*/
#include "SecBridge.h"
-#include "SecCertificatePriv.h"
-#include "SecTrustSettings.h"
-#include "SecTrustSettingsPriv.h"
+#include <Security/SecCertificatePriv.h>
+#include <Security/SecTrustSettings.h>
+#include <Security/SecTrustSettingsPriv.h>
#include "SecTrustSettingsCertificates.h"
#include "SecCFRelease.h"
#include "TrustSettingsUtils.h"
#include <security_utilities/simpleprefs.h>
#include <securityd_client/dictionary.h>
#include <securityd_client/ssclient.h>
-#include <assert.h>
+#include <security_utilities/simulatecrash_assert.h>
#include <dlfcn.h>
#include <libproc.h>
#include <syslog.h>
Dictionary* dictionary = Dictionary::CreateDictionary(kSecTrustSettingsPrefsDomain, Dictionary::US_System);
if (dictionary)
{
- auto_ptr<Dictionary> prefsDict(dictionary);
+ unique_ptr<Dictionary> prefsDict(dictionary);
/* this returns false if the pref isn't there, just like we want */
tsUserTrustDisable = prefsDict->getBoolValue(kSecTrustSettingsDisableUserTrustSettings);
}
static void tsTrustSettingsChanged()
{
tsPurgeCache();
+ SecTrustSettingsPurgeUserAdminCertsCache();
/* The only interesting data is our pid */
NameValueDictionary nvd;
return result;
}
- auto_ptr<TrustSettings>_(ts); // make sure this gets deleted just in case something throws underneath
+ unique_ptr<TrustSettings>_(ts); // make sure this gets deleted just in case something throws underneath
if(trustSettings) {
*trustSettings = ts->copyTrustSettings(cert);
END_RCSAPI
}
+/*
+ * Common code for SecTrustSettingsCopyTrustSettings(),
+ * SecTrustSettingsCopyModificationDate().
+ */
+static OSStatus tsCopyTrustSettings_cached(
+ SecCertificateRef cert,
+ SecTrustSettingsDomain domain,
+ CFArrayRef CF_RETURNS_RETAINED *trustSettings)
+{
+ BEGIN_RCSAPI
+
+ TS_REQUIRED(cert)
+
+ StLock<Mutex> _(sutCacheLock());
+ TrustSettings* ts = tsGetGlobalTrustSettings(domain);
+
+ // rather than throw these results, just return them because we are at the top level
+ if (ts == NULL) {
+ return errSecItemNotFound;
+ }
+
+ if(trustSettings) {
+ *trustSettings = ts->copyTrustSettings(cert);
+ }
+
+ END_RCSAPI
+}
+
+static OSStatus tsContains(
+ SecCertificateRef cert,
+ SecTrustSettingsDomain domain)
+{
+ BEGIN_RCSAPI
+
+ TS_REQUIRED(cert)
+
+ StLock<Mutex> _(sutCacheLock());
+ TrustSettings* ts = tsGetGlobalTrustSettings(domain);
+
+ // rather than throw these results, just return them because we are at the top level
+ if (ts == NULL) {
+ return errSecItemNotFound;
+ }
+
+ if (ts->contains(cert)) {
+ return errSecSuccess;
+ } else {
+ return errSecItemNotFound;
+ }
+
+ END_RCSAPI
+}
+
static void tsAddConditionalCerts(CFMutableArrayRef certArray);
/*
return result;
}
- auto_ptr<TrustSettings>_(ts);
+ unique_ptr<TrustSettings>_(ts);
if(certRef != NULL) {
ts->setTrustSettings(certRef, trustSettingsDictOrArray);
END_RCSAPI
}
+void SecTrustSettingsPurgeCache(void) {
+ tsPurgeCache();
+}
+
+OSStatus SecTrustSettingsCopyTrustSettings_Cached(
+ SecCertificateRef certRef,
+ SecTrustSettingsDomain domain,
+ CFArrayRef CF_RETURNS_RETAINED *trustSettings) /* RETURNED */
+{
+ TS_REQUIRED(certRef)
+ TS_REQUIRED(trustSettings)
+
+ OSStatus result = tsCopyTrustSettings_cached(certRef, domain, trustSettings);
+ if (result == errSecSuccess && *trustSettings == NULL) {
+ result = errSecItemNotFound; /* documented result if no trust settings exist */
+ }
+ return result;
+}
+
