-/*
- * Copyright (c) 2006-2013 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-/*
- * SecItem.c - CoreFoundation-based constants and functions for
- access to Security items (certificates, keys, identities, and
- passwords.)
- */
-
-#include <Security/SecBasePriv.h>
-#include <Security/SecItem.h>
-#include <Security/SecItemPriv.h>
-#include <Security/SecItemInternal.h>
-#ifndef SECITEM_SHIM_OSX
-#include <Security/SecKey.h>
-#include <Security/SecKeyPriv.h>
-#include <Security/SecCertificateInternal.h>
-#include <Security/SecIdentity.h>
-#include <Security/SecIdentityPriv.h>
-#include <Security/SecRandom.h>
-#include <Security/SecBasePriv.h>
-#endif // *** END SECITEM_SHIM_OSX ***
-#include <Security/SecTask.h>
-#include <errno.h>
-#include <limits.h>
-#include <sqlite3.h>
-#include <stdint.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/param.h>
-#include <sys/stat.h>
-#include <Security/SecBase.h>
-#include <CoreFoundation/CFData.h>
-#include <CoreFoundation/CFDate.h>
-#include <CoreFoundation/CFDictionary.h>
-#include <CoreFoundation/CFNumber.h>
-#include <CoreFoundation/CFString.h>
-#include <CoreFoundation/CFURL.h>
-#include <CommonCrypto/CommonDigest.h>
-#include <libkern/OSByteOrder.h>
-#include <utilities/array_size.h>
-#include <utilities/debugging.h>
-#include <utilities/SecCFError.h>
-#include <utilities/SecCFWrappers.h>
-#include <utilities/SecIOFormat.h>
-#include <utilities/SecXPCError.h>
-#include <utilities/der_plist.h>
-#include <assert.h>
-
-#include <Security/SecInternal.h>
-#include <TargetConditionals.h>
-#include "securityd_client.h"
-#include "SecuritydXPC.h"
-#include <AssertMacros.h>
-#include <asl.h>
-#include <sys/types.h>
-#include <pwd.h>
-#include <grp.h>
-#include <unistd.h>
-#ifndef SECITEM_SHIM_OSX
-#include <libDER/asn1Types.h>
-#endif // *** END SECITEM_SHIM_OSX ***
-
-/* label when certificate data is joined with key data */
-#define CERTIFICATE_DATA_COLUMN_LABEL "certdata"
-
-#include <utilities/SecDb.h>
-#include <IOKit/IOReturn.h>
-
-/* Return an OSStatus for a sqlite3 error code. */
-static OSStatus osstatus_for_s3e(int s3e)
-{
- if (s3e > 0 && s3e <= SQLITE_DONE) switch (s3e)
- {
- case SQLITE_OK:
- return 0;
- case SQLITE_ERROR:
- return errSecNotAvailable; /* errSecDuplicateItem; */
- case SQLITE_FULL: /* Happens if we run out of uniqueids */
- return errSecNotAvailable; /* TODO: Replace with a better error code. */
- case SQLITE_PERM:
- case SQLITE_READONLY:
- return errSecNotAvailable;
- case SQLITE_CANTOPEN:
- return errSecNotAvailable;
- case SQLITE_EMPTY:
- return errSecNotAvailable;
- case SQLITE_CONSTRAINT:
- return errSecDuplicateItem;
- case SQLITE_ABORT:
- return -1;
- case SQLITE_MISMATCH:
- return errSecNoSuchAttr;
- case SQLITE_AUTH:
- return errSecNotAvailable;
- case SQLITE_NOMEM:
- return -2; /* TODO: Replace with a real error code. */
- case SQLITE_INTERNAL:
- default:
- return errSecNotAvailable; /* TODO: Replace with a real error code. */
- }
- return s3e;
-}
-
-static OSStatus osstatus_for_kern_return(CFIndex kernResult)
-{
- switch (kernResult)
- {
- case KERN_SUCCESS:
- return errSecSuccess;
- case kIOReturnNotReadable:
- case kIOReturnNotWritable:
- return errSecAuthFailed;
- case kIOReturnNotPermitted:
- case kIOReturnNotPrivileged:
- case kIOReturnLockedRead:
- case kIOReturnLockedWrite:
- return errSecInteractionNotAllowed;
- case kIOReturnError:
- return errSecDecode;
- case kIOReturnBadArgument:
- return errSecParam;
- default:
- return errSecNotAvailable; /* TODO: Replace with a real error code. */
- }
-}
-
-static OSStatus osstatus_for_xpc_error(CFIndex xpcError) {
- switch (xpcError)
- {
- case kSecXPCErrorSuccess:
- return errSecSuccess;
- case kSecXPCErrorUnexpectedType:
- case kSecXPCErrorUnexpectedNull:
- return errSecParam;
- case kSecXPCErrorConnectionFailed:
- return errSecNotAvailable;
- case kSecXPCErrorUnknown:
- default:
- return errSecInternal;
- }
-}
-
-static OSStatus osstatus_for_der_error(CFIndex derError) {
- switch (derError)
- {
- case kSecDERErrorUnknownEncoding:
- //case kSecDERErrorUnsupportedDERType:
- return errSecDecode;
- case kSecDERErrorUnsupportedCFObject:
- case kSecDERErrorUnsupportedNumberType:
- return errSecParam;
- case kSecDERErrorAllocationFailure:
- case kSecDERErrorUnderlyingError:
- return errSecAllocate;
- default:
- return errSecInternal;
- }
-}
-
-// Convert from securityd error codes to OSStatus for legacy API.
