+++ /dev/null
-/*
- * Copyright (c) 2003-2010,2012,2014 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- *
- * identity_prefs.c
- */
-
-#include "identity_prefs.h"
-#include "identity_find.h"
-#include "keychain_utilities.h"
-#include "security_tool.h"
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#include <Security/cssmtype.h>
-#include <Security/SecCertificate.h>
-#include <Security/SecIdentity.h>
-#include <Security/SecIdentitySearch.h>
-#include <Security/SecItem.h>
-
-// SecCertificateInferLabel, SecDigestGetData
-#include <Security/SecCertificatePriv.h>
-
-
-static int
-do_set_identity_preference(CFTypeRef keychainOrArray,
- const char *identity,
- const char *service,
- CSSM_KEYUSE keyUsage,
- const char *hash)
-{
- int result = 0;
- CFStringRef serviceRef = NULL;
- SecIdentityRef identityRef = NULL;
-
- // must have a service name
- if (!service) {
- return SHOW_USAGE_MESSAGE;
- }
-
- // find identity (if specified by name or hash)
- if (identity || hash) {
- identityRef = CopyMatchingIdentity(keychainOrArray, identity, hash, keyUsage);
- if (!identityRef) {
- sec_error("No matching identity found for \"%s\"", (hash) ? hash : identity);
- result = 1;
- goto cleanup;
- }
- }
-
- // set the identity preference
- serviceRef = CFStringCreateWithCString(NULL, service, kCFStringEncodingUTF8);
- result = SecIdentitySetPreference(identityRef, serviceRef, keyUsage);
-
-cleanup:
- if (identityRef)
- CFRelease(identityRef);
- if (serviceRef)
- CFRelease(serviceRef);
-
- return result;
-}
-
-typedef struct {
- int i;
- const char *name;
-} ctk_print_context;
-
-OSStatus ctk_dump_item(CFTypeRef item, ctk_print_context *ctx);
-
-static int
-do_get_identity_preference(const char *service,
- CSSM_KEYUSE keyUsage,
- Boolean printName,
- Boolean printHash,
- Boolean pemFormat)
-{
- int result = 0;
- if (!service) {
- return SHOW_USAGE_MESSAGE;
- }
- CFStringRef serviceRef = CFStringCreateWithCString(NULL, service, kCFStringEncodingUTF8);
- SecCertificateRef certRef = NULL;
- SecIdentityRef identityRef = NULL;
- CSSM_DATA certData = { 0, NULL };
-
- result = SecIdentityCopyPreference(serviceRef, keyUsage, NULL, &identityRef);
- if (result) {
- sec_perror("SecIdentityCopyPreference", result);
- goto cleanup;
- }
- result = SecIdentityCopyCertificate(identityRef, &certRef);
- if (result) {
- sec_perror("SecIdentityCopyCertificate", result);
- goto cleanup;
- }
- result = SecCertificateGetData(certRef, &certData);
- if (result) {
- sec_perror("SecCertificateGetData", result);
- goto cleanup;
- }
-
- if (printName) {
- char *nameBuf = NULL;
- CFStringRef nameRef = NULL;
- (void)SecCertificateCopyCommonName(certRef, &nameRef);
- CFIndex nameLen = (nameRef) ? CFStringGetLength(nameRef) : 0;
- if (nameLen > 0) {
- CFIndex bufLen = 1 + CFStringGetMaximumSizeForEncoding(nameLen, kCFStringEncodingUTF8);
- nameBuf = (char *)malloc(bufLen);
- if (!CFStringGetCString(nameRef, nameBuf, bufLen-1, kCFStringEncodingUTF8))
- nameBuf[0]=0;
- }
- fprintf(stdout, "common name: \"%s\"\n", (nameBuf && nameBuf[0] != 0) ? nameBuf : "<NULL>");
- if (nameBuf)
- free(nameBuf);
- safe_CFRelease(&nameRef);
- }
-
- if (printHash) {
- uint8 sha1_hash[20];
- CSSM_DATA digest;
- digest.Length = sizeof(sha1_hash);
- digest.Data = sha1_hash;
- if (SecDigestGetData(CSSM_ALGID_SHA1, &digest, &certData) == CSSM_OK) {
- unsigned int i;
- size_t len = digest.Length;
- uint8 *cp = digest.Data;
- fprintf(stdout, "SHA-1 hash: ");
- for(i=0; i<len; i++) {
- fprintf(stdout, "%02X", ((unsigned char *)cp)[i]);
