+++ /dev/null
-/*
- * Copyright (c) 2003-2004,2006-2010 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- *
- * OTATrustUtilities.c
- */
-
-#include "OTATrustUtilities.h"
-
-#include <errno.h>
-#include <fcntl.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#include <dirent.h>
-#include <sys/syslimits.h>
-#include <sys/mman.h>
-#include <sys/stat.h>
-#include <CoreFoundation/CoreFoundation.h>
-#include <ftw.h>
-#include "SecFramework.h"
-#include <pthread.h>
-#include <sys/param.h>
-#include <stdlib.h>
-#include <utilities/SecCFRelease.h>
-#include <utilities/SecCFError.h>
-#include <utilities/SecCFWrappers.h>
-#include <Security/SecBasePriv.h>
-#include <Security/SecFramework.h>
-#include <dispatch/dispatch.h>
-#include <CommonCrypto/CommonDigest.h>
-
-//#define VERBOSE_LOGGING 1
-
-#if VERBOSE_LOGGING
-
-static void TestOTALog(const char* sz, ...)
-{
- va_list va;
- va_start(va, sz);
-
- FILE* fp = fopen("/tmp/secd_OTAUtil.log", "a");
- if (NULL != fp)
- {
- vfprintf(fp, sz, va);
- fclose(fp);
- }
- va_end(va);
-}
-
-#else
-
-#define TestOTALog(sz, ...)
-
-#endif
-
-
-//#define NEW_LOCATION 1
-
-#if NEW_LOCATION
-static const char* kBaseAssertDirectory = "/var/OTAPKI/Assets";
-#else
-static const char* kBaseAssertDirectory = "/var/Keychains/Assets";
-#endif
-
-static const char* kVersionDirectoryNamePrefix = "Version_";
-static const char* kNumberString = "%d";
-
-struct index_record
-{
- unsigned char hash[CC_SHA1_DIGEST_LENGTH];
- uint32_t offset;
-};
-typedef struct index_record index_record;
-
-
-struct _OpaqueSecOTAPKI
-{
- CFRuntimeBase _base;
- CFSetRef _blackListSet;
- CFSetRef _grayListSet;
- CFArrayRef _escrowCertificates;
- CFDictionaryRef _evPolicyToAnchorMapping;
- CFDictionaryRef _anchorLookupTable;
- const char* _anchorTable;
- int _assetVersion;
-};
-
-CFGiblisFor(SecOTAPKI)
-
-static CF_RETURNS_RETAINED CFStringRef SecOTAPKICopyDescription(CFTypeRef cf)
-{
- SecOTAPKIRef otapkiRef = (SecOTAPKIRef)cf;
- return CFStringCreateWithFormat(kCFAllocatorDefault,NULL,CFSTR("<SecOTAPKIRef: version %d>"), otapkiRef->_assetVersion);
-}
-
-static void SecOTAPKIDestroy(CFTypeRef cf)
-{
- SecOTAPKIRef otapkiref = (SecOTAPKIRef)cf;
-
- CFReleaseNull(otapkiref->_blackListSet);
- CFReleaseNull(otapkiref->_grayListSet);
- CFReleaseNull(otapkiref->_escrowCertificates);
-
- CFReleaseNull(otapkiref->_evPolicyToAnchorMapping);
- CFReleaseNull(otapkiref->_anchorLookupTable);
-
- free((void *)otapkiref->_anchorTable);
-}
-
-static CFDataRef SecOTACopyFileContents(const char *path)
-{
- CFMutableDataRef data = NULL;
- int fd = open(path, O_RDONLY, 0666);
-
- if (fd == -1)
- {
- goto badFile;
- }
-
- off_t fsize = lseek(fd, 0, SEEK_END);
- if (fsize == (off_t)-1)
- {
- goto badFile;
- }
-
- if (fsize > (off_t)INT32_MAX)
- {
- goto badFile;
- }
-
- data = CFDataCreateMutable(kCFAllocatorDefault, (CFIndex)fsize);
- if (NULL == data)
- {
- goto badFile;
- }
-
- CFDataSetLength(data, (CFIndex)fsize);
- void *buf = CFDataGetMutableBytePtr(data);
- if (NULL == buf)
- {
- goto badFile;
- }
-
- off_t total_read = 0;
- while (total_read < fsize)
- {
- ssize_t bytes_read;
-
- bytes_read = pread(fd, buf, (size_t)(fsize - total_read), total_read);
- if (bytes_read == -1)
- {
- goto badFile;
- }
- if (bytes_read == 0)
- {
- goto badFile;
- }
- total_read += bytes_read;
- }
-
- close(fd);
- return data;
-
-badFile:
- if (fd != -1)
- {
- close(fd);
- }
-
- if (data)
- {
- CFRelease(data);
- }
-
- return NULL;