#pragma mark --- API functions ---
OSStatus SecTrustSettingsCopyTrustSettings(
return result;
}
- auto_ptr<TrustSettings>_(ts);
+ unique_ptr<TrustSettings>_(ts);
ts->setTrustSettings(certRef, trustSettingsDictOrArray);
ts->flushToDisk();
return result;
}
- auto_ptr<TrustSettings>_(ts);
+ unique_ptr<TrustSettings>_(ts);
/* deleteTrustSettings throws if record not found */
trustSettingsDbg("SecTrustSettingsRemoveTrustSettings: deleting from domain %d",
OSStatus status;
TrustSettings* ts;
CFMutableArrayRef trustedCertArray = NULL;
+ SecTrustRef trust = NULL;
status = TrustSettings::CreateTrustSettings(domain, CREATE_NO, TRIM_NO, ts);
if (status != errSecSuccess) {
return status;
}
- auto_ptr<TrustSettings>_(ts);
+ unique_ptr<TrustSettings>_(ts);
CFMutableArrayRef outArray = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
SecPolicyRef policy = SecPolicyCreateBasicX509();
trustedCertArray = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
for (i = 0; i < count ; i++) {
- SecTrustRef trust;
SecTrustResultType result;
SecCertificateRef certificate = (SecCertificateRef) CFArrayGetValueAtIndex(outArray, i);
status = SecTrustCreateWithCertificates(certificate, policy, &trust);
if (result != kSecTrustResultFatalTrustFailure) {
CFArrayAppendValue(trustedCertArray, certificate);
}
+ CFReleaseNull(trust);
}
tsAddConditionalCerts(trustedCertArray);
if (CFArrayGetCount(trustedCertArray) == 0) {
CFReleaseSafe(outArray);
CFReleaseSafe(trustedCertArray);
}
+ CFReleaseNull(trust);
return status;
END_RCSAPI
}
static CFArrayRef gUserAdminCerts = NULL;
static bool gUserAdminCertsCacheBuilt = false;
-static ReadWriteLock gUserAdminCertsLock;
+static ModuleNexus<ReadWriteLock> gUserAdminCertsLock;
void SecTrustSettingsPurgeUserAdminCertsCache(void) {
- StReadWriteLock _(gUserAdminCertsLock, StReadWriteLock::Write);
+ StReadWriteLock _(gUserAdminCertsLock(), StReadWriteLock::Write);
CFReleaseNull(gUserAdminCerts);
gUserAdminCertsCacheBuilt = false;
}
OSStatus result = errSecSuccess;
{ /* Hold the read lock for the check */
- StReadWriteLock _(gUserAdminCertsLock, StReadWriteLock::Read);
+ StReadWriteLock _(gUserAdminCertsLock(), StReadWriteLock::Read);
if (gUserAdminCertsCacheBuilt) {
if (gUserAdminCerts) {
*certArray = (CFArrayRef)CFRetain(gUserAdminCerts);
/* For valid results, update the global cache */
if (result == errSecSuccess || result == errSecNoTrustSettings) {
- StReadWriteLock _(gUserAdminCertsLock, StReadWriteLock::Write);
+ StReadWriteLock _(gUserAdminCertsLock(), StReadWriteLock::Write);
CFReleaseNull(gUserAdminCerts);
gUserAdminCerts = (CFArrayRef)CFRetainSafe(outArray);
gUserAdminCertsCacheBuilt = true;
return result;
}
+bool SecTrustSettingsUserAdminDomainsContain(SecCertificateRef certRef)
+{
+ TS_REQUIRED(certRef)
+ if (tsContains(certRef, kSecTrustSettingsDomainAdmin) == errSecSuccess ||
+ tsContains(certRef, kSecTrustSettingsDomainUser) == errSecSuccess) {
+ return true;
+ }
+ return false;
+}
+
/*
* Obtain an external, portable representation of the specified
* domain's TrustSettings. Caller must CFRelease the returned data.
return result;
}
- auto_ptr<TrustSettings>_(ts);
+ unique_ptr<TrustSettings>_(ts);
*trustSettings = ts->createExternal();
return errSecSuccess;
return result;
}
- auto_ptr<TrustSettings>_(ts);
+ unique_ptr<TrustSettings>_(ts);
ts->flushToDisk();
tsTrustSettingsChanged();
projects / apple / security.git / blobdiff