils/cuFileIo.h>
+#include <security_utilities/cfutilities.h>
+#include <security_cdsa_utils/cuPrintCert.h>
+#include <security_cdsa_utils/cuOidParser.h>
+#include "parseTrustedRootList.h"
+#include <Security/TrustSettingsSchema.h> /* private header */
+#include "rootUtils.h"
+#include <CoreServices/../Frameworks/CarbonCore.framework/Headers/MacErrors.h>
+#include <pthread.h>
+#include <sys/param.h>
+
+static void usage(char **argv)
+{
+ printf("usage: %s op [options]\n", argv[0]);
+ printf("Op values:\n");
+ printf(" a -- add cert\n");
+ printf(" p -- parse TrustSettings record\n");
+ printf(" r -- get certs from TS & display\n");
+ printf(" d -- delete entries from TS interactively\n");
+ printf(" D -- delete ALL certs from TS (requires -R argument)\n");
+ printf(" R -- remove legacy User Trust setting\n");
+
+ printf("Options:\n");
+ printf(" -c certFile -- specify cert\n");
+ printf(" -s -- system TrustSettings; default is user\n");
+ printf(" -d -- Admin TrustSettings; default is user\n");
+ printf(" -t settingsFile -- settings from file; default is user\n");
+ printf(" -T settingsFileOut -- settings to file\n");
+ printf(" -a appPath -- specify app constraints\n");
+ printf(" -p policy -- specify policy constraint\n");
+ printf(" policy = ssl, smime, swuSign, codeSign, IPSec, iChat\n");
+ printf(" -P appPath policy -- specify app AND policy constraint\n");
+ printf(" -e emailAddress -- specify SMIME policy plus email address\n");
+ printf(" -L hostname -- specify SSL policy plus hostname\n");
+ printf(" -r resultType -- resultType = trust, trustAsRoot, deny, unspecified\n");
+ printf(" -w allowErr -- allowed error, an integer; implies result unspecified\n");
+ printf(" -W allowErr policy -- allowed error AND policy AND implies result unspecified\n");
+ printf(" -u keyUsage -- key usage, an integer\n");
+ printf(" -k keychain -- Default is default keychain.\n");
+ printf(" -R -- Really. For Delete All op.\n");
+ printf(" -v -- verbose cert display\n");
+ printf(" -A -- add cert to keychain\n");
+ printf(" -U -- use SecTrustSetUserTrust\n");
+ printf(" -2 -- use SecTrustSetUserTrustLegacy\n");
+ printf(" -l -- loop and pause for malloc debug\n");
+ printf(" -h -- help\n");
+ exit(1);
+}
+
+/*
+ * Start up a CFRunLoop. This is needed to field keychain event callbacks, used
+ * to maintain root cert cache coherency. This operation is only needed in command
+ * line tools; regular GUI apps already have a CFRunLoop.
+ */
+
+/* first we need something to register so we *have* a run loop */
+static OSStatus kcCacheCallback (
+ SecKeychainEvent keychainEvent,
+ SecKeychainCallbackInfo *info,
+ void *context)
+{
+ return noErr;
+}
+
+/* main thread has to wait for this to be set to know a run loop has been set up */
+static int runLoopInitialized = 0;
+
+/* this is the thread which actually runs the CFRunLoop */
+void *cfRunLoopThread(void *arg)
+{
+ OSStatus ortn = SecKeychainAddCallback(kcCacheCallback,
+ kSecTrustSettingsChangedEventMask, NULL);
+ if(ortn) {
+ printf("registerCacheCallbacks: SecKeychainAddCallback returned %ld", ortn);
+ /* Not sure how this could ever happen - maybe if there is no run loop active? */
+ return NULL;
+ }
+ runLoopInitialized = 1;
+ CFRunLoopRun();
+ /* should not be reached */
+ printf("\n*** Hey! CFRunLoopRun() exited!***\n");
+ return NULL;
+}
+
+static int startCFRunLoop()
+{
+ pthread_t runLoopThread;
+
+ int result = pthread_create(&runLoopThread, NULL, cfRunLoopThread, NULL);
+ if(result) {
+ printf("***pthread_create returned %d, aborting\n", result);
+ return -1;
+ }
+ return 0;
+}
+
+static SecCertificateRef certFromFile(
+ const char *fileName)
+{
+ unsigned char *cp = NULL;
+ unsigned len = 0;
+ if(readFile(fileName, &cp, &len)) {
+ printf("***Error reading file %s\n", fileName);
+ return NULL;
+ }
+ SecCertificateRef certRef;
+ CSSM_DATA certData = {len, cp};
+ OSStatus ortn = SecCertificateCreateFromData(&certData,
+ CSSM_CERT_X_509v3, CSSM_CERT_ENCODING_DER, &certRef);
+ if(ortn) {
+ cssmPerror("SecCertificateCreateFromData", ortn);
+ return NULL;
+ }
+ free(cp);
+ return certRef;
+}
+
+/*
+ * Display usage constraints array as obtained from
+ * SecTrustSettingsCopyTrustSettings().
