+++ /dev/null
-/*
- * Copyright (c) 2003-2018 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- *
- * verify-cert.c
- */
-
-#define CFRELEASE(cf) if (cf) { CFRelease(cf); }
-
-#include <Security/SecCertificate.h>
-#include <Security/SecCertificatePriv.h>
-#include <Security/SecTrust.h>
-#include <Security/SecPolicy.h>
-#include <Security/SecPolicyPriv.h>
-#include <utilities/fileIo.h>
-
-#include <sys/stat.h>
-#include <stdio.h>
-#include <time.h>
-
-#include "SecurityCommands.h"
-
-CFStringRef policyToConstant(const char *policy);
-int verify_cert(int argc, char * const *argv);
-
-static int addCertFile(const char *fileName, CFMutableArrayRef *array) {
- SecCertificateRef certRef = NULL;
- CFDataRef dataRef = NULL;
- unsigned char *buf = NULL;
- size_t numBytes;
- int rtn = 0;
-
- if (readFileSizet(fileName, &buf, &numBytes)) {
- rtn = -1;
- goto errOut;
- }
-
- dataRef = CFDataCreate(NULL, buf, numBytes);
- certRef = SecCertificateCreateWithData(NULL, dataRef);
- if (!certRef) {
- certRef = SecCertificateCreateWithPEM(NULL, dataRef);
- if (!certRef) {
- rtn = -1;
- goto errOut;
- }
- }
-
- if (*array == NULL) {
- *array = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
- }
-
- CFArrayAppendValue(*array, certRef);
-
-errOut:
- /* Cleanup */
- free(buf);
- CFRELEASE(dataRef);
- CFRELEASE(certRef);
- return rtn;
-}
-
-CFStringRef policyToConstant(const char *policy) {
- if (policy == NULL) {
- return NULL;
- }
- else if (!strcmp(policy, "basic")) {
- return kSecPolicyAppleX509Basic;
- }
- else if (!strcmp(policy, "ssl")) {
- return kSecPolicyAppleSSL;
- }
- else if (!strcmp(policy, "smime")) {
- return kSecPolicyAppleSMIME;
- }
- else if (!strcmp(policy, "eap")) {
- return kSecPolicyAppleEAP;
- }
- else if (!strcmp(policy, "IPSec")) {
- return kSecPolicyAppleIPsec;
- }
- else if (!strcmp(policy, "appleID")) {
- return kSecPolicyAppleIDValidation;
- }
- else if (!strcmp(policy, "codeSign")) {
- return kSecPolicyAppleCodeSigning;
- }
- else if (!strcmp(policy, "timestamping")) {
- return kSecPolicyAppleTimeStamping;
- }
- else if (!strcmp(policy, "revocation")) {
- return kSecPolicyAppleRevocation;
- }
- else if (!strcmp(policy, "passbook")) {
- /* Passbook not implemented */
- return NULL;
- }
- else {
- return NULL;
- }
-}
-
-static CFOptionFlags revCheckOptionStringToFlags(
- const char *revCheckOption)
-{
- CFOptionFlags result = 0;
- if(revCheckOption == NULL) {
- return result;
- }
- else if(!strcmp(revCheckOption, "ocsp")) {
- result |= kSecRevocationOCSPMethod;
- }
- else if(!strcmp(revCheckOption, "crl")) {
- result |= kSecRevocationCRLMethod;
- }
- else if(!strcmp(revCheckOption, "require")) {
- result |= kSecRevocationRequirePositiveResponse;
- }
- else if(!strcmp(revCheckOption, "offline")) {
- result |= kSecRevocationNetworkAccessDisabled;
- }
- else if(!strcmp(revCheckOption, "online")) {
- result |= kSecRevocationOnlineCheck;
- }
- return result;
-}
-
-int verify_cert(int argc, char * const *argv) {
- extern char *optarg;
- extern int optind;
- int arg;
-
- CFMutableArrayRef certs = NULL;
- CFMutableArrayRef roots = NULL;
- CFMutableArrayRef policies = NULL;
-
- CFMutableDictionaryRef dict = NULL;
- CFStringRef name = NULL;
- CFBooleanRef client = kCFBooleanFalse;
- CFOptionFlags revOptions = 0;
-
- OSStatus ortn;
- int ourRtn = 0;
- bool quiet = false;
-
- struct tm time;
- CFGregorianDate gregorianDate;
- CFDateRef dateRef = NULL;