-OSStatus SecErrorGetOSStatus(CFErrorRef error) {
- OSStatus status;
- if (error == NULL) {
- status = errSecSuccess;
- } else {
- CFStringRef domain = CFErrorGetDomain(error);
- if (domain == NULL) {
- secerror("No error domain for error: %@", error);
- status = errSecInternal;
- } else if (CFEqual(kSecErrorDomain, domain)) {
- status = (OSStatus)CFErrorGetCode(error);
- } else if (CFEqual(kSecDbErrorDomain, domain)) {
- status = osstatus_for_s3e((int)CFErrorGetCode(error));
- } else if (CFEqual(kSecErrnoDomain, domain)) {
- status = (OSStatus)CFErrorGetCode(error);
- } else if (CFEqual(kSecKernDomain, domain)) {
- status = osstatus_for_kern_return(CFErrorGetCode(error));
- } else if (CFEqual(sSecXPCErrorDomain, domain)) {
- status = osstatus_for_xpc_error(CFErrorGetCode(error));
- } else if (CFEqual(sSecDERErrorDomain, domain)) {
- status = osstatus_for_der_error(CFErrorGetCode(error));
- } else {
- secerror("unknown error domain: %@ for error: %@", domain, error);
- status = errSecInternal;
- }
- }
- return status;
-}
-
-// Wrapper to provide a CFErrorRef for legacy API.
-OSStatus SecOSStatusWith(bool (^perform)(CFErrorRef *error)) {
- CFErrorRef error = NULL;
- OSStatus status;
- if (perform(&error)) {
- assert(error == NULL);
- status = errSecSuccess;
- } else {
- assert(error);
- status = SecErrorGetOSStatus(error);
- if (status != errSecItemNotFound) // Occurs in normal operation, so exclude
- secerror("error:[%" PRIdOSStatus "] %@", status, error);
- CFReleaseNull(error);
- }
- return status;
-}
-
-
-/* IPC uses CFPropertyList to un/marshall input/output data and can handle:
- CFData, CFString, CFArray, CFDictionary, CFDate, CFBoolean, and CFNumber
-
- Currently in need of conversion below:
- @@@ kSecValueRef allows SecKeychainItemRef and SecIdentityRef
- @@@ kSecMatchPolicy allows a query with a SecPolicyRef
- @@@ kSecUseItemList allows a query against a list of itemrefs, this isn't
- currently implemented at all, but when it is needs to short circuit to
- local evaluation, different from the sql query abilities
-*/
-
-#ifndef SECITEM_SHIM_OSX
-static CFDictionaryRef
-SecItemCopyAttributeDictionary(CFTypeRef ref) {
- CFDictionaryRef refDictionary = NULL;
- CFTypeID typeID = CFGetTypeID(ref);
- if (typeID == SecKeyGetTypeID()) {
- refDictionary = SecKeyCopyAttributeDictionary((SecKeyRef)ref);
- } else if (typeID == SecCertificateGetTypeID()) {
- refDictionary =
- SecCertificateCopyAttributeDictionary((SecCertificateRef)ref);
- } else if (typeID == SecIdentityGetTypeID()) {
- assert(false);
- SecIdentityRef identity = (SecIdentityRef)ref;
- SecCertificateRef cert = NULL;
- SecKeyRef key = NULL;
- if (!SecIdentityCopyCertificate(identity, &cert) &&
- !SecIdentityCopyPrivateKey(identity, &key))
- {
- CFDataRef data = SecCertificateCopyData(cert);
- CFDictionaryRef key_dict = SecKeyCopyAttributeDictionary(key);
-
- if (key_dict && data) {
- refDictionary = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, key_dict);
- CFDictionarySetValue((CFMutableDictionaryRef)refDictionary,
- CFSTR(CERTIFICATE_DATA_COLUMN_LABEL), data);
- }
- CFReleaseNull(key_dict);
- CFReleaseNull(data);
- }
- CFReleaseNull(cert);
- CFReleaseNull(key);
- } else {
- refDictionary = NULL;
- }
- return refDictionary;
-}
-
-static CFTypeRef
-SecItemCreateFromAttributeDictionary(CFDictionaryRef refAttributes) {
- CFTypeRef ref = NULL;
- CFStringRef class = CFDictionaryGetValue(refAttributes, kSecClass);
- if (CFEqual(class, kSecClassCertificate)) {
- ref = SecCertificateCreateFromAttributeDictionary(refAttributes);
- } else if (CFEqual(class, kSecClassKey)) {
- ref = SecKeyCreateFromAttributeDictionary(refAttributes);
- } else if (CFEqual(class, kSecClassIdentity)) {
- CFAllocatorRef allocator = NULL;
- CFDataRef data = CFDictionaryGetValue(refAttributes, CFSTR(CERTIFICATE_DATA_COLUMN_LABEL));
- SecCertificateRef cert = SecCertificateCreateWithData(allocator, data);
- SecKeyRef key = SecKeyCreateFromAttributeDictionary(refAttributes);
- if (key && cert)
- ref = SecIdentityCreate(allocator, cert, key);
- CFReleaseSafe(cert);
- CFReleaseSafe(key);
-#if 0