+ */
+static int displayTrustSettings(
+ CFArrayRef trustSettings,
+ OidParser &parser)
+{
+ /* must always be there though it may be empty */
+ if(trustSettings == NULL) {
+ printf("***displayTrustSettings: missing trust settings array");
+ return -1;
+ }
+ if(CFGetTypeID(trustSettings) != CFArrayGetTypeID()) {
+ printf("***displayTrustSettings: malformed trust settings array");
+ return -1;
+ }
+
+ int ourRtn = 0;
+ CFIndex numUseConstraints = CFArrayGetCount(trustSettings);
+ indentIncr();
+ indent(); printf("Number of trust settings : %ld\n", numUseConstraints);
+ OSStatus ortn;
+ SecPolicyRef certPolicy;
+ SecTrustedApplicationRef certApp;
+ CFDictionaryRef ucDict;
+ CFStringRef policyStr;
+ CFNumberRef cfNum;
+
+ /* grind thru the trust settings dictionaries */
+ for(CFIndex ucDex=0; ucDex<numUseConstraints; ucDex++) {
+ indent(); printf("Trust Setting %ld:\n", ucDex);
+ indentIncr();
+
+ ucDict = (CFDictionaryRef)CFArrayGetValueAtIndex(trustSettings, ucDex);
+ if(CFGetTypeID(ucDict) != CFDictionaryGetTypeID()) {
+ printf("***displayTrustSettings: malformed usage constraints dictionary");
+ ourRtn = -1;
+ goto nextAp;
+ }
+
+ /* policy - optional */
+ certPolicy = (SecPolicyRef)CFDictionaryGetValue(ucDict, kSecTrustSettingsPolicy);
+ if(certPolicy != NULL) {
+ if(CFGetTypeID(certPolicy) != SecPolicyGetTypeID()) {
+ printf("***displayTrustSettings: malformed certPolicy");
+ ourRtn = -1;
+ goto nextAp;
+ }
+ CSSM_OID policyOid;
+ ortn = SecPolicyGetOID(certPolicy, &policyOid);
+ if(ortn) {
+ cssmPerror("SecPolicyGetOID", ortn);
+ ourRtn = -1;
+ goto nextAp;
+ }
+ indent(); printf("Policy OID : ");
+ printOid(policyOid.Data, policyOid.Length, parser);
+ printf("\n");
+ }
+
+ /* app - optional */
+ certApp = (SecTrustedApplicationRef)CFDictionaryGetValue(ucDict,
+ kSecTrustSettingsApplication);
+ if(certApp != NULL) {
+ if(CFGetTypeID(certApp) != SecTrustedApplicationGetTypeID()) {
+ printf("***displayTrustSettings: malformed certApp");
+ ourRtn = -1;
+ goto nextAp;
+ }
+ CFRef<CFDataRef> appPath;
+ ortn = SecTrustedApplicationCopyData(certApp, appPath.take());
+ if(ortn) {
+ cssmPerror("SecTrustedApplicationCopyData", ortn);
+ ourRtn = -1;
+ goto nextAp;
+ }
+ indent(); printf("Application : %s", CFDataGetBytePtr(appPath));
+ printf("\n");
+ }
+
+ /* policy string */
+ policyStr = (CFStringRef)CFDictionaryGetValue(ucDict, kSecTrustSettingsPolicyString);
+ if(policyStr != NULL) {
+ if(CFGetTypeID(policyStr) != CFStringGetTypeID()) {
+ printf("***displayTrustSettings: malformed policyStr");
+ ourRtn = -1;
+ goto nextAp;
+ }
+ indent(); printf("Policy String : ");
+ printCfStr(policyStr); printf("\n");
+ }
+
+ /* Allowed error */
+ cfNum = (CFNumberRef)CFDictionaryGetValue(ucDict, kSecTrustSettingsAllowedError);
+ if(cfNum != NULL) {
