+++ /dev/null
-/*
- * acltool.cpp - display and manipluate ACLs on SecKeychainItems
- */
-
-#include <stdlib.h>
-#include <strings.h>
-#include <stdio.h>
-#include <unistd.h>
-#include <Security/Security.h>
-#include "aclUtils.h"
-
-static void usage(char **argv)
-{
- printf("usage: %s op [options]\n", argv[0]);
- printf("op:\n");
- printf(" d -- display ACL\n");
- printf(" a -- add ACL\n");
- printf(" l -- lookup, dump label; no ACL operation\n");
- printf(" m -- modify data (only allowed for password items; must specify -p)\n");
- printf("Options:\n");
- printf(" -k keychain\n");
- printf(" -t itemType : k=privateKey, b=publicKey s=sessionKey, p=password; default is sessionKey\n");
- printf(" -l label_or_printName\n");
- printf(" -p new_password_data\n");
- printf(" -d -- dump data\n");
- printf(" -e -- edit ACL entries\n");
- printf(" -s -- simulate StickyRecord ACL\n");
- /* etc. */
- exit(1);
-}
-
-
-/* print an item's label and (optionally) its data */
-static OSStatus printItemLabelAndData(
- SecKeychainItemRef itemRef,
- SecItemAttr labelAttr,
- bool dumpData)
-{
- SecKeychainAttributeList attrList;
- SecKeychainAttribute attr;
- UInt32 length = 0;
- void *outData = NULL;
-
- attr.tag = labelAttr;
- attr.length = 0;
- attr.data = NULL;
- attrList.count = 1;
- attrList.attr = &attr;
-
- OSStatus ortn = SecKeychainItemCopyContent(itemRef,
- NULL, // itemClass - we know
- &attrList, // for label
- dumpData ? &length : 0,
- dumpData ? &outData : NULL);
- if(ortn) {
- cssmPerror("SecKeychainItemCopyContent", ortn);
- printf("***Error fetching label %s\n", dumpData ? "and data" : "");
- return ortn;
- }
-
- if(attr.data == NULL) {
- printf("**No label attribute found\n");
- }
- else {
- printf("Label: ");
- print_buffer(stdout, attr.length, attr.data);
- printf("\n");
- }
- if(dumpData) {
- if(outData == NULL) {
- printf("***Asked for data but none found\n");
- }
- else {
- printf("Data : ");
- print_buffer(stdout, length, outData);
- printf("\n");
- }
- }
- SecKeychainItemFreeContent(&attrList, outData);
- return noErr;
-}
-
-/*
- * Lookup by itemClass and optional label. Then do one or more of:
- *
- * -- dump label (always done)
- * -- dump ACLs
- * -- edit acl
- * -- dump data
- * -- set (modify) data
- */
-static OSStatus dumpAcls(
- SecKeychainRef kcRef,
-
- /* item specification */
- SecItemClass itemClass,
- SecItemAttr labelAttr, // to look up by label if specified
- const char *label,
-
- /* what we do with the item(s) found */
- bool dumpData,
- bool dumpAcl,
- bool editAcl,
- bool simulateStickyRecord,
- const unsigned char *newData, // if non-NULL, set/modify new data
- unsigned newDataLen)
-{
- OSStatus ortn;
- SecKeychainSearchRef srchRef;
- SecKeychainAttributeList attrList;
- SecKeychainAttributeList *attrListP = NULL;
- SecKeychainAttribute attr;
- unsigned numFound = 0;
-
- /* searching by label, or blindly? */
- if(label) {
- attr.tag = labelAttr;
- attr.length = strlen(label);
- attr.data = (void *)label;
- attrList.count = 1;
- attrList.attr = &attr;
- attrListP = &attrList;
- }
- ortn = SecKeychainSearchCreateFromAttributes(kcRef,
- itemClass,
- attrListP,
- &srchRef);
- if(ortn) {
- cssmPerror("SecKeychainSearchCreateFromAttributes", ortn);
- return ortn;
- }
- for(;;) {
- SecKeychainItemRef itemRef;
- ortn = SecKeychainSearchCopyNext(srchRef, &itemRef);
- if(ortn) {
- if(ortn == errSecItemNotFound) {
- /* normal search end */
- ortn = noErr;
- }
- else {
- cssmPerror("SecKeychainSearchCopyNext", ortn);
- }
- break;
- }
-
- printf("Item %u:\n", numFound++);
- printItemLabelAndData(itemRef, labelAttr, dumpData);
-
- if(newData) {
- ortn = SecKeychainItemModifyAttributesAndData(itemRef,