- /* We don't support SecKeychainItemRefs yet. */
- } else if (CFEqual(class, kSecClassGenericPassword)) {
- } else if (CFEqual(class, kSecClassInternetPassword)) {
- } else if (CFEqual(class, kSecClassAppleSharePassword)) {
-#endif
- } else {
- ref = NULL;
- }
- return ref;
-}
-#else
-
-extern CFTypeRef SecItemCreateFromAttributeDictionary(CFDictionaryRef refAttributes);
-
-#endif
-
-/* Turn the returned dictionary that contains all the attributes to create a
- ref into the exact result the client asked for */
-static CFTypeRef makeRef(CFTypeRef ref, bool return_data, bool return_attributes)
-{
- CFTypeRef result = NULL;
- if (!ref || (CFGetTypeID(ref) != CFDictionaryGetTypeID()))
- return NULL;
-
- CFTypeRef return_ref = SecItemCreateFromAttributeDictionary(ref);
-
- if (return_data || return_attributes) {
- if (return_attributes)
- result = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, ref);
- else
- result = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
-
- if (return_ref) {
- CFDictionarySetValue((CFMutableDictionaryRef)result, kSecValueRef, return_ref);
- CFRelease(return_ref);
- }
-
- if (!return_data)
- CFDictionaryRemoveValue((CFMutableDictionaryRef)result, kSecValueData);
- } else
- result = return_ref;
-
- return result;
-}
-
-OSStatus
-SecItemCopyDisplayNames(CFArrayRef items, CFArrayRef *displayNames)
-{
- // @@@ TBI
- return -1 /* errSecUnimplemented */;
-}
-
-#ifndef SECITEM_SHIM_OSX
-static void merge_dictionary_by_overwrite(const void *key, const void *value, void *context)
-{
- if (!CFEqual(key, kSecValueRef))
- CFDictionarySetValue((CFMutableDictionaryRef)context, key, value);
-}
-
-static void copy_applier(const void *key, const void *value, void *context)
-{
- CFDictionarySetValue(context, key, value);
-}
-
-static OSStatus cook_query(CFDictionaryRef query, CFMutableDictionaryRef *explode)
-{
- /* If a ref was specified we get it's attribute dictionary and parse it. */
- CFMutableDictionaryRef args = NULL;
- CFTypeRef value = CFDictionaryGetValue(query, kSecValueRef);
- if (value) {
- CFDictionaryRef refAttributes = SecItemCopyAttributeDictionary(value);
- if (!refAttributes)
- return errSecValueRefUnsupported;
-
- /* Replace any attributes we already got from the ref with the ones
- from the attributes dictionary the caller passed us. This allows
- a caller to add an item using attributes from the ref and still
- override some of them in the dictionary directly. */
- args = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, refAttributes);
- CFRelease(refAttributes);
- CFDictionaryApplyFunction(query, merge_dictionary_by_overwrite, args);
- }
- value = CFDictionaryGetValue(query, kSecAttrIssuer);
- if (value) {
- /* convert DN to canonical issuer, if value is DN (top level sequence) */
- const DERItem name = { (unsigned char *)CFDataGetBytePtr(value), CFDataGetLength(value) };
- DERDecodedInfo content;
- if (!DERDecodeItem(&name, &content) &&
- (content.tag == ASN1_CONSTR_SEQUENCE))
- {
- CFDataRef canonical_issuer = createNormalizedX501Name(kCFAllocatorDefault, &content.content);
- if (canonical_issuer) {
- if (!args) {
- args = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
- /* This is necessary because we rely on non NULL callbacks */
- CFDictionaryApplyFunction(query, copy_applier, args);
- }
- /* Overwrite with new issuer */
- CFDictionarySetValue(args, kSecAttrIssuer, canonical_issuer);
- CFRelease(canonical_issuer);
- }
- }
- }
- *explode = args;
- return errSecSuccess;
-}
-
-typedef OSStatus (*secitem_operation)(CFDictionaryRef attributes, CFTypeRef *result);
-
-static bool explode_identity(CFDictionaryRef attributes, secitem_operation operation,
- OSStatus *return_status, CFTypeRef *return_result)
-{
- bool handled = false;
- CFTypeRef value = CFDictionaryGetValue(attributes, kSecValueRef);
- if (value) {
- CFTypeID typeID = CFGetTypeID(value);
- if (typeID == SecIdentityGetTypeID()) {
- handled = true;
- OSStatus status = errSecSuccess;
- SecIdentityRef identity = (SecIdentityRef)value;
- SecCertificateRef cert = NULL;
- SecKeyRef key = NULL;
- if (!SecIdentityCopyCertificate(identity, &cert) &&