+ if(CFGetTypeID(cfNum) != CFNumberGetTypeID()) {
+ printf("***displayTrustSettings: malformed allowedError");
+ ourRtn = -1;
+ goto nextAp;
+ }
+ indent(); printf("Allowed Error : ");
+ printCssmErr(cfNum); printf("\n");
+ }
+
+ /* Result */
+ cfNum = (CFNumberRef)CFDictionaryGetValue(ucDict, kSecTrustSettingsResult);
+ if(cfNum != NULL) {
+ if(CFGetTypeID(cfNum) != CFNumberGetTypeID()) {
+ printf("***displayTrustSettings: malformed Result");
+ ourRtn = -1;
+ goto nextAp;
+ }
+ indent(); printf("Result Type : ");
+ printResult(cfNum); printf("\n");
+ }
+
+ /* key usage */
+ cfNum = (CFNumberRef)CFDictionaryGetValue(ucDict, kSecTrustSettingsKeyUsage);
+ if(cfNum != NULL) {
+ if(CFGetTypeID(cfNum) != CFNumberGetTypeID()) {
+ printf("***displayTrustSettings: malformed keyUsage");
+ ourRtn = -1;
+ goto nextAp;
+ }
+ indent(); printf("Key Usage : ");
+ printKeyUsage(cfNum); printf("\n");
+ }
+
+ nextAp:
+ indentDecr();
+ }
+ indentDecr();
+ return ourRtn;
+}
+
+/* convert an OID to a SecPolicyRef */
+static SecPolicyRef oidToPolicy(
+ const CSSM_OID &oid)
+{
+ SecPolicyRef policyRef = NULL;
+
+ OSStatus ortn = SecPolicyCopy(CSSM_CERT_X_509v3, &oid, &policyRef);
+ if(ortn) {
+ cssmPerror("SecPolicyCopy", ortn);
+ return NULL;
+ }
+ return policyRef;
+}
+
+/* Convert cmdline policy string to SecPolicyRef */
+static SecPolicyRef policyStringToPolicy(
+ const char *policy)
+{
+ if(policy == NULL) {
+ return NULL;
+ }
+ const CSSM_OID *oid = NULL;
+ if(!strcmp(policy, "ssl")) {
+ oid = &CSSMOID_APPLE_TP_SSL;
+ }
+ else if(!strcmp(policy, "smime")) {
+ oid = &CSSMOID_APPLE_TP_SMIME;
+ }
+ else if(!strcmp(policy, "codeSign")) {
+ oid = &CSSMOID_APPLE_TP_CODE_SIGNING;
+ }
+ else if(!strcmp(policy, "swuSign")) {
+ oid = &CSSMOID_APPLE_TP_SW_UPDATE_SIGNING;
+ }
+ else if(!strcmp(policy, "IPSec")) {
+ oid = &CSSMOID_APPLE_TP_IP_SEC;
+ }
+ else if(!strcmp(policy, "iChat")) {
+ oid = &CSSMOID_APPLE_TP_ICHAT;
+ }
+ else {
+ printf("***Unknown policy string (%s)\n", policy);
+ return NULL;
+ }
+
+ /* OID to SecPolicyRef */
+ return oidToPolicy(*oid);
+}
+
+static int appendConstraintToArray(
+ const char *appPath, /* optional, "-" means ensure apArray is nonempty */
+ const char *policy, /* optional (ssl/smime), "-" as above */
+ const char *policyStr, /* optional policy string */
+ const SInt32 *allowErr, /* optional allowed error */
+ const char *resultType, /* optional allow/confirm/deny */
+ SecTrustSettingsKeyUsage keyUse, /* optional key use */
+ CFMutableArrayRef &array) /* result RETURNED here, created if necessary */
+{
+ if(array == NULL) {
+ array = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
+ }
+
+ CFMutableDictionaryRef outDict = CFDictionaryCreateMutable(NULL,
+ 0, // capacity
+ &kCFTypeDictionaryKeyCallBacks,
+ &kCFTypeDictionaryValueCallBacks);
+
