+++ /dev/null
-/*
- * Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-/*
- * identPicker.cpp - Given a keychain, select from possible multiple
- * SecIdentityRefs via stdio UI, and cook up a
- * CFArray containing that identity and all certs needed
- * for cert verification by an SSL peer. The resulting
- * CFArrayRef is suitable for passing to SSLSetCertificate().
- */
-
-#include "identPicker.h"
-#include <sys/param.h>
-#include <string.h>
-#include <stdio.h>
-#include <ctype.h>
-
-/*
- * Safe gets().
- * -- guaranteed no buffer overflow
- * -- guaranteed NULL-terminated string
- * -- handles empty string (i.e., response is just CR) properly
- */
-static void getString(
- char *buf,
- unsigned bufSize)
-{
- unsigned dex;
- char c;
- char *cp = buf;
-
- for(dex=0; dex<bufSize-1; dex++) {
- c = getchar();
- if(!isprint(c)) {
- break;
- }
- switch(c) {
- case '\n':
- case '\r':
- goto done;
- default:
- *cp++ = c;
- }
- }
-done:
- *cp = '\0';
-}
-
-/*
- * Obtain the printable name of a SecKeychainItemRef as a C string.
- * Caller must free() the result.
- */
-static char *kcItemPrintableName(
- SecKeychainItemRef certRef)
-{
- char *crtn = NULL;
-
- /* just search for the one attr we want */
- UInt32 tag = kSecLabelItemAttr;
- SecKeychainAttributeInfo attrInfo;
- attrInfo.count = 1;
- attrInfo.tag = &tag;
- attrInfo.format = NULL;
- SecKeychainAttributeList *attrList = NULL;
- SecKeychainAttribute *attr = NULL;
-
- OSStatus ortn = SecKeychainItemCopyAttributesAndData(
- (SecKeychainItemRef)certRef,
- &attrInfo,
- NULL, // itemClass
- &attrList,
- NULL, // length - don't need the data
- NULL); // outData
- if(ortn) {
- cssmPerror("SecKeychainItemCopyAttributesAndData", ortn);
- /* may want to be a bit more robust here, but this should
- * never happen */
- return strdup("Unnamed KeychainItem");
- }
- /* subsequent errors to errOut: */
-
- if((attrList == NULL) || (attrList->count != 1)) {
- printf("***Unexpected result fetching label attr\n");
- crtn = strdup("Unnamed KeychainItem");
- goto errOut;
- }
- /* We're assuming 8-bit ASCII attribute data here... */
- attr = attrList->attr;
- crtn = (char *)malloc(attr->length + 1);
- memmove(crtn, attr->data, attr->length);
- crtn[attr->length] = '\0';
-
-errOut:
- SecKeychainItemFreeAttributesAndData(attrList, NULL);
- return crtn;
-}
-
-/*
- * Get the final term of a keychain's path as a C string. Caller must free()
- * the result.
- */
-static char *kcFileName(
- SecKeychainRef kcRef)
-{
- char fullPath[MAXPATHLEN + 1];
- OSStatus ortn;
- UInt32 pathLen = MAXPATHLEN;
-
- ortn = SecKeychainGetPath(kcRef, &pathLen, fullPath);
- if(ortn) {
- cssmPerror("SecKeychainGetPath", ortn);
- return strdup("orphan keychain");
- }
-
- /* NULL terminate the path string and search for final '/' */
- fullPath[pathLen] = '\0';
- char *lastSlash = NULL;
- char *thisSlash = fullPath;
- do {
- thisSlash = strchr(thisSlash, '/');
- if(thisSlash == NULL) {
- /* done */
- break;
- }
- thisSlash++;
- lastSlash = thisSlash;
- } while(thisSlash != NULL);
- if(lastSlash == NULL) {
- /* no slashes, odd, but handle it */
- return strdup(fullPath);
- }
- else {
- return strdup(lastSlash);
- }
-}
-
-/*
- * Determine if specified SecCertificateRef is a self-signed cert.
- * We do this by comparing the subject and issuerr names; no cryptographic
- * verification is performed.
- *
- * Returns true if the cert appears to be a root.