-}
-
-static Boolean PathExists(const char* path, size_t* pFileSize)
-{
- TestOTALog("In PathExists: checking path %s\n", path);
- Boolean result = false;
- struct stat sb;
-
- if (NULL != pFileSize)
- {
- *pFileSize = 0;
- }
-
- int stat_result = stat(path, &sb);
- result = (stat_result == 0);
-
-
- if (result)
- {
- TestOTALog("In PathExists: stat returned 0 for %s\n", path);
- if (S_ISDIR(sb.st_mode))
- {
- TestOTALog("In PathExists: %s is a directory\n", path);
- // It is a directory
- ;
- }
- else
- {
- TestOTALog("In PathExists: %s is a file\n", path);
- // It is a file
- if (NULL != pFileSize)
- {
- *pFileSize = (size_t)sb.st_size;
- }
- }
- }
-#if VERBOSE_LOGGING
- else
- {
- TestOTALog("In PathExists: stat returned %d for %s\n", stat_result, path);
- int local_errno = errno;
- switch(local_errno)
- {
- case EACCES:
- TestOTALog("In PathExists: stat failed because of EACCES\n");
- break;
-
- case EBADF:
- TestOTALog("In PathExists: stat failed because of EBADF (Not likely)\n");
- break;
-
- case EFAULT:
- TestOTALog("In PathExists: stat failed because of EFAULT (huh?)\n");
- break;
-
- case ELOOP:
- TestOTALog("In PathExists: stat failed because of ELOOP (huh?)\n");
- break;
-
- case ENAMETOOLONG:
- TestOTALog("In PathExists: stat failed because of ENAMETOOLONG (huh?)\n");
- break;
-
- case ENOENT:
- TestOTALog("In PathExists: stat failed because of ENOENT (missing?)\n");
- break;
-
- case ENOMEM:
- TestOTALog("In PathExists: stat failed because of ENOMEM (really?)\n");
- break;
-
- case ENOTDIR:
- TestOTALog("In PathExists: stat failed because of ENOTDIR (really?)\n");
- break;
-
- case EOVERFLOW:
- TestOTALog("In PathExists: stat failed because of EOVERFLOW (really?)\n");
- break;
-
- default:
- TestOTALog("In PathExists: unknown errno of %d\n", local_errno);
- break;
- }
- }
-#endif // #if VERBOSE_LOGGING
-
- return result;
-}
-
-static int unlink_cb(const char *fpath, const struct stat *sb, int typeflag, struct FTW *ftwbuf)
-{
- int rv = remove(fpath);
- return rv;
-}
-
-static int rmrf(char *path)
-{
- const char* p1 = NULL;
- char path_buffer[PATH_MAX];
- memset(path_buffer, 0, sizeof(path_buffer));
-
- p1 = realpath(path, path_buffer);
- if (!strncmp(path, p1, PATH_MAX))
- {
- return nftw(path, unlink_cb, 64, FTW_DEPTH | FTW_PHYS);
- }
- return -1;
-}
-
-static const char* InitOTADirectory(int* pAssetVersion)
-{
- TestOTALog("In InitOTADirectory\n");
- const char* result = NULL;
-
- char buffer[PATH_MAX];
- DIR *dp;
- struct dirent *ep;
- int version = 0;
- int current_version = 0;
- CFIndex asset_number = 0;
-
- bool assetDirectoryExists = PathExists(kBaseAssertDirectory, NULL);
- if (assetDirectoryExists)
- {
- TestOTALog("InitOTADirectory: %s exists\n", kBaseAssertDirectory);
- dp = opendir (kBaseAssertDirectory);
- if (NULL != dp)
- {
- TestOTALog("InitOTADirectory: opendir sucessfully open %s\n", kBaseAssertDirectory);
- while ((ep = readdir(dp)))
- {
- TestOTALog("InitOTADirectory: processing name %s\n", ep->d_name);
- if (strstr(ep->d_name, kVersionDirectoryNamePrefix))
- {
- TestOTALog("InitOTADirectory: %s matches\n", ep->d_name);
- memset(buffer, 0, sizeof(buffer));
- snprintf(buffer, sizeof(buffer), "%s%s", kVersionDirectoryNamePrefix, kNumberString);
-
- sscanf(ep->d_name, buffer, &version);
-
- TestOTALog("InitOTADirectory: version = %d\n", version);
-
- if (current_version > 0)
- {
- if (version > current_version)
- {
- // There is more than one Version_ directory.
