/*
- * crypto-embedded.c
- * libsecurity_smime
+ * Copyright (c) 2008-2011,2013,2015 Apple Inc. All Rights Reserved.
*
- * Created by Conrad Sauerwald on 2/7/08.
- * Copyright (c) 2008-2011,2013 Apple Inc. All Rights Reserved.
+ * @APPLE_LICENSE_HEADER_START@
*
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
*/
#include <stdio.h>
#include <Security/oidsalg.h>
#include <Security/SecPolicy.h>
#include <Security/SecItem.h>
+#include <Security/SecItemPriv.h>
#include <Security/SecIdentity.h>
#include <Security/SecCertificateInternal.h>
#include <Security/SecKeyPriv.h>
SECStatus
CERT_VerifyCert(SecKeychainRef keychainOrArray __unused, CFArrayRef certs,
- CFTypeRef policies, CFAbsoluteTime stime, SecTrustRef *trustRef)
+ CFTypeRef policies, CFAbsoluteTime stime, SecTrustRef *trustRef)
{
SecTrustRef trust = NULL;
OSStatus rv;
rv = SecTrustSetVerifyDate(trust, verifyDate);
CFRelease(verifyDate);
if (rv)
- goto loser;
+ goto loser;
if (trustRef)
{
- *trustRef = trust;
+ *trustRef = trust;
}
else
{
- SecTrustResultType result;
- /* The caller doesn't want a SecTrust object, so let's evaluate it for them. */
- rv = SecTrustEvaluate(trust, &result);
- if (rv)
- goto loser;
-
- switch (result)
- {
- case kSecTrustResultProceed:
- case kSecTrustResultUnspecified:
- /* TP Verification succeeded and there was either a UserTurst entry
- telling us to procceed, or no user trust setting was specified. */
- CFRelease(trust);
- break;
- default:
- PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
- rv = SECFailure;
- goto loser;
- break;
- }
+ SecTrustResultType result;
+ /* The caller doesn't want a SecTrust object, so let's evaluate it for them. */
+ rv = SecTrustEvaluate(trust, &result);
+ if (rv)
+ goto loser;
+
+ switch (result)
+ {
+ case kSecTrustResultProceed:
+ case kSecTrustResultUnspecified:
+ /* TP Verification succeeded and there was either a UserTurst entry
+ telling us to procceed, or no user trust setting was specified. */
+ CFRelease(trust);
+ break;
+ default:
+ PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
+ rv = SECFailure;
+ goto loser;
+ break;
+ }
}
return SECSuccess;
loser:
if (trust)
- CFRelease(trust);
+ CFRelease(trust);
return rv;
}
+static CFTypeRef CERT_FindItemInAllAvailableKeychains(CFDictionaryRef query) {
+ CFTypeRef item = NULL;
+ CFMutableDictionaryRef q = NULL;
+ CFDictionaryRef whoAmI = NULL;
+ CFErrorRef error = NULL;
+ CFDataRef musr = NULL;
+ const uint8_t activeUserUuid[16] = "\xA7\x5A\x3A\x35\xA5\x57\x4B\x10\xBE\x2E\x83\x94\x7E\x4A\x34\x72";
+
+ /* Do the standard keychain query */
+ require_quiet(errSecItemNotFound == SecItemCopyMatching(query, &item), out);
+
+ /* No item found. Can caller use the system keychain? */
+ whoAmI = _SecSecuritydCopyWhoAmI(&error);
+ require_quiet(NULL == error && whoAmI && CFDictionaryGetValue(whoAmI, CFSTR("status")), out);
+ musr = CFDictionaryGetValue(whoAmI, CFSTR("musr"));
+ /* Caller has system-keychain entitlement, is in multi-user mode, and is an active user. */
+ if (CFDictionaryGetValue(whoAmI, CFSTR("system-keychain")) && musr &&
+ (16 == CFDataGetLength(musr)) && (0 == memcmp(activeUserUuid,CFDataGetBytePtr(musr),12))) {
+ q = CFDictionaryCreateMutableCopy(NULL, CFDictionaryGetCount(query) + 1, query);
+ CFDictionaryAddValue(q, kSecUseSystemKeychain, kCFBooleanTrue);