- !SecIdentityCopyPrivateKey(identity, &key))
- {
- CFMutableDictionaryRef partial_query =
- CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, attributes);
- CFDictionarySetValue(partial_query, kSecValueRef, cert);
- CFTypeRef result = NULL;
- bool duplicate_cert = false;
- /* an identity is first and foremost a key, but it can have multiple
- certs associated with it: so we identify it by the cert */
- status = operation(partial_query, return_result ? &result : NULL);
- if ((operation == (secitem_operation)SecItemAdd) &&
- (status == errSecDuplicateItem)) {
- duplicate_cert = true;
- status = errSecSuccess;
- }
-
- if (!status || status == errSecItemNotFound) {
- bool skip_key_operation = false;
-
- /* if the key is still in use, skip deleting it */
- if (operation == (secitem_operation)SecItemDelete) {
- // find certs with cert.pkhh == keys.klbl
- CFDictionaryRef key_dict = NULL, query_dict = NULL;
- CFDataRef pkhh = NULL;
-
- key_dict = SecKeyCopyAttributeDictionary(key);
- if (key_dict)
- pkhh = (CFDataRef)CFDictionaryGetValue(key_dict, kSecAttrApplicationLabel);
- const void *keys[] = { kSecClass, kSecAttrPublicKeyHash };
- const void *vals[] = { kSecClassCertificate, pkhh };
- if (pkhh)
- query_dict = CFDictionaryCreate(NULL, keys,
- vals, (array_size(keys)),
- NULL, NULL);
- if (query_dict)
- if (errSecSuccess == SecItemCopyMatching(query_dict, NULL))
- skip_key_operation = true;
- CFReleaseSafe(query_dict);
- CFReleaseSafe(key_dict);
- }
-
- if (!skip_key_operation) {
- /* now perform the operation for the key */
- CFDictionarySetValue(partial_query, kSecValueRef, key);
- CFDictionarySetValue(partial_query, kSecReturnPersistentRef, kCFBooleanFalse);
- status = operation(partial_query, NULL);
- if ((operation == (secitem_operation)SecItemAdd) &&
- (status == errSecDuplicateItem) &&
- !duplicate_cert)
- status = errSecSuccess;
- }
-
- /* add and copy matching for an identityref have a persistent ref result */
- if (result) {
- if (!status) {
- /* result is a persistent ref to a cert */
- sqlite_int64 rowid;
- if (_SecItemParsePersistentRef(result, NULL, &rowid)) {
- *return_result = _SecItemMakePersistentRef(kSecClassIdentity, rowid);
- }
- }
- CFRelease(result);
- }
- }
- CFReleaseNull(partial_query);
- }
- else
- status = errSecInvalidItemRef;
-
- CFReleaseNull(cert);
- CFReleaseNull(key);
- *return_status = status;
- }
- } else {
- value = CFDictionaryGetValue(attributes, kSecClass);
- if (value && CFEqual(kSecClassIdentity, value) &&
- (operation == (secitem_operation)SecItemDelete)) {
- CFMutableDictionaryRef dict = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, attributes);
- CFDictionaryRemoveValue(dict, kSecClass);
- CFDictionarySetValue(dict, kSecClass, kSecClassCertificate);
- OSStatus status = SecItemDelete(dict);
- if (!status) {
- CFDictionarySetValue(dict, kSecClass, kSecClassKey);
- status = SecItemDelete(dict);
- }
- CFRelease(dict);
- *return_status = status;
- handled = true;
- }
- }
- return handled;
-}
-
-static void infer_cert_label(CFDictionaryRef attributes, CFMutableDictionaryRef args)
-{
- if (!args || !attributes)
- return;
-
- if (CFDictionaryContainsKey(attributes, kSecAttrLabel))
- return;
-
- CFTypeRef value_ref = CFDictionaryGetValue(attributes, kSecValueRef);
- if (!value_ref || (CFGetTypeID(value_ref) != SecCertificateGetTypeID()))
- return;
-
- SecCertificateRef certificate = (SecCertificateRef)value_ref;
- CFStringRef label = SecCertificateCopySubjectSummary(certificate);
- if (label) {
- CFDictionarySetValue(args, kSecAttrLabel, label);
- CFReleaseNull(label);
- }
-}
-
-/* A persistent ref is just the class and the rowid of the record. */
-CF_RETURNS_RETAINED CFDataRef _SecItemMakePersistentRef(CFTypeRef class, sqlite_int64 rowid)
-{
- uint8_t bytes[sizeof(sqlite_int64) + 4];
- if (rowid < 0)
- return NULL;
- if (CFStringGetCString(class, (char *)bytes, 4 + 1 /*null-term*/,
- kCFStringEncodingUTF8))
- {
- OSWriteBigInt64(bytes + 4, 0, rowid);
- return CFDataCreate(NULL, bytes, sizeof(bytes));
- }
- return NULL;
-}
-
-/* AUDIT[securityd](done):
- persistent_ref (ok) is a caller provided, non NULL CFTypeRef.