- // Delete the one with the smaller version number
- memset(buffer, 0, sizeof(buffer));
- snprintf(buffer, sizeof(buffer), "%s/%s%d", kBaseAssertDirectory, kVersionDirectoryNamePrefix, current_version);
- if (PathExists(buffer, NULL))
- {
- rmrf(buffer);
- }
- current_version = version;
- }
- }
- else
- {
- current_version = version;
- }
- }
- }
- closedir(dp);
- }
- else
- {
- TestOTALog("InitOTADirectory: opendir failed to open %s\n", kBaseAssertDirectory);
- }
- }
- else
- {
- TestOTALog("InitOTADirectory: PathExists returned false for %s\n", kBaseAssertDirectory);
- }
-
- memset(buffer, 0, sizeof(buffer));
-
- if (0 == current_version)
- {
- TestOTALog("InitOTADirectory: current_version = 0\n");
- // No Assets are installed so get the Asset Verson from the AssertVersion.plist in the Security.framework
-
- // Look in the resources for a AssetVerstion.plst file
-
- CFDataRef assetVersionData = SecFrameworkCopyResourceContents(CFSTR("AssetVersion"), CFSTR("plist"), NULL);
- if (NULL != assetVersionData)
- {
- CFPropertyListFormat propFormat;
- CFDictionaryRef versionPlist = CFPropertyListCreateWithData(kCFAllocatorDefault, assetVersionData, 0, &propFormat, NULL);
- if (NULL != versionPlist && CFDictionaryGetTypeID() == CFGetTypeID(versionPlist))
- {
- CFNumberRef versionNumber = (CFNumberRef)CFDictionaryGetValue(versionPlist, (const void *)CFSTR("VersionNumber"));
- if (NULL != versionNumber)
- {
- CFNumberGetValue(versionNumber, kCFNumberCFIndexType, &asset_number);
- }
- }
- CFReleaseSafe(versionPlist);
- CFReleaseSafe(assetVersionData);
- }
-
- current_version = (int)asset_number;
- }
- else
- {
- TestOTALog("InitOTADirectory: current_version = %d\n", current_version);
- snprintf(buffer, sizeof(buffer), "%s/%s%d", kBaseAssertDirectory, kVersionDirectoryNamePrefix, current_version);
- size_t length = strlen(buffer);
- char* temp_str = (char*)malloc(length + 1);
- memset(temp_str, 0, (length + 1));
- strncpy(temp_str, buffer, length);
- result = temp_str;
- }
-
- if (NULL != pAssetVersion)
- {
- *pAssetVersion = current_version;
- }
- return result;
-}
-
-static CFSetRef InitializeBlackList(const char* path_ptr)
-{
- CFSetRef result = NULL;
-
- // Check to see if the EVRoots.plist file is in the asset location
- CFDataRef xmlData = NULL;
- const char* asset_path = path_ptr;
- if (NULL == asset_path)
- {
- // There is no OTA asset file so use the file in the Sercurity.framework bundle
- xmlData = SecFrameworkCopyResourceContents(CFSTR("Blocked"), CFSTR("plist"), NULL);
- }
- else
- {
- char file_path_buffer[PATH_MAX];
- memset(file_path_buffer, 0, PATH_MAX);
- snprintf(file_path_buffer, PATH_MAX, "%s/Blocked.plist", asset_path);
-
- xmlData = SecOTACopyFileContents(file_path_buffer);
-
- if (NULL == xmlData)
- {
- xmlData = SecFrameworkCopyResourceContents(CFSTR("Blocked"), CFSTR("plist"), NULL);
- }
- }
-
- CFPropertyListRef blackKeys = NULL;
- if (xmlData)
- {
- blackKeys = CFPropertyListCreateWithData(kCFAllocatorDefault, xmlData, kCFPropertyListImmutable, NULL, NULL);
- CFRelease(xmlData);
- }
-
- if (blackKeys)
- {
- CFMutableSetRef tempSet = NULL;
- if (CFGetTypeID(blackKeys) == CFArrayGetTypeID())
- {
- tempSet = CFSetCreateMutable(kCFAllocatorDefault, 0, &kCFTypeSetCallBacks);
- if (NULL == tempSet)
- {
- CFRelease(blackKeys);
- return result;
- }
- CFArrayRef blackKeyArray = (CFArrayRef)blackKeys;
- CFIndex num_keys = CFArrayGetCount(blackKeyArray);
- for (CFIndex idx = 0; idx < num_keys; idx++)
- {