- */
-static bool isCertRefRoot(
- SecCertificateRef certRef)
-{
- /* just search for the two attrs we want */
- UInt32 tags[2] = {kSecSubjectItemAttr, kSecIssuerItemAttr};
- SecKeychainAttributeInfo attrInfo;
- attrInfo.count = 2;
- attrInfo.tag = tags;
- attrInfo.format = NULL;
- SecKeychainAttributeList *attrList = NULL;
- SecKeychainAttribute *attr1 = NULL;
- SecKeychainAttribute *attr2 = NULL;
- bool brtn = false;
-
- OSStatus ortn = SecKeychainItemCopyAttributesAndData(
- (SecKeychainItemRef)certRef,
- &attrInfo,
- NULL, // itemClass
- &attrList,
- NULL, // length - don't need the data
- NULL); // outData
- if(ortn) {
- cssmPerror("SecKeychainItemCopyAttributesAndData", ortn);
- /* may want to be a bit more robust here, but this should
- * never happen */
- return false;
- }
- /* subsequent errors to errOut: */
-
- if((attrList == NULL) || (attrList->count != 2)) {
- printf("***Unexpected result fetching label attr\n");
- goto errOut;
- }
-
- /* rootness is just byte-for-byte compare of the two names */
- attr1 = &attrList->attr[0];
- attr2 = &attrList->attr[1];
- if(attr1->length == attr2->length) {
- if(memcmp(attr1->data, attr2->data, attr1->length) == 0) {
- brtn = true;
- }
- }
-errOut:
- SecKeychainItemFreeAttributesAndData(attrList, NULL);
- return brtn;
-}
-
-
-/*
- * Given a SecIdentityRef, do our best to construct a complete, ordered, and
- * verified cert chain, returning the result in a CFArrayRef. The result is
- * suitable for use when calling SSLSetCertificate().
- */
-static OSStatus completeCertChain(
- SecIdentityRef identity,
- SecCertificateRef trustedAnchor, // optional additional trusted anchor
- bool includeRoot, // include the root in outArray
- CFArrayRef *outArray) // created and RETURNED
-{
- CFMutableArrayRef certArray;
- SecTrustRef secTrust = NULL;
- SecPolicyRef policy = NULL;
- SecPolicySearchRef policySearch = NULL;
- SecTrustResultType secTrustResult;
- CSSM_TP_APPLE_EVIDENCE_INFO *dummyEv; // not used
- CFArrayRef certChain = NULL; // constructed chain
- CFIndex numResCerts;
-
- certArray = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
- CFArrayAppendValue(certArray, identity);
-
- /*
- * Case 1: identity is a root; we're done. Note that this case
- * overrides the includeRoot argument.
- */
- SecCertificateRef certRef;
- OSStatus ortn = SecIdentityCopyCertificate(identity, &certRef);
- if(ortn) {
- /* should never happen */
- cssmPerror("SecIdentityCopyCertificate", ortn);
- return ortn;
- }
- bool isRoot = isCertRefRoot(certRef);
- if(isRoot) {
- *outArray = certArray;
- CFRelease(certRef);
- return noErr;
- }
-
- /*
- * Now use SecTrust to get a complete cert chain, using all of the
- * user's keychains to look for intermediate certs.
- * NOTE this does NOT handle root certs which are not in the system
- * root cert DB. (The above case, where the identity is a root cert, does.)
- */
- CFMutableArrayRef subjCerts = CFArrayCreateMutable(NULL, 1, &kCFTypeArrayCallBacks);
- CFArraySetValueAtIndex(subjCerts, 0, certRef);
-
- /* the array owns the subject cert ref now */
- CFRelease(certRef);
-
- /* Get a SecPolicyRef for generic X509 cert chain verification */
- ortn = SecPolicySearchCreate(CSSM_CERT_X_509v3,
- &CSSMOID_APPLE_X509_BASIC,
- NULL, // value
- &policySearch);
- if(ortn) {
- cssmPerror("SecPolicySearchCreate", ortn);
- goto errOut;
- }
- ortn = SecPolicySearchCopyNext(policySearch, &policy);
- if(ortn) {
- cssmPerror("SecPolicySearchCopyNext", ortn);
- goto errOut;
- }
-
- /* build a SecTrustRef for specified policy and certs */
- ortn = SecTrustCreateWithCertificates(subjCerts,
- policy, &secTrust);
- if(ortn) {
- cssmPerror("SecTrustCreateWithCertificates", ortn);
- goto errOut;
- }
-
- if(trustedAnchor) {
- /*
- * Tell SecTrust to trust this one in addition to the current
- * trusted system-wide anchors.