- }
- fprintf(stdout, "\n");
- }
- }
-
- if (pemFormat)
- {
- CSSM_DATA certData = { 0, NULL };
- result = SecCertificateGetData(certRef, &certData);
- if (result) {
- sec_perror("SecCertificateGetData", result);
- goto cleanup;
- }
-
- print_buffer_pem(stdout, "CERTIFICATE", certData.Length, certData.Data);
- }
- else
- {
- CFTypeRef keys[] = { kSecValueRef, kSecReturnAttributes };
- CFTypeRef values[] = { certRef, kCFBooleanTrue };
- CFDictionaryRef query = CFDictionaryCreate(kCFAllocatorDefault, keys, values, sizeof(keys) / sizeof(CFTypeRef), &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
- CFDictionaryRef attributes = NULL;
- if (SecItemCopyMatching(query, (void *)&attributes) == errSecSuccess && CFDictionaryContainsKey(attributes, kSecAttrTokenID)) {
- ctk_print_context ctx = { 1, "certificate" };
- ctk_dump_item(attributes, &ctx);
- } else
- print_keychain_item_attributes(stdout, (SecKeychainItemRef)certRef, FALSE, FALSE, FALSE, FALSE);
-
- CFRelease(query);
- if(attributes)
- CFRelease(attributes);
- }
-
-cleanup:
- safe_CFRelease(&serviceRef);
- safe_CFRelease(&certRef);
- safe_CFRelease(&identityRef);
-
- return result;
-}
-
-int
-set_identity_preference(int argc, char * const *argv)
-{
- int ch, result = 0;
- char *identity = NULL, *service = NULL, *hash = NULL;
- CSSM_KEYUSE keyUsage = 0;
- CFTypeRef keychainOrArray = NULL;
-
- /*
- * " -n Specify no identity (clears existing preference for service)\n"
- * " -c Specify identity by common name of the certificate\n"
- * " -s Specify service (URI, email address, DNS host, or other name)\n"
- * " for which this identity is to be preferred\n"
- * " -u Specify key usage (optional)\n"
- * " -Z Specify identity by SHA-1 hash of certificate (optional)\n"
- */
-
- while ((ch = getopt(argc, argv, "hnc:s:u:Z:")) != -1)
- {
- switch (ch)
- {
- case 'n':
- identity = NULL;
- break;
- case 'c':
- identity = optarg;
- break;
- case 's':
- service = optarg;
- break;
- case 'u':
- keyUsage = atoi(optarg);
- break;
- case 'Z':
- hash = optarg;
- break;
- case '?':
- default:
- result = SHOW_USAGE_MESSAGE;
- goto cleanup;
- }
- }
-
- argc -= optind;
- argv += optind;
-
- keychainOrArray = keychain_create_array(argc, argv);
-
- result = do_set_identity_preference(keychainOrArray, identity, service, keyUsage, hash);
-
-cleanup:
- safe_CFRelease(&keychainOrArray);
-
- return result;
-}
-
-int
-get_identity_preference(int argc, char * const *argv)
-{
- int ch, result = 0;
- char *service = NULL;
- Boolean printName = FALSE, printHash = FALSE, pemFormat = FALSE;
- CSSM_KEYUSE keyUsage = 0;
-
- /*
- * " -s Specify service (URI, email address, DNS host, or other name)\n"
- * " -u Specify key usage (optional)\n"
- * " -p Output identity certificate in pem format\n"
- * " -c Print common name of the preferred identity certificate (optional)\n"
- * " -Z Print SHA-1 hash of the preferred identity certificate (optional)\n"
- */
-
- while ((ch = getopt(argc, argv, "hs:u:pcZ")) != -1)
- {
- switch (ch)
- {
- case 'c':
- printName = TRUE;
- break;
- case 'p':
- pemFormat = TRUE;
- break;
- case 's':
- service = optarg;
- break;
- case 'u':
- keyUsage = atoi(optarg);
- break;
- case 'Z':
- printHash = TRUE;
- break;
- case '?':
- default:
- result = 2; /* @@@ Return 2 triggers usage message. */
- goto cleanup;
- }
- }
-
- result = do_get_identity_preference(service, keyUsage, printName, printHash, pemFormat);
-
-cleanup:
-
- return result;
-}
-
projects / apple / security.git / blobdiff