- CFDataRef key_data = (CFDataRef)CFArrayGetValueAtIndex(blackKeyArray, idx);
- CFSetAddValue(tempSet, key_data);
- }
- }
- else
- {
- CFRelease(blackKeys);
- return result;
- }
-
- if (NULL != tempSet)
- {
- result = tempSet;
- }
- CFRelease(blackKeys);
- }
-
- return result;
-}
-
-static CFSetRef InitializeGrayList(const char* path_ptr)
-{
- CFSetRef result = NULL;
-
- // Check to see if the EVRoots.plist file is in the asset location
- CFDataRef xmlData = NULL;
- const char* asset_path = path_ptr;
- if (NULL == asset_path)
- {
- // There is no updated asset file so use the file in the Sercurity.framework bundle
- xmlData = SecFrameworkCopyResourceContents(CFSTR("GrayListedKeys"), CFSTR("plist"), NULL);
- }
- else
- {
- char file_path_buffer[PATH_MAX];
- memset(file_path_buffer, 0, PATH_MAX);
- snprintf(file_path_buffer, PATH_MAX, "%s/GrayListedKeys.plist", asset_path);
-
- xmlData = SecOTACopyFileContents(file_path_buffer);
-
- if (NULL == xmlData)
- {
- xmlData = SecFrameworkCopyResourceContents(CFSTR("GrayListedKeys"), CFSTR("plist"), NULL);
- }
- }
-
- CFPropertyListRef grayKeys = NULL;
- if (xmlData)
- {
- grayKeys = CFPropertyListCreateWithData(kCFAllocatorDefault, xmlData, kCFPropertyListImmutable, NULL, NULL);
- CFRelease(xmlData);
- }
-
- if (grayKeys)
- {
- CFMutableSetRef tempSet = NULL;
- if (CFGetTypeID(grayKeys) == CFArrayGetTypeID())
- {
- tempSet = CFSetCreateMutable(kCFAllocatorDefault, 0, &kCFTypeSetCallBacks);
- if (NULL == tempSet)
- {
- CFRelease(grayKeys);
- return result;
- }
- CFArrayRef grayKeyArray = (CFArrayRef)grayKeys;
- CFIndex num_keys = CFArrayGetCount(grayKeyArray);
- for (CFIndex idx = 0; idx < num_keys; idx++)
- {
- CFDataRef key_data = (CFDataRef)CFArrayGetValueAtIndex(grayKeyArray, idx);
- CFSetAddValue(tempSet, key_data);
- }
- }
- else
- {
- CFRelease(grayKeys);
- return result;
- }
-
- if (NULL != tempSet)
- {
- result = tempSet;
- }
-
- CFRelease(grayKeys);
- }
- return result;
-}
-
-static CFDictionaryRef InitializeEVPolicyToAnchorDigestsTable(const char* path_ptr)
-{
- CFDictionaryRef result = NULL;
-
- // Check to see if the EVRoots.plist file is in the asset location
- CFDataRef xmlData = NULL;
- const char* asset_path = path_ptr;
- if (NULL == asset_path)
- {
- // There is no updated asset file so use the file in the Sercurity.framework bundle
- xmlData = SecFrameworkCopyResourceContents(CFSTR("EVRoots"), CFSTR("plist"), NULL);
- }
- else
- {
- char file_path_buffer[PATH_MAX];
- memset(file_path_buffer, 0, PATH_MAX);
- snprintf(file_path_buffer, PATH_MAX, "%s/EVRoots.plist", asset_path);
-
- xmlData = SecOTACopyFileContents(file_path_buffer);
-
- if (NULL == xmlData)
- {
- xmlData = SecFrameworkCopyResourceContents(CFSTR("EVRoots"), CFSTR("plist"), NULL);
- }
- }
-
- CFPropertyListRef evroots = NULL;
- if (xmlData)
- {
- evroots = CFPropertyListCreateWithData(
- kCFAllocatorDefault, xmlData, kCFPropertyListImmutable, NULL, NULL);
- CFRelease(xmlData);
- }
-
- if (evroots)
- {
- if (CFGetTypeID(evroots) == CFDictionaryGetTypeID())
- {
- /* @@@ Ensure that each dictionary key is a dotted list of digits,
- each value is an NSArrayRef and each element in the array is a
- 20 byte digest. */
-
- result = (CFDictionaryRef)evroots;
- }
- else
- {
- secwarning("EVRoot.plist is wrong type.");
- CFRelease(evroots);
- }
- }
-
- return result;
-}
-
-static void* MapFile(const char* path, int* out_fd, size_t* out_file_size)
-{
- void* result = NULL;
- void* temp_result = NULL;
- if (NULL == path || NULL == out_fd || NULL == out_file_size)