- NULL, // attrList - we don't change any attrs
- newDataLen,
- newData);
- if(ortn) {
- cssmPerror("SecKeychainItemModifyAttributesAndData", ortn);
- printf("***Cannot modify data of this item***\n");
- goto endOfLoop;
- }
- }
- if(dumpAcl) {
- SecAccessRef accessRef = nil;
- ortn = SecKeychainItemCopyAccess(itemRef, &accessRef);
- if(ortn) {
- cssmPerror("SecKeychainItemCopyAccess", ortn);
- printf("***No SecAccessRef found***\n");
- goto endOfLoop;
- }
- print_access(stdout, accessRef, editAcl);
- if(simulateStickyRecord) {
- ortn = stickyRecordUpdateAcl(accessRef);
- if(ortn) {
- goto endOfLoop;
- }
- }
- if(editAcl || simulateStickyRecord) {
- ortn = SecKeychainItemSetAccess(itemRef, accessRef);
- if(ortn) {
- cssmPerror("SecKeychainItemSetAccess", ortn);
- }
- }
- }
-endOfLoop:
- CFRelease(itemRef);
- if(ortn) {
- break;
- }
- }
- CFRelease(srchRef);
- printf("...%u items found\n", numFound);
- return ortn;
-}
-
-typedef enum {
- AO_Dump,
- AO_Add,
- AO_Lookup,
- AO_ModifyPassword
-} AclOp;
-
-int main(int argc, char **argv)
-{
- /* user spec'd variables */
- const char *kcName = NULL;
- const char *labelOrName = NULL; // attribute type varies per
- AclOp op = AO_Dump;
- SecItemClass itemClass = CSSM_DL_DB_RECORD_SYMMETRIC_KEY;
- /* FIXME why does this work like this for keys? doc says kSecKeyPrintName but that doesn't work */
- SecItemAttr labelAttr = kSecLabelItemAttr;
- bool dumpData = false;
- bool editAcl = false;
- bool dumpAcl = true;
- bool simulateStickyRecord = false;
- const char *newPassword = NULL;
- unsigned newPasswordLen = 0;
-
- SecKeychainRef kcRef = nil;
- OSStatus ortn;
-
- if(argc < 2) {
- usage(argv);
- }
- switch(argv[1][0]) {
- case 'd':
- op = AO_Dump;
- break;
- case 'a':
- op = AO_Add;
- break;
- case 'l':
- op = AO_Lookup;
- dumpAcl = false;
- break;
- case 'm':
- op = AO_ModifyPassword;
- dumpAcl = false;
- break;
- default:
- usage(argv);
- }
-
- extern char *optarg;
- int arg;
- extern int optind;
- optind = 2;
- while ((arg = getopt(argc, argv, "k:t:l:dep:sh")) != -1) {
- switch (arg) {
- case 'k':
- kcName = optarg;
- break;
- case 't':
- switch(optarg[0]) {
- case 'k':
- itemClass = CSSM_DL_DB_RECORD_PRIVATE_KEY;
- break;
- case 's':
- itemClass = CSSM_DL_DB_RECORD_SYMMETRIC_KEY;
- break;
- case 'b':
- itemClass = CSSM_DL_DB_RECORD_PUBLIC_KEY;
- break;
- case 'p':
- itemClass = kSecGenericPasswordItemClass;
- labelAttr = kSecLabelItemAttr;
- break;
- default:
- usage(argv);
- }
- break;
- case 'l':
- labelOrName = optarg;
- break;
- case 'd':
- dumpData = true;
- break;
- case 'e':
- editAcl = true;
- break;
- case 'p':
- newPassword = optarg;
- newPasswordLen = strlen(newPassword);
- break;
- case 's':
- simulateStickyRecord = true;
- break;
- case 'h':
- usage(argv);
- }
- }
- if(optind != argc) {
- usage(argv);
- }
- if(op == AO_ModifyPassword) {
- if(itemClass != kSecGenericPasswordItemClass) {
- printf("***You can only modify data on a password item.\n");
- exit(1);
- }
- if(newPassword == NULL) {
- printf("***You must supply new password data for this operation.\n");
- exit(1);
- }
- }
- if(kcName) {
- ortn = SecKeychainOpen(kcName, &kcRef);
- if(ortn) {
- cssmPerror("SecKeychainOpen", ortn);
- printf("***Error opening keychain %s. Aborting.\n", kcName);
- exit(1);
- }
- }
-
- switch(op) {
- case AO_Dump:
- case AO_Lookup:
- case AO_ModifyPassword:
- ortn = dumpAcls(kcRef, itemClass, labelAttr, labelOrName, dumpData, dumpAcl, editAcl,
- simulateStickyRecord, (unsigned char *)newPassword, newPasswordLen);
- break;
- case AO_Add:
- printf("Add ACL op to be implemented real soon now\n");
- ortn = -1;
- break;
- }
- if(kcRef) {
- CFRelease(kcRef);
- }
- return (int)ortn;
-}
projects / apple / security.git / blobdiff