- */
-bool _SecItemParsePersistentRef(CFDataRef persistent_ref, CFStringRef *return_class, sqlite_int64 *return_rowid)
-{
- bool valid_ref = false;
- if (CFGetTypeID(persistent_ref) == CFDataGetTypeID() &&
- CFDataGetLength(persistent_ref) == (CFIndex)(sizeof(sqlite_int64) + 4)) {
- const uint8_t *bytes = CFDataGetBytePtr(persistent_ref);
- sqlite_int64 rowid = OSReadBigInt64(bytes + 4, 0);
-
- CFStringRef class = CFStringCreateWithBytes(kCFAllocatorDefault,
- bytes, CFStringGetLength(kSecClassGenericPassword),
- kCFStringEncodingUTF8, true);
- const void *valid_classes[] = { kSecClassGenericPassword,
- kSecClassInternetPassword,
- kSecClassAppleSharePassword,
- kSecClassCertificate,
- kSecClassKey,
- kSecClassIdentity };
-
- unsigned i;
- for (i=0; i< array_size(valid_classes); i++) {
- if (CFEqual(valid_classes[i], class)) {
- if (return_class)
- *return_class = valid_classes[i];
- if (return_rowid)
- *return_rowid = rowid;
- valid_ref = true;
- break;
- }
- }
- CFRelease(class);
- }
- return valid_ref;
-}
-
-#endif // *** END SECITEM_SHIM_OSX ***
-
-static bool cf_bool_value(CFTypeRef cf_bool)
-{
- return (cf_bool && CFEqual(kCFBooleanTrue, cf_bool));
-}
-
-
-static void
-result_post(CFDictionaryRef query, CFTypeRef raw_result, CFTypeRef *result) {
- if (!raw_result)
- return;
-
- if (!result) {
- CFRelease(raw_result);
- return;
- }
-
- bool return_ref = cf_bool_value(CFDictionaryGetValue(query, kSecReturnRef));
- bool return_data = cf_bool_value(CFDictionaryGetValue(query, kSecReturnData));
- bool return_attributes = cf_bool_value(CFDictionaryGetValue(query, kSecReturnAttributes));
-
- if (return_ref) {
- if (CFGetTypeID(raw_result) == CFArrayGetTypeID()) {
- CFIndex i, count = CFArrayGetCount(raw_result);
- CFMutableArrayRef tmp_array = CFArrayCreateMutable(kCFAllocatorDefault, count, &kCFTypeArrayCallBacks);
- for (i = 0; i < count; i++) {
- CFTypeRef ref = makeRef(CFArrayGetValueAtIndex(raw_result, i), return_data, return_attributes);
- if (ref) {
- CFArrayAppendValue(tmp_array, ref);
- CFRelease(ref);
- }
- }
- *result = tmp_array;
- } else
- *result = makeRef(raw_result, return_data, return_attributes);
-
- CFRelease(raw_result);
- } else
- *result = raw_result;
-}
-
-#if SECITEM_SHIM_OSX
-/* TODO: Should be in some header */
-OSStatus SecItemAdd_ios(CFDictionaryRef attributes, CFTypeRef *result);
-OSStatus SecItemCopyMatching_ios(CFDictionaryRef query, CFTypeRef *result);
-OSStatus SecItemUpdate_ios(CFDictionaryRef query, CFDictionaryRef attributesToUpdate);
-OSStatus SecItemDelete_ios(CFDictionaryRef query);
-#endif
-
-static bool cftype_to_bool_cftype_error_request(enum SecXPCOperation op, CFTypeRef attributes, CFTypeRef *result, CFErrorRef *error)
-{
- return securityd_send_sync_and_do(op, error, ^bool(xpc_object_t message, CFErrorRef *error) {
- return SecXPCDictionarySetPList(message, kSecXPCKeyQuery, attributes, error);
- }, ^bool(xpc_object_t response, CFErrorRef *error) {
- if (result) {
- return SecXPCDictionaryCopyPListOptional(response, kSecXPCKeyResult, result, error);
- }
- return true;
- });
-}
-
-static bool cftype_ag_to_bool_cftype_error_request(enum SecXPCOperation op, CFTypeRef attributes, __unused CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef *error) {
- return cftype_to_bool_cftype_error_request(op, attributes, result, error);
-}
-
-static bool dict_to_error_request(enum SecXPCOperation op, CFDictionaryRef query, CFErrorRef *error)
-{
- return securityd_send_sync_and_do(op, error, ^bool(xpc_object_t message, CFErrorRef *error) {
- return SecXPCDictionarySetPList(message, kSecXPCKeyQuery, query, error);
- }, NULL);
-}
-
-static bool dict_ag_to_error_request(enum SecXPCOperation op, CFDictionaryRef query, __unused CFArrayRef accessGroups, CFErrorRef *error)