-
- CFStringRef policy = NULL;
- SecPolicyRef policyRef = NULL;
- SecPolicyRef revPolicyRef = NULL;
- Boolean fetch = true;
- SecTrustRef trustRef = NULL;
- SecTrustResultType resultType;
-
- if (argc < 2) {
- return SHOW_USAGE_MESSAGE;
- }
-
- optind = 1;
-
- while ((arg = getopt(argc, argv, "Cc:r:p:d:n:LqR:")) != -1) {
- switch (arg) {
- case 'c':
- /* Can be specified multiple times */
- if (addCertFile(optarg, &certs)) {
- fprintf(stderr, "Cert file error\n");
- ourRtn = 1;
- goto errOut;
- }
- break;
- case 'r':
- /* Can be specified multiple times */
- if (addCertFile(optarg, &roots)) {
- fprintf(stderr, "Root file error\n");
- ourRtn = 1;
- goto errOut;
- }
- break;
- case 'p':
- policy = policyToConstant(optarg);
- if (policy == NULL) {
- fprintf(stderr, "Policy processing error\n");
- ourRtn = 2;
- goto errOut;
- }
- break;
- case 'L':
- /* Force no network fetch of certs */
- fetch = false;
- break;
- case 'n':
- if (name == NULL) {
- name = CFStringCreateWithCString(NULL, optarg, kCFStringEncodingUTF8);
- }
- break;
- case 'q':
- quiet = true;
- break;
- case 'C':
- /* Set to client */
- client = kCFBooleanTrue;
- break;
- case 'd':
- memset(&time, 0, sizeof(struct tm));
- if (strptime(optarg, "%Y-%m-%d-%H:%M:%S", &time) == NULL) {
- if (strptime(optarg, "%Y-%m-%d", &time) == NULL) {
- fprintf(stderr, "Date processing error\n");
- ourRtn = 2;
- goto errOut;
- }
- }
- gregorianDate.second = time.tm_sec;
- gregorianDate.minute = time.tm_min;
- gregorianDate.hour = time.tm_hour;
- gregorianDate.day = time.tm_mday;
- gregorianDate.month = time.tm_mon + 1;
- gregorianDate.year = time.tm_year + 1900;
-
- if (dateRef == NULL) {
- dateRef = CFDateCreate(NULL, CFGregorianDateGetAbsoluteTime(gregorianDate, NULL));
- }
- break;
- case 'R':
- revOptions |= revCheckOptionStringToFlags(optarg);
- break;
- default:
- fprintf(stderr, "Usage error\n");
- ourRtn = 2;
- goto errOut;
- }
- }
-
- if (optind != argc) {
- ourRtn = 2;
- goto errOut;
- }
-
- if (policy == NULL) {
- policy = kSecPolicyAppleX509Basic;
- }
-
- if (certs == NULL) {
- if (roots == NULL) {
- fprintf(stderr, "No certificates specified.\n");
- ourRtn = 2;
- goto errOut;
- }
- if (CFArrayGetCount(roots) != 1) {
- fprintf(stderr, "Multiple roots and no certificates not allowed.\n");
- ourRtn = 2;
- goto errOut;
- }
-
- /* No certs and one root: verify the root */
- certs = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
- CFArrayAppendValue(certs, CFArrayGetValueAtIndex(roots, 0));
- }
-
- /* Per-policy options */
- if (!CFStringCompare(policy, kSecPolicyAppleSSL, 0) || !CFStringCompare(policy, kSecPolicyAppleIPsec, 0)) {
- dict = CFDictionaryCreateMutable(NULL, 2, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
-
- if (name == NULL) {
- fprintf(stderr, "Name not specified for IPsec or SSL policy. '-n' is a required option for these policies.");
- ourRtn = 2;
- goto errOut;
- }
- CFDictionaryAddValue(dict, kSecPolicyName, name);
- CFDictionaryAddValue(dict, kSecPolicyClient, client);
- }
- else if (!CFStringCompare(policy, kSecPolicyAppleEAP, 0)) {
- dict = CFDictionaryCreateMutable(NULL, 1, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
-
- CFDictionaryAddValue(dict, kSecPolicyClient, client);
- }
- else if (!CFStringCompare(policy, kSecPolicyAppleSMIME, 0)) {
- dict = CFDictionaryCreateMutable(NULL, 1, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
-
- if (name == NULL) {