+ if((policy != NULL) && (strcmp(policy, "-"))) {
+
+ /* policy string to SecPolicyRef */
+ SecPolicyRef policyRef = policyStringToPolicy(policy);
+ if(policyRef == NULL) {
+ return -1;
+ }
+ CFDictionaryAddValue(outDict, kSecTrustSettingsPolicy, policyRef);
+ CFRelease(policyRef);
+ }
+
+ /* app string to SecTrustedApplicationRef */
+ if((appPath != NULL) && (strcmp(appPath, "-"))) {
+ SecTrustedApplicationRef appRef;
+ OSStatus ortn = SecTrustedApplicationCreateFromPath(appPath, &appRef);
+ if(ortn) {
+ cssmPerror("SecTrustedApplicationCreateFromPath", ortn);
+ return -1;
+ }
+ CFDictionaryAddValue(outDict, kSecTrustSettingsApplication, appRef);
+ CFRelease(appRef);
+ }
+
+ if(policyStr != NULL) {
+ CFStringRef pstr = CFStringCreateWithCString(NULL, policyStr, kCFStringEncodingASCII);
+ CFDictionaryAddValue(outDict, kSecTrustSettingsPolicyString, pstr);
+ CFRelease(pstr);
+ }
+
+ if(allowErr != NULL) {
+ CFNumberRef cfNum = CFNumberCreate(NULL, kCFNumberSInt32Type, allowErr);
+ CFDictionaryAddValue(outDict, kSecTrustSettingsAllowedError, cfNum);
+ CFRelease(cfNum);
+ }
+
+ if(keyUse != 0) {
+ SInt32 ku = (SInt32)ku;
+ CFNumberRef cfNum = CFNumberCreate(NULL, kCFNumberSInt32Type, &ku);
+ CFDictionaryAddValue(outDict, kSecTrustSettingsKeyUsage, cfNum);
+ CFRelease(cfNum);
+ }
+
+ if(resultType != NULL) {
+ SInt32 n;
+
+ if(!strcmp(resultType, "trust")) {
+ n = kSecTrustSettingsResultTrustRoot;
+ }
+ else if(!strcmp(resultType, "trustAsRoot")) {
+ n = kSecTrustSettingsResultTrustAsRoot;
+ }
+ else if(!strcmp(resultType, "deny")) {
+ n = kSecTrustSettingsResultDeny;
+ }
+ else if(!strcmp(resultType, "unspecified")) {
+ n = kSecTrustSettingsResultUnspecified;
+ }
+ else {
+ printf("***unknown resultType spec (%s)\n", resultType);
+ return -1;
+ }
+ CFNumberRef cfNum = CFNumberCreate(NULL, kCFNumberSInt32Type, &n);
+ CFDictionaryAddValue(outDict, kSecTrustSettingsResult, cfNum);
+ CFRelease(cfNum);
+ }
+
+ /* append dictionary to output */
+ CFArrayAppendValue(array, outDict);
+ /* array owns the dictionary now */
+ CFRelease(outDict);
+ return 0;
+}
+
+/* read a file --> CFDataRef */
+CFDataRef readFileCFData(
+ const char *fileName)
+{
+ int rtn;
+ unsigned char *fileData = NULL;
+ unsigned fileDataLen = 0;
+
+ rtn = readFile(fileName, &fileData, &fileDataLen);
+ if(rtn) {
+ printf("Error (%d) reading %s.\n", rtn, fileName);
+ return NULL;
+ }
+ CFDataRef cfd = CFDataCreate(NULL, (const UInt8 *)fileData, fileDataLen);
+ free(fileData);
+ return cfd;
+}
+
+static int fetchParseTrustRecord(
+ SecTrustSettingsDomain domain,
+ char *settingsFile) /* optional, ignore domain if present */
+{
+ CFDataRef trustSettings = NULL;
+
+ if(settingsFile) {
+ trustSettings = readFileCFData(settingsFile);
+ if(trustSettings == NULL) {
+ return -1;
+ }
+ }
+ else {