- {
- return result;
- }
-
- *out_fd = -1;
- *out_file_size = 0;
-
-
- *out_fd = open(path, O_RDONLY, 0666);
-
- if (*out_fd == -1)
- {
- return result;
- }
-
- off_t fsize = lseek(*out_fd, 0, SEEK_END);
- if (fsize == (off_t)-1)
- {
- return result;
- }
-
- if (fsize > (off_t)INT32_MAX)
- {
- close(*out_fd);
- *out_fd = -1;
- return result;
- }
-
- size_t malloc_size = (size_t)fsize;
-
- temp_result = malloc(malloc_size);
- if (NULL == temp_result)
- {
- close(*out_fd);
- *out_fd = -1;
- return result;
- }
-
- *out_file_size = malloc_size;
-
- off_t total_read = 0;
- while (total_read < fsize)
- {
- ssize_t bytes_read;
-
- bytes_read = pread(*out_fd, temp_result, (size_t)(fsize - total_read), total_read);
- if (bytes_read == -1)
- {
- free(temp_result);
- temp_result = NULL;
- close(*out_fd);
- *out_fd = -1;
- return result;
- }
- if (bytes_read == 0)
- {
- free(temp_result);
- temp_result = NULL;
- close(*out_fd);
- *out_fd = -1;
- return result;
- }
- total_read += bytes_read;
- }
-
- if (NULL != temp_result)
- {
- result = temp_result;
- }
-
- return result;
-}
-
-static void UnMapFile(void* mapped_data, size_t data_size)
-{
-#pragma unused(mapped_data, data_size)
- if (NULL != mapped_data)
- {
- free((void *)mapped_data);
- mapped_data = NULL;
- }
-}
-
-static bool InitializeAnchorTable(const char* path_ptr, CFDictionaryRef* pLookupTable, const char** ppAnchorTable)
-{
-
- bool result = false;
-
- if (NULL == pLookupTable || NULL == ppAnchorTable)
- {
- return result;
- }
-
- *pLookupTable = NULL;
- *ppAnchorTable = NULL;;
-
- // first see if there is a file at /var/db/OTA_Anchors
- const char* dir_path = NULL;
- CFDataRef cert_index_file_data = NULL;
- char file_path_buffer[PATH_MAX];
- CFURLRef table_data_url = NULL;
- CFStringRef table_data_cstr_path = NULL;
- const char* table_data_path = NULL;
- const index_record* pIndex = NULL;
- size_t index_offset = 0;
- size_t index_data_size = 0;
- CFMutableDictionaryRef anchorLookupTable = NULL;
- uint32_t offset_int_value = 0;
- CFNumberRef index_offset_value = NULL;
- CFDataRef index_hash = NULL;
- CFMutableArrayRef offsets = NULL;
- Boolean release_offset = false;
-
- char* local_anchorTable = NULL;
- size_t local_anchorTableSize = 0;
- int local_anchorTable_fd = -1;
-
- // ------------------------------------------------------------------------
- // First determine if there are asset files at /var/Keychains. If there
- // are files use them for the trust table. Otherwise, use the files in the
- // Security.framework bundle.
- //
- // The anchor table file is mapped into memory. This SHOULD be OK as the
- // size of the data is around 250K.
- // ------------------------------------------------------------------------
- dir_path = path_ptr;
-
- if (NULL != dir_path)
- {
- // There is a set of OTA asset files
- memset(file_path_buffer, 0, PATH_MAX);
- snprintf(file_path_buffer, PATH_MAX, "%s/certsIndex.data", dir_path);
- cert_index_file_data = SecOTACopyFileContents(file_path_buffer);
-
- if (NULL != cert_index_file_data)
- {
- memset(file_path_buffer, 0, PATH_MAX);
- snprintf(file_path_buffer, PATH_MAX, "%s/certsTable.data", dir_path);
- local_anchorTable = (char *)MapFile(file_path_buffer, &local_anchorTable_fd, &local_anchorTableSize);
- }
-
- free((void *)dir_path);
- dir_path = NULL;
- }
-
- // Check to see if kAnchorTable was indeed set
- if (NULL == local_anchorTable)
- {
- // local_anchorTable is still NULL so the asset in the Security framework needs to be used.