- fprintf(stderr, "Name not specified for SMIME policy. '-n' is a required option for this policy.");
- ourRtn = 2;
- goto errOut;
- }
- CFDictionaryAddValue(dict, kSecPolicyName, name);
- }
-
- policyRef = SecPolicyCreateWithProperties(policy, dict);
-
- /* create policies array */
- policies = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
- CFArrayAppendValue(policies, policyRef);
- /* add optional SecPolicyRef for revocation, if specified */
- if(revOptions != 0) {
- revPolicyRef = SecPolicyCreateRevocation(revOptions);
- CFArrayAppendValue(policies, revPolicyRef);
- }
-
- /* create trust reference from certs and policies */
- ortn = SecTrustCreateWithCertificates(certs, policies, &trustRef);
- if (ortn) {
- fprintf(stderr, "SecTrustCreateWithCertificates\n");
- ourRtn = 1;
- goto errOut;
- }
-
- /* Roots (anchors) are optional */
- if (roots != NULL) {
- ortn = SecTrustSetAnchorCertificates(trustRef, roots);
- if (ortn) {
- fprintf(stderr, "SecTrustSetAnchorCertificates\n");
- ourRtn = 1;
- goto errOut;
- }
- }
- if (fetch == false) {
- ortn = SecTrustSetNetworkFetchAllowed(trustRef, fetch);
- if (ortn) {
- fprintf(stderr, "SecTrustSetNetworkFetchAllowed\n");
- ourRtn = 1;
- goto errOut;
- }
- }
-
- /* Set verification time for trust object */
- if (dateRef != NULL) {
- ortn = SecTrustSetVerifyDate(trustRef, dateRef);
- if (ortn) {
- fprintf(stderr, "SecTrustSetVerifyDate\n");
- ourRtn = 1;
- goto errOut;
- }
- }
-
- /* Evaluate certs */
- ortn = SecTrustEvaluate(trustRef, &resultType);
- if (ortn) {
- /* Should never fail - error doesn't mean the cert verified badly */
- fprintf(stderr, "SecTrustEvaluate\n");
- ourRtn = 1;
- goto errOut;
- }
- switch (resultType) {
- case kSecTrustResultUnspecified:
- /* Cert chain valid, no special UserTrust assignments */
- case kSecTrustResultProceed:
- /* Cert chain valid AND user explicitly trusts this */
- break;
- case kSecTrustResultDeny:
- /* User-configured denial */
- if (!quiet) {
- fprintf(stderr, "SecTrustEvaluate result: kSecTrustResultDeny\n");
- }
- ourRtn = 1;
- break;
- case kSecTrustResultInvalid:
- /* SecTrustEvaluate not called yet */
- if (!quiet) {
- fprintf(stderr, "SecTrustEvaluate result: kSecTrustResultInvalid\n");
- }
- ourRtn = 1;
- break;
- case kSecTrustResultRecoverableTrustFailure:
- /* Failure, can be user-overridden */
- if (!quiet) {
- fprintf(stderr, "SecTrustEvaluate result: kSecTrustResultRecoverableTrustFailure\n");
- }
- ourRtn = 1;
- break;
- case kSecTrustResultFatalTrustFailure:
- /* Complete failure */
- if (!quiet) {
- fprintf(stderr, "SecTrustEvaluate result: kSecTrustResultFatalTrustFailure\n");
- }
- ourRtn = 1;
- break;
- case kSecTrustResultOtherError:
- /* Failure unrelated to trust evaluation */
- if (!quiet) {
- fprintf(stderr, "SecTrustEvaluate result: kSecTrustResultOtherError\n");
- }
- ourRtn = 1;
- break;
- default:
- /* Error is not a defined SecTrustResultType */
- if (!quiet) {
- fprintf(stderr, "Cert Verify Result: %u\n", resultType);
- }
- ourRtn = 1;
- break;
- }
-
- if ((ourRtn == 0) && !quiet) {
- printf("...certificate verification successful.\n");
- }
-errOut:
- /* Cleanup */
- CFRELEASE(certs);
- CFRELEASE(roots);
- CFRELEASE(dateRef);
- CFRELEASE(dict);
- CFRELEASE(policies);
- CFRELEASE(revPolicyRef);
- CFRELEASE(policyRef);
- CFRELEASE(trustRef);
- CFRELEASE(name);
- return ourRtn;
-}
projects / apple / security.git / blobdiff