]> git.saurik.com Git - apple/security.git/blobdiff - OSX/libsecurity_keychain/lib/SecTrust.cpp
Security-59306.61.1.tar.gz
[apple/security.git] / OSX / libsecurity_keychain / lib / SecTrust.cpp
index 3aea2e977d11d427c4afb6965317694ed7b75109..eb9d29469328f803307f2eb10c4f1bd988ada8d7 100644 (file)
  * @APPLE_LICENSE_HEADER_END@
  */
 
  * @APPLE_LICENSE_HEADER_END@
  */
 
-#include "SecTrust.h"
-#include "SecTrustPriv.h"
+#include <libDER/oids.h>
+#include <Security/oidscert.h>
+
+#include <Security/SecTrust.h>
+#include <Security/SecTrustPriv.h>
 #include "Trust.h"
 #include "Trust.h"
-#include "SecBase.h"
+#include <Security/SecBase.h>
 #include "SecBridge.h"
 #include "SecBridge.h"
-#include "SecInternal.h"
-#include "SecTrustSettings.h"
-#include "SecTrustSettingsPriv.h"
-#include "SecTrustStatusCodes.h"
-#include "SecCertificatePriv.h"
-#include "SecCertificateP.h"
-#include "SecCertificatePrivP.h"
-#include "SecPolicyPriv.h"
+#include <Security/SecInternal.h>
+#include <Security/SecTrustSettings.h>
+#include <Security/SecTrustSettingsPriv.h>
+#include <Security/SecTrustStatusCodes.h>
+#include <Security/SecCertificatePriv.h>
+#include <Security/SecPolicyPriv.h>
 #include <security_utilities/cfutilities.h>
 #include <security_utilities/cfmunge.h>
 #include <CoreFoundation/CoreFoundation.h>
 #include <security_utilities/cfutilities.h>
 #include <security_utilities/cfmunge.h>
 #include <CoreFoundation/CoreFoundation.h>
@@ -50,16 +51,6 @@ typedef struct SecTrustCheckExceptionContext {
        bool exceptionNotFound;
 } SecTrustCheckExceptionContext;
 
        bool exceptionNotFound;
 } SecTrustCheckExceptionContext;
 
-// public trust result constants
-const CFStringRef kSecTrustEvaluationDate           = CFSTR("TrustEvaluationDate");
-const CFStringRef kSecTrustExtendedValidation       = CFSTR("TrustExtendedValidation");
-const CFStringRef kSecTrustOrganizationName         = CFSTR("Organization");
-const CFStringRef kSecTrustResultValue              = CFSTR("TrustResultValue");
-const CFStringRef kSecTrustRevocationChecked        = CFSTR("TrustRevocationChecked");
-const CFStringRef kSecTrustRevocationReason         = CFSTR("TrustRevocationReason");
-const CFStringRef kSecTrustRevocationValidUntilDate = CFSTR("TrustExpirationDate");
-const CFStringRef kSecTrustResultDetails            = CFSTR("TrustResultDetails");
-
 //
 // Sec* API bridge functions
 //
 //
 // Sec* API bridge functions
 //
@@ -191,86 +182,19 @@ static uint8_t convertCssmResultToPriority(CSSM_RETURN resultCode) {
     }
 }
 
