It uses the standard Debug and Release configurations. Currently, command-line tools aren't supported in the Simulator.
-
Thanks!
old_ts = auth_items_get_double(config, "data_ts");
+ // <rdar://problem/17484375> SEED: BUG: Fast User Switching Not Working
+ // After Mavericks => Yosemite upgrade install, the new Yosemite rule "system.login.fus" was missing.
+ // Somehow (probably during install) ts < old_ts, even though that should never happen.
+ // Solution: always import plist and update db when time stamps don't match.
+ // After a successful import, old_ts = ts below.
if (ts != old_ts) {
LOGV("authdb: %s modified old=%f, new=%f", AUTHDB_DATA, old_ts, ts);
CFURLCreateDataAndPropertiesFromResource(kCFAllocatorDefault, authURL, &data, NULL, NULL, (SInt32*)&rc);
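Review bot: The new comment block says that a mismatch in either direction now triggers a re-import (`ts != old_ts`), but it does not state why importing a plist whose timestamp is older than the recorded one is safe, which is the question a reader of "ts < old_ts ... should never happen" will have. Since this path can replace the rule database with the contents of an older-stamped file, the comment should record the assumption that makes that acceptable (presumably that the plist is written only by the installer into a root-owned location), e.g. `// An older-stamped plist is accepted on purpose: only the installer writes it, and any mismatch means the db is out of sync with the file on disk.` The enclosing function continues outside the hunk on both sides.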
<key>class</key>
<string>user</string>
<key>comment</key>
- <string>This right is used by Safari to show passwords </string>
+ <string>This right is used by Safari to show passwords.</string>
<key>session-owner</key>
<true/>
<key>shared</key>
<key>timeout</key>
<integer>10</integer>
</dict>
+ <key>com.apple.Safari.install-ephemeral-extensions</key>
+ <dict>
+ <key>class</key>
+ <string>user</string>
+ <key>comment</key>
+ <string>This is the right used by Safari to install an ephemeral extension without a developer certificate present.</string>
+ <key>session-owner</key>
+ <true/>
+ <key>shared</key>
+ <false/>
+ <key>timeout</key>
+ <integer>0</integer>
+ </dict>
<key>com.apple.ServiceManagement.blesshelper</key>
<dict>
<key>allow-root</key>
<key>group</key>
<string>admin</string>
<key>shared</key>
- <true/>
+ <false/>
+ <key>version</key>
+ <integer>1</integer>
</dict>
<key>system.preferences.energysaver</key>
<dict>
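Review bot: The new `com.apple.Safari.install-ephemeral-extensions` right carries no `version` key, while the same change adds `<key>version</key><integer>1</integer>` to `com.apple.ServiceManagement.blesshelper`. If the version key is what allows a later plist revision to replace a rule already installed in the authorization database (which is how it appears to be used here), the new right should start with one as well, otherwise a later tightening of its `timeout` or `shared` values may not propagate on upgrade. Suggest adding `<key>version</key><integer>1</integer>` before the closing `</dict>` of the new right. The `shared` flip to `<false/>` on blesshelper is the stricter setting and is worth keeping.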
CSSM_BOOL freeRawKey = CSSM_FALSE;
rawCert = NULL;
+
+ /*
+ * Set Signature Algorithm OID and parameters
+ */
algId.algorithm = sigOid;
- algId.parameters.Data = NULL;
- algId.parameters.Length = 0;
+
+ /* NULL params - skip for ECDSA */
+ CSSM_ALGORITHMS algorithmType = 0;
+ cssmOidToAlg(&sigOid, &algorithmType);
+ switch(algorithmType) {
+ case CSSM_ALGID_SHA1WithECDSA:
+ case CSSM_ALGID_SHA224WithECDSA:
+ case CSSM_ALGID_SHA256WithECDSA:
+ case CSSM_ALGID_SHA384WithECDSA:
+ case CSSM_ALGID_SHA512WithECDSA:
+ case CSSM_ALGID_ECDSA_SPECIFIED:
+ algId.parameters.Data = NULL;
+ algId.parameters.Length = 0;
+ break;
+ default:
+ static const uint8 encNull[2] = { SEC_ASN1_NULL, 0 };
+ CSSM_DATA encNullData;
+ encNullData.Data = (uint8 *)encNull;
+ encNullData.Length = 2;
+
+ algId.parameters = encNullData;
+ break;
+ }
+
/*
* Convert possible ref public key to raw format as required by CL.
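Review bot: The `default:` branch encodes an explicit ASN.1 NULL for every algorithm that is not ECDSA, but RFC 3279 §2.2.2 requires the parameters field to be omitted for `dsa-with-sha1`, so if DSA signing is reachable here `CSSM_ALGID_SHA1WithDSA` belongs in the absent-parameters case list alongside the ECDSA entries. The return value of `cssmOidToAlg(&sigOid, &algorithmType)` is also ignored, so an unrecognised OID leaves `algorithmType` at 0 and silently gets NULL parameters; at minimum add a comment such as `/* unknown OID: fall through to encoded NULL, matching the previous behaviour for RSA */` or make the unknown case explicit. Stylistically, the `static const uint8 encNull[2]` and `CSSM_DATA encNullData` declarations after `default:` should sit in their own braces, and `(uint8 *)encNull` casts away `const` with a C-style cast. The enclosing function continues on both sides of the hunk.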
#define PL_ARENA_GROW(p, pool, size, incr) \
PR_BEGIN_MACRO \
PLArena *_a = (pool)->current; \
- typeof((incr)) _incr = PL_ARENA_ALIGN(pool, incr); /* __APPLE__ more to be generic */ \
PRUword _p = _a->avail; \
- PRUword _q = _p + _incr; \
+ PRUword _q = (PRUword)p + size + incr; /*__APPLE__ */ \
if (_p == (PRUword)(p) + PL_ARENA_ALIGN(pool, size) && \
- _incr <= _a->limit - _a->avail) { /* __APPLE__ */\
- _a->avail = _q; \
+ _a->limit >= PL_ARENA_ALIGN(pool,_q)) { /* __APPLE__ */ \
+ _a->avail = PL_ARENA_ALIGN(pool, _q); /*__APPLE__ */ \
PL_ArenaCountInplaceGrowth(pool, size, incr); \
} else { \
p = PL_ArenaGrow(pool, p, size, incr); \
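Review bot: The new `PRUword _q = (PRUword)p + size + incr;` uses the macro arguments unparenthesised, unlike the original `typeof((incr))` and `PL_ARENA_ALIGN(pool, size)` forms, so an expression argument for `size` or `incr` can change meaning; write `(PRUword)(p) + (size) + (incr)`. More importantly, the replacement room check `_a->limit >= PL_ARENA_ALIGN(pool,_q)` is only correct if that sum does not wrap, whereas the removed `_incr <= _a->limit - _a->avail` compared against the available space without an addition that can overflow; keeping an overflow-safe form such as `(incr) <= _a->limit - _a->avail` next to the alignment adjustment preserves that property. `PL_ARENA_ALIGN(pool, _q)` is also evaluated twice; computing it once into a local avoids the duplicate work. The macro body continues past the hunk.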
else if (mNetworkPolicy == useNetworkDisabled)
actionDataP->ActionFlags &= ~(CSSM_TP_ACTION_FETCH_CERT_FROM_NET);
+ if (policySpecified(mPolicies, CSSMOID_APPLE_TP_ESCROW_SERVICE)) {
+ // ignore expiration dates, per rdar://21943474
+ actionDataP->ActionFlags |= (CSSM_TP_ACTION_ALLOW_EXPIRED |
+ CSSM_TP_ACTION_ALLOW_EXPIRED_ROOT);
+ }
+
/*
* Policies (one at least, please).
* For revocation policies, see if any have been explicitly specified...
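Review bot: The new escrow-service branch ORs `CSSM_TP_ACTION_ALLOW_EXPIRED | CSSM_TP_ACTION_ALLOW_EXPIRED_ROOT` into `actionDataP->ActionFlags` with only a radar number as justification, and because the flags apply to the whole evaluation they relax expiry checking for every policy in `mPolicies`, not just the escrow one. The comment should record why expired leaf and root certificates are acceptable for this policy and whether other policies are expected in the same evaluation, e.g. `// Escrow-service certificates are trusted via <reason>; expiry of leaf and root is intentionally ignored for this whole evaluation (rdar://21943474)` with the reason filled in. The hunk that swaps `SecPolicyAddBasicX509Options` for `SecPolicyAddBasicCertOptions` with the one-line `// X509, ignoring date validity` has the same gap and would benefit from the same kind of rationale. The enclosing function continues on both sides of this hunk.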
&kCFTypeDictionaryKeyCallBacks,
&kCFTypeDictionaryValueCallBacks), errOut);
- SecPolicyAddBasicX509Options(options);
+ // X509, ignoring date validity
+ SecPolicyAddBasicCertOptions(options);
add_ku(options, kSecKeyUsageKeyEncipherment);
# be sure to replace the certs in the corresponding keychain.
#
# Note: since the RSA MD2 root which signed the amazon.com certificate has
-# been removed from the System Roots keychain (<rdar://7880748>),
+# been removed from the System Roots keychain in (<rdar://7880748>),
# we are no longer checking the CSSM_CERT_STATUS_IS_IN_ANCHORS bit for that cert.
#
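Review bot: The inserted word in `removed from the System Roots keychain in (<rdar://7880748>)` leaves the sentence ungrammatical, since the radar reference was already parenthetical. Either drop the `in` again or write `removed from the System Roots keychain in <rdar://7880748>,` without the parentheses.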
globals
+This project is a copy of the normal Foundation command-line tool, and the differences are summarized below.
+
+It uses the standard Debug and Release configurations. Currently, command-line tools aren't supported in the Simulator.
+
+Thanks!
SecCmsRecipientInfoRef
SecCmsRecipientInfoCreate(SecCmsEnvelopedDataRef envd, SecCertificateRef cert)
{
- /* TODO: we might want to prefer subjkeyid */
+ /* TODO: We might want to prefer subjkeyid */
#if 0
SecCmsRecipientInfoRef info = SecCmsRecipientInfoCreateWithSubjKeyIDFromCert(envd, cert);
#include <System/sys/fileport.h>
#include <bsm/audit.h>
#include <bsm/audit_uevents.h> // AUE_ssauthint
+#include <membership.h>
+#include <membershipPriv.h>
#include <security_utilities/logging.h>
#include <security_utilities/mach++.h>
#include <stdlib.h>
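Review bot: The two new includes are added without the symbol annotation this include list uses (`#include <bsm/audit_uevents.h> // AUE_ssauthint`), and `membershipPriv.h` is a private header whose need is not obvious. Annotate them in the same style, e.g. `#include <membership.h> // mbr_*_name_to_uuid, mbr_check_membership` and `#include <membershipPriv.h> // <symbol it provides>`, so the private dependency can be dropped later if it turns out to be unnecessary.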
Reason
QueryKeychainAuth::accept(string &username, string &passphrase)
{
- const char *user = username.c_str();
- const char *passwd = passphrase.c_str();
- int checkpw_status = checkpw(user, passwd);
-
- if (checkpw_status != CHECKPW_SUCCESS)
+ // Note: QueryKeychainAuth currently requires that the
+ // specified user be in the admin group. If this requirement
+ // ever needs to change, the group name should be passed as
+ // a separate argument to this method.
+
+ const char *user = username.c_str();
+ const char *passwd = passphrase.c_str();
+ int checkpw_status = checkpw(user, passwd);
+
+ if (checkpw_status != CHECKPW_SUCCESS) {
return SecurityAgent::invalidPassphrase;
+ }
+
+ const char *group = "admin";
+ if (group) {
+ int rc, ismember;
+ uuid_t group_uuid, user_uuid;
+ rc = mbr_group_name_to_uuid(group, group_uuid);
+ if (rc) { return SecurityAgent::userNotInGroup; }
+
+ rc = mbr_user_name_to_uuid(user, user_uuid);
+ if (rc) { return SecurityAgent::userNotInGroup; }
+
+ rc = mbr_check_membership(user_uuid, group_uuid, &ismember);
+ if (rc || !ismember) { return SecurityAgent::userNotInGroup; }
+ }
return SecurityAgent::noReason;
}
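Review bot: `ismember` is declared uninitialised at `int rc, ismember;` and is only safe because `rc` is tested first in `if (rc || !ismember)`; initialising it and folding the three lookups into one guard removes that ordering dependence, and the `if (group)` test on the string literal `"admin"` is always true while the group is hard-coded. Reusing `rc` across three calls with three separate early returns also makes the failure path harder to read than a single condition. Note as well that the membership check runs only after `checkpw` has succeeded, so a caller outside the group still has the passphrase confirmed before being refused; if that ordering is intended for this agent, the new comment block is the place to say so.

```cpp
    // … unchanged: checkpw call and invalidPassphrase return …

    const char *group = "admin";
    uuid_t group_uuid, user_uuid;
    int ismember = 0;
    if (mbr_group_name_to_uuid(group, group_uuid) != 0 ||
        mbr_user_name_to_uuid(user, user_uuid) != 0 ||
        mbr_check_membership(user_uuid, group_uuid, &ismember) != 0 ||
        !ismember) {
        return SecurityAgent::userNotInGroup;
    }
    return SecurityAgent::noReason;
```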