+ SecItemCopyMatching(q, &item);
+ }
+
+out:
+ if (q)
+ CFRelease(q);
+ if (whoAmI)
+ CFRelease(whoAmI);
+ if (error)
+ CFRelease(error);
+
+ return item;
+}
SecCertificateRef CERT_FindUserCertByUsage(SecKeychainRef keychainOrArray,
char *nickname,SECCertUsage usage,Boolean validOnly,void *proto_win)
const void *values[] = { kSecClassCertificate, nickname_cfstr };
CFDictionaryRef query = CFDictionaryCreate(kCFAllocatorDefault, keys, values, sizeof(keys)/sizeof(*keys), NULL, NULL);
CFTypeRef result = NULL;
- SecItemCopyMatching(query, &result);
+ result = CERT_FindItemInAllAvailableKeychains(query);
CFRelease(query);
CFRelease(nickname_cfstr);
return (SecCertificateRef)result;
if (SecTrustEvaluate(trust, &result))
goto out;
CFIndex idx, count = SecTrustGetCertificateCount(trust);
+
+ /* If we weren't able to build a chain to a self-signed cert, warn. */
+ Boolean isSelfSigned = false;
+ SecCertificateRef lastCert = SecTrustGetCertificateAtIndex(trust, count - 1);
+ if (lastCert && (0 == SecCertificateIsSelfSigned(lastCert, &isSelfSigned)) && !isSelfSigned) {
+ CFStringRef commonName = NULL;
+ (void)SecCertificateCopyCommonName(cert, &commonName);
+ fprintf(stderr, "Warning: unable to build chain to self-signed root for signer \"%s\"",
+ commonName ? CFStringGetCStringPtr(commonName, kCFStringEncodingUTF8) : "");
+ if (commonName) { CFRelease(commonName); }
+ }
+
+ /* We don't drop the root if there is only 1 certificate in the chain. */
+ if (!includeRoot && count > 1) { count--; }
certs = CFArrayCreateMutable(kCFAllocatorDefault, count, &kCFTypeArrayCallBacks);
for(idx = 0; idx < count; idx++)
CFArrayAppendValue(certs, SecTrustGetCertificateAtIndex(trust, idx));
-
+
out:
if (trust) CFRelease(trust);
if (policy) CFRelease(policy);
CFIndex c, count = CFArrayGetCount((CFArrayRef)keychainOrArray);
for (c = 0; c < count; c++) {
SecCertificateRef cert = (SecCertificateRef)CFArrayGetValueAtIndex((CFArrayRef)keychainOrArray, c);
- if (CFEqual(SecCertificateGetNormalizedIssuerContent(cert), issuer)) {
- CFDataRef cert_serial = SecCertificateCopySerialNumber(cert);
- bool found = CFEqual(cert_serial, serial);
- CFRelease(cert_serial);
- if (found) {
- CFRetain(cert);
- ident = cert;
- goto out;
+ CFDataRef nic = (cert) ? SecCertificateGetNormalizedIssuerContent(cert) : NULL;
+ if (nic && CFEqual(nic, issuer)) {
+ CFDataRef cert_serial = SecCertificateCopySerialNumberData(cert, NULL);
+ if (cert_serial) {
+ bool found = CFEqual(cert_serial, serial);
+ CFRelease(cert_serial);
+ if (found) {
+ CFRetain(cert);
+ ident = cert;
+ goto out;
+ }
}
}
}
const void *keys[] = { kSecClass, kSecAttrIssuer, kSecAttrSerialNumber, kSecReturnRef };
const void *values[] = { class, issuer, serial, kCFBooleanTrue };
query = CFDictionaryCreate(kCFAllocatorDefault, keys, values, sizeof(keys)/sizeof(*keys), NULL, NULL);
- require_noerr_quiet(SecItemCopyMatching(query, (CFTypeRef*)&ident), out);
+ ident = CERT_FindItemInAllAvailableKeychains(query);
out:
if (query)
return (SecCertificateRef)CERT_FindByIssuerAndSN(keychainOrArray, kSecClassCertificate, issuerAndSN);
}
-SecIdentityRef CERT_FindIdentityBySubjectKeyID (CFTypeRef keychainOrArray __unused, const SecAsn1Item *subjKeyID)
+// Generate a certificate key from the Subject Key ID, then look it up in the database.