     }
 }
 
-#include <libDER/oidsPriv.h>
-#include <Security/oidscert.h>
-static bool isSoftwareUpdateDevelopment(SecTrustRef trust) {
-    bool isPolicy = false, isEKU = false;
-    CFArrayRef policies = NULL;
-
-    /* Policy used to evaluate was SWUpdateSigning */
-    SecTrustCopyPolicies(trust, &policies);
-    if (policies) {
-        SecPolicyRef swUpdatePolicy = SecPolicyCreateAppleSWUpdateSigning();
-        if (swUpdatePolicy && CFArrayContainsValue(policies, CFRangeMake(0, CFArrayGetCount(policies)),
-                                                   swUpdatePolicy)) {
-            isPolicy = true;
-        }
-        if (swUpdatePolicy) { CFRelease(swUpdatePolicy); }
-        CFRelease(policies);
-    }
-    if (!isPolicy) {
-        return false;
-    }
-
-    /* Only error was EKU on the leaf */
-    CFArrayRef details = SecTrustCopyFilteredDetails(trust);
-    CFIndex ix, count = CFArrayGetCount(details);
-    bool hasDisqualifyingError = false;
-    for (ix = 0; ix < count; ix++) {
-        CFDictionaryRef detail = (CFDictionaryRef)CFArrayGetValueAtIndex(details, ix);
-        if (ix == 0) { // Leaf
-            if (CFDictionaryGetCount(detail) != 1 || // One error
-                CFDictionaryGetValue(detail, CFSTR("ExtendedKeyUsage")) != kCFBooleanFalse) { // kSecPolicyCheckExtendedKeyUsage
-                hasDisqualifyingError = true;
-                break;
-            }
-        } else {
-            if (CFDictionaryGetCount(detail) > 0) { // No errors on other certs
-                hasDisqualifyingError = true;
-                break;
-            }
-        }
-    }
-    CFReleaseSafe(details);
-    if (hasDisqualifyingError) {
-        return false;
-    }
-
-    /* EKU on the leaf is the Apple Development Code Signing OID */
-    SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
-    CSSM_DATA *fieldValue = NULL;
-    if (errSecSuccess != SecCertificateCopyFirstFieldValue(leaf, &CSSMOID_ExtendedKeyUsage, &fieldValue)) {
-        return false;
-    }
-    if (fieldValue && fieldValue->Data && fieldValue->Length == sizeof(CSSM_X509_EXTENSION)) {
-        const CSSM_X509_EXTENSION *ext = (const CSSM_X509_EXTENSION *)fieldValue->Data;
-        if (ext->format == CSSM_X509_DATAFORMAT_PARSED) {
-            const CE_ExtendedKeyUsage *ekus = (const CE_ExtendedKeyUsage *)ext->value.parsedValue;
-            if (ekus && (ekus->numPurposes == 1) && ekus->purposes[0].Data &&
-                (ekus->purposes[0].Length == CSSMOID_APPLE_EKU_CODE_SIGNING_DEV.Length) &&
-                (memcmp(ekus->purposes[0].Data, CSSMOID_APPLE_EKU_CODE_SIGNING_DEV.Data,
-                        ekus->purposes[0].Length) == 0)) {
-                isEKU = true;
-            }
-        }
-    }
-    SecCertificateReleaseFirstFieldValue(leaf, &CSSMOID_ExtendedKeyUsage, fieldValue);
-    return isEKU;
-}
-
 //
 // Retrieve CSSM_LEVEL TP return code
 //
 /* OS X only: __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA) */
 OSStatus SecTrustGetCssmResultCode(SecTrustRef trustRef, OSStatus *result)
 {
 //
 // Retrieve CSSM_LEVEL TP return code
 //
 /* OS X only: __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA) */
 OSStatus SecTrustGetCssmResultCode(SecTrustRef trustRef, OSStatus *result)
 {
-       /* bridge to support old functionality */
+    /* bridge to support old functionality */
 #if SECTRUST_DEPRECATION_WARNINGS
     syslog(LOG_ERR, "WARNING: SecTrustGetCssmResultCode has been deprecated since 10.7, and will be removed in a future release. Please use SecTrustCopyProperties instead.");
 #endif
 #if SECTRUST_DEPRECATION_WARNINGS
     syslog(LOG_ERR, "WARNING: SecTrustGetCssmResultCode has been deprecated since 10.7, and will be removed in a future release. Please use SecTrustCopyProperties instead.");
 #endif
-       if (!trustRef || !result) {
-               return errSecParam;
-       }
+    if (!trustRef || !result) {
+        return errSecParam;
+    }
 
     SecTrustResultType trustResult = kSecTrustResultInvalid;
     (void) SecTrustGetTrustResult(trustRef, &trustResult);
 
     SecTrustResultType trustResult = kSecTrustResultInvalid;
     (void) SecTrustGetTrustResult(trustRef, &trustResult);
@@ -279,15 +203,6 @@ OSStatus SecTrustGetCssmResultCode(SecTrustRef trustRef, OSStatus *result)
         return errSecSuccess;
     }
 