+ OSStatus ortn = SecTrustSettingsCreateExternalRepresentation(domain, &trustSettings);
+ if(ortn) {
+ cssmPerror("SecTrustSettingsCreateExternalRepresentation", ortn);
+ return -1;
+ }
+ }
+ int rtn = parseTrustedRootList(trustSettings);
+ CFRelease(trustSettings);
+ return rtn;
+}
+
+static int copyCertsAndDisplay(
+ bool verbose,
+ SecTrustSettingsDomain domain)
+{
+ OSStatus ortn;
+
+ auto_ptr<OidParser> parser(NULL);
+
+ if(verbose) {
+ parser.reset(new OidParser);
+ }
+
+ CFArrayRef certArray = NULL;
+ ortn = SecTrustSettingsCopyCertificates(domain, &certArray);
+ if(ortn) {
+ cssmPerror("SecTrustSettingsCopyCertificates", ortn);
+ return ortn;
+ }
+
+ CFIndex numCerts = CFArrayGetCount(certArray);
+ indent();
+ printf("Num certs = %ld\n", numCerts);
+ int ourRtn = 0;
+ for(CFIndex dex=0; dex<numCerts; dex++) {
+ SecCertificateRef certRef = (SecCertificateRef)CFArrayGetValueAtIndex(certArray, dex);
+ if(CFGetTypeID(certRef) != SecCertificateGetTypeID()) {
+ printf("***Bad CFGetTypeID for cert\n");
+ return -1;
+ }
+ indent();
+ printf("Cert %ld: ", dex);
+ printCertLabel(certRef);
+ printf("\n");
+ if(verbose) {
+ CFRef<CFArrayRef> appPolicies;
+ ortn = SecTrustSettingsCopyTrustSettings(certRef, domain, appPolicies.take());
+ if(ortn) {
+ cssmPerror("SecRootCertificateCopyAppPolicyConstraints", ortn);
+ ourRtn = -1;
+ continue;
+ }
+ if(displayTrustSettings(appPolicies, *parser.get())) {
+ ourRtn = -1;
+ }
+ }
+ }
+ CFRelease(certArray);
+ return ourRtn;
+}
+
+static int deleteCerts(
+ SecTrustSettingsDomain domain,
+ bool deleteAll)
+{
+ OSStatus ortn;
+
+ CFArrayRef certArray = NULL;
+ ortn = SecTrustSettingsCopyCertificates(domain, &certArray);
+ if(ortn) {
+ cssmPerror("SecTrustSettingsCopyCertificates", ortn);
+ return ortn;
+ }
+
+ CFIndex numCerts = CFArrayGetCount(certArray);
+ unsigned numDeleted = 0;
+
+ for(CFIndex dex=0; dex<numCerts; dex++) {
+ SecCertificateRef certRef = (SecCertificateRef)CFArrayGetValueAtIndex(certArray, dex);
+ if(CFGetTypeID(certRef) != SecCertificateGetTypeID()) {
+ printf("***Bad CFGetTypeID for cert\n");
+ return -1;
+ }
+ bool doDelete = false;
+
+ if(deleteAll) {
+ printf("DELETING: ");
+ printCertLabel(certRef);
+ printf("\n");
+ doDelete = true;
+ }
+ else {
+ indent();
+ printf("Cert %ld: ", dex);
+ printCertLabel(certRef);
+ printf("\n");
+ fpurge(stdin);
+ printf("Delete (y/anything)? ");
+ char resp = getchar();
+ if(resp == 'y') {
+ doDelete = true;
+ }
+ }
+ if(doDelete) {
+ ortn = SecTrustSettingsRemoveTrustSettings(certRef, domain);
+ if(ortn) {
+ cssmPerror("SecTrustSettingsRemoveTrustSettings", ortn);
+ fpurge(stdin);
+ printf("Continue deleting (y/anything)? ");
+ char resp = getchar();
+ fflush(stdout);
+ if(resp != 'y') {
+ return ortn;
+ }
+ }
+ else {
+ numDeleted++;
+ }
+ }
+ }
+ CFRelease(certArray);