- CFReleaseSafe(cert_index_file_data);
- cert_index_file_data = SecFrameworkCopyResourceContents(CFSTR("certsIndex"), CFSTR("data"), NULL);
- table_data_url = SecFrameworkCopyResourceURL(CFSTR("certsTable"), CFSTR("data"), NULL);
- if (NULL != table_data_url)
- {
- table_data_cstr_path = CFURLCopyFileSystemPath(table_data_url, kCFURLPOSIXPathStyle);
- if (NULL != table_data_cstr_path)
- {
- memset(file_path_buffer, 0, PATH_MAX);
- table_data_path = CFStringGetCStringPtr(table_data_cstr_path, kCFStringEncodingUTF8);
- if (NULL == table_data_path)
- {
- if (CFStringGetCString(table_data_cstr_path, file_path_buffer, PATH_MAX, kCFStringEncodingUTF8))
- {
- table_data_path = file_path_buffer;
- }
- }
- local_anchorTable = (char *)MapFile(table_data_path, &local_anchorTable_fd, &local_anchorTableSize);
- CFReleaseSafe(table_data_cstr_path);
- }
- }
- CFReleaseSafe(table_data_url);
- }
-
- if (NULL == local_anchorTable || NULL == cert_index_file_data)
- {
- // we are in trouble
- CFReleaseSafe(cert_index_file_data);
- return result;
- }
-
- // ------------------------------------------------------------------------
- // Now that the locations of the files are known and the table file has
- // been mapped into memory, create a dictionary that maps the SHA1 hash of
- // normalized issuer to the offset in the mapped anchor table file which
- // contains a index_record to the correct certificate
- // ------------------------------------------------------------------------
- pIndex = (const index_record*)CFDataGetBytePtr(cert_index_file_data);
- index_data_size = CFDataGetLength(cert_index_file_data);
-
- anchorLookupTable = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
- &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
-
- for (index_offset = index_data_size; index_offset > 0; index_offset -= sizeof(index_record), pIndex++)
- {
- offset_int_value = pIndex->offset;
-
- index_offset_value = CFNumberCreate(kCFAllocatorDefault, kCFNumberIntType, &offset_int_value);
- index_hash = CFDataCreate(kCFAllocatorDefault, pIndex->hash, CC_SHA1_DIGEST_LENGTH);
-
- // see if the dictionary already has this key
- release_offset = false;
- offsets = (CFMutableArrayRef)CFDictionaryGetValue(anchorLookupTable, index_hash);
- if (NULL == offsets)
- {
- offsets = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
- release_offset = true;
- }
-
- // Add the offset
- CFArrayAppendValue(offsets, index_offset_value);
-
- // set the key value pair in the dictionary
- CFDictionarySetValue(anchorLookupTable, index_hash, offsets);
-
- CFRelease(index_offset_value);
- CFRelease(index_hash);
- if (release_offset)
- {
- CFRelease(offsets);
- }
- }
-
- CFRelease(cert_index_file_data);
-
- if (NULL != anchorLookupTable && NULL != local_anchorTable)
- {
- *pLookupTable = anchorLookupTable;
- *ppAnchorTable = local_anchorTable;
- result = true;
- }
- else
- {
- CFReleaseSafe(anchorLookupTable);
- if (NULL != local_anchorTable)
- {
- UnMapFile(local_anchorTable, local_anchorTableSize);
- //munmap(kAnchorTable, local_anchorTableSize);
- local_anchorTable = NULL;
- local_anchorTableSize = 0;
- }
- }
-
- return result;
-}
-
-static CFArrayRef InitializeEscrowCertificates(const char* path_ptr)
-{
- CFArrayRef result = NULL;
- CFDataRef file_data = NULL;
-
- const char* dir_path = path_ptr;
- if (NULL == dir_path)
- {