         return errSecSuccess;
     }
 
-    /* Development Software Update certs return a special error code when evaluated
-     * against the AppleSWUpdateSigning policy. See <rdar://27362805>. */
-    if (isSoftwareUpdateDevelopment(trustRef)) {
-        if (result) {
-            *result = CSSMERR_APPLETP_CODE_SIGN_DEVELOPMENT;
-        }
-        return errSecSuccess;
-    }
-
     OSStatus cssmResultCode = errSecSuccess;
     uint8_t resultCodePriority = 0xFF;
     CFIndex ix, count = SecTrustGetCertificateCount(trustRef);
     OSStatus cssmResultCode = errSecSuccess;
     uint8_t resultCodePriority = 0xFF;
     CFIndex ix, count = SecTrustGetCertificateCount(trustRef);
@@ -310,10 +225,10 @@ OSStatus SecTrustGetCssmResultCode(SecTrustRef trustRef, OSStatus *result)
         if (resultCodePriority == 1) { break; }
     }
 
         if (resultCodePriority == 1) { break; }
     }
 
-       if (result) {
-               *result = cssmResultCode;
-       }
-       return errSecSuccess;
+    if (result) {
+        *result = cssmResultCode;
+    }
+    return errSecSuccess;
 }
 
 /* OS X only: __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA) */
 }
 
 /* OS X only: __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA) */
@@ -351,9 +266,9 @@ OSStatus SecTrustCopyAnchorCertificates(CFArrayRef *anchorCertificates)
     /* Go through outArray and do a SecTrustEvaluate */
     CFIndex i;
     SecPolicyRef policy = SecPolicyCreateBasicX509();
     /* Go through outArray and do a SecTrustEvaluate */
     CFIndex i;
     SecPolicyRef policy = SecPolicyCreateBasicX509();
+    SecTrustRef trust = NULL;
     CFMutableArrayRef trustedCertArray = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
     for (i = 0; i < count ; i++) {
     CFMutableArrayRef trustedCertArray = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
     for (i = 0; i < count ; i++) {
-        SecTrustRef trust;
         SecTrustResultType result;
         SecCertificateRef certificate = (SecCertificateRef) CFArrayGetValueAtIndex(outArray, i);
         status = SecTrustCreateWithCertificates(certificate, policy, &trust);
         SecTrustResultType result;
         SecCertificateRef certificate = (SecCertificateRef) CFArrayGetValueAtIndex(outArray, i);
         status = SecTrustCreateWithCertificates(certificate, policy, &trust);
@@ -369,6 +284,7 @@ OSStatus SecTrustCopyAnchorCertificates(CFArrayRef *anchorCertificates)
         if (result != kSecTrustResultFatalTrustFailure) {
             CFArrayAppendValue(trustedCertArray, certificate);
         }
         if (result != kSecTrustResultFatalTrustFailure) {
             CFArrayAppendValue(trustedCertArray, certificate);
         }
+        CFReleaseNull(trust);
     }
     if (CFArrayGetCount(trustedCertArray) == 0) {
        status = errSecNoTrustSettings;
     }
     if (CFArrayGetCount(trustedCertArray) == 0) {
        status = errSecNoTrustSettings;
@@ -379,17 +295,26 @@ OSStatus SecTrustCopyAnchorCertificates(CFArrayRef *anchorCertificates)
 out:
        CFReleaseSafe(outArray);
     CFReleaseSafe(policy);
 out:
        CFReleaseSafe(outArray);
     CFReleaseSafe(policy);
+    CFReleaseSafe(trust);
     return status;
        END_SECAPI
 }
 
     return status;
        END_SECAPI
 }
 
-/* We have an iOS-style SecTrustRef, but we need to return a CDSA-based SecKeyRef.
+/*
+ * We have an iOS-style SecTrustRef, but we need to return a CDSA-based SecKeyRef.
+ *
+ * If you need a SecKeyRef based of the iOS based SecKey, check certificate chain
+ * length, get certificate with SecTrustGetCertificateAtIndex(0), use
+ * SecCertificateCopyKey() to get a iOS based key.
  */
 SecKeyRef SecTrustCopyPublicKey(SecTrustRef trust)
 {
        SecKeyRef pubKey = NULL;
        SecCertificateRef certificate = SecTrustGetCertificateAtIndex(trust, 0);
  */
 SecKeyRef SecTrustCopyPublicKey(SecTrustRef trust)
 {
        SecKeyRef pubKey = NULL;
        SecCertificateRef certificate = SecTrustGetCertificateAtIndex(trust, 0);
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wdeprecated-declarations"
        (void) SecCertificateCopyPublicKey(certificate, &pubKey);
        (void) SecCertificateCopyPublicKey(certificate, &pubKey);
+#pragma clang diagnostic pop
        return pubKey;
 }
 
        return pubKey;
 }