+ printf("...%u certs deleted\n", numDeleted);
+ return noErr;
+}
+
+/* add a cert to trust list */
+static int addCert(
+ SecCertificateRef certRef,
+ SecTrustSettingsDomain domain,
+ bool addToKc, // import cert to keychain
+ const char *kcName, // only for addToKC option
+ CFArrayRef trustSettings,
+ CFDataRef settingsIn, // optional, requires settingsFileOut
+ CFDataRef *settingsOut)
+{
+ OSStatus ortn;
+ char *domainName;
+
+ if(settingsIn && !settingsOut) {
+ printf("Modifying trust settings as file requires output file\n");
+ return -1;
+ }
+ switch(domain) {
+ case kSecTrustSettingsDomainSystem:
+ printf("***Can't modify system trust settings.\n");
+ return -1;
+ case kSecTrustSettingsDomainAdmin:
+ kcName = "/Library/Keychains/System.keychain";
+ domainName = "Admin";
+ break;
+ default:
+ domainName = "User";
+ break;
+ }
+ if(addToKc) {
+ SecKeychainRef kcRef = NULL;
+ if(kcName) {
+ ortn = SecKeychainOpen(kcName, &kcRef);
+ if(ortn) {
+ cssmPerror("SecKeychainOpen", ortn);
+ return -1;
+ }
+ }
+ ortn = SecCertificateAddToKeychain(certRef, kcRef);
+ if(ortn) {
+ cssmPerror("SecCertificateAddToKeychain", ortn);
+ return -1;
+ }
+ printf("...cert added to keychain %s\n", (kcName ? kcName : "<default>"));
+ }
+ if(settingsIn) {
+ ortn = SecTrustSettingsSetTrustSettingsExternal(settingsIn,
+ certRef, trustSettings, settingsOut);
+ if(ortn) {
+ cssmPerror("SecTrustSettingsSetTrustSettingsExternal", ortn);
+ return -1;
+ }
+ }
+ else {
+ ortn = SecTrustSettingsSetTrustSettings(certRef, domain, trustSettings);
+ if(ortn) {
+ cssmPerror("SecTrustSettingsSetTrustSettings", ortn);
+ return -1;
+ }
+ printf("...cert added to %s TrustList.\n", domainName);
+ }
+ return 0;
+}
+
+static int addCertLegacy(
+ SecCertificateRef certRef,
+ const char *policy,
+ const char *resultStr,
+ bool useLegacy)
+{
+ /* OID string to an OID pointer */
+ if(policy == NULL) {
+ printf("***You must specify a policy to set legacy User Trust\n");
+ return 1;
+ }
+ SecPolicyRef policyRef = policyStringToPolicy(policy);
+ if(policyRef == NULL) {
+ return -1;
+ }
+
+ /* result string to legacy SecTrustUserSetting */
+ SecTrustUserSetting setting = kSecTrustResultInvalid;
+ if(resultStr == NULL) {
+ setting = kSecTrustResultProceed;
+ }
+ else if(!strcmp(resultStr, "trust")) {
+ setting = kSecTrustResultProceed;
+ }
+ else if(!strcmp(resultStr, "trustAsRoot")) {
+ setting = kSecTrustResultProceed;
+ }
+ else if(!strcmp(resultStr, "deny")) {
+ setting = kSecTrustResultDeny;
+ }
+ else if (!strcmp(resultStr, "unspecified")) {
+ setting = kSecTrustResultUnspecified;
+ }
+ else {
+ printf("***Can't map %s to a SecTrustUserSetting\n", resultStr);
+ return -1;
+ }
+ OSStatus ortn;
+ if(useLegacy) {
+ ortn = SecTrustSetUserTrustLegacy(certRef, policyRef, setting);
+ if(ortn) {
