X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/ecaf5866106b8f08bdb7c1b4f489ef4dfd01278a..7e6b461318c8a779d91381531435a68ee4e8b6ed:/OSX/libsecurity_keychain/lib/SecTrust.cpp?ds=inline diff --git a/OSX/libsecurity_keychain/lib/SecTrust.cpp b/OSX/libsecurity_keychain/lib/SecTrust.cpp index a710f92a..eb9d2946 100644 --- a/OSX/libsecurity_keychain/lib/SecTrust.cpp +++ b/OSX/libsecurity_keychain/lib/SecTrust.cpp @@ -24,17 +24,17 @@ #include #include -#include "SecTrust.h" -#include "SecTrustPriv.h" +#include +#include #include "Trust.h" -#include "SecBase.h" +#include #include "SecBridge.h" -#include "SecInternal.h" -#include "SecTrustSettings.h" -#include "SecTrustSettingsPriv.h" -#include "SecTrustStatusCodes.h" -#include "SecCertificatePriv.h" -#include "SecPolicyPriv.h" +#include +#include +#include +#include +#include +#include #include #include #include @@ -51,16 +51,6 @@ typedef struct SecTrustCheckExceptionContext { bool exceptionNotFound; } SecTrustCheckExceptionContext; -// public trust result constants -const CFStringRef kSecTrustEvaluationDate = CFSTR("TrustEvaluationDate"); -const CFStringRef kSecTrustExtendedValidation = CFSTR("TrustExtendedValidation"); -const CFStringRef kSecTrustOrganizationName = CFSTR("Organization"); -const CFStringRef kSecTrustResultValue = CFSTR("TrustResultValue"); -const CFStringRef kSecTrustRevocationChecked = CFSTR("TrustRevocationChecked"); -const CFStringRef kSecTrustRevocationReason = CFSTR("TrustRevocationReason"); -const CFStringRef kSecTrustRevocationValidUntilDate = CFSTR("TrustExpirationDate"); -const CFStringRef kSecTrustResultDetails = CFSTR("TrustResultDetails"); - // // Sec* API bridge functions // @@ -192,84 +182,19 @@ static uint8_t convertCssmResultToPriority(CSSM_RETURN resultCode) { } } -static bool isSoftwareUpdateDevelopment(SecTrustRef trust) { - bool isPolicy = false, isEKU = false; - CFArrayRef policies = NULL; - - /* Policy used to evaluate was SWUpdateSigning */ - SecTrustCopyPolicies(trust, &policies); - if (policies) { - SecPolicyRef swUpdatePolicy = SecPolicyCreateAppleSWUpdateSigning(); - if (swUpdatePolicy && CFArrayContainsValue(policies, CFRangeMake(0, CFArrayGetCount(policies)), - swUpdatePolicy)) { - isPolicy = true; - } - if (swUpdatePolicy) { CFRelease(swUpdatePolicy); } - CFRelease(policies); - } - if (!isPolicy) { - return false; - } - - /* Only error was EKU on the leaf */ - CFArrayRef details = SecTrustCopyFilteredDetails(trust); - CFIndex ix, count = CFArrayGetCount(details); - bool hasDisqualifyingError = false; - for (ix = 0; ix < count; ix++) { - CFDictionaryRef detail = (CFDictionaryRef)CFArrayGetValueAtIndex(details, ix); - if (ix == 0) { // Leaf - if (CFDictionaryGetCount(detail) != 1 || // One error - CFDictionaryGetValue(detail, CFSTR("ExtendedKeyUsage")) != kCFBooleanFalse) { // kSecPolicyCheckExtendedKeyUsage - hasDisqualifyingError = true; - break; - } - } else { - if (CFDictionaryGetCount(detail) > 0) { // No errors on other certs - hasDisqualifyingError = true; - break; - } - } - } - CFReleaseSafe(details); - if (hasDisqualifyingError) { - return false; - } - - /* EKU on the leaf is the Apple Development Code Signing OID */ - SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0); - CSSM_DATA *fieldValue = NULL; - if (errSecSuccess != SecCertificateCopyFirstFieldValue(leaf, &CSSMOID_ExtendedKeyUsage, &fieldValue)) { - return false; - } - if (fieldValue && fieldValue->Data && fieldValue->Length == sizeof(CSSM_X509_EXTENSION)) { - const CSSM_X509_EXTENSION *ext = (const CSSM_X509_EXTENSION *)fieldValue->Data; - if (ext->format == CSSM_X509_DATAFORMAT_PARSED) { - const CE_ExtendedKeyUsage *ekus = (const CE_ExtendedKeyUsage *)ext->value.parsedValue; - if (ekus && (ekus->numPurposes == 1) && ekus->purposes[0].Data && - (ekus->purposes[0].Length == CSSMOID_APPLE_EKU_CODE_SIGNING_DEV.Length) && - (memcmp(ekus->purposes[0].Data, CSSMOID_APPLE_EKU_CODE_SIGNING_DEV.Data, - ekus->purposes[0].Length) == 0)) { - isEKU = true; - } - } - } - SecCertificateReleaseFirstFieldValue(leaf, &CSSMOID_ExtendedKeyUsage, fieldValue); - return isEKU; -} - // // Retrieve CSSM_LEVEL TP return code // /* OS X only: __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA) */ OSStatus SecTrustGetCssmResultCode(SecTrustRef trustRef, OSStatus *result) { - /* bridge to support old functionality */ + /* bridge to support old functionality */ #if SECTRUST_DEPRECATION_WARNINGS syslog(LOG_ERR, "WARNING: SecTrustGetCssmResultCode has been deprecated since 10.7, and will be removed in a future release. Please use SecTrustCopyProperties instead."); #endif - if (!trustRef || !result) { - return errSecParam; - } + if (!trustRef || !result) { + return errSecParam; + } SecTrustResultType trustResult = kSecTrustResultInvalid; (void) SecTrustGetTrustResult(trustRef, &trustResult); @@ -278,15 +203,6 @@ OSStatus SecTrustGetCssmResultCode(SecTrustRef trustRef, OSStatus *result) return errSecSuccess; } - /* Development Software Update certs return a special error code when evaluated - * against the AppleSWUpdateSigning policy. See . */ - if (isSoftwareUpdateDevelopment(trustRef)) { - if (result) { - *result = CSSMERR_APPLETP_CODE_SIGN_DEVELOPMENT; - } - return errSecSuccess; - } - OSStatus cssmResultCode = errSecSuccess; uint8_t resultCodePriority = 0xFF; CFIndex ix, count = SecTrustGetCertificateCount(trustRef); @@ -309,10 +225,10 @@ OSStatus SecTrustGetCssmResultCode(SecTrustRef trustRef, OSStatus *result) if (resultCodePriority == 1) { break; } } - if (result) { - *result = cssmResultCode; - } - return errSecSuccess; + if (result) { + *result = cssmResultCode; + } + return errSecSuccess; } /* OS X only: __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_2, __MAC_10_7, __IPHONE_NA, __IPHONE_NA) */ @@ -350,9 +266,9 @@ OSStatus SecTrustCopyAnchorCertificates(CFArrayRef *anchorCertificates) /* Go through outArray and do a SecTrustEvaluate */ CFIndex i; SecPolicyRef policy = SecPolicyCreateBasicX509(); + SecTrustRef trust = NULL; CFMutableArrayRef trustedCertArray = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); for (i = 0; i < count ; i++) { - SecTrustRef trust; SecTrustResultType result; SecCertificateRef certificate = (SecCertificateRef) CFArrayGetValueAtIndex(outArray, i); status = SecTrustCreateWithCertificates(certificate, policy, &trust); @@ -368,6 +284,7 @@ OSStatus SecTrustCopyAnchorCertificates(CFArrayRef *anchorCertificates) if (result != kSecTrustResultFatalTrustFailure) { CFArrayAppendValue(trustedCertArray, certificate); } + CFReleaseNull(trust); } if (CFArrayGetCount(trustedCertArray) == 0) { status = errSecNoTrustSettings; @@ -378,17 +295,26 @@ OSStatus SecTrustCopyAnchorCertificates(CFArrayRef *anchorCertificates) out: CFReleaseSafe(outArray); CFReleaseSafe(policy); + CFReleaseSafe(trust); return status; END_SECAPI } -/* We have an iOS-style SecTrustRef, but we need to return a CDSA-based SecKeyRef. +/* + * We have an iOS-style SecTrustRef, but we need to return a CDSA-based SecKeyRef. + * + * If you need a SecKeyRef based of the iOS based SecKey, check certificate chain + * length, get certificate with SecTrustGetCertificateAtIndex(0), use + * SecCertificateCopyKey() to get a iOS based key. */ SecKeyRef SecTrustCopyPublicKey(SecTrustRef trust) { SecKeyRef pubKey = NULL; SecCertificateRef certificate = SecTrustGetCertificateAtIndex(trust, 0); +#pragma clang diagnostic push +#pragma clang diagnostic ignored "-Wdeprecated-declarations" (void) SecCertificateCopyPublicKey(certificate, &pubKey); +#pragma clang diagnostic pop return pubKey; }