-{
- return dict_to_error_request(op, query, error);
-}
-
-static CFDataRef data_data_to_data_error_request(enum SecXPCOperation op, CFDataRef keybag, CFDataRef passcode, CFErrorRef *error) {
- __block CFDataRef result = NULL;
- securityd_send_sync_and_do(op, error, ^bool(xpc_object_t message, CFErrorRef *error) {
- return SecXPCDictionarySetDataOptional(message, kSecXPCKeyKeybag, keybag, error)
- && SecXPCDictionarySetDataOptional(message, kSecXPCKeyUserPassword, passcode, error);
- }, ^bool(xpc_object_t response, CFErrorRef *error) {
- return (result = SecXPCDictionaryCopyData(response, kSecXPCKeyResult, error));
- });
- return result;
-}
-
-static bool data_data_data_to_error_request(enum SecXPCOperation op, CFDataRef backup, CFDataRef keybag, CFDataRef passcode, CFErrorRef *error) {
- return securityd_send_sync_and_do(op, error, ^bool(xpc_object_t message, CFErrorRef *error) {
- return SecXPCDictionarySetData(message, kSecXPCKeyBackup, backup, error)
- && SecXPCDictionarySetData(message, kSecXPCKeyKeybag, keybag, error)
- && SecXPCDictionarySetDataOptional(message, kSecXPCKeyUserPassword, passcode, error);
- } , NULL);
-}
-
-static bool dict_data_data_to_error_request(enum SecXPCOperation op, CFDictionaryRef backup, CFDataRef keybag, CFDataRef passcode, CFErrorRef *error) {
- return securityd_send_sync_and_do(op, error, ^bool(xpc_object_t message, CFErrorRef *error) {
- return SecXPCDictionarySetPList(message, kSecXPCKeyBackup, backup, error)
- && SecXPCDictionarySetData(message, kSecXPCKeyKeybag, keybag, error)
- && SecXPCDictionarySetDataOptional(message, kSecXPCKeyUserPassword, passcode, error);
- } , NULL);
-}
-
-static CFDictionaryRef data_data_dict_to_dict_error_request(enum SecXPCOperation op, CFDictionaryRef backup, CFDataRef keybag, CFDataRef passcode, CFErrorRef *error) {
- __block CFDictionaryRef dict = NULL;
- securityd_send_sync_and_do(op, error, ^bool(xpc_object_t message, CFErrorRef *error) {
- return SecXPCDictionarySetPListOptional(message, kSecXPCKeyBackup, backup, error)
- && SecXPCDictionarySetData(message, kSecXPCKeyKeybag, keybag, error)
- && SecXPCDictionarySetDataOptional(message, kSecXPCKeyUserPassword, passcode, error);
- }, ^bool(xpc_object_t response, CFErrorRef *error) {
- return (dict = SecXPCDictionaryCopyDictionary(response, kSecXPCKeyResult, error));
- });
- return dict;
-}
-
-OSStatus
-#if SECITEM_SHIM_OSX
-SecItemAdd_ios(CFDictionaryRef attributes, CFTypeRef *result)
-#else
-SecItemAdd(CFDictionaryRef attributes, CFTypeRef *result)
-#endif // *** END SECITEM_SHIM_OSX ***
-{
- CFMutableDictionaryRef args = NULL;
- OSStatus status;
-
-#ifndef SECITEM_SHIM_OSX
- require_quiet(!explode_identity(attributes, (secitem_operation)SecItemAdd, &status, result), errOut);
- require_noerr_quiet(status = cook_query(attributes, &args), errOut);
- infer_cert_label(attributes, args);
-#endif // *** END SECITEM_SHIM_OSX ***
- if (args)
- attributes = args;
-
- status = SecOSStatusWith(^bool (CFErrorRef *error) {
- CFTypeRef raw_result = NULL;
- if (!SECURITYD_XPC(sec_item_add, cftype_ag_to_bool_cftype_error_request, attributes, SecAccessGroupsGetCurrent(), &raw_result, error))
- return false;
-
- result_post(attributes, raw_result, result);
- return true;
- });
-
-#ifndef SECITEM_SHIM_OSX
-errOut:
-#endif // *** END SECITEM_SHIM_OSX ***
- CFReleaseSafe(args);
- return status;
-}
-
-
-OSStatus
-#if SECITEM_SHIM_OSX
-SecItemCopyMatching_ios(CFDictionaryRef inQuery, CFTypeRef *result)
-#else
-SecItemCopyMatching(CFDictionaryRef inQuery, CFTypeRef *result)
-#endif // *** END SECITEM_SHIM_OSX ***
-{
- __block CFDictionaryRef query = inQuery;
- __block CFMutableDictionaryRef args = NULL;
- OSStatus status;
-
-#ifndef SECITEM_SHIM_OSX