+ cssmPerror("SecTrustSetUserTrustLegacy", ortn);
+ }
+ else {
+ if(setting == kSecTrustResultUnspecified) {
+ printf("...User Trust removed via SecTrustSetUserTrustLegacy().\n");
+ }
+ else {
+ printf("...User Trust set via SecTrustSetUserTrustLegacy().\n");
+ }
+ }
+ }
+ else {
+ #if 1
+ printf("...Legacy implementation needs Makefile work to avoid deprecation error\n");
+ exit(1);
+ #else
+ ortn = SecTrustSetUserTrust(certRef, policyRef, setting);
+ if(ortn) {
+ cssmPerror("SecTrustSetUserTrust", ortn);
+ }
+ else {
+ printf("...trust setting set via SecTrustSetUserTrust().\n");
+ }
+ #endif
+ }
+ if(policyRef != NULL) {
+ CFRelease(policyRef);
+ }
+ return ortn;
+}
+
+int main(int argc, char **argv)
+{
+ int arg;
+ CFMutableArrayRef appPolicies = NULL;
+ CFDataRef settingsIn = NULL;
+ CFDataRef settingsOut = NULL;
+
+ /* user-spec'd variables */
+ bool loopPause = false;
+ bool really = false;
+ bool verbose = false;
+ char *kcName = NULL;
+ SecTrustSettingsDomain domain = kSecTrustSettingsDomainUser;
+ SecCertificateRef certRef = NULL;
+ bool addToKeychain = false;
+ char *settingsFileIn = NULL;
+ char *settingsFileOut = NULL;
+ bool userTrustLegacy = false;
+ char *policyStr = NULL;
+ char *resultStr = NULL;
+ bool userTrust = false;
+
+ extern char *optarg;
+ extern int optind;
+ optind = 2;
+ while ((arg = getopt(argc, argv, "c:sdt:T:a:p:P:e:L:r:w:W:k:u:RvAU2lh")) != -1) {
+ switch (arg) {
+ case 'c':
+ if(certRef) {
+ printf("***Only one cert at a time, please.\n");
+ usage(argv);
+ }
+ certRef = certFromFile(optarg);
+ if(certRef == NULL) {
+ exit(1);
+ }
+ break;
+ case 's':
+ domain = kSecTrustSettingsDomainSystem;
+ break;
+ case 'd':
+ domain = kSecTrustSettingsDomainAdmin;
+ break;
+ case 't':
+ settingsFileIn = optarg;
+ break;
+ case 'T':
+ settingsFileOut = optarg;
+ break;
+ case 'a':
+ if(appendConstraintToArray(optarg, NULL, NULL, NULL, NULL, 0, appPolicies)) {
+ exit(1);
+ }
+ break;
+ case 'p':
+ if(appendConstraintToArray(NULL, optarg, NULL, NULL, NULL, 0, appPolicies)) {
+ exit(1);
+ }
+ policyStr = optarg;
+ break;
+ case 'P':
+ /* this takes an additional argument */
+ if(optind > (argc - 1)) {
+ usage(argv);
+ }
+ if(appendConstraintToArray(optarg, argv[optind], NULL, NULL, NULL,
+ 0, appPolicies)) {
+ exit(1);
+ }
+ optind++;
+ break;
+ case 'e':
+ if(appendConstraintToArray(NULL, "smime", optarg, NULL, NULL,
+ 0, appPolicies)) {
+ exit(1);
+ }
+ policyStr = "smime";
+ break;
+ case 'L':
+ if(appendConstraintToArray(NULL, "ssl", optarg, NULL, NULL, 0, appPolicies)) {
+ exit(1);
+ }
+ policyStr = "ssl";
+ break;
+ case 'r':
+ if(appendConstraintToArray(NULL, NULL, NULL, NULL, optarg, 0, appPolicies)) {
+ exit(1);
+ }
+ resultStr = optarg;
+ break;
+ case 'w':
+ {
+ SInt32 l = atol(optarg);
+ if(appendConstraintToArray(NULL, NULL, NULL, &l, "unspecified", 0, appPolicies)) {