+// Return the cert if found. "subjKeyID" is the Subject Key ID to look for
+static CFTypeRef CERT_FindBySubjectKeyID (CFTypeRef keychainOrArray, CFTypeRef class, const SecAsn1Item *subjKeyID)
{
- SecIdentityRef ident = NULL;
- CFDictionaryRef query = NULL;
+ CFTypeRef ident = NULL;
+ CFDictionaryRef query = NULL;
CFDataRef subjectkeyid = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, subjKeyID->Data, subjKeyID->Length, kCFAllocatorNull);
- const void *keys[] = { kSecClass, kSecAttrSubjectKeyID, kSecReturnRef };
- const void *values[] = { kSecClassIdentity, subjectkeyid, kCFBooleanTrue };
- query = CFDictionaryCreate(kCFAllocatorDefault, keys, values, sizeof(keys)/sizeof(*keys), NULL, NULL);
- require_noerr_quiet(SecItemCopyMatching(query, (CFTypeRef*)&ident), out);
+ if (keychainOrArray && (CFGetTypeID(keychainOrArray) == CFArrayGetTypeID()) && CFEqual(class, kSecClassCertificate))
+ {
+ CFIndex c, count = CFArrayGetCount((CFArrayRef)keychainOrArray);
+ for (c = 0; c < count; c++) {
+ SecCertificateRef cert = (SecCertificateRef)CFArrayGetValueAtIndex((CFArrayRef)keychainOrArray, c);
+ CFDataRef skid = (cert) ? SecCertificateGetSubjectKeyID(cert) : NULL;
+ if (skid && CFEqual(skid, subjectkeyid)) {
+ CFRetain(cert);
+ ident = cert;
+ goto out;
+ }
+ }
+ }
+
+ const void *keys[] = { kSecClass, kSecAttrSubjectKeyID, kSecReturnRef };
+ const void *values[] = { class, subjectkeyid, kCFBooleanTrue };
+ query = CFDictionaryCreate(kCFAllocatorDefault, keys, values, sizeof(keys)/sizeof(*keys), NULL, NULL);
+ ident = CERT_FindItemInAllAvailableKeychains(query);
out:
if (query)
return ident;
}
+SecIdentityRef CERT_FindIdentityBySubjectKeyID (CFTypeRef keychainOrArray, const SecAsn1Item *subjKeyID)
+{
+ return (SecIdentityRef)CERT_FindBySubjectKeyID(keychainOrArray, kSecClassIdentity, subjKeyID);
+}
+
+SecCertificateRef CERT_FindCertificateBySubjectKeyID(CFTypeRef keychainOrArray, const SecAsn1Item *subjKeyID)
+{
+ return (SecCertificateRef)CERT_FindBySubjectKeyID(keychainOrArray, kSecClassCertificate, subjKeyID);
+}
+
SecPublicKeyRef SECKEY_CopyPublicKey(SecPublicKeyRef pubKey)
WRAP_PubUnwrapSymKey(SecPrivateKeyRef privkey, const SecAsn1Item *encKey, SECOidTag bulkalgtag)
{
size_t bulkkey_size = encKey->Length;
+ if (bulkkey_size > 16384) {
+ return NULL;
+ }
+
uint8_t bulkkey_buffer[bulkkey_size];
if (SecKeyDecrypt(privkey, kSecPaddingPKCS1,
encKey->Data, encKey->Length, bulkkey_buffer, &bulkkey_size))
projects / apple / security.git / blobdiff