X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/5c19dc3ae3bd8e40a9c028b0deddd50ff337692c..dd5fb164cf5b32c462296bc65e289e100f74b59a:/OSX/libsecurity_keychain/lib/SecIdentity.cpp?ds=sidebyside diff --git a/OSX/libsecurity_keychain/lib/SecIdentity.cpp b/OSX/libsecurity_keychain/lib/SecIdentity.cpp index 7939d6b6..1cb7b595 100644 --- a/OSX/libsecurity_keychain/lib/SecIdentity.cpp +++ b/OSX/libsecurity_keychain/lib/SecIdentity.cpp @@ -35,8 +35,10 @@ #include #include #include +#include #include #include +#include /* private function declarations */ OSStatus @@ -107,6 +109,9 @@ CFTypeID SecIdentityGetTypeID(void) { BEGIN_SECAPI + os_activity_t activity = os_activity_create("SecIdentityGetTypeID", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT); + os_activity_scope(activity); + os_release(activity); return gTypes().Identity.typeID; @@ -120,30 +125,56 @@ SecIdentityCopyCertificate( SecCertificateRef *certificateRef) { BEGIN_SECAPI + os_activity_t activity = os_activity_create("SecIdentityCopyCertificate", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT); + os_activity_scope(activity); + os_release(activity); - SecPointer certificatePtr(Identity::required(identityRef)->certificate()); - Required(certificateRef) = certificatePtr->handle(); - -#if SECTRUST_OSX - /* convert outgoing item to a unified SecCertificateRef */ - CssmData certData = certificatePtr->data(); - CFDataRef data = NULL; - if (certData.Data && certData.Length) { - data = CFDataCreate(NULL, certData.Data, certData.Length); + if (!identityRef || !certificateRef) { + return errSecParam; + } + CFTypeID itemType = CFGetTypeID(identityRef); + if (itemType == SecIdentityGetTypeID()) { + SecPointer certificatePtr(Identity::required(identityRef)->certificate()); + Required(certificateRef) = certificatePtr->handle(); + + /* convert outgoing certificate item to a unified SecCertificateRef */ + CssmData certData = certificatePtr->data(); + CFDataRef data = NULL; + if (certData.Data && certData.Length) { + data = CFDataCreate(NULL, certData.Data, certData.Length); + } + if (!data) { + *certificateRef = NULL; + syslog(LOG_ERR, "ERROR: SecIdentityCopyCertificate failed to retrieve certificate data (length=%ld, data=0x%lX)", + (long)certData.Length, (uintptr_t)certData.Data); + return errSecInternal; + } + SecCertificateRef tmpRef = *certificateRef; + *certificateRef = SecCertificateCreateWithKeychainItem(NULL, data, tmpRef); + if (data) { + CFRelease(data); + } + if (tmpRef) { + CFRelease(tmpRef); + } + } + else if (itemType == SecCertificateGetTypeID()) { + // rdar://24483382 + // reconstituting a persistent identity reference could return the certificate + SecCertificateRef certificate = (SecCertificateRef)identityRef; + + /* convert outgoing certificate item to a unified SecCertificateRef, if needed */ + if (SecCertificateIsItemImplInstance(certificate)) { + *certificateRef = SecCertificateCreateFromItemImplInstance(certificate); + } + else { + *certificateRef = (SecCertificateRef) CFRetain(certificate); + } + return errSecSuccess; } - if (!data) { - *certificateRef = NULL; - syslog(LOG_ERR, "ERROR: SecIdentityCopyCertificate failed to retrieve certificate data (length=%ld, data=0x%lX)", - (long)certData.Length, (uintptr_t)certData.Data); - return errSecInternal; + else { + return errSecParam; } - SecCertificateRef tmpRef = *certificateRef; - *certificateRef = SecCertificateCreateWithKeychainItem(NULL, data, tmpRef); - if (data) - CFRelease(data); - if (tmpRef) - CFRelease(tmpRef); -#endif END_SECAPI } @@ -155,9 +186,11 @@ SecIdentityCopyPrivateKey( SecKeyRef *privateKeyRef) { BEGIN_SECAPI + os_activity_t activity = os_activity_create("SecIdentityCopyPrivateKey", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT); + os_activity_scope(activity); + os_release(activity); - SecPointer keyItemPtr(Identity::required(identityRef)->privateKey()); - Required(privateKeyRef) = keyItemPtr->handle(); + Required(privateKeyRef) = (SecKeyRef)CFRetain(Identity::required(identityRef)->privateKeyRef()); END_SECAPI } @@ -188,11 +221,20 @@ SecIdentityCreate( { SecIdentityRef identityRef = NULL; OSStatus __secapiresult; - SecCertificateRef __itemImplRef=SecCertificateCreateItemImplInstance(certificate); + SecCertificateRef __itemImplRef = NULL; + if (SecCertificateIsItemImplInstance(certificate)) { + __itemImplRef=(SecCertificateRef)CFRetain(certificate); + } + if (!