+ exit(1);
+ }
+ break;
+ }
+ case 'W':
+ {
+ /* this takes an additional argument */
+ if(optind > (argc - 1)) {
+ usage(argv);
+ }
+ SInt32 l = atol(optarg);
+ if(appendConstraintToArray(NULL, argv[optind], NULL, &l, "unspecified", 0,
+ appPolicies)) {
+ exit(1);
+ }
+ optind++;
+ break;
+ }
+ case 'u':
+ {
+ SInt32 l = atol(optarg);
+ SecTrustSettingsKeyUsage ku = (SecTrustSettingsKeyUsage)l;
+ if(appendConstraintToArray(NULL, NULL, NULL, NULL, NULL, ku, appPolicies)) {
+ exit(1);
+ }
+ break;
+ }
+ case 'k':
+ kcName = optarg;
+ break;
+ case 'R':
+ really = true;
+ break;
+ case 'v':
+ verbose = true;
+ break;
+ case 'A':
+ addToKeychain = true;
+ break;
+ case 'l':
+ loopPause = true;
+ break;
+ case '2':
+ userTrustLegacy = true;
+ break;
+ case 'U':
+ userTrust = true;
+ break;
+ default:
+ case 'h':
+ usage(argv);
+ }
+ }
+ if(optind != argc) {
+ usage(argv);
+ }
+ if(startCFRunLoop()) {
+ /* enable reception of KC event messages */
+ exit(1);
+ }
+
+ /* give that thread a chance right now */
+ while(!runLoopInitialized) {
+ usleep(1000);
+ };
+
+ int ortn = 0;
+ do {
+ switch(argv[1][0]) {
+ case 'a':
+ if(certRef == NULL) {
+ printf("You must supply a cert.\n");
+ usage(argv);
+ }
+ if(settingsFileIn) {
+ if(!settingsFileOut) {
+ printf("Modifying trust settings as file requires output file\n");
+ return -1;
+ }
+ settingsIn = readFileCFData(settingsFileIn);
+ if(!settingsIn) {
+ return -1;
+ }
+ }
+ if(userTrustLegacy || userTrust) {
+ ortn = addCertLegacy(certRef, policyStr, resultStr, userTrustLegacy);
+ }
+ else {
+ ortn = addCert(certRef, domain, addToKeychain, kcName, appPolicies,
+ settingsIn, &settingsOut);
+ if((ortn == noErr) && (settingsOut != NULL)) {
+ unsigned len = CFDataGetLength(settingsOut);
+ if(writeFile(settingsFileOut, CFDataGetBytePtr(settingsOut), len)) {
+ printf("***Error writing settings to %s\n", settingsFileOut);
+ }
+ else {
+ printf("...wrote %u bytes to %s\n", len, settingsFileOut);
+ }
+ }
+ }
+ if(settingsIn) {
+ CFRelease(settingsIn);
+ }
+ if(settingsOut) {
+ CFRelease(settingsOut);
+ }
+ break;
+ case 'p':
+ ortn = fetchParseTrustRecord(domain, settingsFileIn);
+ break;
+ case 'r':
+ ortn = copyCertsAndDisplay(verbose, domain);
+ break;
+ case 'd':
+ ortn = deleteCerts(domain, false);
+ break;
+ case 'D':
+ if(!really) {
+ printf("I do not believe you. Specify -D option to delete all roots.\n");
+ exit(1);
+ }
+ ortn = deleteCerts(domain, true);
+ break;
+ case 'R':
+ ortn = addCertLegacy(certRef, policyStr, "unspecified", true);
+ break;
+ default:
+ usage(argv);
+ }
+ if(loopPause) {
+ fpurge(stdin);
+ printf("Pausing for MallocDebug. Hit CR to continue: ");
+ fflush(stdout);
+ getchar();
+ }
+ } while(loopPause);
+ return (int)ortn;
+}
projects / apple / security.git / blobdiff