- file_data = SecFrameworkCopyResourceContents(CFSTR("AppleESCertificates"), CFSTR("plist"), NULL);
- }
- else
- {
- char buffer[1024];
- memset(buffer, 0, 1024);
- snprintf(buffer, 1024, "%s/AppleESCertificates.plist", dir_path);
- file_data = SecOTACopyFileContents(buffer);
- }
-
- if (NULL != file_data)
- {
- CFPropertyListFormat propFormat;
- CFDictionaryRef certsDictionary = CFPropertyListCreateWithData(kCFAllocatorDefault, file_data, 0, &propFormat, NULL);
- if (NULL != certsDictionary && CFDictionaryGetTypeID() == CFGetTypeID((CFTypeRef)certsDictionary))
- {
- CFArrayRef certs = (CFArrayRef)CFDictionaryGetValue(certsDictionary, CFSTR("ProductionEscrowKey"));
- if (NULL != certs && CFArrayGetTypeID() == CFGetTypeID((CFTypeRef)certs) && CFArrayGetCount(certs) > 0)
- {
- result = CFArrayCreateCopy(kCFAllocatorDefault, certs);
- }
- CFRelease(certsDictionary);
- }
- CFRelease(file_data);
- }
-
- return result;
-}
-
-
-static SecOTAPKIRef SecOTACreate()
-{
- TestOTALog("In SecOTACreate\n");
-
- SecOTAPKIRef otapkiref = NULL;
-
- otapkiref = CFTypeAllocate(SecOTAPKI, struct _OpaqueSecOTAPKI , kCFAllocatorDefault);
-
- if (NULL == otapkiref)
- {
- return otapkiref;
- }
-
- // Mkae suer that if this routine has to bail that the clean up
- // will do the right thing
- otapkiref->_blackListSet = NULL;
- otapkiref->_grayListSet = NULL;
- otapkiref->_escrowCertificates = NULL;
- otapkiref->_evPolicyToAnchorMapping = NULL;
- otapkiref->_anchorLookupTable = NULL;
- otapkiref->_anchorTable = NULL;
- otapkiref->_assetVersion = 0;
-
- // Start off by getting the correct asset directory info
- int asset_version = 0;
- const char* path_ptr = InitOTADirectory(&asset_version);
- otapkiref->_assetVersion = asset_version;
-
- TestOTALog("SecOTACreate: asset_path = %s\n", path_ptr);
- TestOTALog("SecOTACreate: asset_version = %d\n", asset_version);
-
- // Get the set of black listed keys
- CFSetRef blackKeysSet = InitializeBlackList(path_ptr);
- if (NULL == blackKeysSet)
- {
- CFReleaseNull(otapkiref);
- return otapkiref;
- }
- otapkiref->_blackListSet = blackKeysSet;
-
- // Get the set of gray listed keys
- CFSetRef grayKeysSet = InitializeGrayList(path_ptr);
- if (NULL == grayKeysSet)
- {
- CFReleaseNull(otapkiref);
- return otapkiref;
- }
- otapkiref->_grayListSet = grayKeysSet;
-
- CFArrayRef escrowCerts = InitializeEscrowCertificates(path_ptr);
- if (NULL == escrowCerts)
- {
- CFReleaseNull(otapkiref);
- return otapkiref;
- }
- otapkiref->_escrowCertificates = escrowCerts;
-
- // Geht the mapping of EV Policy OIDs to Anchor digest
- CFDictionaryRef evOidToAnchorDigestMap = InitializeEVPolicyToAnchorDigestsTable(path_ptr);
- if (NULL == evOidToAnchorDigestMap)
- {
- CFReleaseNull(otapkiref);
- return otapkiref;
- }
- otapkiref->_evPolicyToAnchorMapping = evOidToAnchorDigestMap;
-
- CFDictionaryRef anchorLookupTable = NULL;
- const char* anchorTablePtr = NULL;
-
- if (!InitializeAnchorTable(path_ptr, &anchorLookupTable, &anchorTablePtr))
- {
- CFReleaseSafe(anchorLookupTable);
- if (NULL != anchorTablePtr)
- {
- free((void *)anchorTablePtr);
- }
-
- CFReleaseNull(otapkiref);
- return otapkiref;
- }
- otapkiref->_anchorLookupTable = anchorLookupTable;
- otapkiref->_anchorTable = anchorTablePtr;
- return otapkiref;
-}
-
-static dispatch_once_t kInitializeOTAPKI = 0;
-static const char* kOTAQueueLabel = "com.apple.security.OTAPKIQueue";