- */
- CFMutableArrayRef newAnchors;
- CFArrayRef currAnchors;
-
- ortn = SecTrustCopyAnchorCertificates(&currAnchors);
- if(ortn) {
- /* should never happen */
- cssmPerror("SecTrustCopyAnchorCertificates", ortn);
- goto errOut;
- }
- newAnchors = CFArrayCreateMutableCopy(NULL,
- CFArrayGetCount(currAnchors) + 1,
- currAnchors);
- CFRelease(currAnchors);
- CFArrayAppendValue(newAnchors, trustedAnchor);
- ortn = SecTrustSetAnchorCertificates(secTrust, newAnchors);
- CFRelease(newAnchors);
- if(ortn) {
- cssmPerror("SecTrustSetAnchorCertificates", ortn);
- goto errOut;
- }
- }
- /* evaluate: GO */
- ortn = SecTrustEvaluate(secTrust, &secTrustResult);
- if(ortn) {
- cssmPerror("SecTrustEvaluate", ortn);
- goto errOut;
- }
- switch(secTrustResult) {
- case kSecTrustResultUnspecified:
- /* cert chain valid, no special UserTrust assignments */
- case kSecTrustResultProceed:
- /* cert chain valid AND user explicitly trusts this */
- break;
- default:
- /*
- * Cert chain construction failed.
- * Just go with the single subject cert we were given.
- */
- printf("***Warning: could not construct completed cert chain\n");
- ortn = noErr;
- goto errOut;
- }
-
- /* get resulting constructed cert chain */
- ortn = SecTrustGetResult(secTrust, &secTrustResult, &certChain, &dummyEv);
- if(ortn) {
- cssmPerror("SecTrustEvaluate", ortn);
- goto errOut;
- }
-
- /*
- * Copy certs from constructed chain to our result array, skipping
- * the leaf (which is already there, as a SecIdentityRef) and possibly
- * a root.
- */
- numResCerts = CFArrayGetCount(certChain);
- if(numResCerts < 2) {
- /*
- * Can't happen: if subject was a root, we'd already have returned.
- * If chain doesn't verify to a root, we'd have bailed after
- * SecTrustEvaluate().
- */
- printf("***sslCompleteCertChain screwup: numResCerts %d\n",
- (int)numResCerts);
- ortn = noErr;
- goto errOut;
- }
- if(!includeRoot) {
- /* skip the last (root) cert) */
- numResCerts--;
- }
- for(CFIndex dex=1; dex<numResCerts; dex++) {
- certRef = (SecCertificateRef)CFArrayGetValueAtIndex(certChain, dex);
- CFArrayAppendValue(certArray, certRef);
- }
-errOut:
- /* clean up */
- if(secTrust) {
- CFRelease(secTrust);
- }
- if(subjCerts) {
- CFRelease(subjCerts);
- }
- if(policy) {
- CFRelease(policy);
- }
- if(policySearch) {
- CFRelease(policySearch);
- }
- *outArray = certArray;
- return ortn;
-}
-
-
-/*
- * Given an array of SecIdentityRefs:
- * -- display a printable name of each identity's cert;
- * -- prompt user to select which one to use;
- *
- * Returns CFIndex of desired identity. A return of <0 indicates
- * "none - abort".
