+++ /dev/null
-/*
- * Copyright (c) 2008-2009,2012,2014 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- *
- * access_utils.c
- */
-
-#include "access_utils.h"
-#include "security_tool.h"
-#include <stdio.h>
-#include <Security/SecKeychainItem.h>
-#include <Security/SecAccess.h>
-#include <Security/SecACL.h>
-
-// create_access
-//
-// This function creates a SecAccessRef with an array of trusted applications.
-//
-int
-create_access(const char *accessName, Boolean allowAny, CFArrayRef trustedApps, SecAccessRef *access)
-{
- int result = 0;
- CFArrayRef appList = NULL;
- CFArrayRef aclList = NULL;
- CFStringRef description = NULL;
- const char *descriptionLabel = (accessName) ? accessName : "<unlabeled key>";
- CFStringRef promptDescription = NULL;
- CSSM_ACL_KEYCHAIN_PROMPT_SELECTOR promptSelector;
- SecACLRef aclRef;
- OSStatus status;
-
- if (accessName) {
- description = CFStringCreateWithCString(NULL, descriptionLabel, kCFStringEncodingUTF8);
- }
-
- status = SecAccessCreate(description, trustedApps, access);
- if (status)
- {
- sec_perror("SecAccessCreate", status);
- result = 1;
- goto cleanup;
- }
-
- // get the access control list for decryption operations (this controls access to an item's data)
- status = SecAccessCopySelectedACLList(*access, CSSM_ACL_AUTHORIZATION_DECRYPT, &aclList);
- if (status)
- {
- sec_perror("SecAccessCopySelectedACLList", status);
- result = 1;
- goto cleanup;
- }
-
- // get the first entry in the access control list
- aclRef = (SecACLRef)CFArrayGetValueAtIndex(aclList, 0);
- status = SecACLCopySimpleContents(aclRef, &appList, &promptDescription, &promptSelector);
- if (status)
- {
- sec_perror("SecACLCopySimpleContents", status);
- result = 1;
- goto cleanup;
- }
-
- if (allowAny) // "allow all applications to access this item"
- {
- // change the decryption ACL to not require the passphrase, and have a nil application list.
- promptSelector.flags &= ~CSSM_ACL_KEYCHAIN_PROMPT_REQUIRE_PASSPHRASE;
- status = SecACLSetSimpleContents(aclRef, NULL, promptDescription, &promptSelector);
- }
- else // "allow access by these applications"
- {
- // modify the application list
- status = SecACLSetSimpleContents(aclRef, trustedApps, promptDescription, &promptSelector);
- }
- if (status)
- {
- sec_perror("SecACLSetSimpleContents", status);
- result = 1;
- goto cleanup;
- }
-
-cleanup:
- if (description)
- CFRelease(description);
- if (promptDescription)
- CFRelease(promptDescription);
- if (appList)
- CFRelease(appList);
- if (aclList)
- CFRelease(aclList);
-
- return result;
-}
-
-// merge_access
-//
-// This function merges the contents of otherAccess into access.
-// Simple ACL contents are assumed, and only the standard ACL
-// for decryption operations is currently processed.
-//
-int
-merge_access(SecAccessRef access, SecAccessRef otherAccess)
-{
- OSStatus status;
- CFArrayRef aclList, newAclList;
-
- // get existing access control list for decryption operations (this controls access to an item's data)
- status = SecAccessCopySelectedACLList(access, CSSM_ACL_AUTHORIZATION_DECRYPT, &aclList);
- if (status) {
- return status;
- }
- // get desired access control list for decryption operations
- status = SecAccessCopySelectedACLList(otherAccess, CSSM_ACL_AUTHORIZATION_DECRYPT, &newAclList);
- if (status) {
- newAclList = nil;
- } else {
- SecACLRef aclRef=(SecACLRef)CFArrayGetValueAtIndex(aclList, 0);
- SecACLRef newAclRef=(SecACLRef)CFArrayGetValueAtIndex(newAclList, 0);
- CFArrayRef appList=nil;
- CFArrayRef newAppList=nil;
- CFMutableArrayRef mergedAppList = nil;
- CFStringRef promptDescription=nil;
- CFStringRef newPromptDescription=nil;
- CSSM_ACL_KEYCHAIN_PROMPT_SELECTOR promptSelector;
- CSSM_ACL_KEYCHAIN_PROMPT_SELECTOR newPromptSelector;
-
- status = SecACLCopySimpleContents(aclRef, &appList, &promptDescription, &promptSelector);
- if (!status) {
- status = SecACLCopySimpleContents(newAclRef, &newAppList, &newPromptDescription, &newPromptSelector);
- }
- if (!status) {
- if (appList) {
- mergedAppList = CFArrayCreateMutableCopy(NULL, 0, appList);
- }
- if (newAppList) {
- if (mergedAppList) {
- CFArrayAppendArray(mergedAppList, newAppList, CFRangeMake(0, CFArrayGetCount(newAppList)));
- } else {
- mergedAppList = CFArrayCreateMutableCopy(NULL, 0, newAppList);
- }
- }
- promptSelector.flags = newPromptSelector.flags;
- status = SecACLSetSimpleContents(aclRef, mergedAppList, newPromptDescription, &newPromptSelector);
- }
-
- if (appList) CFRelease(appList);
- if (newAppList) CFRelease(newAppList);
- if (mergedAppList) CFRelease(mergedAppList);
- if (promptDescription) CFRelease(promptDescription);
- if (newPromptDescription) CFRelease(newPromptDescription);
- }
- if (aclList) CFRelease(aclList);
- if (newAclList) CFRelease(newAclList);
-
- return status;
-}
-
-// modify_access
-//
-// This function updates the access for an existing item.
-// The provided access is merged with the item's existing access.
-//
-int
-modify_access(SecKeychainItemRef itemRef, SecAccessRef access)
-{
- OSStatus status;
- SecAccessRef curAccess = NULL;
- // for historical reasons, we have to modify the item's existing access reference
- // (setting the item's access to a freshly created SecAccessRef instance doesn't behave as expected)
- status = SecKeychainItemCopyAccess(itemRef, &curAccess);
- if (status) {
- sec_error("SecKeychainItemCopyAccess: %s", sec_errstr(status));
- } else {
- status = merge_access(curAccess, access); // make changes to the existing access reference
- if (!status) {
- status = SecKeychainItemSetAccess(itemRef, curAccess); // will prompt!
- if (status) {
- sec_error("SecKeychainItemSetAccess: %s", sec_errstr(status));
- }
- }
- }
- if (curAccess) {
- CFRelease(curAccess);
- }
- return status;
-}
projects / apple / security.git / blobdiff