__itemImplRef && certificate) { + __itemImplRef=(SecCertificateRef)SecCertificateCopyKeychainItem(certificate); + } + if (!__itemImplRef && certificate) { + __itemImplRef=SecCertificateCreateItemImplInstance(certificate); + (void)SecCertificateSetKeychainItem(certificate,__itemImplRef); + } try { SecPointer certificatePtr(Certificate::required(__itemImplRef)); - SecPointer keyItemPtr(KeyItem::required(privateKey)); - SecPointer identityPtr(new Identity(keyItemPtr, certificatePtr)); + SecPointer identityPtr(new Identity(privateKey, certificatePtr)); identityRef = identityPtr->handle(); __secapiresult=errSecSuccess; @@ -201,6 +243,7 @@ SecIdentityCreate( catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); } catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; } catch (...) { __secapiresult=errSecInternalComponent; } + if (__itemImplRef) { CFRelease(__itemImplRef); } return identityRef; } @@ -220,19 +263,20 @@ SecIdentityCompare( return kCFCompareGreaterThan; } - BEGIN_SECAPI - - SecPointer id1(Identity::required(identity1)); - SecPointer id2(Identity::required(identity2)); - - if (id1 == id2) - return kCFCompareEqualTo; - else if (id1 < id2) - return kCFCompareLessThan; - else - return kCFCompareGreaterThan; - - END_SECAPI1(kCFCompareGreaterThan); + try { + SecPointer id1(Identity::required(identity1)); + SecPointer id2(Identity::required(identity2)); + + if (id1 == id2) + return kCFCompareEqualTo; + else if (id1 < id2) + return kCFCompareLessThan; + else + return kCFCompareGreaterThan; + } catch(...) + {} + + return kCFCompareGreaterThan; } static @@ -388,25 +432,12 @@ OSStatus _SecIdentityCopyPreferenceMatchingName( } // create identity reference, given certificate -#if SECTRUST_OSX - status = SecIdentityCreateWithCertificate(NULL, (SecCertificateRef)certItemRef, identity); -#else - try { - Item certItem = ItemImpl::required(SecKeychainItemRef(certItemRef)); - SecPointer certificate(static_cast(certItem.get())); - SecPointer identity_ptr(new Identity(keychains, certificate)); - if (certItemRef) { - CFRelease(certItemRef); // retained by identity - } - Required(identity) = identity_ptr->handle(); - } - catch (const MacOSError &err) { status=err.osStatus(); } - catch (const CommonError &err) { status=SecKeychainErrFromOSStatus(err.osStatus()); } - catch (const std::bad_alloc &) { status=errSecAllocate; } - catch (...) { status=errSecInvalidItemRef; } -#endif + status = SecIdentityCreateWithCertificate(NULL, (SecCertificateRef)certItemRef, identity); + if (certItemRef) { + CFRelease(certItemRef); + } - return status; + return status; } SecIdentityRef SecIdentityCopyPreferred(CFStringRef name, CFArrayRef keyUsage, CFArrayRef validIssuers) @@ -440,16 +471,21 @@ OSStatus SecIdentityCopyPreference( // (Note that behavior is unchanged if the specified name is not a URL.) BEGIN_SECAPI + os_activity_t activity = os_activity_create("SecIdentityCopyPreference", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT); + os_activity_scope(activity); + os_release(activity); CFTypeRef val = (CFTypeRef)CFPreferencesCopyValue(CFSTR("LogIdentityPreferenceLookup"), CFSTR("com.apple.security"), kCFPreferencesCurrentUser, kCFPreferencesAnyHost); Boolean logging = false; - if (val && CFGetTypeID(val) == CFBooleanGetTypeID()) { - logging = CFBooleanGetValue((CFBooleanRef)val); - CFRelease(val); + if (val) { + if (CFGetTypeID(val) == CFBooleanGetTypeID()) { + logging = CFBooleanGetValue((CFBooleanRef)val); + } } + CFReleaseNull(val); OSStatus status = errSecItemNotFound; CFArrayRef names = _SecIdentityCopyPossiblePaths(name); @@ -535,8 +571,15 @@ OSStatus SecIdentitySetPreference( } BEGIN_SECAPI - - SecPointer certificate(Identity::required(identity)->certificate()); + os_activity_t activity = os_activity_create("SecIdentitySetPreference", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT); + os_activity_scope(activity); + os_release(activity); + + CFRef certRef; + OSStatus status = SecIdentityCopyCertificate(identity, certRef.take()); + if(status != errSecSuccess) { + MacOSError::throwMe(status); + } // determine the account attribute // @@ -548,7 +591,7 @@ OSStatus SecIdentitySetPreference( // If the key usage is 0 (i.e. the normal case), we omit the appended key usage string. // CFStringRef labelStr = nil; - certificate->inferLabel(false, &labelStr); + SecCertificateInferLabel(certRef.get(), &labelStr); if (!labelStr) { MacOSError::throwMe(errSecDataTooLarge); // data is "in a format which cannot be displayed" } @@ -596,7 +639,7 @@ OSStatus SecIdentitySetPreference( // generic attribute (store persistent certificate reference) CFDataRef pItemRef = nil; - certificate->copyPersistentReference(pItemRef); + SecKeychainItemCreatePersistentReference((SecKeychainItemRef)certRef.get(), &pItemRef); if (!pItemRef) { MacOSError::throwMe(errSecInvalidItemRef); } @@ -644,6 +687,9 @@ SecIdentityFindPreferenceItem( SecKeychainItemRef *itemRef) { BEGIN_SECAPI + os_activity_t activity = os_activity_create("SecIdentityFindPreferenceItem", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT); + os_activity_scope(activity); + os_release(activity); StorageManager::KeychainList keychains; globals().storageManager.optionalSearchList(keychainOrArray, keychains); @@ -682,6 +728,9 @@ SecIdentityFindPreferenceItemWithNameAndKeyUsage( SecKeychainItemRef *itemRef) { BEGIN_SECAPI + os_activity_t activity = os_activity_create("SecIdentityFindPreferenceItemWithNameAndKeyUsage", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT); + os_activity_scope(activity); + os_release(activity); StorageManager::KeychainList keychains; globals().storageManager.optionalSearchList(keychainOrArray, keychains); @@ -725,7 +774,7 @@ OSStatus SecIdentityDeletePreferenceItemWithNameAndKeyUsage( // cut things off at that point if we're still finding items (if they can't // be deleted for some reason, we'd never break out of the loop.) - OSStatus status; + OSStatus status = errSecInternalError; SecKeychainItemRef item = NULL; int count = 0, maxUsages = 12; while (++count <= maxUsages && @@ -849,6 +898,9 @@ OSStatus SecIdentityAddPreferenceItem( // (Note that behavior is unchanged if the specified idString is not a URL.) BEGIN_SECAPI + os_activity_t activity = os_activity_create("SecIdentityAddPreferenceItem", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT); + os_activity_scope(activity); + os_release(activity); OSStatus status = errSecInternalComponent; CFArrayRef names = _SecIdentityCopyPossiblePaths(idString); @@ -905,6 +957,9 @@ OSStatus SecIdentityUpdatePreferenceItem( SecIdentityRef identityRef) { BEGIN_SECAPI + os_activity_t activity = os_activity_create("SecIdentityUpdatePreferenceItem", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT); + os_activity_scope(activity); + os_release(activity); if (!itemRef || !identityRef) MacOSError::throwMe(errSecParam); @@ -973,6 +1028,9 @@ OSStatus SecIdentityCopyFromPreferenceItem( SecIdentityRef *identityRef) { BEGIN_SECAPI + os_activity_t activity = os_activity_create("SecIdentityCopyFromPreferenceItem", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT); + os_activity_scope(activity); + os_release(activity); if (!itemRef || !identityRef) MacOSError::throwMe(errSecParam); @@ -1034,6 +1092,9 @@ OSStatus SecIdentityCopySystemIdentity( CFStringRef *actualDomain) /* optional */ { BEGIN_SECAPI + os_activity_t activity = os_activity_create("SecIdentityCopySystemIdentity", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT); + os_activity_scope(activity); + os_release(activity); StLock _(systemIdentityLock()); auto_ptr identDict; @@ -1102,6 +1163,9 @@ OSStatus SecIdentitySetSystemIdentity( SecIdentityRef idRef) { BEGIN_SECAPI + os_activity_t activity = os_activity_create("SecIdentitySetSystemIdentity", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT); + os_activity_scope(activity); + os_release(activity); StLock _(systemIdentityLock()); if(geteuid() != 0) {