- */
-static CFIndex pickIdent(
- CFArrayRef idArray)
-{
- CFIndex count = CFArrayGetCount(idArray);
- CFIndex dex;
- OSStatus ortn;
-
- if(count == 0) {
- printf("***sslIdentPicker screwup: no identities found\n");
- return -1;
- }
- for(dex=0; dex<count; dex++) {
- SecIdentityRef idRef = (SecIdentityRef)CFArrayGetValueAtIndex(idArray, dex);
- SecCertificateRef certRef;
- ortn = SecIdentityCopyCertificate(idRef, &certRef);
- if(ortn) {
- /* should never happen */
- cssmPerror("SecIdentityCopyCertificate", ortn);
- return -1;
- }
-
- /* get printable name of cert and the keychain it's in */
- char *certLabel = kcItemPrintableName((SecKeychainItemRef)certRef);
- SecKeychainRef kcRef;
- char *kcLabel;
- ortn = SecKeychainItemCopyKeychain((SecKeychainItemRef)certRef, &kcRef);
- if(ortn) {
- cssmPerror("SecKeychainItemCopyKeychain", ortn);
- kcLabel = "Unnamed keychain";
- }
- else {
- kcLabel = kcFileName(kcRef);
- }
- printf("[%d] keychain : %s\n", (int)dex, kcLabel);
- printf(" cert : %s\n", certLabel);
- free(certLabel);
- if(ortn == noErr) {
- free(kcLabel);
- }
- CFRelease(certRef);
- }
-
- while(1) {
- fpurge(stdin);
- printf("\nEnter Certificate number or CR to quit : ");
- fflush(stdout);
- char resp[64];
- getString(resp, sizeof(resp));
- if(resp[0] == '\0') {
- return -1;
- }
- int ires = atoi(resp);
- if((ires >= 0) && (ires < count)) {
- return (CFIndex)ires;
- }
- printf("***Invalid entry. Type a number between 0 and %d\n",
- (int)(count-1));
- }
- return -1;
-}
-
-OSStatus simpleIdentPicker(
- SecKeychainRef kcRef, // NULL means use default list
- SecIdentityRef *ident) // RETURNED
-{
- OSStatus ortn;
- CFMutableArrayRef idArray = NULL; // holds all SecIdentityRefs found
-
- /* Search for all identities */
- *ident = NULL;
- SecIdentitySearchRef srchRef = nil;
- ortn = SecIdentitySearchCreate(kcRef,
- 0, // keyUsage - any
- &srchRef);
- if(ortn) {
- cssmPerror("SecIdentitySearchCreate", (CSSM_RETURN)ortn);
- printf("Cannot find signing key in keychain.\n");
- return ortn;
- }
-
- /* get all identities, stuff them into idArray */
- SecIdentityRef identity = nil;
- idArray = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
- do {
- ortn = SecIdentitySearchCopyNext(srchRef, &identity);
- if(ortn != noErr) {
- break;
- }
- CFArrayAppendValue(idArray, identity);
-
- /* the array has the retain count we need */
- CFRelease(identity);
- } while(ortn == noErr);
-
- switch(ortn) {
- case errSecItemNotFound:
- if(CFArrayGetCount(idArray) == 0) {
- printf("No signing keys found in keychain.\n");
- return errSecItemNotFound;
- }
- else {
- /* found at least one; proceed */
- break;
- }
- default:
- cssmPerror("SecIdentitySearchCopyNext", (CSSM_RETURN)ortn);
- printf("Cannot find signing key in keychain.\n");
- return ortn;
- }
-
- /*
- * If there is just one, use it without asking
- */
- CFIndex whichId;
- if(CFArrayGetCount(idArray) == 1) {
- whichId = 0;
- }
- else {
- whichId = pickIdent(idArray);
- if(whichId < 0) {
- return CSSMERR_CSSM_USER_CANCELED;
- }
- }
-
- /* keep this one, free the rest */
- identity = (SecIdentityRef)CFArrayGetValueAtIndex(idArray, whichId);
- CFRetain(identity);
- CFRelease(idArray);
- *ident = identity;
- return noErr;
-}
-
-OSStatus identPicker(
- SecKeychainRef kcRef, // NULL means use default list
- SecCertificateRef trustedAnchor, // optional additional trusted anchor
- bool includeRoot, // true --> root is appended to outArray
- // false --> root not included
- CFArrayRef *outArray) // created and RETURNED
-{
- OSStatus ortn;
- SecIdentityRef identity;
-
- ortn = simpleIdentPicker(kcRef, &identity);
- if(ortn) {
- return ortn;
- }
- return completeCertChain(identity, trustedAnchor, includeRoot, outArray);
-}
-
projects / apple / security.git / blobdiff