- require_quiet(!explode_identity(query, (secitem_operation)SecItemCopyMatching, &status, result), errOut);
- require_noerr_quiet(status = cook_query(query, &args), errOut);
-#endif // *** END SECITEM_SHIM_OSX ***
- if (args)
- query = args;
-
- status = SecOSStatusWith(^bool (CFErrorRef *error) {
- CFTypeRef raw_result = NULL;
- if (!SECURITYD_XPC(sec_item_copy_matching, cftype_ag_to_bool_cftype_error_request, query, SecAccessGroupsGetCurrent(), &raw_result, error))
- return false;
-
-#ifdef SECITEM_SHIM_OSX
- if ((!cf_bool_value(CFDictionaryGetValue(query, kSecReturnPersistentRef))) && cf_bool_value(CFDictionaryGetValue(query, kSecReturnRef))) {
- CFReleaseSafe(args);
- args = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, query);
- CFDictionaryAddValue(args, kSecReturnPersistentRef, kCFBooleanTrue);
- query = args;
- }
-#endif
- result_post(query, raw_result, result);
- return true;
- });
-
-#ifndef SECITEM_SHIM_OSX
-errOut:
-#endif // *** END SECITEM_SHIM_OSX ***
- CFReleaseSafe(args);
- return status;
-}
-
-OSStatus
-#if SECITEM_SHIM_OSX
-SecItemUpdate_ios(CFDictionaryRef query, CFDictionaryRef attributesToUpdate)
-#else
-SecItemUpdate(CFDictionaryRef query, CFDictionaryRef attributesToUpdate)
-#endif // *** END SECITEM_SHIM_OSX ***
-{
- CFMutableDictionaryRef args = NULL;
- __block OSStatus status; // TODO loose block once gSecurityd functions return CFErrorRefs
-#ifndef SECITEM_SHIM_OSX
- require_noerr_quiet(status = cook_query(query, &args), errOut);
-#endif
- if (args)
- query = args;
-
- status = SecOSStatusWith(^bool (CFErrorRef *error) {
- bool ok = false;
- if (gSecurityd) {
- // Ensure the dictionary passed to securityd has proper kCFTypeDictionaryKeyCallBacks.
- CFMutableDictionaryRef tmp = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, NULL);
- CFDictionaryForEach(attributesToUpdate, ^(const void *key, const void *value) { CFDictionaryAddValue(tmp, key, value); });
- ok = gSecurityd->sec_item_update(query, tmp, SecAccessGroupsGetCurrent(), error);
- CFRelease(tmp);
- } else {
- xpc_object_t message = securityd_create_message(sec_item_update_id, error);
- if (message) {
- if (SecXPCDictionarySetPList(message, kSecXPCKeyQuery, query, error) &&
- SecXPCDictionarySetPList(message, kSecXPCKeyAttributesToUpdate, attributesToUpdate, error)) {
- xpc_object_t reply = securityd_message_with_reply_sync(message, error);
- if (reply) {
- ok = securityd_message_no_error(reply, error);
- xpc_release(reply);
- }
- }
- xpc_release(message);
- }
- }
- return ok;
- });
-
-#ifndef SECITEM_SHIM_OSX
-errOut:
-#endif
- CFReleaseSafe(args);
- return status;
-}
-
-#ifndef SECITEM_SHIM_OSX
-static void copy_all_keys_and_values(const void *key, const void *value, void *context)
-{
- CFDictionaryAddValue((CFMutableDictionaryRef)context, key, value);
-}
-#endif
-
-#ifndef SECITEM_SHIM_OSX
-static OSStatus explode_persistent_identity_ref(CFDictionaryRef query, CFMutableDictionaryRef *delete_query)
-{
- OSStatus status = errSecSuccess;
- CFTypeRef persist = CFDictionaryGetValue(query, kSecValuePersistentRef);
- CFStringRef class;
- if (persist && _SecItemParsePersistentRef(persist, &class, NULL)
- && CFEqual(class, kSecClassIdentity)) {
- const void *keys[] = { kSecReturnRef, kSecValuePersistentRef };
- const void *vals[] = { kCFBooleanTrue, persist };
- CFDictionaryRef persistent_query = CFDictionaryCreate(NULL, keys,
- vals, (array_size(keys)), NULL, NULL);
- CFTypeRef item_query = NULL;
- status = SecItemCopyMatching(persistent_query, &item_query);
- CFReleaseNull(persistent_query);
- if (status)
- return status;
- CFMutableDictionaryRef new_query = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
- &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
- if (new_query) {
