X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/6b200bc335dc93c5516ccb52f14bd896d8c7fad7..refs/heads/master:/OSX/libsecurity_keychain/lib/TrustAdditions.cpp diff --git a/OSX/libsecurity_keychain/lib/TrustAdditions.cpp b/OSX/libsecurity_keychain/lib/TrustAdditions.cpp index 8d88ba8d..0710cadb 100644 --- a/OSX/libsecurity_keychain/lib/TrustAdditions.cpp +++ b/OSX/libsecurity_keychain/lib/TrustAdditions.cpp @@ -47,9 +47,9 @@ #include #include // for CSSM_APPLE_TP_OCSP_OPTIONS, CSSM_APPLE_TP_OCSP_OPT_FLAGS -#include "SecTrustPriv.h" -#include "SecTrustSettings.h" -#include "SecTrustSettingsPriv.h" +#include +#include +#include // // Macros @@ -103,7 +103,7 @@ static void SafeCFRelease(void * CF_CONSUMED cfTypeRefPtr) // utility function to create a CFDataRef from the contents of the specified file; // caller must release // -static CFDataRef dataWithContentsOfFile(const char *fileName) +static CFDataRef CF_RETURNS_RETAINED dataWithContentsOfFile(const char *fileName) { int rtn; int fd; @@ -194,7 +194,7 @@ static SecKeychainRef systemRootStore() // returns a CFDictionaryRef created from the specified XML plist file; caller must release // -static CFDictionaryRef dictionaryWithContentsOfPlistFile(const char *fileName) +static CFDictionaryRef CF_RETURNS_RETAINED dictionaryWithContentsOfPlistFile(const char *fileName) { CFDictionaryRef resultDict = NULL; CFDataRef fileData = dataWithContentsOfFile(fileName); @@ -377,10 +377,11 @@ CFArrayRef potentialEVChainWithCertificates(CFArrayRef certificates) // static SecCertificateRef _rootCertificateWithSubjectOfCertificate(SecCertificateRef certificate) { - if (!certificate) + if (!certificate) { return NULL; + } - StLock _(SecTrustKeychainsGetMutex()); + StLock _(SecTrustKeychainsGetMutex()); // get data+length for the provided certificate CSSM_CL_HANDLE clHandle = 0; 
@@ -416,7 +417,6 @@ static SecCertificateRef _rootCertificateWithSubjectOfCertificate(SecCertificate SecKeyRef keyRef = NULL; SecCertificateRef resultCert = NULL; // note: Sec* APIs are not re-entrant due to the API lock - // status = SecCertificateCopyPublicKey(certificate, &keyRef); BEGIN_SECAPI_INTERNAL_CALL keyRef = Certificate::required(certificate)->publicKey()->handle(); END_SECAPI_INTERNAL_CALL @@ -520,8 +520,9 @@ static SecCertificateRef _rootCertificateWithSubjectKeyIDOfCertificate(SecCertif SecCertificateRef resultCert = NULL; OSStatus status = errSecSuccess; - if (!certificate) + if (!certificate) { return NULL; + } StLock _(SecTrustKeychainsGetMutex()); @@ -558,8 +559,9 @@ CFArrayRef CF_RETURNS_RETAINED _possibleRootCertificatesForOidString(CFStringRef { StLock _(SecTrustKeychainsGetMutex()); - if (!oidString) + if (!oidString) { return NULL; + } CFDictionaryRef evOidDict = _evCAOidDict(); if (!evOidDict) return NULL; 
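Review bot: In `_possibleRootCertificatesForOidString` (the last hunk above), the `oidString` NULL check still runs after the `StLock` on `SecTrustKeychainsGetMutex()` has been taken, whereas `_rootCertificateWithSubjectOfCertificate` and `_rootCertificateWithSubjectKeyIDOfCertificate` both return on a NULL argument before acquiring it. Moving the check above the lock would make the three functions consistent and avoid taking the shared mutex for a call that does no work. The context line that follows, `if (!evOidDict) return NULL;`, is left unbraced, so the function ends up only half-converted to the brace style this commit applies; `if (!evOidDict) { return NULL; }` would finish it. The function body continues outside the hunk.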
@@ -826,37 +828,6 @@ bool isRevocationStatusCode(CSSM_RETURN statusCode) return false; } -// returns true if the given revocation status code can be ignored. -// -bool ignorableRevocationStatusCode(CSSM_RETURN statusCode) -{ - if (!isRevocationStatusCode(statusCode)) - return false; - - // if OCSP and/or CRL revocation info was unavailable for this certificate, - // and revocation checking is not required, we can ignore this status code. - - CFStringRef ocsp_val = (CFStringRef) CFPreferencesCopyValue(kSecRevocationOcspStyle, CFSTR(kSecRevocationDomain), kCFPreferencesCurrentUser, kCFPreferencesAnyHost); - CFStringRef crl_val = (CFStringRef) CFPreferencesCopyValue(kSecRevocationCrlStyle, CFSTR(kSecRevocationDomain), kCFPreferencesCurrentUser, kCFPreferencesAnyHost); - bool ocspRequired = (ocsp_val && CFEqual(ocsp_val, kSecRevocationRequireForAll)); - bool crlRequired = (crl_val && CFEqual(crl_val, kSecRevocationRequireForAll)); - if (!ocspRequired && ocsp_val && CFEqual(ocsp_val, kSecRevocationRequireIfPresent)) - ocspRequired = (statusCode != CSSMERR_APPLETP_OCSP_UNAVAILABLE); - if (!crlRequired && crl_val && CFEqual(crl_val, kSecRevocationRequireIfPresent)) - crlRequired = (statusCode != CSSMERR_APPLETP_CRL_NOT_FOUND); - if (ocsp_val) - CFRelease(ocsp_val); - if (crl_val) - CFRelease(crl_val); - - if (isOCSPStatusCode(statusCode)) - return (ocspRequired) ? false : true; - if (isCRLStatusCode(statusCode)) - return (crlRequired) ? false : true; - - return false; -} - // returns a CFArrayRef of allowed root certificates for the provided leaf certificate // if it passes initial EV evaluation criteria and should be subject to OCSP revocation // checking; otherwise, NULL is returned. (Caller must release the result if not NULL.)