-static dispatch_queue_t kOTAQueue;
-static SecOTAPKIRef kCurrentOTAPKIRef = NULL;
-
-SecOTAPKIRef SecOTAPKICopyCurrentOTAPKIRef()
-{
- __block SecOTAPKIRef result = NULL;
- dispatch_once(&kInitializeOTAPKI,
- ^{
- kOTAQueue = dispatch_queue_create(kOTAQueueLabel, NULL);
- kCurrentOTAPKIRef = SecOTACreate();
- });
-
- dispatch_sync(kOTAQueue,
- ^{
- result = kCurrentOTAPKIRef;
- CFRetainSafe(result);
- });
- return result;
-}
-
-
-CFSetRef SecOTAPKICopyBlackListSet(SecOTAPKIRef otapkiRef)
-{
- CFSetRef result = NULL;
- if (NULL == otapkiRef)
- {
- return result;
- }
-
- result = otapkiRef->_blackListSet;
- CFRetainSafe(result);
- return result;
-}
-
-
-CFSetRef SecOTAPKICopyGrayList(SecOTAPKIRef otapkiRef)
-{
- CFSetRef result = NULL;
- if (NULL == otapkiRef)
- {
- return result;
- }
-
- result = otapkiRef->_grayListSet;
- CFRetainSafe(result);
- return result;
-}
-
-CFArrayRef SecOTAPKICopyEscrowCertificates(SecOTAPKIRef otapkiRef)
-{
- CFArrayRef result = NULL;
- if (NULL == otapkiRef)
- {
- return result;
- }
-
- result = otapkiRef->_escrowCertificates;
- CFRetainSafe(result);
- return result;
-}
-
-
-CFDictionaryRef SecOTAPKICopyEVPolicyToAnchorMapping(SecOTAPKIRef otapkiRef)
-{
- CFDictionaryRef result = NULL;
- if (NULL == otapkiRef)
- {
- return result;
- }
-
- result = otapkiRef->_evPolicyToAnchorMapping;
- CFRetainSafe(result);
- return result;
-}
-
-
-CFDictionaryRef SecOTAPKICopyAnchorLookupTable(SecOTAPKIRef otapkiRef)
-{
- CFDictionaryRef result = NULL;
- if (NULL == otapkiRef)
- {
- return result;
- }
-
- result = otapkiRef->_anchorLookupTable;
- CFRetainSafe(result);
- return result;
-}
-
-const char* SecOTAPKIGetAnchorTable(SecOTAPKIRef otapkiRef)
-{
- const char* result = NULL;
- if (NULL == otapkiRef)
- {
- return result;
- }
-
- result = otapkiRef->_anchorTable;
- return result;
-}
-
-int SecOTAPKIGetAssetVersion(SecOTAPKIRef otapkiRef)
-{
- int result = 0;
- if (NULL == otapkiRef)
- {
- return result;
- }
-
- result = otapkiRef->_assetVersion;
- return result;
-}
-
-void SecOTAPKIRefreshData()
-{
- TestOTALog("In SecOTAPKIRefreshData\n");
- SecOTAPKIRef new_otaPKRef = SecOTACreate();
- dispatch_sync(kOTAQueue,
- ^{
- CFReleaseSafe(kCurrentOTAPKIRef);
- kCurrentOTAPKIRef = new_otaPKRef;
- });
-}
-
-CFArrayRef SecOTAPKICopyCurrentEscrowCertificates(CFErrorRef* error)
-{
- CFArrayRef result = NULL;
-
- SecOTAPKIRef otapkiref = SecOTAPKICopyCurrentOTAPKIRef();
- if (NULL == otapkiref)
- {
- SecError(errSecInternal, error, CFSTR("Unable to get the current OTAPKIRef"));
- return result;
- }
-
- result = SecOTAPKICopyEscrowCertificates(otapkiref);
- CFRelease(otapkiref);
-
- if (NULL == result)
- {
- SecError(errSecInternal, error, CFSTR("Could not get the array of escrow certificates form the current OTAPKIRef"));
- }
- return result;
-}
-
-int SecOTAPKIGetCurrentAssetVersion(CFErrorRef* error)
-{
- int result = 0;
-
- SecOTAPKIRef otapkiref = SecOTAPKICopyCurrentOTAPKIRef();
- if (NULL == otapkiref)
- {
- SecError(errSecInternal, error, CFSTR("Unable to get the current OTAPKIRef"));
- return result;
- }
-
- result = otapkiref->_assetVersion;
- return result;
-}
-
-int SecOTAPKISignalNewAsset(CFErrorRef* error)
-{
- TestOTALog("SecOTAPKISignalNewAsset has been called!\n");
- SecOTAPKIRefreshData();
- return 1;
-}
projects / apple / security.git / blobdiff