+++ /dev/null
-/*
- * trustApps.cpp - set list of trusted apps for specified executable
- */
-#include <Security/Security.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <utilLib/common.h>
-#include <clAppUtils/identPicker.h>
-
-static void usage(char **argv)
-{
- printf("Usage: %s keychain [-q(uiet)] executable ...\n", argv[0]);
- exit(1);
-}
-
-int main(int argc, char **argv)
-{
- if(argc < 3) {
- usage(argv);
- }
-
- const char *keychainName = argv[1];
- int nextArg;
- bool quiet = false;
- OSStatus ortn;
-
- for(nextArg=2; nextArg<argc; ) {
- char *argp = argv[nextArg];
- if(argp[0] != '-') {
- break;
- }
- switch(argp[2]) {
- case 'q':
- quiet = true;
- break;
- default:
- usage(argv);
- }
- }
- if(nextArg == argc) {
- usage(argv);
- }
-
- /* create an array of SecTrustedApplications */
- CFMutableArrayRef appList = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
- for(; nextArg<argc; nextArg++) {
- SecTrustedApplicationRef appRef;
- ortn = SecTrustedApplicationCreateFromPath(argv[nextArg], &appRef);
- if(ortn) {
- cssmPerror("SecTrustedApplicationCreateFromPath", ortn);
- exit(1);
- }
- CFArrayAppendValue(appList, appRef);
- }
-
- /* Find a signing identity; extract its private key */
- SecKeychainRef kcRef;
- ortn = SecKeychainOpen(keychainName, &kcRef);
- if(ortn) {
- cssmPerror("SecKeychainOpen", ortn);
- exit(1);
- }
- SecIdentityRef identRef;
- ortn = sslSimpleIdentPicker(kcRef, &identRef);
- if(ortn) {
- exit(1);
- }
-
- SecKeyRef keyRef;
- ortn = SecIdentityCopyPrivateKey(identRef, &keyRef);
- if(ortn) {
- cssmPerror("SecIdentityCopyPrivateKey", ortn);
- exit(1);
- }
-
- /*
- * Get existing ACL list (may be empty)
- */
- SecAccessRef accessRef;
- CFArrayRef aclList = NULL;
- ortn = SecKeychainItemCopyAccess((SecKeychainItemRef)keyRef, &accessRef);
- if(ortn) {
- cssmPerror("SecIdentityCopyPrivateKey", ortn);
- exit(1);
- }
- ortn = SecAccessCopySelectedACLList(accessRef, CSSM_ACL_AUTHORIZATION_DECRYPT,
- &aclList);
- if(ortn) {
- cssmPerror("SecAccessCopySelectedACLList", ortn);
- exit(1);
- }
- if((aclList == NULL) || (CFArrayGetCount(aclList) == 0)) {
- printf("No ACL list found. I don't know how to set the trusted app list.\n");
- exit(1);
- }
-
- /* append our app list to each ACL's trusted app list */
- for(int aclDex=0; aclDex<CFArrayGetCount(aclList); aclDex++) {
-
- /* get existing app list */
- SecACLRef aclRef = (SecACLRef)CFArrayGetValueAtIndex(aclList, aclDex);
- CFArrayRef existApps = NULL;
- CSSM_ACL_KEYCHAIN_PROMPT_SELECTOR promptSelector;
- CFStringRef promptDescription;
-
- ortn = SecACLCopySimpleContents(aclRef, &existApps, &promptDescription,
- &promptSelector);
- if(ortn) {
- cssmPerror("SecACLCopySimpleContents", ortn);
- exit(1);
- }
-
- /* appends its contents to our list */
- if(existApps != NULL) {
- for(int i=0; i<CFArrayGetCount(existApps); i++) {
- CFArrayAppendValue(appList, CFArrayGetValueAtIndex(existApps, i));
- }
- }
-
- /* turn off possible keychain prompt flag */
- promptSelector.flags &= ~CSSM_ACL_KEYCHAIN_PROMPT_REQUIRE_PASSPHRASE;
-
- /* Update */
- ortn = SecACLSetSimpleContents(aclRef, appList, promptDescription,
- &promptSelector);
- if(ortn) {
- cssmPerror("SecACLCopySimpleContents", ortn);
- exit(1);
- }
- if(existApps != NULL) {
- CFRelease(existApps);
- }
- }
-
- /* presumably we're been operating on "the" ACL list in "the" SecAccess,
- * not a separate copy... */
- ortn = SecKeychainItemSetAccess((SecKeychainItemRef)keyRef, accessRef);
- if(ortn) {
- cssmPerror("SecKeychainItemSetAccess", ortn);
- exit(1);
- }
-
- /* is that it? */
- CFRelease(appList);
- CFRelease(kcRef);
- CFRelease(identRef);
- CFRelease(keyRef);
- CFRelease(accessRef);
- CFRelease(aclList);
- if(!quiet) {
- printf("...success\n");
- }
-}
projects / apple / security.git / blobdiff