- CFDictionaryApplyFunction(query, copy_all_keys_and_values, new_query);
- CFDictionaryRemoveValue(new_query, kSecValuePersistentRef);
- CFDictionarySetValue(new_query, kSecValueRef, item_query);
- *delete_query = new_query;
- } else
- status = errSecAllocate;
- CFRelease(item_query);
- }
-
- return status;
-}
-#endif
-
-OSStatus
-#if SECITEM_SHIM_OSX
-SecItemDelete_ios(CFDictionaryRef query)
-#else
-SecItemDelete(CFDictionaryRef query)
-#endif // *** END SECITEM_SHIM_OSX ***
-{
- CFMutableDictionaryRef args1 = NULL, args2 = NULL;
- OSStatus status;
-
-#ifndef SECITEM_SHIM_OSX
- require_noerr_quiet(status = explode_persistent_identity_ref(query, &args1), errOut);
- if (args1)
- query = args1;
- require_quiet(!explode_identity(query, (secitem_operation)SecItemDelete, &status, NULL), errOut);
- require_noerr_quiet(status = cook_query(query, &args2), errOut);
-#endif // *** END SECITEM_SHIM_OSX ***
- if (args2)
- query = args2;
-
- status = SecOSStatusWith(^bool (CFErrorRef *error) {
- return SECURITYD_XPC(sec_item_delete, dict_ag_to_error_request, query, SecAccessGroupsGetCurrent(), error);
- });
-
-#ifndef SECITEM_SHIM_OSX
-errOut:
-#endif // *** END SECITEM_SHIM_OSX ***
- CFReleaseSafe(args1);
- CFReleaseSafe(args2);
- return status;
-}
-
-OSStatus
-SecItemDeleteAll(void)
-{
- return SecOSStatusWith(^bool (CFErrorRef *error) {
- bool ok;
- if (gSecurityd) {
-#ifndef SECITEM_SHIM_OSX
- SecTrustStoreRef ts = SecTrustStoreForDomain(kSecTrustStoreDomainUser);
- if (!gSecurityd->sec_truststore_remove_all(ts, error))
- ok = SecError(errSecInternal, error, CFSTR("sec_truststore_remove_all is NULL"));
-#endif // *** END SECITEM_SHIM_OSX ***
- if (!gSecurityd->sec_item_delete_all(error))
- ok = SecError(errSecInternal, error, CFSTR("sec_item_delete_all is NULL"));
- ok = true;
- } else {
- ok = securityd_send_sync_and_do(sec_delete_all_id, error, NULL, NULL);
- }
- return ok;
- });
-}
-
-CFDataRef _SecKeychainCopyOTABackup(void) {
- return SECURITYD_XPC(sec_keychain_backup, data_data_to_data_error_request, NULL, NULL, NULL);
-}
-
-CFDataRef _SecKeychainCopyBackup(CFDataRef backupKeybag, CFDataRef password) {
- return SECURITYD_XPC(sec_keychain_backup, data_data_to_data_error_request, backupKeybag, password, NULL);
-}
-
-OSStatus _SecKeychainRestoreBackup(CFDataRef backup, CFDataRef backupKeybag,
- CFDataRef password) {
- return SecOSStatusWith(^bool (CFErrorRef *error) {
- return SECURITYD_XPC(sec_keychain_restore, data_data_data_to_error_request, backup, backupKeybag, password, error);
- });
-}
-
-bool _SecKeychainSyncUpdate(CFDictionaryRef updates, CFErrorRef *error) {
- return SECURITYD_XPC(sec_keychain_sync_update, dict_to_error_request, updates, error);
-}
-
-OSStatus _SecKeychainBackupSyncable(CFDataRef keybag, CFDataRef password, CFDictionaryRef backup_in, CFDictionaryRef *backup_out)
-{
- return SecOSStatusWith(^bool (CFErrorRef *error) {
- *backup_out = SECURITYD_XPC(sec_keychain_backup_syncable, data_data_dict_to_dict_error_request, backup_in, keybag, password, error);
- return *backup_out != NULL;
- });
-}
-
-OSStatus _SecKeychainRestoreSyncable(CFDataRef keybag, CFDataRef password, CFDictionaryRef backup_in)
-{
- return SecOSStatusWith(^bool (CFErrorRef *error) {
- return SECURITYD_XPC(sec_keychain_restore_syncable, dict_data_data_to_error_request, backup_in, keybag, password, error);
- });
-}
-
-
-#ifndef SECITEM_SHIM_OSX
-OSStatus SecTaskValidateForRequirement(SecTaskRef task, CFStringRef requirement);
-
-OSStatus SecTaskValidateForRequirement(SecTaskRef task, CFStringRef requirement)
-{
- return -1; /* this is only on OS X currently */
-}
-
-#else
-
-extern OSStatus SecTaskValidateForRequirement(SecTaskRef task, CFStringRef requirement);
-
-#endif
projects / apple / security.git / blobdiff