Security-57337.50.23.tar.gz os-x-10115 v57337.50.23
authorApple <opensource@apple.com>
Sat, 16 Jul 2016 00:14:12 +0000 (00:14 +0000)
committerApple <opensource@apple.com>
Sat, 16 Jul 2016 00:14:12 +0000 (00:14 +0000)
43 files changed:
OSX/authd/authorization.plist
OSX/lib/en.lproj/authorization.prompts.strings
OSX/lib/security.exp-in
OSX/libsecurity_codesigning/lib/SecAssessment.cpp
OSX/libsecurity_codesigning/lib/SecAssessment.h
OSX/libsecurity_codesigning/lib/cdbuilder.h
OSX/libsecurity_codesigning/lib/policydb.cpp
OSX/libsecurity_codesigning/lib/policyengine.cpp
OSX/libsecurity_codesigning/lib/resources.cpp
OSX/libsecurity_codesigning/lib/signer.cpp
OSX/libsecurity_codesigning/lib/syspolicy.sql
OSX/libsecurity_keychain/lib/SecItemPriv.h
OSX/libsecurity_keychain/lib/SecPolicy.cpp
OSX/libsecurity_keychain/lib/SecPolicyPriv.h
OSX/libsecurity_keychain/lib/security_keychain.exp
OSX/libsecurity_keychain/libDER/libDER/oids.c
OSX/libsecurity_keychain/libDER/libDER/oidsPriv.h
OSX/sec/Security/Regressions/Security_regressions.h
OSX/sec/Security/Regressions/secitem/si-17-item-system-bluetooth.m
OSX/sec/Security/Regressions/secitem/si-92-sectrust-homekit.c [new file with mode: 0644]
OSX/sec/Security/Regressions/secitem/si-92-sectrust-homekit.h [new file with mode: 0644]
OSX/sec/Security/SecAccessControlExports.exp-in
OSX/sec/Security/SecExports.exp-in
OSX/sec/Security/SecItem.c
OSX/sec/Security/SecItemConstants.c
OSX/sec/Security/SecItemPriv.h
OSX/sec/Security/SecPolicy.c
OSX/sec/Security/SecPolicyPriv.h
OSX/sec/Security/SecSharedCredential.c
OSX/sec/ipc/securityd_client.h
OSX/sec/ipc/server.c
OSX/sec/sec.xcodeproj/project.pbxproj
OSX/sec/securityd/SecItemDb.c
OSX/sec/securityd/SecItemDb.h
OSX/sec/securityd/SecItemServer.c
OSX/sec/securityd/SecItemServer.h
OSX/sec/securityd/SecPolicyServer.c
OSX/sec/securityd/SecTrustServer.c
OSX/shared_regressions/si-82-sectrust-ct.c
OSX/utilities/src/SecDb.c
OSX/utilities/src/iOSforOSX-SecAttr.c
securityd/src/kcdatabase.cpp
securityd/src/kcdatabase.h

index 8406e487c799f7b34d319acf97979f000d0d63f1..4afb26f4399402d794f031b20961f80bef8da613 100644 (file)
@@ -206,6 +206,28 @@ See remaining rules for examples.
                        <key>timeout</key>
                        <integer>0</integer>
                </dict>
+        <key>com.apple.Safari.allow-apple-events-to-run-javascript</key>
+        <dict>
+            <key>class</key>
+            <string>user</string>
+            <key>comment</key>
+            <string>This right is used by Safari to allow Apple Events to run JavaScript on web pages.</string>
+            <key>session-owner</key>
+            <true/>
+            <key>shared</key>
+            <false/>
+        </dict>
+        <key>com.apple.Safari.allow-javascript-in-smart-search-field</key>
+        <dict>
+            <key>class</key>
+            <string>user</string>
+            <key>comment</key>
+            <string>This right is used by Safari to allow JavaScript to be used in the Smart Search Field.</string>
+            <key>session-owner</key>
+            <true/>
+            <key>shared</key>
+            <false/>
+        </dict>
                <key>com.apple.ServiceManagement.blesshelper</key>
                <dict>
                        <key>allow-root</key>
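Review bot: The two new Safari rights are indented with spaces while the neighbouring entries in this hunk use tabs, so the file now mixes both; re-indent the added `<dict>` blocks to match. Both rights omit keys such as `timeout` that the entry just above sets explicitly, so they presumably fall back to the authd defaults for `class user`; worth confirming that is intended rather than an omission, and stating it in the `comment` string if so.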
index a3831df4794c7f772741f5f59a343c8cbb6d086a..5fb742614b1723a2a768d66136253e4e3e8568c7 100644 (file)
 
 "com.apple.Safari.install-ephemeral-extensions" = "__APPNAME__ is trying to install an extension.";
 
+"com.apple.Safari.allow-apple-events-to-run-javascript" = "__APPNAME__ is trying to allow Apple Events to run JavaScript on web pages.";
+
+"com.apple.Safari.allow-javascript-in-smart-search-field" = "__APPNAME__ is trying to allow JavaScript to be used in the Smart Search Field.";
+
 "system.sharepoints." = "__APPNAME__ is trying to modify Sharing preferences.";
 
 "system.preferences.energysaver" = "__APPNAME__ is trying to unlock the Energy Saver preferences.";
index 39d7aed2150630b222a2e67cdf13791bc8cda5b3..d308e7aac0ec6cf432fe1fd2ded95afb1ba59381 100644 (file)
@@ -405,6 +405,7 @@ _kSecAssessmentContextKeyOperation
 _kSecAssessmentOperationTypeExecute
 _kSecAssessmentOperationTypeInstall
 _kSecAssessmentOperationTypeOpenDocument
+_kSecAssessmentContextKeyUTI
 _kSecAssessmentContextKeyFeedback
 _kSecAssessmentFeedbackProgress
 _kSecAssessmentFeedbackInfoCurrent
@@ -1776,6 +1777,7 @@ _SecPolicyCreateWithProperties
 _SecPolicyCreateAppleTimeStampingAndRevocationPolicies
 _SecPolicyCreateApplePackageSigning
 _SecPolicyCreateAppleSWUpdateSigning
+_SecPolicyCreateAppleHomeKitServerAuth
 _SecPolicyGetOID
 _SecPolicyGetTPHandle
 _SecPolicyGetTypeID
index c6129c7996a193ef61f54ae27189e2f231bd50ac..ff228381462a66036ad5ec5ec1300638f181606d 100644 (file)
@@ -126,6 +126,8 @@ ModuleNexus<PolicyEngine> gEngine;
 //
 // Policy evaluation ("assessment") operations
 //
+CFStringRef kSecAssessmentContextKeyUTI = CFSTR("context:uti");
+
 CFStringRef kSecAssessmentContextKeyFeedback = CFSTR("context:feedback");
 CFStringRef kSecAssessmentFeedbackProgress = CFSTR("feedback:progress");
 CFStringRef kSecAssessmentFeedbackInfoCurrent = CFSTR("current");
index 78d968320da3253549d3b39c6f4c904242df81b8..fb17a20e2bb1a748912b57598d61db614bc9d2cc 100644 (file)
@@ -136,6 +136,8 @@ enum {
        @constant kSecAssessmentContextKeyOperation Type of operation (see overview above). This defaults
                to the kSecAssessmentOperationTypeExecute.
  */
+extern CFStringRef kSecAssessmentContextKeyUTI;                        // caller determination of UTI for primary assessment subject
+
 extern CFStringRef kSecAssessmentContextKeyFeedback;   // feedback reporting block
 typedef Boolean (^SecAssessmentFeedback)(CFStringRef type, CFDictionaryRef information);
 extern CFStringRef kSecAssessmentFeedbackProgress;             // progress reporting feedback
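Review bot: The `@constant` documentation block that closes just above the new declaration is not extended for `kSecAssessmentContextKeyUTI`, so the trailing line comment is the only description callers get. Add an entry beside the `kSecAssessmentContextKeyOperation` one, e.g. `@constant kSecAssessmentContextKeyUTI Caller-supplied UTI of the primary assessment subject; when present it may change which validation checks apply.`, since this header is the public contract and the engine does alter its checks based on the value elsewhere in this commit.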
index c4de2bec09a4b6ad0c3ff8e7db69e9c12ecb169a..1c6d373de98b3dd22d2611a852517f5294827d4b 100644 (file)
@@ -63,6 +63,8 @@ public:
        size_t size(const uint32_t version);            // calculate size
        CodeDirectory *build();                                         // build CodeDirectory and return it
        const size_t fixedSize(const uint32_t version); // calculate fixed size of the CodeDirectory
+       
+       uint32_t hashType() const { return mHashType; }
 
        DynamicHash *getHash() const { return CodeDirectory::hashFor(this->mHashType); }
        
index be72b432e407c8e04c950727b5cd6e2caab91195..af49aa9e95e0da668c791e7a811442c547a4f83f 100644 (file)
@@ -273,6 +273,15 @@ void PolicyDatabase::upgradeDatabase()
                add.bind(":flags") = kAuthorityFlagDefault;
                add.execute();
        });
+       
+       simpleFeature("document rules", ^{
+               SQLite::Statement addApple(*this,
+                       "INSERT INTO authority (type, allow, flags, label, requirement) VALUES (3, 1, 2, 'Apple System', 'anchor apple')");
+               addApple.execute();
+               SQLite::Statement addDevID(*this,
+                       "INSERT INTO authority (type, allow, flags, label, requirement) VALUES (3, 1, 2, 'Developer ID', 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists')");
+               addDevID.execute();
+       });
 }
 
 
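Review bot: The two `INSERT` statements inside the new `"document rules"` feature block are a verbatim copy of the seed rows added to `syspolicy.sql` in this same commit, with nothing tying the two together; a comment such as `// keep in sync with the type 3 seed rows in syspolicy.sql` above `simpleFeature("document rules", ...)` would make that dependency visible to whoever edits either next. The statements are constant literals, so there is no injection surface here. The rest of `upgradeDatabase` lies outside the hunk.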
index cba2bdc40d7c9f1d43a5ae2a4b6b43eb069f5af5..3f49aebd6df6eb99be4f90dadf721d9d9c8f0fd2 100644 (file)
@@ -322,6 +322,15 @@ void PolicyEngine::evaluateCode(CFURLRef path, AuthorityType type, SecAssessment
        if (qtn.flag(QTN_FLAG_HARD))
                MacOSError::throwMe(errSecCSFileHardQuarantined);
        
+       // hack: if caller passed a UTI, use that to turn off app-only checks for some well-known ones
+       bool appOk = false;
+       if (CFStringRef uti = CFStringRef(CFDictionaryGetValue(context, kSecAssessmentContextKeyUTI))) {
+               appOk = CFEqual(uti, CFSTR("com.apple.systempreference.prefpane"))
+                       || CFEqual(uti, CFSTR("com.apple.systempreference.screen-saver"))
+                       || CFEqual(uti, CFSTR("com.apple.systempreference.screen-slide-saver"))
+                       || CFEqual(uti, CFSTR("com.apple.menu-extra"));
+       }
+       
        CFCopyRef<SecStaticCodeRef> code;
        MacOSError::check(SecStaticCodeCreateWithPath(path, kSecCSDefaultFlags, &code.aref()));
        
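Review bot: The exemption keyed on `kSecAssessmentContextKeyUTI` trusts a caller-supplied string with no cross-check against what actually sits at `path`, so `kSecCSRestrictToAppLike` (dropped in the second hunk of this file at `type == kAuthorityExecute && !appOk`) is waived for whatever the caller labels with one of the four listed UTIs. If that is acceptable because every caller of this entry point is trusted, the comment should say so instead of just `hack`; otherwise derive the UTI from the path inside the engine so the relaxation cannot be requested. It would also help to note that `context` is assumed non-NULL here, as `CFDictionaryGetValue` is called on it unconditionally and the earlier part of `evaluateCode` that would establish that is outside the hunk.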
@@ -377,7 +386,7 @@ void PolicyEngine::evaluateCode(CFURLRef path, AuthorityType type, SecAssessment
        
        // go for it!
        SecCSFlags topFlags = validationFlags | kSecCSCheckNestedCode | kSecCSRestrictSymlinks | kSecCSReportProgress;
-       if (type == kAuthorityExecute)
+       if (type == kAuthorityExecute && !appOk)
                topFlags |= kSecCSRestrictToAppLike;
        switch (rc = SecStaticCodeCheckValidity(code, topFlags, NULL)) {
        case errSecSuccess:             // continue below
index 490b1e07bb378d6dc4ca690dc3752b68d46078c7..c1efa959ce5d039785e2ab77fb47c6bb24aa469f 100644 (file)
@@ -396,6 +396,8 @@ const Hashing::Byte *ResourceSeal::hash(CodeDirectory::HashAlgorithm type) const
 {
        std::string name = ResourceBuilder::hashName(type);
        CFTypeRef hash = CFDictionaryGetValue(mDict, CFTempString(name));
+       if (hash == NULL)       // pre-agility fallback
+               hash = CFDictionaryGetValue(mDict, CFSTR("hash"));
        if (hash == NULL || CFGetTypeID(hash) != CFDataGetTypeID())
                MacOSError::throwMe(errSecCSResourcesInvalid);
        return CFDataGetBytePtr(CFDataRef(hash));
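Review bot: The new fallback to the legacy `hash` key is taken for any requested `type`, so a lookup for a non-SHA-1 algorithm can hand back a pointer to a digest of a different length than the caller expects, and this function exposes no length for the caller to check. After the `CFGetTypeID` test, compare `CFDataGetLength(CFDataRef(hash))` with the digest length that `type` implies and throw `errSecCSResourcesInvalid` on mismatch, so a pre-agility entry is never compared as if it were the requested digest. The closing brace of `ResourceSeal::hash` is outside the hunk.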
index 387f68b5535f1968b9b158527f4ef912863e1ae1..b0e14edb399fa85cb5c676ede26626cce40602d4 100644 (file)
@@ -546,13 +546,15 @@ void SecCodeSigner::Signer::signArchitectureAgnostic(const Requirement::Context
 
        // write out all CodeDirectories
        cdSet.populate(writer);
-       writer->flush();
 
        CFRef<CFArrayRef> hashes = cdSet.hashBag();
        CFTemp<CFDictionaryRef> hashDict("{cdhashes=%O}", hashes.get());
        CFRef<CFDataRef> hashBag = makeCFData(hashDict.get());
        CFRef<CFDataRef> signature = signCodeDirectory(cdSet.primary(), hashBag);
        writer->signature(signature);
+       
+       // commit to storage
+       writer->flush();
 }
 
 
@@ -600,7 +602,8 @@ void SecCodeSigner::Signer::populate(CodeDirectory::Builder &builder, DiskRep::W
        
        writer.addDiscretionary(builder);
        
-       if ((signingFlags() & (kSecCSSignOpaque|kSecCSSignV1)) == 0) {
+#if 0 // rdar://problem/25720754
+       if ((signingFlags() & (kSecCSSignOpaque|kSecCSSignV1)) == 0 && builder.hashType() != kSecCodeSignatureHashSHA1) {
                // calculate sorted list of top SuperBlob keys in this EmbeddedSignatureBlob (if any)
                // (but not for opaque or V1 construction, which must remain bit-for-bit compatible)
                std::vector<Endian<uint32_t> > slotVector;
@@ -615,6 +618,7 @@ void SecCodeSigner::Signer::populate(CodeDirectory::Builder &builder, DiskRep::W
                writer.component(cdTopDirectorySlot, cfSlotVector);
                builder.specialSlot(cdTopDirectorySlot, cfSlotVector);
        }
+#endif
 }
 
        
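Review bot: The whole top-directory-slot block is now wrapped in `#if 0 // rdar://problem/25720754`, which makes the newly added `builder.hashType() != kSecCodeSignatureHashSHA1` condition dead code, so a reader cannot tell whether the hash-type exclusion is the intended future behaviour or an abandoned attempt. Either drop the disabled block and rely on version control, or replace the bare radar reference with a short comment stating what breaks when the slot is emitted and under which condition it is meant to come back. `Signer::populate` starts before the hunk.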
index 745533f63c8d63c50093cca6aadf4348597a7617..23b5df15290a1b860265176237b48e18e581380d 100644 (file)
@@ -117,6 +117,8 @@ INSERT INTO feature (name, value, remarks)
        VALUES ('codesignedpackages', 'present', 'builtin');
 INSERT INTO feature (name, value, remarks)
        VALUES ('filter_unsigned', 'present', 'builtin');
+INSERT INTO feature (name, value, remarks)
+       VALUES ('document rules', 'present', 'builtin');
 
 
 --
@@ -149,6 +151,12 @@ insert into authority (type, allow, flags, label, requirement)
 insert into authority (type, allow, flags, label, requirement)
        values (2, 1, 2, 'Developer ID', 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and (certificate leaf[field.1.2.840.113635.100.6.1.14] or certificate leaf[field.1.2.840.113635.100.6.1.13])');
 
+-- Document signing
+insert into authority (type, allow, flags, label, requirement)
+       values (3, 1, 2, 'Apple System', 'anchor apple');
+insert into authority (type, allow, flags, label, requirement)
+values (3, 1, 2, 'Developer ID', 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists');
+
 
 --
 -- The cache table lists previously determined outcomes
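Review bot: The second `values (3, 1, 2, 'Developer ID', ...)` line in the `-- Document signing` block starts at column 0 while the `values` clause two lines above it and every other one in this file are tab-indented; indent it to match. These two rows duplicate the inserts that `PolicyDatabase::upgradeDatabase` issues for the `'document rules'` feature elsewhere in this commit, so a trailing comment such as `-- must match the 'document rules' upgrade in policydb.cpp` would help keep the two copies aligned.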
index 58ecbbe6a7f72ef1beddd79da43c882a6c036522..57593b816335135ae546f8c569475b1edfb26eca 100644 (file)
@@ -326,12 +326,18 @@ extern const CFStringRef kSecAttrViewHintThumper;
     @constant kSecUseCredentialReference Specifies a CFDataRef containing
         AppleCredentialManager reference handle to be used when authorizing access
         to the item.
+    @constant kSecUseCallerName Specifies a dictionary key whose value
+        is a CFStringRef that represents a user-visible string describing
+        the caller name for which the application is attempting to authenticate.
+        The caller must have 'com.apple.private.LocalAuthentication.CallerName'
+        entitlement set to YES to use this feature, otherwise it is ignored.
 */
 extern const CFStringRef kSecUseTombstones
     __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
 extern const CFStringRef kSecUseCredentialReference
     __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0);
-
+extern const CFStringRef kSecUseCallerName
+    __OSX_AVAILABLE(10.11.4) __IOS_AVAILABLE(9.3) __TVOS_AVAILABLE(9.3) __WATCHOS_AVAILABLE(2.3);
 
 /*!
     @function SecItemCopyDisplayNames
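Review bot: The availability annotation on the new `kSecUseCallerName` declaration uses the `__OSX_AVAILABLE(10.11.4) __IOS_AVAILABLE(9.3) ...` family, while the two declarations directly above it and the same-release `SecPolicyCreateAppleHomeKitServerAuth` declaration elsewhere in this commit use `__OSX_AVAILABLE_STARTING(__MAC_10_11_4, __IPHONE_9_3)`; pick one form per header. The `@constant` text is clear about the entitlement gate; it would also help to say where the string is shown (presumably the authentication UI, to be confirmed) so callers know what "user-visible" means in practice.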
index 95fc6f36fdcf761c47071d1199c08e7bb055ec59..e4515732c42fd2c1b6c110eb2b45eb6f0cb289bf 100644 (file)
@@ -857,6 +857,11 @@ SecPolicyRef SecPolicyCreateAppleAST2Service(CFStringRef hostname, CFDictionaryR
     return SecPolicyCreateSSL(true, hostname);
 }
 
+SecPolicyRef SecPolicyCreateAppleHomeKitServerAuth(CFStringRef hostname)
+{
+    return SecPolicyCreateSSL(true, hostname);
+}
+
 #if !SECTRUST_OSX
 /* new in 10.11 */
 SecPolicyRef SecPolicyCreateAppleATVAppSigning(void)
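Review bot: `SecPolicyCreateAppleHomeKitServerAuth` here returns a plain `SecPolicyCreateSSL(true, hostname)`, while the doc comment added to `SecPolicyPriv.h` in this commit promises Apple-root anchoring, intermediate and leaf marker OIDs, EKU and CRL checks. Presumably the pinning lives in the unified `SecPolicy.c` implementation and this is the legacy OSX keychain path, like `SecPolicyCreateAppleAST2Service` just above it, but nothing says so; a comment such as `// legacy OSX path: the pinning rules are enforced by the unified SecPolicy.c implementation` would stop a reader from assuming the marker-OID checks apply here.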
index 6243ab9e2f0200a4df2affada6dd8f09b34fb37d..bb4a60239988e1e87af486b837d359883df9fed3 100644 (file)
@@ -257,6 +257,27 @@ SecPolicyRef SecPolicyCreateOSXProvisioningProfileSigning(void)
 SecPolicyRef SecPolicyCreateAppleATVVPNProfileSigning(void)
     __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
 
+/*!
+ @function SecPolicyCreateAppleHomeKitServerAuth
+ @abstract Ensure we're appropriately pinned to the HomeKit service (SSL + Apple restrictions)
+ @param hostname Required; hostname to verify the certificate name against.
+ @discussion This policy uses the Basic X.509 policy with validity check
+ and pinning options:
+    * The chain is anchored to any of the production Apple Root CAs via full certificate
+    comparison. Test Apple Root CAs are permitted only on internal releases with defaults write.
+    * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.16
+    * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.9.
+    * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
+    extension or Common Name.
+    * The leaf is checked against the Black and Gray lists.
+    * The leaf has ExtendedKeyUsage with the ServerAuth OID.
+    * Revocation is checked via CRL.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
+ */
+SecPolicyRef SecPolicyCreateAppleHomeKitServerAuth(CFStringRef hostname)
+    __OSX_AVAILABLE_STARTING(__MAC_10_11_4, __IPHONE_9_3);
+
 #if defined(__cplusplus)
 }
 #endif
index 8672c7900d981632af43d6f74720e4f044779dca..e0fcb27d6d2843580797639a4616bdea03f4d469 100644 (file)
@@ -650,6 +650,7 @@ _SecPolicyCreateSSL
 _SecPolicyCreateWithOID
 _SecPolicyCreateWithProperties
 _SecPolicyCreateAppleTimeStampingAndRevocationPolicies
+_SecPolicyCreateAppleHomeKitServerAuth
 _SecPolicyGetOID
 _SecPolicyGetTPHandle
 _SecPolicyGetTypeID
index 2a65d35cdb6d2fc1aa78bb5303eff671676199f7..58bb7dd2e9324dbf75f95e257eb1267d93e77f03 100644 (file)
 #define APPLE_CERT_EXT_AST2_DIAGNOSTICS_SERVER_AUTH_TEST    APPLE_SERVER_AUTHENTICATION, 8, 1
 #define APPLE_CERT_EXT_AST2_DIAGNOSTICS_SERVER_AUTH_PROD    APPLE_SERVER_AUTHENTICATION, 8, 2
 
+/* HomeKit Server Authentication
+ *  Intermediate Marker OID: 1.2.840.113635.100.6.2.16
+ *  Leaf Marker OID: 1.2.840.113635.100.6.27.9
+ */
+#define APPLE_CERT_EXT_INTERMEDIATE_MARKER_APPLE_HOME_KIT_SERVER_AUTH   APPLE_CERT_EXT_INTERMEDIATE_MARKER, 16
+#define APPLE_CERT_EXT_HOME_KIT_SERVER_AUTH     APPLE_SERVER_AUTHENTICATION, 9
+
 /*
  * Netscape OIDs.
  */
@@ -547,7 +554,9 @@ __unused static const DERByte
     _oidAppleCertExtATVVPNProfileSigning[] = {APPLE_CERT_EXT_APPLE_ATV_VPN_PROFILE_SIGNING},
     _oidAppleCertExtCryptoServicesExtEncryption[] = {APPLE_CERT_EXT_CRYPTO_SERVICES_EXT_ENCRYPTION},
     _oidAppleCertExtAST2DiagnosticsServerAuthTest[] = {APPLE_CERT_EXT_AST2_DIAGNOSTICS_SERVER_AUTH_TEST},
-    _oidAppleCertExtAST2DiagnosticsServerAuthProd[] = {APPLE_CERT_EXT_AST2_DIAGNOSTICS_SERVER_AUTH_PROD};
+    _oidAppleCertExtAST2DiagnosticsServerAuthProd[] = {APPLE_CERT_EXT_AST2_DIAGNOSTICS_SERVER_AUTH_PROD},
+    _oidAppleCertExtHomeKitServerAuth[] = {APPLE_CERT_EXT_HOME_KIT_SERVER_AUTH},
+    _oidAppleIntmMarkerAppleHomeKitServerCA[] = {APPLE_CERT_EXT_INTERMEDIATE_MARKER_APPLE_HOME_KIT_SERVER_AUTH};
 
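Review bot: The two new OID arrays follow different naming schemes: `_oidAppleCertExtHomeKitServerAuth` mirrors its macro `APPLE_CERT_EXT_HOME_KIT_SERVER_AUTH`, but `_oidAppleIntmMarkerAppleHomeKitServerCA` neither matches its macro `APPLE_CERT_EXT_INTERMEDIATE_MARKER_APPLE_HOME_KIT_SERVER_AUTH` nor the `ServerAuth` suffix of its sibling, and the same pair of names is exported from `oidsPriv.h` in this commit. Renaming to something like `_oidAppleIntmMarkerAppleHomeKitServerAuth` (or aligning the macro) before the symbol is used elsewhere would avoid a permanent inconsistency.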
 __unused const DERItem
     oidSubjectKeyIdentifier         = { (DERByte *)_oidSubjectKeyIdentifier,
@@ -738,7 +747,11 @@ __unused const DERItem
     oidAppleCertExtAST2DiagnosticsServerAuthTest = { (DERByte *)_oidAppleCertExtAST2DiagnosticsServerAuthTest,
                                         sizeof(_oidAppleCertExtAST2DiagnosticsServerAuthTest)},
     oidAppleCertExtAST2DiagnosticsServerAuthProd = { (DERByte *)_oidAppleCertExtAST2DiagnosticsServerAuthProd,
-                                        sizeof(_oidAppleCertExtAST2DiagnosticsServerAuthProd)};
+                                        sizeof(_oidAppleCertExtAST2DiagnosticsServerAuthProd)},
+    oidAppleCertExtHomeKitServerAuth = { (DERByte *)_oidAppleCertExtHomeKitServerAuth,
+                                        sizeof(_oidAppleCertExtHomeKitServerAuth)},
+    oidAppleIntmMarkerAppleHomeKitServerCA = { (DERByte *)_oidAppleIntmMarkerAppleHomeKitServerCA,
+                                        sizeof(_oidAppleIntmMarkerAppleHomeKitServerCA) };
 
 
 
index 302459d5328eb4780b0064bcdd49306408deb6e2..8fa2f0b3bc12333b94d258ffd5876ec656195d57 100644 (file)
@@ -79,7 +79,9 @@ extern const DERItem
     oidAppleCertExtATVVPNProfileSigning,
     oidAppleCertExtCryptoServicesExtEncryption,
     oidAppleCertExtAST2DiagnosticsServerAuthTest,
-    oidAppleCertExtAST2DiagnosticsServerAuthProd;
+    oidAppleCertExtAST2DiagnosticsServerAuthProd,
+    oidAppleCertExtHomeKitServerAuth,
+    oidAppleIntmMarkerAppleHomeKitServerCA;
 
     /* Compare two decoded OIDs.  Returns true iff they are equivalent. */
     bool DEROidCompare(const DERItem *oid1, const DERItem *oid2);
index 035b3d77d0088edf29e323251f5e775adc2f0955..5a9ce794da577daf5c8b377202ddc25af9c5a05d 100644 (file)
@@ -21,7 +21,11 @@ ONE_TEST(si_20_sectrust_activation)
 ONE_TEST(si_20_sectrust)
 ONE_TEST(si_21_sectrust_asr)
 ONE_TEST(si_22_sectrust_iap)
+#if !TARGET_OS_WATCH
 ONE_TEST(si_23_sectrust_ocsp)
+#else
+DISABLED_ONE_TEST(si_23_sectrust_ocsp)
+#endif
 ONE_TEST(si_24_sectrust_itms)
 ONE_TEST(si_24_sectrust_nist)
 ONE_TEST(si_24_sectrust_otatasking)
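Review bot: `si_23_sectrust_ocsp` is switched to `DISABLED_ONE_TEST` under `TARGET_OS_WATCH` with no indication of why, and the next hunk does the same for `si_67_sectrust_blacklist`. A one-line comment on each `#if !TARGET_OS_WATCH`, of the form `/* disabled on watchOS: <reason> */` with the real reason filled in, keeps these from being silently forgotten; a reference to a tracking item would be better still if one exists.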
@@ -53,7 +57,11 @@ ONE_TEST(si_63_scep)
 ONE_TEST(si_64_ossl_cms)
 ONE_TEST(si_65_cms_cert_policy)
 ONE_TEST(si_66_smime)
+#if !TARGET_OS_WATCH
 ONE_TEST(si_67_sectrust_blacklist)
+#else
+DISABLED_ONE_TEST(si_67_sectrust_blacklist)
+#endif
 ONE_TEST(si_68_secmatchissuer)
 ONE_TEST(si_69_keydesc)
 ONE_TEST(si_70_sectrust_unified)
@@ -90,6 +98,7 @@ ONE_TEST(si_88_sectrust_vpnprofile)
 ONE_TEST(si_89_cms_hash_agility)
 ONE_TEST(si_90_emcs)
 ONE_TEST(si_91_sectrust_ast2)
+ONE_TEST(si_92_sectrust_homekit)
 
 ONE_TEST(vmdh_40)
 ONE_TEST(vmdh_41_example)
index a0701bf5c9670323b76b73116be993c99fdcb312..33c164f20742d32edea73a1f446deb9ec70e4d28 100644 (file)
@@ -78,7 +78,7 @@ static void tests(void)
                   (__bridge id)kSecUseSystemKeychain : @YES,
                   };
         
-        is(SecItemCopyMatching((CFTypeRef)query, NULL), multiUser ? noErr : errSecItemNotFound, "Blue tooth item - system keychain");
+        is(SecItemCopyMatching((CFTypeRef)query, NULL), noErr, "Blue tooth item - system keychain");
     }
 }
 
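Review bot: With the expected status now unconditionally `noErr`, `multiUser` is no longer consulted by this assertion; if that was its last use inside `tests()`, the variable and whatever computes it (outside the hunk) are now dead and should go. A short comment next to the `is(...)` explaining why a system-keychain lookup is expected to succeed on single-user configurations too would make the changed expectation reviewable later.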
diff --git a/OSX/sec/Security/Regressions/secitem/si-92-sectrust-homekit.c b/OSX/sec/Security/Regressions/secitem/si-92-sectrust-homekit.c
new file mode 100644 (file)
index 0000000..e879e3f
--- /dev/null
@@ -0,0 +1,109 @@
+/*
+ * Copyright (c) 2016 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#include <CoreFoundation/CoreFoundation.h>
+#include <Security/Security.h>
+#include <Security/SecCertificatePriv.h>
+#include <Security/SecPolicyPriv.h>
+
+#include "utilities/SecCFRelease.h"
+#include "utilities/SecCFWrappers.h"
+
+#include "Security_regressions.h"
+
+#include "si-92-sectrust-homekit.h"
+
+static void tests(void)
+{
+    SecTrustRef trust = NULL;
+    SecPolicyRef policy = NULL;
+    SecCertificateRef cert0 = NULL, cert1 = NULL, rootcert = NULL;
+    SecTrustResultType trustResult;
+    CFArrayRef certs = NULL, anchor_certs = NULL;
+
+    isnt(cert0 = SecCertificateCreateWithBytes(NULL, _AppleHomeKitUATServer, sizeof(_AppleHomeKitUATServer)), NULL, "create cert0");
+    isnt(cert1 = SecCertificateCreateWithBytes(NULL, _AppleHomeKitCA, sizeof(_AppleHomeKitCA)), NULL, "create cert1");
+    isnt(rootcert = SecCertificateCreateWithBytes(NULL, _AppleG3Root, sizeof(_AppleG3Root)), NULL, "create root cert");
+
+    const void *v_certs[] = { cert0, cert1 };
+    certs = CFArrayCreate(NULL, v_certs, sizeof(v_certs)/sizeof(*v_certs), &kCFTypeArrayCallBacks);
+    anchor_certs = CFArrayCreate(NULL, (const void**)&rootcert, 1, &kCFTypeArrayCallBacks);
+
+    /* Set explicit verify date: 12 February 2016 */
+    CFDateRef date = NULL;
+    isnt(date = CFDateCreate(NULL, 476992610.0), NULL, "Create verify date");
+
+    /* Evaluate production certs with policy. Should succeed.*/
+    isnt(policy = SecPolicyCreateAppleHomeKitServerAuth(CFSTR("homekit.accessories-qa.apple.com")), NULL, "create policy");
+
+    ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "create trust");
+    ok_status(SecTrustSetAnchorCertificates(trust, anchor_certs), "set anchor");
+    ok_status(SecTrustSetVerifyDate(trust, date), "set date");
+
+    ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
+    is_status(trustResult, kSecTrustResultUnspecified, "trustResult is kSecTrustResultUnspecified");
+    is(SecTrustGetCertificateCount(trust), 3, "cert count is 3");
+
+    CFReleaseSafe(trust);
+    CFReleaseSafe(certs);
+    CFReleaseSafe(cert0);
+    CFReleaseSafe(cert1);
+    CFReleaseSafe(anchor_certs);
+    CFReleaseSafe(rootcert);
+
+    /* Evaluate certs with a different profile against this test. Should fail. */
+    isnt(cert0 = SecCertificateCreateWithBytes(NULL, _testLeaf, sizeof(_testLeaf)), NULL, "create cert0");
+    isnt(cert1 = SecCertificateCreateWithBytes(NULL, _testServerAuthCA, sizeof(_testServerAuthCA)), NULL, "create cert1");
+    isnt(rootcert = SecCertificateCreateWithBytes(NULL, _testRoot, sizeof(_testRoot)), NULL, "create root cert");
+
+    const void *v_certs2[] = { cert0, cert1 };
+    certs = CFArrayCreate(NULL, v_certs2, sizeof(v_certs2)/sizeof(*v_certs2), &kCFTypeArrayCallBacks);
+    anchor_certs = CFArrayCreate(NULL, (const void**)&rootcert, 1, &kCFTypeArrayCallBacks);
+
+    ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "create trust");
+    ok_status(SecTrustSetAnchorCertificates(trust, anchor_certs), "set anchor");
+    ok_status(SecTrustSetVerifyDate(trust, date), "set date");
+
+    ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
+    is_status(trustResult, kSecTrustResultRecoverableTrustFailure, "trustResult is kSecTrustResultRecoverableTrustFailure");
+
+    CFReleaseSafe(date);
+    CFReleaseSafe(trust);
+    CFReleaseSafe(policy);
+    CFReleaseSafe(certs);
+    CFReleaseSafe(cert0);
+    CFReleaseSafe(cert1);
+    CFReleaseSafe(anchor_certs);
+    CFReleaseSafe(rootcert);
+
+}
+
+
+int si_92_sectrust_homekit(int argc, char *const *argv)
+{
+    plan_tests(19);
+
+    tests();
+
+    return 0;
+}
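Review bot: The negative case only checks that a chain from a different profile yields `kSecTrustResultRecoverableTrustFailure`, which any of the documented pinning rules (anchor, marker OIDs, EKU, hostname) could produce, so the test cannot tell which check did the work; a second negative case that evaluates the genuine HomeKit chain against a policy built with a non-matching hostname (for example a constructed `CFSTR("example.invalid")`) would pin the hostname rule specifically. The certificate arrays this file pulls in from `si-92-sectrust-homekit.h` are defined there as non-static, non-const `unsigned char` arrays in a header, so including that header from a second translation unit would produce duplicate symbols; `static const unsigned char` is the usual form for test fixtures. `plan_tests(19)` does match the nineteen assertions as written.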
diff --git a/OSX/sec/Security/Regressions/secitem/si-92-sectrust-homekit.h b/OSX/sec/Security/Regressions/secitem/si-92-sectrust-homekit.h
new file mode 100644 (file)
index 0000000..0f68a42
--- /dev/null
@@ -0,0 +1,409 @@
+/*
+ * Copyright (c) 2016 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+
+#ifndef si_92_sectrust_homekit_h
+#define si_92_sectrust_homekit_h
+
+#include <stdio.h>
+
+/* subject:/CN=Apple Root CA - G3/OU=Apple Certification Authority/O=Apple Inc./C=US */
+/* issuer :/CN=Apple Root CA - G3/OU=Apple Certification Authority/O=Apple Inc./C=US */
+unsigned char _AppleG3Root[]={
+    0x30,0x82,0x02,0x43,0x30,0x82,0x01,0xC9,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x2D,
+    0xC5,0xFC,0x88,0xD2,0xC5,0x4B,0x95,0x30,0x0A,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,
+    0x04,0x03,0x03,0x30,0x67,0x31,0x1B,0x30,0x19,0x06,0x03,0x55,0x04,0x03,0x0C,0x12,
+    0x41,0x70,0x70,0x6C,0x65,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x20,0x2D,0x20,
+    0x47,0x33,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B,0x0C,0x1D,0x41,0x70,0x70,
+    0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,
+    0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x13,0x30,0x11,0x06,0x03,
+    0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,
+    0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x1E,0x17,0x0D,
+    0x31,0x34,0x30,0x34,0x33,0x30,0x31,0x38,0x31,0x39,0x30,0x36,0x5A,0x17,0x0D,0x33,
+    0x39,0x30,0x34,0x33,0x30,0x31,0x38,0x31,0x39,0x30,0x36,0x5A,0x30,0x67,0x31,0x1B,
+    0x30,0x19,0x06,0x03,0x55,0x04,0x03,0x0C,0x12,0x41,0x70,0x70,0x6C,0x65,0x20,0x52,
+    0x6F,0x6F,0x74,0x20,0x43,0x41,0x20,0x2D,0x20,0x47,0x33,0x31,0x26,0x30,0x24,0x06,
+    0x03,0x55,0x04,0x0B,0x0C,0x1D,0x41,0x70,0x70,0x6C,0x65,0x20,0x43,0x65,0x72,0x74,
+    0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,
+    0x69,0x74,0x79,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,
+    0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,
+    0x06,0x13,0x02,0x55,0x53,0x30,0x76,0x30,0x10,0x06,0x07,0x2A,0x86,0x48,0xCE,0x3D,
+    0x02,0x01,0x06,0x05,0x2B,0x81,0x04,0x00,0x22,0x03,0x62,0x00,0x04,0x98,0xE9,0x2F,
+    0x3D,0x40,0x72,0xA4,0xED,0x93,0x22,0x72,0x81,0x13,0x1C,0xDD,0x10,0x95,0xF1,0xC5,
+    0xA3,0x4E,0x71,0xDC,0x14,0x16,0xD9,0x0E,0xE5,0xA6,0x05,0x2A,0x77,0x64,0x7B,0x5F,
+    0x4E,0x38,0xD3,0xBB,0x1C,0x44,0xB5,0x7F,0xF5,0x1F,0xB6,0x32,0x62,0x5D,0xC9,0xE9,
+    0x84,0x5B,0x4F,0x30,0x4F,0x11,0x5A,0x00,0xFD,0x58,0x58,0x0C,0xA5,0xF5,0x0F,0x2C,
+    0x4D,0x07,0x47,0x13,0x75,0xDA,0x97,0x97,0x97,0x6F,0x31,0x5C,0xED,0x2B,0x9D,0x7B,
+    0x20,0x3B,0xD8,0xB9,0x54,0xD9,0x5E,0x99,0xA4,0x3A,0x51,0x0A,0x31,0xA3,0x42,0x30,
+    0x40,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0xBB,0xB0,0xDE,0xA1,
+    0x58,0x33,0x88,0x9A,0xA4,0x8A,0x99,0xDE,0xBE,0xBD,0xEB,0xAF,0xDA,0xCB,0x24,0xAB,
+    0x30,0x0F,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x05,0x30,0x03,0x01,0x01,
+    0xFF,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x01,
+    0x06,0x30,0x0A,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x03,0x03,0x68,0x00,
+    0x30,0x65,0x02,0x31,0x00,0x83,0xE9,0xC1,0xC4,0x16,0x5E,0x1A,0x5D,0x34,0x18,0xD9,
+    0xED,0xEF,0xF4,0x6C,0x0E,0x00,0x46,0x4B,0xB8,0xDF,0xB2,0x46,0x11,0xC5,0x0F,0xFD,
+    0xE6,0x7A,0x8C,0xA1,0xA6,0x6B,0xCE,0xC2,0x03,0xD4,0x9C,0xF5,0x93,0xC6,0x74,0xB8,
+    0x6A,0xDF,0xAA,0x23,0x15,0x02,0x30,0x6D,0x66,0x8A,0x10,0xCA,0xD4,0x0D,0xD4,0x4F,
+    0xCD,0x8D,0x43,0x3E,0xB4,0x8A,0x63,0xA5,0x33,0x6E,0xE3,0x6D,0xDA,0x17,0xB7,0x64,
+    0x1F,0xC8,0x53,0x26,0xF9,0x88,0x62,0x74,0x39,0x0B,0x17,0x5B,0xCB,0x51,0xA8,0x0C,
+    0xE8,0x18,0x03,0xE7,0xA2,0xB2,0x28,
+};
+
+/* subject:/CN=Apple HomeKit Server CA/OU=Apple Certification Authority/O=Apple Inc./C=US */
+/* issuer :/CN=Apple Root CA - G3/OU=Apple Certification Authority/O=Apple Inc./C=US */
+unsigned char _AppleHomeKitCA[]={
+    0x30,0x82,0x02,0x98,0x30,0x82,0x02,0x1F,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x37,
+    0xF6,0xF8,0x7D,0xFB,0xC3,0xD4,0x92,0x30,0x0A,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,
+    0x04,0x03,0x02,0x30,0x67,0x31,0x1B,0x30,0x19,0x06,0x03,0x55,0x04,0x03,0x0C,0x12,
+    0x41,0x70,0x70,0x6C,0x65,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x20,0x2D,0x20,
+    0x47,0x33,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B,0x0C,0x1D,0x41,0x70,0x70,
+    0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,
+    0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x13,0x30,0x11,0x06,0x03,
+    0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,
+    0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x1E,0x17,0x0D,
+    0x31,0x36,0x30,0x32,0x30,0x39,0x32,0x30,0x30,0x36,0x33,0x30,0x5A,0x17,0x0D,0x33,
+    0x31,0x30,0x32,0x30,0x39,0x32,0x30,0x30,0x36,0x33,0x30,0x5A,0x30,0x6C,0x31,0x20,
+    0x30,0x1E,0x06,0x03,0x55,0x04,0x03,0x0C,0x17,0x41,0x70,0x70,0x6C,0x65,0x20,0x48,
+    0x6F,0x6D,0x65,0x4B,0x69,0x74,0x20,0x53,0x65,0x72,0x76,0x65,0x72,0x20,0x43,0x41,
+    0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B,0x0C,0x1D,0x41,0x70,0x70,0x6C,0x65,
+    0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,
+    0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,
+    0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x0B,0x30,
+    0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x59,0x30,0x13,0x06,0x07,
+    0x2A,0x86,0x48,0xCE,0x3D,0x02,0x01,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,
+    0x07,0x03,0x42,0x00,0x04,0xD5,0x1A,0xFF,0x7F,0xA9,0x84,0x21,0x33,0x22,0x0A,0xD0,
+    0x05,0x76,0x70,0x09,0xCE,0x59,0x65,0xF6,0x4F,0x53,0xD6,0x0D,0x76,0x90,0xC1,0x6E,
+    0xF7,0x8D,0x40,0x32,0xF1,0xB6,0x91,0x06,0xAF,0x51,0xE4,0xF0,0xA7,0x45,0x9C,0xD0,
+    0xD8,0x6C,0x23,0x26,0x5A,0x05,0x6A,0x6C,0x07,0x4F,0x9C,0x81,0xEE,0x58,0xB0,0x18,
+    0x41,0x58,0x9C,0x85,0xFC,0xA3,0x81,0xAF,0x30,0x81,0xAC,0x30,0x1D,0x06,0x03,0x55,
+    0x1D,0x0E,0x04,0x16,0x04,0x14,0x9C,0x6A,0xFA,0xC5,0x96,0x06,0x60,0xAC,0x69,0x67,
+    0xDD,0x5E,0x81,0xF9,0xDD,0xCA,0x9B,0x2E,0x3A,0x1E,0x30,0x0F,0x06,0x03,0x55,0x1D,
+    0x13,0x01,0x01,0xFF,0x04,0x05,0x30,0x03,0x01,0x01,0xFF,0x30,0x1F,0x06,0x03,0x55,
+    0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xBB,0xB0,0xDE,0xA1,0x58,0x33,0x88,0x9A,
+    0xA4,0x8A,0x99,0xDE,0xBE,0xBD,0xEB,0xAF,0xDA,0xCB,0x24,0xAB,0x30,0x37,0x06,0x03,
+    0x55,0x1D,0x1F,0x04,0x30,0x30,0x2E,0x30,0x2C,0xA0,0x2A,0xA0,0x28,0x86,0x26,0x68,
+    0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x72,0x6C,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,
+    0x63,0x6F,0x6D,0x2F,0x61,0x70,0x70,0x6C,0x65,0x72,0x6F,0x6F,0x74,0x63,0x61,0x67,
+    0x33,0x2E,0x63,0x72,0x6C,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,
+    0x04,0x03,0x02,0x01,0x06,0x30,0x10,0x06,0x0A,0x2A,0x86,0x48,0x86,0xF7,0x63,0x64,
+    0x06,0x02,0x10,0x04,0x02,0x05,0x00,0x30,0x0A,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,
+    0x04,0x03,0x02,0x03,0x67,0x00,0x30,0x64,0x02,0x30,0x35,0x1E,0xFD,0xB4,0xE4,0x6A,
+    0xFD,0x0C,0xA7,0xED,0x5E,0xA9,0x17,0x9E,0x6D,0x81,0x2F,0x35,0x0F,0x09,0x9F,0x7C,
+    0x4A,0x02,0xE1,0x25,0x47,0x9D,0xAF,0x7B,0xD3,0x59,0x4F,0x43,0x5A,0xDC,0xFA,0x79,
+    0xC2,0x26,0xFC,0x57,0x21,0xEF,0x3B,0x90,0x60,0xB5,0x02,0x30,0x4E,0x6B,0x0E,0xF2,
+    0xCF,0xCF,0x68,0x0E,0x9C,0x0D,0x58,0xB4,0x98,0x3D,0x89,0xAD,0xD1,0x71,0x76,0x1C,
+    0xCA,0x7A,0x12,0x2F,0xC2,0xCF,0xF0,0x7D,0x1B,0xDB,0x94,0xFD,0xBD,0x3D,0x6D,0x63,
+    0x21,0x8D,0xC2,0x8A,0x38,0x6B,0x7E,0xB4,0x0D,0xC7,0x72,0xC1,
+};
+
+/* subject:/CN=homekit.accessories-qa.apple.com/OU=Embedded Core Technology QA/O=Apple Inc./C=US */
+/* issuer :/CN=Apple HomeKit Server CA/OU=Apple Certification Authority/O=Apple Inc./C=US */
+unsigned char _AppleHomeKitUATServer[792]={
+    0x30,0x82,0x03,0x14,0x30,0x82,0x02,0xBB,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x61,
+    0xE7,0xC3,0x29,0xAE,0x15,0xAB,0xC8,0x30,0x0A,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,
+    0x04,0x03,0x02,0x30,0x6C,0x31,0x20,0x30,0x1E,0x06,0x03,0x55,0x04,0x03,0x0C,0x17,
+    0x41,0x70,0x70,0x6C,0x65,0x20,0x48,0x6F,0x6D,0x65,0x4B,0x69,0x74,0x20,0x53,0x65,
+    0x72,0x76,0x65,0x72,0x20,0x43,0x41,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B,
+    0x0C,0x1D,0x41,0x70,0x70,0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,
+    0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,
+    0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,
+    0x49,0x6E,0x63,0x2E,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,
+    0x53,0x30,0x1E,0x17,0x0D,0x31,0x36,0x30,0x32,0x31,0x31,0x30,0x30,0x34,0x32,0x30,
+    0x32,0x5A,0x17,0x0D,0x31,0x37,0x30,0x33,0x31,0x32,0x30,0x30,0x34,0x32,0x30,0x32,
+    0x5A,0x30,0x73,0x31,0x29,0x30,0x27,0x06,0x03,0x55,0x04,0x03,0x0C,0x20,0x68,0x6F,
+    0x6D,0x65,0x6B,0x69,0x74,0x2E,0x61,0x63,0x63,0x65,0x73,0x73,0x6F,0x72,0x69,0x65,
+    0x73,0x2D,0x71,0x61,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x31,0x24,
+    0x30,0x22,0x06,0x03,0x55,0x04,0x0B,0x0C,0x1B,0x45,0x6D,0x62,0x65,0x64,0x64,0x65,
+    0x64,0x20,0x43,0x6F,0x72,0x65,0x20,0x54,0x65,0x63,0x68,0x6E,0x6F,0x6C,0x6F,0x67,
+    0x79,0x20,0x51,0x41,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,
+    0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,
+    0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x59,0x30,0x13,0x06,0x07,0x2A,0x86,0x48,0xCE,
+    0x3D,0x02,0x01,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x07,0x03,0x42,0x00,
+    0x04,0xC4,0xFE,0x35,0x16,0x5B,0x50,0x66,0x3B,0x28,0xFA,0x77,0x2B,0x59,0x67,0x7F,
+    0xDD,0x83,0x1C,0xC7,0x10,0x71,0x6D,0xA8,0x82,0x08,0xE0,0x81,0x21,0x86,0x6B,0x18,
+    0x17,0xE9,0x38,0xB6,0x42,0xC0,0xDE,0x6C,0x81,0x23,0x16,0x2C,0xE3,0x3C,0x6C,0x71,
+    0x63,0x45,0xBF,0x14,0x82,0xB5,0xBC,0x59,0x34,0x47,0x86,0x83,0xC0,0xC4,0x4D,0x48,
+    0x11,0xA3,0x82,0x01,0x3E,0x30,0x82,0x01,0x3A,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,
+    0x04,0x16,0x04,0x14,0x24,0xCD,0x2A,0x09,0xD1,0xAD,0x73,0x19,0x8C,0x0C,0x2A,0xA0,
+    0x7B,0xEE,0x21,0x36,0x96,0x82,0x48,0x8E,0x30,0x0C,0x06,0x03,0x55,0x1D,0x13,0x01,
+    0x01,0xFF,0x04,0x02,0x30,0x00,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,
+    0x16,0x80,0x14,0x9C,0x6A,0xFA,0xC5,0x96,0x06,0x60,0xAC,0x69,0x67,0xDD,0x5E,0x81,
+    0xF9,0xDD,0xCA,0x9B,0x2E,0x3A,0x1E,0x30,0x36,0x06,0x03,0x55,0x1D,0x1F,0x04,0x2F,
+    0x30,0x2D,0x30,0x2B,0xA0,0x29,0xA0,0x27,0x86,0x25,0x68,0x74,0x74,0x70,0x3A,0x2F,
+    0x2F,0x63,0x72,0x6C,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x2F,0x68,
+    0x6B,0x73,0x65,0x72,0x76,0x65,0x72,0x61,0x75,0x74,0x68,0x2E,0x63,0x72,0x6C,0x30,
+    0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x03,0x88,0x30,
+    0x13,0x06,0x03,0x55,0x1D,0x25,0x04,0x0C,0x30,0x0A,0x06,0x08,0x2B,0x06,0x01,0x05,
+    0x05,0x07,0x03,0x01,0x30,0x7B,0x06,0x03,0x55,0x1D,0x11,0x04,0x74,0x30,0x72,0x82,
+    0x20,0x68,0x6F,0x6D,0x65,0x6B,0x69,0x74,0x2E,0x61,0x63,0x63,0x65,0x73,0x73,0x6F,
+    0x72,0x69,0x65,0x73,0x2D,0x71,0x61,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,
+    0x6D,0x82,0x25,0x70,0x61,0x73,0x73,0x2E,0x68,0x6F,0x6D,0x65,0x6B,0x69,0x74,0x2E,
+    0x61,0x63,0x63,0x65,0x73,0x73,0x6F,0x72,0x69,0x65,0x73,0x2D,0x71,0x61,0x2E,0x61,
+    0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x82,0x27,0x72,0x65,0x70,0x6F,0x72,0x74,
+    0x2E,0x68,0x6F,0x6D,0x65,0x6B,0x69,0x74,0x2E,0x61,0x63,0x63,0x65,0x73,0x73,0x6F,
+    0x72,0x69,0x65,0x73,0x2D,0x71,0x61,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,
+    0x6D,0x30,0x10,0x06,0x0A,0x2A,0x86,0x48,0x86,0xF7,0x63,0x64,0x06,0x1B,0x09,0x04,
+    0x02,0x05,0x00,0x30,0x0A,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x02,0x03,
+    0x47,0x00,0x30,0x44,0x02,0x20,0x71,0x18,0xBA,0xDB,0x3D,0x3F,0x0C,0x54,0xA7,0xC4,
+    0x79,0x6A,0x95,0x7D,0x0F,0xBC,0xFC,0x58,0x19,0xC4,0x2A,0xCC,0x17,0xA3,0xE3,0x18,
+    0xA8,0xD2,0x9C,0xE0,0xCE,0x50,0x02,0x20,0x39,0x02,0x7B,0x84,0x19,0xE4,0x6B,0x58,
+    0xFC,0xB8,0xB1,0x48,0xB1,0x5B,0x26,0xD9,0x70,0x10,0xCC,0x9C,0x4C,0x06,0x8C,0x73,
+    0xCB,0xC7,0xAA,0x28,0xA7,0x25,0x2A,0x6F,
+};
+
+/* subject:/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Test Apple Root CA */
+/* issuer :/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Test Apple Root CA */
+unsigned char _testRoot[1232]={
+    0x30,0x82,0x04,0xCC,0x30,0x82,0x03,0xB4,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x3D,
+    0x00,0x4B,0x90,0x3E,0xDE,0xE0,0xD0,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,
+    0x0D,0x01,0x01,0x05,0x05,0x00,0x30,0x67,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,
+    0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,
+    0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x26,0x30,0x24,0x06,0x03,
+    0x55,0x04,0x0B,0x0C,0x1D,0x41,0x70,0x70,0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69,
+    0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,
+    0x74,0x79,0x31,0x1B,0x30,0x19,0x06,0x03,0x55,0x04,0x03,0x0C,0x12,0x54,0x65,0x73,
+    0x74,0x20,0x41,0x70,0x70,0x6C,0x65,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x30,
+    0x1E,0x17,0x0D,0x31,0x35,0x30,0x34,0x32,0x32,0x30,0x32,0x31,0x35,0x34,0x38,0x5A,
+    0x17,0x0D,0x33,0x35,0x30,0x32,0x30,0x39,0x32,0x31,0x34,0x30,0x33,0x36,0x5A,0x30,
+    0x67,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,
+    0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,
+    0x6E,0x63,0x2E,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B,0x0C,0x1D,0x41,0x70,
+    0x70,0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,
+    0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x1B,0x30,0x19,0x06,
+    0x03,0x55,0x04,0x03,0x0C,0x12,0x54,0x65,0x73,0x74,0x20,0x41,0x70,0x70,0x6C,0x65,
+    0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09,
+    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00,
+    0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xC7,0xD1,0x43,0x53,0x7F,0x0D,0x88,
+    0x6B,0xE6,0xB1,0x67,0x9D,0xEE,0x67,0xB6,0xE7,0x77,0x12,0x81,0xC4,0xDF,0x24,0x6B,
+    0x7A,0x75,0x24,0xF7,0x01,0x09,0xCE,0x34,0x92,0xF5,0x38,0x08,0x42,0x7E,0xEC,0x9D,
+    0xF2,0x5D,0x38,0x91,0xB4,0x93,0x98,0x35,0x11,0x3C,0x98,0x00,0x77,0xD9,0xD7,0xF3,
+    0x4A,0xF8,0xF0,0xBC,0xEB,0x97,0x5D,0x4B,0x61,0x2E,0xFB,0xC5,0xCC,0x68,0xB7,0x6D,
+    0x69,0x10,0xCC,0xA5,0x61,0x78,0xA8,0x81,0x02,0x9E,0xE7,0x63,0xC5,0xFF,0x29,0x22,
+    0x82,0x68,0xAA,0xAA,0x0E,0xFB,0xA9,0xD8,0x16,0x73,0x25,0xBF,0x9D,0x08,0x62,0x2F,
+    0x78,0x04,0xF6,0xF6,0x44,0x07,0x37,0x6E,0x99,0x1B,0x93,0xD8,0x7F,0xEE,0x72,0xDE,
+    0xE8,0x32,0xF6,0x6D,0x78,0x04,0xA0,0xA8,0x21,0x26,0x8A,0x32,0xE3,0xB1,0x65,0x85,
+    0xA1,0x7B,0x1A,0xA9,0x02,0xB2,0xBB,0xEE,0xDD,0xDD,0x8F,0x41,0x49,0xC8,0x3F,0xDC,
+    0x1E,0xDF,0x21,0xA3,0x95,0x99,0xBB,0xFC,0x29,0xBA,0x40,0x43,0xB9,0x1C,0xCD,0xC9,
+    0x21,0x45,0x73,0xAD,0xFF,0xFD,0xA2,0x6C,0x5C,0x3B,0x1C,0x37,0x91,0x34,0x8E,0x5C,
+    0xD3,0xD5,0x03,0x58,0x28,0xC7,0xF2,0x76,0x6F,0x11,0xC0,0xB5,0xBD,0x7E,0xEF,0x23,
+    0xB3,0x3D,0xB8,0xBD,0x38,0x66,0x8C,0xF2,0x78,0x95,0xC1,0x8B,0x32,0x65,0x3A,0x9B,
+    0x49,0x1A,0x5C,0x41,0x3C,0xC6,0x85,0x50,0xEC,0x85,0xF0,0x59,0x17,0x81,0xE8,0x96,
+    0xE8,0x6A,0xCC,0xB3,0xC7,0x46,0xBF,0x81,0x48,0xD1,0x09,0x1B,0xBC,0x73,0x1E,0xD7,
+    0xE8,0x27,0xA8,0x49,0x48,0xA2,0x1C,0x41,0x1D,0x02,0x03,0x01,0x00,0x01,0xA3,0x82,
+    0x01,0x7A,0x30,0x82,0x01,0x76,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,
+    0x14,0x59,0xB8,0x2B,0x94,0x3A,0x1B,0xBA,0xF1,0x00,0xAE,0xEE,0x50,0x52,0x23,0x33,
+    0xC9,0x59,0xC3,0x54,0x98,0x30,0x0F,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,
+    0x05,0x30,0x03,0x01,0x01,0xFF,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,
+    0x16,0x80,0x14,0x59,0xB8,0x2B,0x94,0x3A,0x1B,0xBA,0xF1,0x00,0xAE,0xEE,0x50,0x52,
+    0x23,0x33,0xC9,0x59,0xC3,0x54,0x98,0x30,0x82,0x01,0x11,0x06,0x03,0x55,0x1D,0x20,
+    0x04,0x82,0x01,0x08,0x30,0x82,0x01,0x04,0x30,0x82,0x01,0x00,0x06,0x09,0x2A,0x86,
+    0x48,0x86,0xF7,0x63,0x64,0x05,0x01,0x30,0x81,0xF2,0x30,0x2A,0x06,0x08,0x2B,0x06,
+    0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x1E,0x68,0x74,0x74,0x70,0x73,0x3A,0x2F,0x2F,
+    0x77,0x77,0x77,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x2F,0x61,0x70,
+    0x70,0x6C,0x65,0x63,0x61,0x2F,0x30,0x81,0xC3,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,
+    0x07,0x02,0x02,0x30,0x81,0xB6,0x0C,0x81,0xB3,0x52,0x65,0x6C,0x69,0x61,0x6E,0x63,
+    0x65,0x20,0x6F,0x6E,0x20,0x74,0x68,0x69,0x73,0x20,0x63,0x65,0x72,0x74,0x69,0x66,
+    0x69,0x63,0x61,0x74,0x65,0x20,0x62,0x79,0x20,0x61,0x6E,0x79,0x20,0x70,0x61,0x72,
+    0x74,0x79,0x20,0x61,0x73,0x73,0x75,0x6D,0x65,0x73,0x20,0x61,0x63,0x63,0x65,0x70,
+    0x74,0x61,0x6E,0x63,0x65,0x20,0x6F,0x66,0x20,0x74,0x68,0x65,0x20,0x74,0x68,0x65,
+    0x6E,0x20,0x61,0x70,0x70,0x6C,0x69,0x63,0x61,0x62,0x6C,0x65,0x20,0x73,0x74,0x61,
+    0x6E,0x64,0x61,0x72,0x64,0x20,0x74,0x65,0x72,0x6D,0x73,0x20,0x61,0x6E,0x64,0x20,
+    0x63,0x6F,0x6E,0x64,0x69,0x74,0x69,0x6F,0x6E,0x73,0x20,0x6F,0x66,0x20,0x75,0x73,
+    0x65,0x2C,0x20,0x63,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x65,0x20,0x70,
+    0x6F,0x6C,0x69,0x63,0x79,0x20,0x61,0x6E,0x64,0x20,0x63,0x65,0x72,0x74,0x69,0x66,
+    0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x70,0x72,0x61,0x63,0x74,0x69,0x63,0x65,
+    0x20,0x73,0x74,0x61,0x74,0x65,0x6D,0x65,0x6E,0x74,0x73,0x2E,0x30,0x0E,0x06,0x03,
+    0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x0D,0x06,0x09,
+    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00,
+    0x10,0x5E,0x6C,0x69,0xFC,0xA6,0x0F,0xE2,0x09,0xD5,0x94,0x90,0xA6,0x7C,0x22,0xDC,
+    0xEE,0xB0,0x8F,0x24,0x22,0x4F,0xB3,0x67,0xDB,0x32,0xB0,0xD6,0x24,0x87,0xE6,0xF3,
+    0xEA,0x9E,0xD0,0x95,0x75,0xAA,0xA7,0x08,0xFF,0xB0,0x35,0xD7,0x1F,0xA3,0xBF,0x89,
+    0x55,0x0C,0x1C,0xA4,0xD0,0xF8,0x00,0x17,0x44,0x94,0x36,0x63,0x3B,0x83,0xFE,0x4E,
+    0xE5,0xB3,0xEC,0x7B,0x7D,0xCE,0xFE,0xA9,0x54,0xED,0xBB,0x12,0xA6,0x72,0x2B,0xB3,
+    0x48,0x00,0xC7,0x8E,0xF5,0x5B,0x68,0xC9,0x24,0x22,0x7F,0xA1,0x4D,0xFC,0x54,0xD9,
+    0xD0,0x5D,0x82,0x53,0x71,0x29,0x66,0xCF,0x0F,0x6D,0x32,0xA6,0x3F,0xAE,0x54,0x27,
+    0xC2,0x8C,0x12,0x4C,0xF0,0xD6,0xC1,0x80,0x75,0xC3,0x33,0x19,0xD1,0x8B,0x58,0xE6,
+    0x00,0x69,0x76,0xE7,0xE5,0x3D,0x47,0xF9,0xC0,0x9C,0xE7,0x19,0x1E,0x95,0xBC,0x52,
+    0x15,0xCE,0x94,0xF8,0x30,0x14,0x0B,0x39,0x0E,0x8B,0xAF,0x29,0x30,0x56,0xAF,0x5A,
+    0x28,0xAC,0xE1,0x0F,0x51,0x76,0x76,0x9A,0xE7,0xB9,0x7D,0xA3,0x30,0xE8,0xE3,0x71,
+    0x15,0xE8,0xBF,0x0D,0x4F,0x12,0x9B,0x65,0xAB,0xEF,0xA4,0xE9,0x42,0xF0,0xD2,0x4D,
+    0x20,0x55,0x29,0x88,0x58,0x5C,0x82,0x67,0x63,0x20,0x50,0xC6,0xCA,0x04,0xE8,0xBC,
+    0x3D,0x93,0x06,0x21,0xB2,0xC0,0xBF,0x53,0x1E,0xE1,0x8B,0x48,0xA9,0xB9,0xD7,0xE6,
+    0x5F,0x4E,0x5A,0x2F,0x43,0xAC,0x35,0xBD,0x26,0x60,0x2F,0x01,0xD5,0x86,0x6B,0x64,
+    0xFA,0x67,0x05,0x44,0x55,0x83,0x5B,0x93,0x9C,0x7C,0xA7,0x26,0x4E,0x02,0x2B,0x48,
+};
+
+/* subject:/CN=Test Apple Server Authentication CA/OU=Certification Authority/O=Apple Inc./C=US */
+/* issuer :/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Test Apple Root CA */
+unsigned char _testServerAuthCA[1043]={
+    0x30,0x82,0x04,0x0F,0x30,0x82,0x02,0xF7,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x4B,
+    0x28,0xA9,0x3B,0x57,0x8B,0xF6,0x26,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,
+    0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x67,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,
+    0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,
+    0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x26,0x30,0x24,0x06,0x03,
+    0x55,0x04,0x0B,0x0C,0x1D,0x41,0x70,0x70,0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69,
+    0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,
+    0x74,0x79,0x31,0x1B,0x30,0x19,0x06,0x03,0x55,0x04,0x03,0x0C,0x12,0x54,0x65,0x73,
+    0x74,0x20,0x41,0x70,0x70,0x6C,0x65,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x30,
+    0x1E,0x17,0x0D,0x31,0x35,0x30,0x36,0x30,0x38,0x30,0x37,0x35,0x38,0x34,0x35,0x5A,
+    0x17,0x0D,0x32,0x39,0x30,0x33,0x30,0x38,0x30,0x31,0x35,0x33,0x30,0x34,0x5A,0x30,
+    0x72,0x31,0x2C,0x30,0x2A,0x06,0x03,0x55,0x04,0x03,0x0C,0x23,0x54,0x65,0x73,0x74,
+    0x20,0x41,0x70,0x70,0x6C,0x65,0x20,0x53,0x65,0x72,0x76,0x65,0x72,0x20,0x41,0x75,
+    0x74,0x68,0x65,0x6E,0x74,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x43,0x41,0x31,
+    0x20,0x30,0x1E,0x06,0x03,0x55,0x04,0x0B,0x0C,0x17,0x43,0x65,0x72,0x74,0x69,0x66,
+    0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,
+    0x79,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,
+    0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,
+    0x02,0x55,0x53,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,
+    0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,
+    0x82,0x01,0x01,0x00,0xC5,0x7B,0x3F,0x48,0xD3,0x62,0x93,0x93,0x7C,0x0C,0x37,0x69,
+    0xDB,0x28,0x05,0x40,0x12,0xD7,0x1F,0x0A,0xB8,0xC3,0xBA,0x24,0x39,0x22,0xDC,0x39,
+    0x42,0x1F,0xFD,0x93,0x45,0x3C,0x23,0x0B,0x3E,0xB4,0x96,0xA6,0x55,0x59,0xBA,0xC4,
+    0x99,0xE7,0x8A,0x5F,0x8F,0xAE,0x66,0xA7,0x28,0xE2,0x9E,0x68,0xD9,0xEC,0x52,0x67,
+    0xFE,0xDD,0xBE,0x59,0xB4,0xAD,0x97,0x63,0x64,0xB0,0x08,0x3C,0xBB,0x6E,0xD1,0x29,
+    0xD8,0x58,0xA1,0x99,0x6C,0x2F,0x2F,0xB3,0xF5,0x5C,0x59,0xCA,0xA1,0xE6,0x67,0x44,
+    0x3C,0x13,0xB4,0xAE,0x0D,0x00,0xC7,0x53,0xB7,0xF5,0x61,0x58,0xD5,0xC8,0x42,0xFC,
+    0xE2,0xFD,0xD5,0x39,0x18,0x80,0xE2,0x72,0xBC,0xF8,0xC3,0x9F,0xCB,0xD8,0x2F,0x83,
+    0x40,0x9A,0x3E,0x55,0x5E,0x61,0xA9,0xC4,0x81,0x14,0x2B,0x7B,0x19,0x15,0xAD,0x84,
+    0x5E,0x80,0xA8,0x67,0x79,0x05,0x16,0x48,0x5C,0xAE,0x1A,0x2B,0x59,0x9F,0xAA,0x62,
+    0x0B,0x2F,0x57,0xCD,0xE8,0xA8,0x5D,0x38,0xAD,0x7C,0x90,0x79,0x50,0xAC,0x4D,0x13,
+    0xA4,0xA7,0xF3,0x73,0xED,0xD6,0x93,0x45,0xDD,0xA8,0xC6,0xFE,0x03,0x28,0x4D,0x58,
+    0xC1,0x8B,0xC1,0x03,0x0E,0xE7,0xDF,0x78,0xDD,0x21,0xC6,0x6D,0x1E,0xA0,0x38,0xD7,
+    0xA7,0xD7,0x04,0x8C,0x7F,0xCA,0x15,0xEA,0x88,0xE9,0xAE,0x8D,0x46,0xE0,0x87,0x94,
+    0x3E,0x8F,0x53,0x11,0x88,0x23,0x99,0x7B,0x9D,0xD8,0x69,0x1A,0x22,0xAE,0xB5,0x18,
+    0xA5,0x9F,0xEA,0x71,0x31,0x0B,0x27,0x93,0x85,0x1D,0xF7,0xA0,0xC3,0x82,0x0A,0x3F,
+    0xEE,0xD2,0xD4,0xEF,0x02,0x03,0x01,0x00,0x01,0xA3,0x81,0xB3,0x30,0x81,0xB0,0x30,
+    0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0xA8,0xCA,0x7A,0x9B,0xA8,0x37,
+    0x71,0x9E,0x3D,0xEC,0x5A,0xAB,0x66,0x2E,0xDC,0xD7,0x14,0x3D,0x7B,0xF2,0x30,0x0F,
+    0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x05,0x30,0x03,0x01,0x01,0xFF,0x30,
+    0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x59,0xB8,0x2B,0x94,
+    0x3A,0x1B,0xBA,0xF1,0x00,0xAE,0xEE,0x50,0x52,0x23,0x33,0xC9,0x59,0xC3,0x54,0x98,
+    0x30,0x3B,0x06,0x03,0x55,0x1D,0x1F,0x04,0x34,0x30,0x32,0x30,0x30,0xA0,0x2E,0xA0,
+    0x2C,0x86,0x2A,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x72,0x6C,0x2D,0x75,0x61,
+    0x74,0x2E,0x63,0x6F,0x72,0x70,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,
+    0x2F,0x74,0x65,0x73,0x74,0x72,0x6F,0x6F,0x74,0x2E,0x63,0x72,0x6C,0x30,0x0E,0x06,
+    0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x10,0x06,
+    0x0A,0x2A,0x86,0x48,0x86,0xF7,0x63,0x64,0x06,0x02,0x0C,0x04,0x02,0x05,0x00,0x30,
+    0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x82,
+    0x01,0x01,0x00,0x11,0x24,0x61,0x2B,0x7C,0x5E,0x67,0x29,0x94,0x14,0x19,0x16,0xD5,
+    0xD4,0x7A,0xEE,0x53,0x1A,0x64,0xA2,0x6A,0x2B,0x04,0xE6,0x2C,0xA1,0x08,0xBA,0xCA,
+    0x81,0xF5,0x28,0x2A,0xCE,0xD5,0x6B,0x52,0xAC,0xE7,0xBD,0xB3,0x23,0xB9,0x67,0x2C,
+    0xC7,0x9E,0x61,0xA1,0xD9,0x6C,0x3F,0x4F,0x55,0xD4,0x75,0xAF,0x44,0xAD,0xF8,0xCE,
+    0x58,0xA7,0x2E,0xF8,0x6A,0xF0,0x76,0x51,0x31,0x75,0x4C,0xCA,0xF6,0xC3,0x59,0xC7,
+    0xE6,0xAE,0x4A,0x20,0x4E,0x5F,0xB9,0xAB,0x1C,0xB6,0x36,0x25,0x60,0x02,0x32,0x47,
+    0x7D,0xA0,0xE2,0x36,0xB3,0x3B,0x40,0x20,0x9E,0x38,0x40,0x1C,0x7E,0x83,0x35,0x9C,
+    0x9D,0x8B,0xD1,0xF9,0xEA,0xD4,0xF2,0x83,0xE0,0x30,0xEA,0xC3,0xEE,0x3D,0x76,0x98,
+    0x9E,0x0A,0x07,0xB5,0xB6,0xFC,0x38,0x32,0xF6,0x41,0xEF,0x8E,0x25,0x2C,0xE3,0xC7,
+    0xA7,0xAD,0x88,0x77,0x4D,0x10,0x1D,0x67,0x50,0x64,0xB0,0x02,0x04,0x2C,0xEA,0x4C,
+    0x81,0x33,0xBE,0xF3,0xCD,0x43,0x63,0x97,0x44,0xDF,0xBB,0xC6,0xE2,0x37,0x32,0xF1,
+    0xE4,0x19,0x1F,0xF5,0xAE,0xDA,0x05,0xC4,0x0B,0xFA,0x30,0xCA,0x77,0x78,0x65,0xD6,
+    0x4F,0x2D,0xFE,0x63,0xD3,0x4C,0x3D,0xA9,0x0E,0xC4,0x0F,0xD6,0xCC,0x2A,0x2D,0x06,
+    0x9B,0xDE,0x94,0xF6,0x22,0x2E,0x89,0xCB,0x68,0x4E,0xDE,0x79,0xE5,0x83,0xDE,0x64,
+    0x63,0xE9,0x77,0x88,0xF1,0x57,0xF2,0x5C,0xB4,0x77,0x3A,0xC8,0x1F,0x6D,0x80,0x4C,
+    0x8B,0x68,0xA5,0xFA,0xAD,0x1F,0x5C,0x8C,0x50,0x27,0xED,0xF7,0x43,0x68,0xAD,0x34,
+    0x5E,0xF6,0x74,
+};
+
+/* subject:/CN=ast2.test.domain.here/OU=IS&T/O=Apple Inc./C=US */
+/* issuer :/CN=Test Apple Server Authentication CA/OU=Certification Authority/O=Apple Inc./C=US */
+unsigned char _testLeaf[1223]={
+    0x30,0x82,0x04,0xC3,0x30,0x82,0x03,0xAB,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x51,
+    0x24,0x24,0xE7,0xA6,0xFC,0x66,0x24,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,
+    0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x72,0x31,0x2C,0x30,0x2A,0x06,0x03,0x55,0x04,
+    0x03,0x0C,0x23,0x54,0x65,0x73,0x74,0x20,0x41,0x70,0x70,0x6C,0x65,0x20,0x53,0x65,
+    0x72,0x76,0x65,0x72,0x20,0x41,0x75,0x74,0x68,0x65,0x6E,0x74,0x69,0x63,0x61,0x74,
+    0x69,0x6F,0x6E,0x20,0x43,0x41,0x31,0x20,0x30,0x1E,0x06,0x03,0x55,0x04,0x0B,0x0C,
+    0x17,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,
+    0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,
+    0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x0B,0x30,
+    0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x1E,0x17,0x0D,0x31,0x35,
+    0x31,0x32,0x30,0x39,0x31,0x36,0x30,0x31,0x34,0x31,0x5A,0x17,0x0D,0x31,0x37,0x30,
+    0x31,0x30,0x37,0x31,0x36,0x30,0x31,0x34,0x31,0x5A,0x30,0x51,0x31,0x1E,0x30,0x1C,
+    0x06,0x03,0x55,0x04,0x03,0x0C,0x15,0x61,0x73,0x74,0x32,0x2E,0x74,0x65,0x73,0x74,
+    0x2E,0x64,0x6F,0x6D,0x61,0x69,0x6E,0x2E,0x68,0x65,0x72,0x65,0x31,0x0D,0x30,0x0B,
+    0x06,0x03,0x55,0x04,0x0B,0x0C,0x04,0x49,0x53,0x26,0x54,0x31,0x13,0x30,0x11,0x06,
+    0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,
+    0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x82,0x01,
+    0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,
+    0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xB8,0x3F,
+    0x03,0x68,0x0F,0xEB,0x75,0x69,0x6F,0xAB,0x1A,0x2A,0x5F,0x48,0x97,0x73,0x4A,0x90,
+    0xD9,0xB2,0x60,0x88,0x3D,0xD6,0xA3,0x7B,0xFE,0x37,0xF1,0x2B,0x57,0xDB,0xE2,0xFE,
+    0xDA,0xE9,0x35,0x90,0x4E,0xC1,0x9B,0xB7,0x07,0x7D,0x0C,0xB7,0xAE,0xAF,0x5C,0xD8,
+    0xDC,0xD8,0x5A,0x65,0x4D,0x34,0x11,0xDF,0x75,0x27,0x4F,0xA0,0xC0,0x3B,0xF0,0x85,
+    0x16,0xDD,0x25,0x6C,0x21,0x23,0xFA,0xD0,0xF7,0x3D,0x37,0x66,0xF2,0x32,0x10,0x95,
+    0xA0,0x36,0xE0,0x33,0xB5,0x4D,0x5A,0x33,0xAC,0xB6,0x2E,0xBC,0x22,0xA5,0x20,0xA7,
+    0xA9,0x16,0xE4,0xDB,0xE7,0x42,0xC9,0x6A,0xF7,0xDF,0x55,0xF4,0xC3,0x9C,0x1B,0xE9,
+    0x56,0x7F,0xF3,0x1F,0xD7,0x94,0x19,0xB0,0x2B,0xBC,0x4B,0xF8,0xDF,0xB2,0x4A,0xDD,
+    0xAA,0x1A,0x67,0xD8,0xEA,0xF7,0x30,0xF8,0xB1,0x6B,0x3C,0xC4,0xF7,0xA2,0x70,0xEF,
+    0xAA,0xDD,0x49,0x8A,0x27,0x8E,0x71,0xF7,0xC1,0xFE,0x7B,0xD5,0xF2,0x45,0xC8,0xE4,
+    0xA9,0x73,0x53,0x90,0xB0,0xFA,0xA0,0xDE,0x71,0xFF,0x58,0x74,0x2C,0xC4,0xD1,0x54,
+    0x14,0xCC,0x00,0xF4,0x95,0xEB,0x81,0x85,0xBB,0xCC,0x3D,0xCF,0x7D,0xF3,0xEE,0x75,
+    0xE6,0x82,0xCB,0x93,0x79,0x8F,0xD9,0xED,0xE7,0x45,0x6F,0xA8,0xBE,0xA4,0xDE,0x45,
+    0x46,0x38,0x14,0xDC,0x79,0xF6,0x1F,0x64,0xD3,0x05,0x45,0xBF,0x50,0x1B,0x81,0x7E,
+    0x6C,0x77,0x1B,0xF2,0xBC,0x57,0xFD,0x25,0x94,0xB4,0x9A,0x0B,0x48,0x59,0x8F,0x8A,
+    0x0C,0x8F,0xBD,0x4C,0xE2,0x53,0x49,0xBC,0xC6,0x16,0x99,0xF4,0xE6,0x6F,0x02,0x03,
+    0x01,0x00,0x01,0xA3,0x82,0x01,0x7C,0x30,0x82,0x01,0x78,0x30,0x53,0x06,0x08,0x2B,
+    0x06,0x01,0x05,0x05,0x07,0x01,0x01,0x04,0x47,0x30,0x45,0x30,0x43,0x06,0x08,0x2B,
+    0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x86,0x37,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,
+    0x6F,0x63,0x73,0x70,0x2D,0x75,0x61,0x74,0x2E,0x63,0x6F,0x72,0x70,0x2E,0x61,0x70,
+    0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x2F,0x6F,0x63,0x73,0x70,0x30,0x33,0x2D,0x61,
+    0x70,0x70,0x6C,0x65,0x73,0x65,0x72,0x76,0x65,0x72,0x61,0x75,0x74,0x68,0x30,0x31,
+    0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0xC2,0x1E,0xBD,0xED,0x39,
+    0xF8,0x62,0x73,0x86,0x05,0xF3,0xBC,0x85,0x73,0xB3,0xA9,0x3C,0x12,0xBA,0xA8,0x30,
+    0x0C,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x02,0x30,0x00,0x30,0x1F,0x06,
+    0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xA8,0xCA,0x7A,0x9B,0xA8,0x37,
+    0x71,0x9E,0x3D,0xEC,0x5A,0xAB,0x66,0x2E,0xDC,0xD7,0x14,0x3D,0x7B,0xF2,0x30,0x49,
+    0x06,0x03,0x55,0x1D,0x1F,0x04,0x42,0x30,0x40,0x30,0x3E,0xA0,0x3C,0xA0,0x3A,0x86,
+    0x38,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x72,0x6C,0x2D,0x75,0x61,0x74,0x2E,
+    0x63,0x6F,0x72,0x70,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x2F,0x74,
+    0x65,0x73,0x74,0x61,0x70,0x70,0x6C,0x65,0x73,0x65,0x72,0x76,0x65,0x72,0x61,0x75,
+    0x74,0x68,0x63,0x61,0x31,0x2E,0x63,0x72,0x6C,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,
+    0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x05,0xA0,0x30,0x13,0x06,0x03,0x55,0x1D,0x25,
+    0x04,0x0C,0x30,0x0A,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x01,0x30,0x50,
+    0x06,0x03,0x55,0x1D,0x11,0x04,0x49,0x30,0x47,0x82,0x15,0x61,0x73,0x74,0x32,0x2E,
+    0x74,0x65,0x73,0x74,0x2E,0x64,0x6F,0x6D,0x61,0x69,0x6E,0x2E,0x68,0x65,0x72,0x65,
+    0x82,0x16,0x61,0x73,0x74,0x32,0x2E,0x74,0x65,0x73,0x74,0x2E,0x64,0x6F,0x6D,0x61,
+    0x69,0x6E,0x32,0x2E,0x68,0x65,0x72,0x65,0x82,0x16,0x61,0x73,0x74,0x32,0x2E,0x74,
+    0x65,0x73,0x74,0x2E,0x64,0x6F,0x6D,0x61,0x69,0x6E,0x33,0x2E,0x68,0x65,0x72,0x65,
+    0x30,0x11,0x06,0x0B,0x2A,0x86,0x48,0x86,0xF7,0x63,0x64,0x06,0x1B,0x08,0x02,0x04,
+    0x02,0x05,0x00,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,
+    0x05,0x00,0x03,0x82,0x01,0x01,0x00,0xA1,0xF3,0x96,0x32,0xD2,0x94,0x78,0x0F,0x03,
+    0xF5,0xCF,0x96,0x8F,0xAC,0xDA,0xA9,0x1E,0x39,0xE5,0xCE,0x24,0xFD,0xA6,0x66,0x06,
+    0x00,0xBC,0x66,0x69,0xC1,0xE1,0xF2,0x31,0xB6,0x70,0xBB,0xD6,0xCA,0x7A,0xCC,0xCF,
+    0x01,0x1E,0x47,0x80,0x60,0x43,0x05,0x48,0x8E,0x33,0xF7,0xA9,0xFD,0xE8,0xB9,0x05,
+    0x9F,0x7E,0xD1,0xF2,0xDA,0x13,0x45,0xD9,0x96,0x16,0x64,0xD5,0x74,0x0F,0xBD,0x1C,
+    0x95,0x72,0xD6,0x31,0xBD,0xFB,0x66,0xC6,0xC0,0xD4,0x4C,0x52,0x1D,0xFB,0xB0,0x65,
+    0x4F,0xF2,0x4C,0x4D,0xF5,0x68,0xD6,0xB5,0x4C,0x14,0xC1,0xFA,0xF1,0xDF,0x70,0x4E,
+    0x14,0x07,0x8C,0xD6,0x55,0x66,0x91,0x97,0xE0,0x95,0x46,0x15,0x25,0x9B,0xCA,0xC4,
+    0x64,0x10,0xFA,0xB4,0xDF,0xF3,0x2E,0x3A,0x26,0x74,0xFB,0x44,0x8E,0x8A,0xEA,0xC9,
+    0x2E,0x31,0xD9,0xA2,0xB3,0xA0,0xAF,0x5E,0x48,0xE1,0x5A,0xEC,0xE0,0xA7,0x3B,0x35,
+    0x1C,0x8F,0xFF,0xAA,0x02,0xBB,0x2F,0x95,0x11,0xA8,0x8B,0xE6,0x3D,0x65,0x1B,0xC0,
+    0xBD,0x6C,0xCC,0x11,0x0C,0xFE,0xCD,0x0D,0x30,0xF1,0xE7,0x53,0xA4,0x7E,0xAC,0x50,
+    0xC9,0x23,0x01,0xEE,0xD3,0xD5,0xE5,0xAC,0x0F,0x04,0x22,0xDA,0x30,0x14,0x25,0x6A,
+    0x64,0x7B,0xA9,0x9E,0xB9,0x59,0x07,0x0B,0x0C,0x39,0x88,0x18,0x5B,0x35,0x61,0x31,
+    0x3D,0x4E,0xCE,0xD5,0xB3,0x67,0x82,0x88,0x3C,0x10,0x12,0xA6,0xC0,0x08,0xC3,0xA5,
+    0x41,0x39,0x69,0xAE,0x84,0x34,0x9C,0xED,0x4A,0xED,0x3A,0x85,0x9D,0x98,0xF7,0x12,
+    0xD1,0x1D,0xCD,0x9B,0xC8,0x60,0x57,
+};
+
+#endif /* si_92_sectrust_homekit_h */
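Review bot: The certificate arrays in this header (`_AppleG3Root` through `_testLeaf`) are defined with external linkage and without `const`, so any second translation unit that includes `si-92-sectrust-homekit.h` fails to link with duplicate symbols, and test code can modify the fixtures in place; `static const unsigned char _AppleG3Root[] = {` (and likewise for the other five) avoids both. Four of the six arrays carry an explicit length (`_AppleHomeKitUATServer[792]`, `_testRoot[1232]`, `_testServerAuthCA[1043]`, `_testLeaf[1223]`); the counts match the initializers today, but a later edit that drops bytes would be silently zero-padded rather than rejected, and since the callers already take the length with `sizeof`, the unsized `[]` form used by the first two arrays is the safer one. The `#include <stdio.h>` is not used by anything in the header. File-scope identifiers starting with an underscore are reserved for the implementation in C; this is cosmetic, but a project-style prefix would avoid it.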
index c3b9371e081ddf8fc974f684829aabc3acb61ad0..2a58b75d7196ff01ac61cda2cbd7bc68e5b41de6 100644 (file)
@@ -33,3 +33,4 @@ _kSecUseAuthenticationUIAllow
 _kSecUseAuthenticationUIFail
 _kSecUseAuthenticationUISkip
 _kSecUseAuthenticationContext
+_kSecUseCallerName
index 2a2fb56f2e778965e573229a781338759ba366ee..6300a3472e062363154c7b6321ffd81d2963cc4b 100644 (file)
@@ -152,6 +152,7 @@ _SecPolicyCreateAppleAST2Service
 _SecPolicyCreateAppleSSLService
 _SecPolicyCreateApplePackageSigning
 _SecPolicyCreateAppleSWUpdateSigning
+_SecPolicyCreateAppleHomeKitServerAuth
 _SecPolicyCreateBasicX509
 _SecPolicyCreateCodeSigning
 _SecPolicyCreateConfigurationProfileSigner
index 1595e0bf683e4b416a1f554287812e2c5fb602f7..68b60013c5ea68ea39d1813192f09b37912694b6 100644 (file)
@@ -971,6 +971,13 @@ bool SecItemAuthDo(SecCFDictionaryCOW *auth_params, CFErrorRef *error, SecItemAu
                 CFRelease(key);
             }
 
+            CFStringRef caller_name = CFDictionaryGetValue(auth_params->dictionary, kSecUseCallerName);
+            if (caller_name != NULL) {
+                CFNumberRef key = CFNumberCreateWithCFIndex(NULL, kLAOptionCallerName);
+                CFDictionarySetValue(SecCFDictionaryCOWGetMutable(&auth_options), key, caller_name);
+                CFRelease(key);
+            }
+
             CFTypeRef auth_ui = CFDictionaryGetValue(auth_params->dictionary, kSecUseAuthenticationUI);
             if (CFEqualSafe(auth_ui, kSecUseAuthenticationUIFail)) {
                 CFNumberRef key = CFNumberCreateWithCFIndex(NULL, kLAOptionNotInteractive);
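Review bot: `caller_name` is read from `auth_params->dictionary` at the added lines and handed to the LocalAuthentication options with only a NULL check, so any non-string value stored under `kSecUseCallerName` is forwarded as if it were a CFStringRef. Since SecItemAuthCopyParams in the next hunk copies this key out of the caller-supplied query verbatim, the guard should also check the type, e.g. `if (caller_name != NULL && CFGetTypeID(caller_name) == CFStringGetTypeID()) {`. The same check belongs on the copy in SecItemAuthCopyParams. SecItemAuthDo starts and ends outside this hunk.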
@@ -1017,6 +1024,13 @@ void SecItemAuthCopyParams(SecCFDictionaryCOW *auth_params, SecCFDictionaryCOW *
         CFDictionaryRemoveValue(SecCFDictionaryCOWGetMutable(query), kSecUseOperationPrompt);
     }
 
+    // Store caller name.
+    CFStringRef caller_name = CFDictionaryGetValue(query->dictionary, kSecUseCallerName);
+    if (caller_name != NULL) {
+        CFDictionarySetValue(SecCFDictionaryCOWGetMutable(auth_params), kSecUseCallerName, caller_name);
+        CFDictionaryRemoveValue(SecCFDictionaryCOWGetMutable(query), kSecUseCallerName);
+    }
+
     // Find out whether we are allowed to pop up a UI.
     CFTypeRef auth_ui = CFDictionaryGetValue(query->dictionary, kSecUseAuthenticationUI) ?:
     (CFEqualSafe(CFDictionaryGetValue(query->dictionary, kSecUseNoAuthenticationUI), kCFBooleanTrue) ?
index d09ce9d44770adfdcf0dc38d8788bcd96f027dec..ddc1f0c8de541901d7d446ba5d806ef2983cda87 100644 (file)
@@ -144,6 +144,7 @@ SEC_CONST_DECL (kSecUseNoAuthenticationUI, "u_NoAuthUI");
 SEC_CONST_DECL (kSecUseAuthenticationUI, "u_AuthUI");
 SEC_CONST_DECL (kSecUseSystemKeychain, "u_SystemKeychain");
 SEC_CONST_DECL (kSecUseSyncBubbleKeychain, "u_SyncBubbleKeychain");
+SEC_CONST_DECL (kSecUseCallerName, "u_CallerName");
 
 /* kSecAttrAccessible Value Constants. */
 SEC_CONST_DECL (kSecAttrAccessibleWhenUnlocked, "ak");
index e8fab148af76144727767963bdb62b884ae6a28e..664242ab94be3ed360719df33a23a75136f1a778 100644 (file)
@@ -345,12 +345,18 @@ extern const CFStringRef kSecUseSyncBubbleKeychain
     @constant kSecUseCredentialReference Specifies a CFDataRef containing
         AppleCredentialManager reference handle to be used when authorizing access
         to the item.
+    @constant kSecUseCallerName Specifies a dictionary key whose value
+        is a CFStringRef that represents a user-visible string describing
+        the caller name for which the application is attempting to authenticate.
+        The caller must have 'com.apple.private.LocalAuthentication.CallerName'
+        entitlement set to YES to use this feature, otherwise it is ignored.
 */
 extern const CFStringRef kSecUseTombstones
     __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
 extern const CFStringRef kSecUseCredentialReference
     __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0);
-
+extern const CFStringRef kSecUseCallerName
+    __OSX_AVAILABLE(10.11.4) __IOS_AVAILABLE(9.3) __TVOS_AVAILABLE(9.3) __WATCHOS_AVAILABLE(2.3);
 
 /*!
     @function SecItemCopyDisplayNames
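Review bot: The availability annotation on the new `kSecUseCallerName` declaration uses the `__OSX_AVAILABLE(10.11.4) __IOS_AVAILABLE(9.3) ...` form, while the neighbouring declarations in this header and the new `SecPolicyCreateAppleHomeKitServerAuth` declaration in SecPolicyPriv.h use `__OSX_AVAILABLE_STARTING(__MAC_..., __IPHONE_...)`; one form per header keeps the private API surface consistent. The @constant text states the key is ignored without the entitlement, but none of the SecItem.c hunks in this commit checks an entitlement, so the sentence should say where the check lives if it is made downstream, e.g. `The entitlement is checked by the authentication layer, not by SecItem.` — confirm that before wording it.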
index 72d35c5199995a7579d8e8f006a18cb47d72d7c5..a552287bead2be453997596d78a7c764dcb846aa 100644 (file)
@@ -283,6 +283,7 @@ static CFStringRef kSecPolicyOIDApplePayIssuerEncryption = CFSTR("ApplePayIssuer
 static CFStringRef kSecPolicyOIDAppleOSXProvisioningProfileSigning = CFSTR("AppleOSXProvisioningProfileSigning");
 static CFStringRef kSecPolicyOIDAppleATVVPNProfileSigning = CFSTR("AppleATVVPNProfileSigning");
 static CFStringRef kSecPolicyOIDAppleAST2Service = CFSTR("AST2Service");
+static CFStringRef kSecPolicyOIDAppleHomeKitServerAuth = CFSTR("HomeKitServerAuth");
 
 /* Policies will now change to multiple categories of checks.
 
@@ -3005,3 +3006,51 @@ errOut:
     CFReleaseSafe(appleAnchorOptions);
     return result;
 }
+
+SecPolicyRef SecPolicyCreateAppleHomeKitServerAuth(CFStringRef hostname) {
+    CFMutableDictionaryRef appleAnchorOptions = NULL;
+    CFMutableDictionaryRef options = NULL;
+    SecPolicyRef result = NULL;
+    CFDataRef oid = NULL;
+
+    options = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+    require(options, errOut);
+
+    SecPolicyAddBasicX509Options(options);
+
+    CFDictionaryAddValue(options, kSecPolicyCheckSSLHostname, hostname);
+
+    add_eku(options, &oidExtendedKeyUsageServerAuth);
+
+    if (requirePinning(false, CFSTR("HomeKit"))) {
+        bool allowUAT = allowUATRoot(false, CFSTR("HomeKit"), NULL);
+
+        // Cert chain length 3
+        require(SecPolicyAddChainLengthOptions(options, 3), errOut);
+
+        // Apple anchors, allowing test anchors for internal releases properly configured
+        appleAnchorOptions = CFDictionaryCreateMutableForCFTypes(NULL);
+        require(appleAnchorOptions, errOut);
+        if (allowUAT) {
+            CFDictionarySetValue(appleAnchorOptions,
+                                 kSecPolicyAppleAnchorIncludeTestRoots, kCFBooleanTrue);
+        }
+        add_element(options, kSecPolicyCheckAnchorApple, appleAnchorOptions);
+
+        add_leaf_marker(options, &oidAppleCertExtHomeKitServerAuth);
+
+        add_oid(options, kSecPolicyCheckIntermediateMarkerOid, &oidAppleIntmMarkerAppleHomeKitServerCA);
+    }
+
+
+    CFDictionaryAddValue(options, kSecPolicyCheckRevocation, kCFBooleanTrue);
+
+    result = SecPolicyCreate(kSecPolicyOIDAppleHomeKitServerAuth, options);
+    require(result, errOut);
+
+errOut:
+    CFReleaseSafe(appleAnchorOptions);
+    CFReleaseSafe(options);
+    CFReleaseSafe(oid);
+    return result;
+}
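Review bot: `hostname` goes straight into `CFDictionaryAddValue(options, kSecPolicyCheckSSLHostname, hostname)` with no NULL check, even though the header declares the parameter required; a NULL value there aborts in CoreFoundation instead of failing the policy creation. Add `require(hostname, errOut);` before the options dictionary is created, matching the `require(options, errOut)` pattern already used. The `CFDataRef oid` local is declared and released but never assigned, so it and its `CFReleaseSafe(oid)` can go. A one-line comment on the `requirePinning` branch noting that when it returns false the policy degrades to plain server-auth SSL with no Apple anchor, intermediate-marker or leaf-marker checks would make that fallback visible to the next reader.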
index 5bfd8f324e884b3a51ca12732d436c1fe23a43fa..9c0f0c7619e017072a675aa89c4276cf67d2a709 100644 (file)
@@ -583,6 +583,27 @@ SecPolicyRef SecPolicyCreateApplePayIssuerEncryption(void)
 SecPolicyRef SecPolicyCreateAppleATVVPNProfileSigning(void)
 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
 
+/*!
+ @function SecPolicyCreateAppleHomeKitServerAuth
+ @abstract Ensure we're appropriately pinned to the HomeKit service (SSL + Apple restrictions)
+ @param hostname Required; hostname to verify the certificate name against.
+ @discussion This policy uses the Basic X.509 policy with validity check
+ and pinning options:
+ * The chain is anchored to any of the production Apple Root CAs via full certificate
+ comparison. Test Apple Root CAs are permitted only on internal releases with defaults write.
+ * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.16
+ * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.9.
+ * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
+ extension or Common Name.
+ * The leaf is checked against the Black and Gray lists.
+ * The leaf has ExtendedKeyUsage with the ServerAuth OID.
+ * Revocation is checked via CRL.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
+ */
+SecPolicyRef SecPolicyCreateAppleHomeKitServerAuth(CFStringRef hostname)
+__OSX_AVAILABLE_STARTING(__MAC_10_11_4, __IPHONE_9_3);
+
 __END_DECLS
 
 #endif /* !_SECURITY_SECPOLICYPRIV_H_ */
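Review bot: The @discussion bullet "Revocation is checked via CRL" is not established by the implementation in SecPolicy.c, which only sets `kSecPolicyCheckRevocation` to `kCFBooleanTrue` without selecting a method; either confirm that this value means CRL in the policy engine or reword the bullet to `* Revocation is checked.` The @param line documents hostname as required, but the implementation in this commit does not reject a NULL hostname, so the header and the code should agree on what a NULL hostname does.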
index a1f6963fcff4a813a3a2dbbd69018918b1b69757..effad87d659c6474d4533524263eaed7401986f4 100644 (file)
@@ -65,7 +65,7 @@ OSStatus SecAddSharedWebCredentialSync(CFStringRef fqdn,
         bool xpc_result;
         bool internal_spi = false; // TODO: support this for SecurityDevTests
         if(internal_spi && gSecurityd && gSecurityd->sec_add_shared_web_credential) {
-            xpc_result = gSecurityd->sec_add_shared_web_credential(args, NULL, NULL, SecAccessGroupsGetCurrent(), &raw_result, error);
+            xpc_result = gSecurityd->sec_add_shared_web_credential(args, NULL, NULL, NULL, SecAccessGroupsGetCurrent(), &raw_result, error);
         } else {
             xpc_result = cftype_client_to_bool_cftype_error_request(sec_add_shared_web_credential_id, args, SecSecurityClientGet(), &raw_result, error);
         }
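Review bot: The argument inserted into the `gSecurityd->sec_add_shared_web_credential` call is a NULL `SecurityClient *`, whereas the server.c hunks in this commit pass `&client` for the same parameter; if the server-side implementation dereferences it (the `swcclient` rename in SecItemServer.c suggests it now distinguishes the caller's client from its own), this path crashes as soon as `internal_spi` stops being hard-coded false. A `// TODO: pass a real SecurityClient before enabling internal_spi` next to the NULL would keep the gap visible. The same applies to the `sec_copy_shared_web_credential` call in the following hunk.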
@@ -162,7 +162,7 @@ OSStatus SecCopySharedWebCredentialSync(CFStringRef fqdn,
         bool xpc_result;
         bool internal_spi = false; // TODO: support this for SecurityDevTests
         if(internal_spi && gSecurityd && gSecurityd->sec_copy_shared_web_credential) {
-            xpc_result = gSecurityd->sec_copy_shared_web_credential(args, NULL, NULL, SecAccessGroupsGetCurrent(), &raw_result, error);
+            xpc_result = gSecurityd->sec_copy_shared_web_credential(args, NULL, NULL, NULL, SecAccessGroupsGetCurrent(), &raw_result, error);
         } else {
             xpc_result = cftype_client_to_bool_cftype_error_request(sec_copy_shared_web_credential_id, args, SecSecurityClientGet(), &raw_result, error);
         }
index af006dedacc3bd97f9ad02650301a60073f0dd88..e7ad3dabcae021c4f34956d637231d418225f985 100644 (file)
@@ -271,8 +271,8 @@ struct securityd {
     bool (*sec_item_copy_matching)(CFDictionaryRef query, SecurityClient *client, CFTypeRef *result, CFErrorRef* error);
     bool (*sec_item_update)(CFDictionaryRef query, CFDictionaryRef attributesToUpdate, SecurityClient *client, CFErrorRef* error);
     bool (*sec_item_delete)(CFDictionaryRef query, SecurityClient *client, CFErrorRef* error);
-    bool (*sec_add_shared_web_credential)(CFDictionaryRef attributes, const audit_token_t *clientAuditToken, CFStringRef appID, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef *error);
-    bool (*sec_copy_shared_web_credential)(CFDictionaryRef query, const audit_token_t *clientAuditToken, CFStringRef appID, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef *error);
+    bool (*sec_add_shared_web_credential)(CFDictionaryRef attributes, SecurityClient *client, const audit_token_t *clientAuditToken, CFStringRef appID, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef *error);
+    bool (*sec_copy_shared_web_credential)(CFDictionaryRef query, SecurityClient *client, const audit_token_t *clientAuditToken, CFStringRef appID, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef *error);
     SecTrustStoreRef (*sec_trust_store_for_domain)(CFStringRef domainName, CFErrorRef* error);       // TODO: remove, has no msg id
     bool (*sec_trust_store_contains)(SecTrustStoreRef ts, CFDataRef digest, bool *contains, CFErrorRef* error);
     bool (*sec_trust_store_set_trust_settings)(SecTrustStoreRef ts, SecCertificateRef certificate, CFTypeRef trustSettingsDictOrArray, CFErrorRef* error);
index ff7d1e3fb8349a77656f9792563a8b70dbf59c2d..892542d8e3afa857dcb62e93b96911084a1d5cca 100644 (file)
@@ -77,7 +77,7 @@
 #include <xpc/xpc.h>
 
 #if TARGET_OS_IPHONE
-static int inMultiUser = -1;
+static int inMultiUser = 0;
 #endif
 
 
@@ -497,8 +497,6 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection,
 
 #if TARGET_OS_IOS && !TARGET_OS_SIMULATOR
         if (inMultiUser) {
-            assert(inMultiUser != -1);
-
             client.activeUser = MKBForegroundUserSessionID(&error);
             if (client.activeUser == -1 || client.activeUser == 0) {
                 assert(0);
@@ -961,7 +959,7 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection,
                 if (query) {
                     CFTypeRef result = NULL;
                     CFStringRef appID = (client.task) ? SecTaskCopyApplicationIdentifier(client.task) : NULL;
-                    if (_SecAddSharedWebCredential(query, &auditToken, appID, domains, &result, &error) && result) {
+                    if (_SecAddSharedWebCredential(query, &client, &auditToken, appID, domains, &result, &error) && result) {
                         SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, result, &error);
                         CFRelease(result);
                     }
@@ -976,7 +974,7 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection,
                 if (query) {
                     CFTypeRef result = NULL;
                     CFStringRef appID = (client.task) ? SecTaskCopyApplicationIdentifier(client.task) : NULL;
-                    if (_SecCopySharedWebCredential(query, &auditToken, appID, domains, &result, &error) && result) {
+                    if (_SecCopySharedWebCredential(query, &client, &auditToken, appID, domains, &result, &error) && result) {
                         SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, result, &error);
                         CFRelease(result);
                     }
@@ -1753,32 +1751,30 @@ int main(int argc, char *argv[])
                kill(getpid(), SIGSTOP);
        }
 
-    const char *serviceName = kSecuritydXPCServiceName;
-#if TRUSTD_SERVER
-    serviceName = kTrustdXPCServiceName;
-    if (argc > 1 && (!strcmp(argv[1], "--agent"))) {
-        serviceName = kTrustdAgentXPCServiceName;
-    }
-#endif
-    securityd_init_server();
-    securityd_xpc_init(serviceName);
-
 #if TARGET_OS_IOS && !TARGET_OS_SIMULATOR
-    if (inMultiUser == -1) {
+    {
         CFDictionaryRef deviceMode = MKBUserTypeDeviceMode(NULL, NULL);
         CFTypeRef value = NULL;
 
         if (deviceMode && CFDictionaryGetValueIfPresent(deviceMode, kMKBDeviceModeKey, &value) && CFEqual(value, kMKBDeviceModeMultiUser)) {
             inMultiUser = 1;
-        } else {
-            inMultiUser = 0;
         }
         CFReleaseNull(deviceMode);
     }
-#elif TARGET_OS_IPHONE
-    inMultiUser = 0;
 #endif
 
+
+    const char *serviceName = kSecuritydXPCServiceName;
+#if TRUSTD_SERVER
+    serviceName = kTrustdXPCServiceName;
+    if (argc > 1 && (!strcmp(argv[1], "--agent"))) {
+        serviceName = kTrustdAgentXPCServiceName;
+    }
+#endif
+    securityd_init_server();
+    securityd_xpc_init(serviceName);
+
+
        // <rdar://problem/22425706> 13B104+Roots:Device never moved past spinner after using approval to ENABLE icdp
 #if TARGET_OS_EMBEDDED
        securityd_soscc_lock_hack();
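Review bot: With `inMultiUser` now defaulting to 0 and the `-1` sentinel removed, a failure of `MKBUserTypeDeviceMode` (NULL return, or the mode key absent) in the moved block silently leaves the daemon in single-user mode; if multi-user mode is what drives the per-user keychain separation handled in SecItemDb.c, that is a fail-open default that should at least be visible in the logs, e.g. `if (!deviceMode) secwarning("MKBUserTypeDeviceMode failed, assuming single-user mode");` before `CFReleaseNull(deviceMode)`. Moving the detection ahead of `securityd_xpc_init` is what makes the sentinel unnecessary, since no XPC handler can now observe an unset value; a comment such as `// must run before securityd_xpc_init: the XPC handlers read inMultiUser` would keep a later refactor from reordering them again.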
index c2a5765e6b8f3992e259dfa076dbe36043f4d868..44102c59263376eb6f861fbc4a235efcb889879f 100644 (file)
                CDF9BBE11B03E24D00D1AF0F /* secd-52-offering-gencount-reset.c in Sources */ = {isa = PBXBuildFile; fileRef = CDF9BBE01B03E24D00D1AF0F /* secd-52-offering-gencount-reset.c */; };
                D40294A91C20A806008CE4B6 /* si-91-sectrust-ast2.c in Sources */ = {isa = PBXBuildFile; fileRef = D40294A71C20A806008CE4B6 /* si-91-sectrust-ast2.c */; };
                D40294AA1C20A806008CE4B6 /* si-91-sectrust-ast2.h in Headers */ = {isa = PBXBuildFile; fileRef = D40294A81C20A806008CE4B6 /* si-91-sectrust-ast2.h */; };
+               D41380C91C6E529500F1A4B6 /* si-92-sectrust-homekit.c in Sources */ = {isa = PBXBuildFile; fileRef = D41380C71C6E529500F1A4B6 /* si-92-sectrust-homekit.c */; };
+               D41380CA1C6E529500F1A4B6 /* si-92-sectrust-homekit.h in Headers */ = {isa = PBXBuildFile; fileRef = D41380C81C6E529500F1A4B6 /* si-92-sectrust-homekit.h */; };
                D4273AA61B5D54E70007D67B /* nameconstraints.c in Sources */ = {isa = PBXBuildFile; fileRef = D4273AA21B5D54CA0007D67B /* nameconstraints.c */; };
                D445CDE11B44D53C005040AC /* si-84-sectrust-atv-appsigning.c in Sources */ = {isa = PBXBuildFile; fileRef = D445CDDF1B44D372005040AC /* si-84-sectrust-atv-appsigning.c */; };
                D4B4A9A81B8BB9B70097B393 /* si-85-sectrust-ssl-policy.c in Sources */ = {isa = PBXBuildFile; fileRef = D4B4A9A61B8801960097B393 /* si-85-sectrust-ssl-policy.c */; };
                CDF9BBE01B03E24D00D1AF0F /* secd-52-offering-gencount-reset.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "secd-52-offering-gencount-reset.c"; sourceTree = "<group>"; };
                D40294A71C20A806008CE4B6 /* si-91-sectrust-ast2.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-91-sectrust-ast2.c"; sourceTree = "<group>"; };
                D40294A81C20A806008CE4B6 /* si-91-sectrust-ast2.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "si-91-sectrust-ast2.h"; sourceTree = "<group>"; };
+               D41380C71C6E529500F1A4B6 /* si-92-sectrust-homekit.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-92-sectrust-homekit.c"; sourceTree = "<group>"; };
+               D41380C81C6E529500F1A4B6 /* si-92-sectrust-homekit.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "si-92-sectrust-homekit.h"; sourceTree = "<group>"; };
                D4273AA21B5D54CA0007D67B /* nameconstraints.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = nameconstraints.c; sourceTree = "<group>"; };
                D4273AA31B5D54CA0007D67B /* nameconstraints.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = nameconstraints.h; sourceTree = "<group>"; };
                D445CDDF1B44D372005040AC /* si-84-sectrust-atv-appsigning.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-84-sectrust-atv-appsigning.c"; sourceTree = "<group>"; };
                                EB69AB051BF425F300913AF1 /* si-90-emcs.m */,
                                D40294A71C20A806008CE4B6 /* si-91-sectrust-ast2.c */,
                                D40294A81C20A806008CE4B6 /* si-91-sectrust-ast2.h */,
+                               D41380C71C6E529500F1A4B6 /* si-92-sectrust-homekit.c */,
+                               D41380C81C6E529500F1A4B6 /* si-92-sectrust-homekit.h */,
                        );
                        name = secitem;
                        path = Regressions/secitem;
                                4CC92A9B15A3ABD400C6D578 /* UTN-USERFirst-Hardware.cer.h in Headers */,
                                4CC92A9C15A3ABD400C6D578 /* addons.mozilla.org.cer.h in Headers */,
                                4CC92A9D15A3ABD400C6D578 /* login.live.com.cer.h in Headers */,
+                               D41380CA1C6E529500F1A4B6 /* si-92-sectrust-homekit.h in Headers */,
                                4CC92A9E15A3ABD400C6D578 /* login.skype.com.cer.h in Headers */,
                                4CC92A9F15A3ABD400C6D578 /* login.yahoo.com.1.cer.h in Headers */,
                                4CC92AA015A3ABD400C6D578 /* login.yahoo.com.2.cer.h in Headers */,
                                4CC92A7515A3ABD400C6D578 /* si-24-sectrust-mobileasset.c in Sources */,
                                4477A8D918F28AB700B5BB9F /* si-78-query-attrs.c in Sources */,
                                4CC92A7615A3ABD400C6D578 /* si-24-sectrust-nist.c in Sources */,
+                               D41380C91C6E529500F1A4B6 /* si-92-sectrust-homekit.c in Sources */,
                                4CC92A7715A3ABD400C6D578 /* si-24-sectrust-otatasking.c in Sources */,
                                4CC92A7815A3ABD400C6D578 /* si-24-sectrust-shoebox.c in Sources */,
                                EB8F48DD1AE4CC7000CE93A7 /* si-25-sectrust-apple-authentication.c in Sources */,
index 9a4f866723f4ad27458349c1d43acc3fc72e5951..312fb076b76f940f8113a3dd23811d878ba93a19 100644 (file)
@@ -1036,7 +1036,7 @@ static bool SecItemIsSystemBound(CFDictionaryRef item, const SecDbClass *cls, bo
         }
     }
 
-    if (multiUser && CFEqual(agrp, CFSTR("com.apple.apsd"))) {
+    if (multiUser && CFEqual(agrp, CFSTR("com.apple.apsd")) && cls == &genp_class) {
         static CFStringRef pushServices[] = {
             CFSTR("push.apple.com"),
             CFSTR("push.apple.com,PerAppToken.v0"),
@@ -1050,22 +1050,64 @@ static bool SecItemIsSystemBound(CFDictionaryRef item, const SecDbClass *cls, bo
         }
     }
 
-    if (multiUser && CFEqual(agrp, CFSTR("apple"))) {
+    if (multiUser && CFEqual(agrp, CFSTR("apple")) && cls == &genp_class) {
         static CFStringRef acountServices[] = {
             CFSTR("com.apple.account.AppleAccount.token"),
             CFSTR("com.apple.account.AppleAccount.password"),
             CFSTR("com.apple.account.AppleAccount.rpassword"),
             CFSTR("com.apple.account.idms.token"),
+            CFSTR("com.apple.account.idms.heartbeat-token"),
             CFSTR("com.apple.account.idms.continuation-key"),
             CFSTR("com.apple.account.CloudKit.token"),
+            CFSTR("com.apple.account.IdentityServices.password"), /* accountsd for ids */
+            CFSTR("com.apple.account.IdentityServices.rpassword"),
+            CFSTR("com.apple.account.IdentityServices.token"),
+            CFSTR("BackupIDSAccountToken"),
+            CFSTR("com.apple.ids"),
+            CFSTR("ids"),
+            CFSTR("IDS"),
             NULL
         };
         CFStringRef service = CFDictionaryGetValue(item, kSecAttrService);
 
         if (isString(service) && matchAnyString(service, acountServices)) {
-            secdebug("backup", "found sys_bound item: %@", item);
+            secdebug("backup", "found exact sys_bound item: %@", item);
             return true;
         }
+        if (isString(service) && CFEqual(service, CFSTR("com.apple.facetime"))) {
+            CFStringRef account = CFDictionaryGetValue(item, kSecAttrAccount);
+            if (isString(account) && CFEqual(account, CFSTR("registrationV1"))) {
+                secdebug("backup", "found exact sys_bound item: %@", item);
+                return true;
+            }
+        }
+    }
+
+    if (multiUser && CFEqual(agrp, CFSTR("ichat")) && cls == &genp_class) {
+        static CFStringRef acountServices[] = {
+            CFSTR("ids"),
+            NULL
+        };
+        CFStringRef service = CFDictionaryGetValue(item, kSecAttrService);
+
+        if (isString(service) && matchAnyString(service, acountServices)) {
+            secdebug("backup", "found exact sys_bound item: %@", item);
+            return true;
+        }
+    }
+
+    if (multiUser && CFEqual(agrp, CFSTR("ichat")) && cls == &keys_class) {
+        static CFStringRef exactMatchingLabel[] = {
+            CFSTR("iMessage Encryption Key"),
+            CFSTR("iMessage Signing Key"),
+        };
+        CFStringRef label = CFDictionaryGetValue(item, kSecAttrLabel);
+        if (isString(label)) {
+            if (matchAnyString(label, exactMatchingLabel)) {
+                secdebug("backup", "found exact sys_bound item: %@", item);
+                return true;
+            }
+        }
     }
 
 
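Review bot: `exactMatchingLabel` in the new `ichat`/`keys_class` block has no terminating NULL entry, unlike every other array passed to `matchAnyString` in this function (`acountServices` ends with `NULL`); if `matchAnyString` walks until it finds NULL, as those siblings suggest, it reads past the end of the two-element array. Add `NULL` after `CFSTR("iMessage Signing Key"),`. The new `acountServices` array in the `ichat`/`genp_class` block copies the existing misspelling; `accountServices` is the intended name. SecItemIsSystemBound starts and ends outside this hunk.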
@@ -1078,9 +1120,9 @@ static bool SecItemIsSystemBound(CFDictionaryRef item, const SecDbClass *cls, bo
  access group, this ensures that an import or restore of a backup
  will never overwrite an existing activation record. */
 static bool SecServerDeleteAll(SecDbConnectionRef dbt, CFErrorRef *error) {
-    return kc_transaction(dbt, error, ^{
+    secwarning("SecServerDeleteAll");
 
-        secwarning("SecServerDeleteAll");
+    return kc_transaction(dbt, error, ^{
 
         bool ok = (SecDbExec(dbt, CFSTR("DELETE from genp;"), error) &&
                    SecDbExec(dbt, CFSTR("DELETE from inet;"), error) &&
@@ -1095,12 +1137,21 @@ static bool SecServerDeleteAll(SecDbConnectionRef dbt, CFErrorRef *error) {
 static bool DeleteAllFromTableForMUSRView(SecDbConnectionRef dbt,
                                           CFStringRef sql,
                                           CFDataRef musr,
+                                          bool keepU,
                                           CFErrorRef *error)
 {
     sqlite3_stmt *stmt = NULL;
+    CFStringRef sql2 = NULL;
     bool ok = false;
+    
+    if (keepU) {
+        sql2 = CFStringCreateWithFormat(NULL, NULL, CFSTR("%@ AND pdmn NOT IN ('aku','akpu','cku','dku')"), sql);
+    } else {
+        sql2 = CFRetain(sql);
+    }
+    require(sql2, fail);
 
-    stmt = SecDbCopyStmt(dbt, sql, NULL, error);
+    stmt = SecDbCopyStmt(dbt, sql2, NULL, error);
     require(stmt, fail);
 
     ok = SecDbBindObject(stmt, 1, musr, error);
@@ -1113,20 +1164,24 @@ fail:
     if (stmt) {
         ok = SecDbFinalize(stmt, error);
     }
+    if (!ok)
+        secwarning("DeleteAllFromTableForMUSRView failed for %@ for musr: %@: %@", sql2, musr, error ? *error : NULL);
+    
+    CFReleaseNull(sql2);
 
     return ok;
 }
 
-bool SecServerDeleteAllForUser(SecDbConnectionRef dbt, CFDataRef musrView, CFErrorRef *error) {
+bool SecServerDeleteAllForUser(SecDbConnectionRef dbt, CFDataRef musrView, bool keepU, CFErrorRef *error) {
+    secwarning("SecServerDeleteAllForUser for user: %@ keepU %s", musrView, keepU ? "yes" : "no");
+
     return kc_transaction(dbt, error, ^{
         bool ok;
 
-        secwarning("SecServerDeleteAllForUser for user: %@", musrView);
-
-        ok = (DeleteAllFromTableForMUSRView(dbt, CFSTR("DELETE FROM genp WHERE musr = ?"), musrView, error) &&
-              DeleteAllFromTableForMUSRView(dbt, CFSTR("DELETE FROM inet WHERE musr = ?"), musrView, error) &&
-              DeleteAllFromTableForMUSRView(dbt, CFSTR("DELETE FROM cert WHERE musr = ?"), musrView, error) &&
-              DeleteAllFromTableForMUSRView(dbt, CFSTR("DELETE FROM keys WHERE musr = ?"), musrView, error));
+        ok = (DeleteAllFromTableForMUSRView(dbt, CFSTR("DELETE FROM genp WHERE musr = ?"), musrView, keepU, error) &&
+              DeleteAllFromTableForMUSRView(dbt, CFSTR("DELETE FROM inet WHERE musr = ?"), musrView, keepU, error) &&
+              DeleteAllFromTableForMUSRView(dbt, CFSTR("DELETE FROM cert WHERE musr = ?"), musrView, keepU, error) &&
+              DeleteAllFromTableForMUSRView(dbt, CFSTR("DELETE FROM keys WHERE musr = ?"), musrView, keepU, error));
 
         return ok;
     });
@@ -1239,8 +1294,10 @@ SecServerCopyKeychainPlist(SecDbConnectionRef dbt,
     unsigned class_ix;
     bool inMultiUser = false;
     Query q = { .q_keybag = src_keybag };
-    q.q_return_type = kSecReturnDataMask | kSecReturnAttributesMask | \
-    kSecReturnPersistentRefMask;
+    q.q_return_type =
+        kSecReturnDataMask |
+        kSecReturnAttributesMask |
+        kSecReturnPersistentRefMask;
     q.q_limit = kSecMatchUnlimited;
     q.q_skip_acl_items = true;
 
@@ -1341,12 +1398,34 @@ SecServerImportItem(const void *value, void *context)
 
     secdebug("item", "Import Item : %@", dict);
 
-    /* We don't filter non sys_bound items during import since we know we
-     will never have any in this case, we use the kSecSysBoundItemFilter
-     to indicate that we don't preserve rowid's during import instead. */
-    if (state->s->filter == kSecBackupableItemFilter &&
-        SecItemIsSystemBound(dict, state->class, inMultiUser))
-        return;
+    /* We use the kSecSysBoundItemFilte to indicate that we don't
+     * preserve rowid's during import.
+     */
+    if (state->s->filter == kSecBackupableItemFilter) {
+        CFTypeRef pdmu;
+        
+        /* We don't filter non sys_bound items during import since we know we
+         * will never have any in this case.
+         */
+        if (SecItemIsSystemBound(dict, state->class, inMultiUser))
+            return;
+        
+        /* 
+         * Don't bother with u items when in edu mode since our current backup system
+         * don't keep track of items that blongs to the device (u) but rather just
+         * merge them into one blob.
+         */
+        if (inMultiUser && (pdmu = CFDictionaryGetValue(dict, kSecAttrAccessible))) {
+            if (CFEqual(pdmu, kSecAttrAccessibleWhenUnlockedThisDeviceOnly)     ||
+                CFEqual(pdmu, kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly) ||
+                CFEqual(pdmu, kSecAttrAccessibleWhenUnlockedThisDeviceOnly)     ||
+                CFEqual(pdmu, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly))
+            {
+                secdebug("item", "Skipping KU item : %@", dict);
+                return;
+            }
+        }
+    }
 
     SecDbItemRef item;
 
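Review bot: The accessibility list in the new `inMultiUser` check compares against `kSecAttrAccessibleWhenUnlockedThisDeviceOnly` twice (first and third comparison) and never against `kSecAttrAccessibleAlwaysThisDeviceOnly`, while the SQL filter added to DeleteAllFromTableForMUSRView in this commit excludes four distinct `pdmn` values ('aku','akpu','cku','dku'); the duplicated line is presumably meant to be the Always variant, otherwise that class of item is deleted on restore but never skipped on import. Replace the third comparison with `CFEqual(pdmu, kSecAttrAccessibleAlwaysThisDeviceOnly) ||`. The new comments carry typos: `kSecSysBoundItemFilte` should read `kSecSysBoundItemFilter`, and `don't keep track of items that blongs` should read `doesn't keep track of items that belong`. SecServerImportItem starts and ends outside this hunk.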
@@ -1401,7 +1480,7 @@ SecServerImportItem(const void *value, void *context)
      */
 
     if (item) {
-       bool insertStatus;
+        bool insertStatus;
 
         if(state->s->filter != kSecSysBoundItemFilter) {
             SecDbItemExtractRowIdFromBackupDictionary(item, dict, &state->s->error);
@@ -1447,7 +1526,11 @@ static void SecServerImportClass(const void *key, const void *value,
         return;
     }
     const SecDbClass *class = kc_class_with_name(key);
-    if (!class || class == &identity_class) {
+    if (!class) {
+        secwarning("Ignoring unknown key class '%@'", key);
+        return;
+    }
+    if (class == &identity_class) {
         SecError(errSecParam, &state->error, CFSTR("attempt to import an identity"));
         return;
     }
@@ -1456,11 +1539,15 @@ static void SecServerImportClass(const void *key, const void *value,
     };
     if (isArray(value)) {
         CFArrayRef items = (CFArrayRef)value;
+        secwarning("Import %ld items of class %@ (filter %d)", (long)CFArrayGetCount(items), key, state->filter);
         CFArrayApplyFunction(items, CFRangeMake(0, CFArrayGetCount(items)),
                              SecServerImportItem, &item_state);
-    } else {
+    } else if (isDictionary(value)) {
         CFDictionaryRef item = (CFDictionaryRef)value;
+        secwarning("Import %ld items of class %@ (filter %d)", (long)CFDictionaryGetCount(item), key, state->filter);
         SecServerImportItem(item, &item_state);
+    } else {
+        secwarning("Unknown value type for class %@ (filter %d)", key, state->filter);
     }
 }
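Review bot: The `secwarning` added in the `isDictionary(value)` branch reports `CFDictionaryGetCount(item)` as "items of class", but there the value is a single item and the count is its number of attributes, so the log line overstates what is being imported. Make the message say what it measures, e.g. `secwarning("Import 1 item (%ld attributes) of class %@ (filter %d)", (long)CFDictionaryGetCount(item), key, state->filter);`.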
 
@@ -1483,7 +1570,7 @@ bool SecServerImportKeychainInPlist(SecDbConnectionRef dbt, SecurityClient *clie
     if (client->inMultiUser) {
         CFDataRef musrView = SecMUSRCreateActiveUserUUID(client->uid);
         require_action(musrView, errOut, ok = false);
-        require_action(ok = SecServerDeleteAllForUser(dbt, musrView, error), errOut, CFReleaseNull(musrView));
+        require_action(ok = SecServerDeleteAllForUser(dbt, musrView, true, error), errOut, CFReleaseNull(musrView));
         CFReleaseNull(musrView);
     } else
 #endif
@@ -1499,12 +1586,14 @@ bool SecServerImportKeychainInPlist(SecDbConnectionRef dbt, SecurityClient *clie
         .filter = filter,
     };
     /* Import the provided items, preserving rowids. */
+    secwarning("Restoring backup items '%ld'", (long)CFDictionaryGetCount(keychain));
     CFDictionaryApplyFunction(keychain, SecServerImportClass, &state);
 
     if (sys_bound) {
         state.src_keybag = KEYBAG_NONE;
         /* Import the items we preserved with random rowids. */
         state.filter = kSecSysBoundItemFilter;
+        secwarning("Restoring sysbound items '%ld'", (long)CFDictionaryGetCount(sys_bound));
         CFDictionaryApplyFunction(sys_bound, SecServerImportClass, &state);
     }
     if (state.error) {
index 86ed675e89131bdc96e266c436d9fa91aebf8120..139f8a58a564ef38dd5999622bc52ccdfa037450 100644 (file)
@@ -127,7 +127,7 @@ bool SecServerImportKeychainInPlist(SecDbConnectionRef dbt,
                                     CFErrorRef *error);
 
 #if TARGET_OS_IPHONE
-bool SecServerDeleteAllForUser(SecDbConnectionRef dbt, CFDataRef musrView, CFErrorRef *error);
+bool SecServerDeleteAllForUser(SecDbConnectionRef dbt, CFDataRef musrView, bool keepU, CFErrorRef *error);
 #endif
 
 bool kc_transaction(SecDbConnectionRef dbt, CFErrorRef *error, bool(^perform)());
index 86448f4f7d3131cea25b13309c75968e338a9861..7527b7c9d7642290aa9cd89145e3e1b1a6f7b720 100644 (file)
@@ -63,7 +63,7 @@
 #include <Security/SecuritydXPC.h>
 #include "swcagent_client.h"
 
-#if TARGET_OS_IPHONE && !TARGET_OS_NANO
+#if TARGET_OS_IPHONE && !TARGET_OS_WATCH
 #include <dlfcn.h>
 #include <SharedWebCredentials/SharedWebCredentials.h>
 
@@ -1119,7 +1119,9 @@ _SecItemUpdate(CFDictionaryRef query, CFDictionaryRef attributesToUpdate,
     }
     if (ok) {
         ok = kc_with_dbt(true, error, ^(SecDbConnectionRef dbt) {
-            return s3dl_query_update(dbt, q, attributesToUpdate, accessGroups, error);
+            return kc_transaction(dbt, error, ^{
+                return s3dl_query_update(dbt, q, attributesToUpdate, accessGroups, error);
+            });
         });
     }
     if (q) {
@@ -1178,7 +1180,9 @@ _SecItemDelete(CFDictionaryRef query, SecurityClient *client, CFErrorRef *error)
             ok = SecError(errSecItemIllegalQuery, error, CFSTR("rowid and other attributes are mutually exclusive"));
         } else {
             ok = kc_with_dbt(true, error, ^(SecDbConnectionRef dbt) {
-                return s3dl_query_delete(dbt, q, accessGroups, error);
+                return kc_transaction(dbt, error, ^{
+                    return s3dl_query_delete(dbt, q, accessGroups, error);
+                });
             });
         }
         ok = query_notify_and_destroy(q, ok, error);
@@ -1341,7 +1345,7 @@ _SecEntitlementContainsDomainForService(CFArrayRef domains, CFStringRef domain,
 #endif
 
 static bool
-_SecAddNegativeWebCredential(CFStringRef fqdn, CFStringRef appID, bool forSafari)
+_SecAddNegativeWebCredential(SecurityClient *client, CFStringRef fqdn, CFStringRef appID, bool forSafari)
 {
     bool result = false;
     if (!fqdn) { return result; }
@@ -1377,12 +1381,13 @@ _SecAddNegativeWebCredential(CFStringRef fqdn, CFStringRef appID, bool forSafari
 
     CFErrorRef error = NULL;
     CFStringRef accessGroup = CFSTR("*");
-    SecurityClient client = {
+    SecurityClient swcclient = {
         .task = NULL,
         .accessGroups =  CFArrayCreate(kCFAllocatorDefault, (const void **)&accessGroup, 1, &kCFTypeArrayCallBacks),
         .allowSystemKeychain = false,
         .allowSyncBubbleKeychain = false,
         .isNetworkExtension = false,
+        .musr = client->musr,
     };
 
     CFDictionaryAddValue(attrs, kSecClass, kSecClassInternetPassword);
@@ -1392,7 +1397,7 @@ _SecAddNegativeWebCredential(CFStringRef fqdn, CFStringRef appID, bool forSafari
     CFDictionaryAddValue(attrs, kSecAttrServer, fqdn);
     CFDictionaryAddValue(attrs, kSecAttrSynchronizable, kCFBooleanTrue);
 
-    (void)_SecItemDelete(attrs, &client, &error);
+    (void)_SecItemDelete(attrs, &swcclient, &error);
     CFReleaseNull(error);
 
     CFDictionaryAddValue(attrs, kSecAttrAccount, kSecSafariPasswordsNotSaved);
@@ -1413,12 +1418,12 @@ _SecAddNegativeWebCredential(CFStringRef fqdn, CFStringRef appID, bool forSafari
     }
 
     CFTypeRef addResult = NULL;
-    result = _SecItemAdd(attrs, &client, &addResult, &error);
+    result = _SecItemAdd(attrs, &swcclient, &addResult, &error);
 
     CFReleaseSafe(addResult);
     CFReleaseSafe(error);
     CFReleaseSafe(attrs);
-    CFReleaseSafe(client.accessGroups);
+    CFReleaseSafe(swcclient.accessGroups);
 
     return result;
 }
@@ -1426,26 +1431,23 @@ _SecAddNegativeWebCredential(CFStringRef fqdn, CFStringRef appID, bool forSafari
 /* Specialized version of SecItemAdd for shared web credentials */
 bool
 _SecAddSharedWebCredential(CFDictionaryRef attributes,
-    const audit_token_t *clientAuditToken,
-    CFStringRef appID,
-    CFArrayRef domains,
-    CFTypeRef *result,
-    CFErrorRef *error) {
+                           SecurityClient *client,
+                           const audit_token_t *clientAuditToken,
+                           CFStringRef appID,
+                           CFArrayRef domains,
+                           CFTypeRef *result,
+                           CFErrorRef *error)
+{
 
-    SecurityClient client = {};
+    SecurityClient swcclient = {};
 
     CFStringRef fqdn = CFRetainSafe(CFDictionaryGetValue(attributes, kSecAttrServer));
-    CFStringRef account = CFRetainSafe(CFDictionaryGetValue(attributes, kSecAttrAccount));
-#if TARGET_OS_IPHONE && !TARGET_OS_WATCH
-    CFStringRef password = CFRetainSafe(CFDictionaryGetValue(attributes, kSecSharedPassword));
-#else
-    CFStringRef password = CFRetainSafe(CFDictionaryGetValue(attributes, CFSTR("spwd")));
-#endif
+    CFStringRef account = CFDictionaryGetValue(attributes, kSecAttrAccount);
+    CFStringRef password = CFDictionaryGetValue(attributes, CFSTR("spwd") /* kSecSharedPassword */);
     CFStringRef accessGroup = CFSTR("*");
     CFMutableDictionaryRef query = NULL, attrs = NULL;
     SInt32 port = -1;
-    bool ok = false, update = false;
-    //bool approved = false;
+    bool ok = false;
 
     // check autofill enabled status
     if (!swca_autofill_enabled(clientAuditToken)) {
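Review bot: The password is now read under the hard-coded key `CFSTR("spwd")` with kSecSharedPassword demoted to a comment, so the two can silently diverge if the constant ever changes; the removed code used the real symbol on iOS. If the literal is needed because the SharedWebCredentials header is not available on every target, say so on that line, e.g. `// "spwd" must match kSecSharedPassword; literal used because the SWC header is not available on all targets`, or keep the symbol under the existing `TARGET_OS_IPHONE && !TARGET_OS_WATCH` guard. Dropping CFRetainSafe on `account` and `password` is only correct because `attributes` is caller-owned for the whole call; a short comment that they are borrowed would help, since `fqdn` on the line above is still retained and released.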
@@ -1509,18 +1511,19 @@ _SecAddSharedWebCredential(CFDictionaryRef attributes,
 #else
     // get approval status for this app/domain pair
     SWCFlags flags = _SecAppDomainApprovalStatus(appID, fqdn, error);
-    //approved = ((flags & kSWCFlag_SiteApproved) && (flags & kSWCFlag_UserApproved));
     if (!(flags & kSWCFlag_SiteApproved)) {
         goto cleanup;
     }
 #endif
 
     // give ourselves access to see matching items for kSecSafariAccessGroup
-    client.task = NULL;
-    client.accessGroups =  CFArrayCreate(kCFAllocatorDefault, (const void **)&accessGroup, 1, &kCFTypeArrayCallBacks);
-    client.allowSystemKeychain = false;
-    client.allowSyncBubbleKeychain = false;
-    client.isNetworkExtension = false;
+    swcclient.task = NULL;
+    swcclient.accessGroups =  CFArrayCreate(kCFAllocatorDefault, (const void **)&accessGroup, 1, &kCFTypeArrayCallBacks);
+    swcclient.allowSystemKeychain = false;
+    swcclient.musr = client->musr;
+    swcclient.allowSystemKeychain = false;
+    swcclient.allowSyncBubbleKeychain = false;
+    swcclient.isNetworkExtension = false;
 
 
     // create lookup query
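Review bot: `swcclient.allowSystemKeychain = false;` is assigned twice, before and after the new `musr` line; delete one. Since `swcclient` is zero-initialised with `= {}` at the top of the function, the remaining `= false`/`= NULL` assignments are redundant as well, and the designated-initializer form used in _SecAddNegativeWebCredential would keep the two functions consistent. `client->musr` is dereferenced without a NULL check; if the XPC dispatcher guarantees a non-NULL client that is fine, but nothing here says so.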
@@ -1537,7 +1540,7 @@ _SecAddSharedWebCredential(CFDictionaryRef attributes,
 
     // check for presence of Safari's negative entry ('passwords not saved')
     CFDictionarySetValue(query, kSecAttrAccount, kSecSafariPasswordsNotSaved);
-    ok = _SecItemCopyMatching(query, &client, result, error);
+    ok = _SecItemCopyMatching(query, &swcclient, result, error);
     if(result) CFReleaseNull(*result);
     CFReleaseNull(*error);
     if (ok) {
@@ -1555,11 +1558,11 @@ _SecAddSharedWebCredential(CFDictionaryRef attributes,
     }
 
     // look up existing password
-    if (_SecItemCopyMatching(query, &client, result, error)) {
+    if (_SecItemCopyMatching(query, &swcclient, result, error)) {
         // found it, so this becomes either an "update password" or "delete password" operation
         if(result) CFReleaseNull(*result);
         CFReleaseNull(*error);
-        update = (password != NULL);
+        bool update = (password != NULL);
         if (update) {
             attrs = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
             CFDataRef credential = CFStringCreateExternalRepresentation(kCFAllocatorDefault, password, kCFStringEncodingUTF8, 0);
@@ -1570,18 +1573,18 @@ _SecAddSharedWebCredential(CFDictionaryRef attributes,
             // confirm the update
             // (per rdar://16676310 we always prompt, even if there was prior user approval)
             ok = /*approved ||*/ swca_confirm_operation(swca_update_request_id, clientAuditToken, query, error,
-                ^void (CFStringRef fqdn) { _SecAddNegativeWebCredential(fqdn, appID, false); });
+                ^void (CFStringRef fqdn) { _SecAddNegativeWebCredential(client, fqdn, appID, false); });
             if (ok) {
-                ok = _SecItemUpdate(query, attrs, &client, error);
+                ok = _SecItemUpdate(query, attrs, &swcclient, error);
             }
         }
         else {
             // confirm the delete
             // (per rdar://16676288 we always prompt, even if there was prior user approval)
             ok = /*approved ||*/ swca_confirm_operation(swca_delete_request_id, clientAuditToken, query, error,
-                ^void (CFStringRef fqdn) { _SecAddNegativeWebCredential(fqdn, appID, false); });
+                ^void (CFStringRef fqdn) { _SecAddNegativeWebCredential(client, fqdn, appID, false); });
             if (ok) {
-                ok = _SecItemDelete(query, &client, error);
+                ok = _SecItemDelete(query, &swcclient, error);
             }
         }
         if (ok) {
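Review bot: The confirm callbacks now capture `client`, a pointer owned by the caller, and forward it to _SecAddNegativeWebCredential, which reads `client->musr`; that is only safe if swca_confirm_operation runs the block synchronously before returning, which this hunk does not show. If the block can fire after _SecAddSharedWebCredential returns (a UI prompt completing later), it would read through a dangling pointer, so either add `// client is borrowed: swca_confirm_operation must invoke the block before returning` at the first capture, or copy `client->musr` into the block instead of the pointer. The `/*approved ||*/` remnants on the `ok =` lines refer to a variable this commit deleted and should go too.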
@@ -1612,8 +1615,8 @@ _SecAddSharedWebCredential(CFDictionaryRef attributes,
         CFReleaseSafe(credential);
         CFDictionarySetValue(query, kSecAttrComment, kSecSafariDefaultComment);
 
-        CFReleaseSafe(client.accessGroups);
-        client.accessGroups = CFArrayCreate(kCFAllocatorDefault, (const void **)&kSecSafariAccessGroup, 1, &kCFTypeArrayCallBacks);
+        CFReleaseSafe(swcclient.accessGroups);
+        swcclient.accessGroups = CFArrayCreate(kCFAllocatorDefault, (const void **)&kSecSafariAccessGroup, 1, &kCFTypeArrayCallBacks);
 
         // mark the item as created by this function
         const int32_t creator_value = 'swca';
@@ -1627,41 +1630,31 @@ _SecAddSharedWebCredential(CFDictionaryRef attributes,
             // confirm the add
             // (per rdar://16680019, we won't prompt here in the normal case)
             ok = /*approved ||*/ swca_confirm_operation(swca_add_request_id, clientAuditToken, query, error,
-                ^void (CFStringRef fqdn) { _SecAddNegativeWebCredential(fqdn, appID, false); });
+                ^void (CFStringRef fqdn) { _SecAddNegativeWebCredential(client, fqdn, appID, false); });
         }
     }
     if (ok) {
-        ok = _SecItemAdd(query, &client, result, error);
+        ok = _SecItemAdd(query, &swcclient, result, error);
     }
 
 cleanup:
-#if 0 /* debugging */
-{
-    const char *op_str = (password) ? ((update) ? "updated" : "added") : "deleted";
-    const char *result_str = (ok) ? "true" : "false";
-    secerror("result=%s, %s item %@, error=%@", result_str, op_str, *result, *error);
-}
-#else
-    (void)update;
-#endif
     CFReleaseSafe(attrs);
     CFReleaseSafe(query);
-    CFReleaseSafe(client.accessGroups);
+    CFReleaseSafe(swcclient.accessGroups);
     CFReleaseSafe(fqdn);
-    CFReleaseSafe(account);
-    CFReleaseSafe(password);
     return ok;
 }
 
 /* Specialized version of SecItemCopyMatching for shared web credentials */
 bool
 _SecCopySharedWebCredential(CFDictionaryRef query,
-    const audit_token_t *clientAuditToken,
-    CFStringRef appID,
-    CFArrayRef domains,
-    CFTypeRef *result,
-    CFErrorRef *error) {
-
+                           SecurityClient *client,
+                           const audit_token_t *clientAuditToken,
+                           CFStringRef appID,
+                           CFArrayRef domains,
+                           CFTypeRef *result,
+                           CFErrorRef *error)
+{
     CFMutableArrayRef credentials = NULL;
     CFMutableArrayRef foundItems = NULL;
     CFMutableArrayRef fqdns = NULL;
@@ -1678,12 +1671,13 @@ _SecCopySharedWebCredential(CFDictionaryRef query,
 
     // give ourselves access to see matching items for kSecSafariAccessGroup
     CFStringRef accessGroup = CFSTR("*");
-    SecurityClient client = {
+    SecurityClient swcclient = {
         .task = NULL,
         .accessGroups =  CFArrayCreate(kCFAllocatorDefault, (const void **)&accessGroup, 1, &kCFTypeArrayCallBacks),
         .allowSystemKeychain = false,
         .allowSyncBubbleKeychain = false,
         .isNetworkExtension = false,
+       .musr = client->musr,
     };
 
     // On input, the query dictionary contains optional fqdn and account entries.
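Review bot: The `.musr = client->musr,` line is indented with seven spaces while the rest of the initializer uses eight; fix the indent. As in _SecAddSharedWebCredential, `client` is dereferenced without a NULL check; presumably the dispatcher always supplies one, but a `require` or a comment would make that contract explicit.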
@@ -1749,9 +1743,9 @@ _SecCopySharedWebCredential(CFDictionaryRef query,
             }
         }
 
-    #if TARGET_IPHONE_SIMULATOR
+#if TARGET_IPHONE_SIMULATOR
         secerror("app/site association entitlements not checked in Simulator");
-    #else
+#else
            OSStatus status = errSecMissingEntitlement;
         if (!appID) {
             SecError(status, error, CFSTR("Missing application-identifier entitlement"));
@@ -1773,7 +1767,7 @@ _SecCopySharedWebCredential(CFDictionaryRef query,
             CFReleaseSafe(fqdn);
             goto cleanup;
         }
-    #endif
+#endif
 
         attrs = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
         if (!attrs) {
@@ -1799,7 +1793,7 @@ _SecCopySharedWebCredential(CFDictionaryRef query,
         CFDictionaryAddValue(attrs, kSecReturnAttributes, kCFBooleanTrue);
         CFDictionaryAddValue(attrs, kSecReturnData, kCFBooleanTrue);
 
-        ok = _SecItemCopyMatching(attrs, &client, (CFTypeRef*)&items, error);
+        ok = _SecItemCopyMatching(attrs, &swcclient, (CFTypeRef*)&items, error);
         if (count > 1) {
             // ignore interim error since we have multiple domains to search
             CFReleaseNull(*error);
@@ -1932,11 +1926,6 @@ _SecCopySharedWebCredential(CFDictionaryRef query,
             CFArrayAppendValue(credentials, selected);
         }
 
-#if 0
-        // confirm the access
-        ok = swca_confirm_operation(swca_copy_request_id, clientAuditToken, query, error,
-                    ^void (CFStringRef fqdn) { _SecAddNegativeWebCredential(fqdn, appID, false); });
-#endif
         if (ok) {
             #if TARGET_OS_IPHONE && !TARGET_OS_WATCH
             // register confirmation with database
@@ -1975,11 +1964,9 @@ cleanup:
     }
     CFReleaseSafe(foundItems);
     *result = credentials;
-    CFReleaseSafe(client.accessGroups);
+    CFReleaseSafe(swcclient.accessGroups);
     CFReleaseSafe(fqdns);
-#if 0 /* debugging */
-    secerror("result=%s, copied items %@, error=%@", (ok) ? "true" : "false", *result, *error);
-#endif
+
     return ok;
 }
 
@@ -2667,7 +2654,7 @@ _SecServerTransmogrifyToSystemKeychain(SecurityClient *client, CFErrorRef *error
 }
 
 /*
- * Migrate from user keychain to system keychain when switching to edu mode
+ * Delete account from local usage
  */
 
 bool
@@ -2683,8 +2670,8 @@ _SecServerDeleteMUSERViews(SecurityClient *client, uid_t uid, CFErrorRef *error)
         musrView = SecMUSRCreateActiveUserUUID(uid);
         require(musrView, fail);
 
-        require(ok = SecServerDeleteAllForUser(dbt, syncBubbleView, error), fail);
-        require(ok = SecServerDeleteAllForUser(dbt, musrView, error), fail);
+        require(ok = SecServerDeleteAllForUser(dbt, syncBubbleView, false, error), fail);
+        require(ok = SecServerDeleteAllForUser(dbt, musrView, false, error), fail);
 
     fail:
         CFReleaseNull(syncBubbleView);
index 4bc57b9494f5bb3d970b02900a6bb3d76dd120b4..5ec10c7ad848e3347709332d6da9b8ad95fb8135 100644 (file)
@@ -64,8 +64,8 @@ bool _SecServerTransmogrifyToSyncBubble(CFArrayRef services, uid_t uid, Security
 bool _SecServerDeleteMUSERViews(SecurityClient *client, uid_t uid, CFErrorRef *error);
 #endif
 
-bool _SecAddSharedWebCredential(CFDictionaryRef attributes, const audit_token_t *clientAuditToken, CFStringRef appID, CFArrayRef domains, CFTypeRef *result, CFErrorRef *error);
-bool _SecCopySharedWebCredential(CFDictionaryRef query, const audit_token_t *clientAuditToken, CFStringRef appID, CFArrayRef domains, CFTypeRef *result, CFErrorRef *error);
+bool _SecAddSharedWebCredential(CFDictionaryRef attributes, SecurityClient *client, const audit_token_t *clientAuditToken, CFStringRef appID, CFArrayRef domains, CFTypeRef *result, CFErrorRef *error);
+bool _SecCopySharedWebCredential(CFDictionaryRef query, SecurityClient *client, const audit_token_t *clientAuditToken, CFStringRef appID, CFArrayRef domains, CFTypeRef *result, CFErrorRef *error);
 
 // Hack to log objects from inside SOS code
 void SecItemServerAppendItemDescription(CFMutableStringRef desc, CFDictionaryRef object);
index 46257024951597fc223169f38b24f507d7b9ac08..9bad034c0a709a85be4ff90efa864bd7c44eabbf 100644 (file)
@@ -2203,7 +2203,7 @@ static CFStringRef get_valid_sct_operator(CFDataRef sct, int entry_type, CFDataR
     q = SSLEncodeUint16(q, extensionsLen);
     memcpy(q, extensionsData, extensionsLen);
 
-    CFDataRef logIDData = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, logID, 32, NULL);
+    CFDataRef logIDData = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, logID, 32, kCFAllocatorNull);
 
     CFDictionaryRef logData = CFArrayGetValueMatching(trustedLogs, ^bool(const void *dict) {
         const void *key_data;
@@ -2215,6 +2215,7 @@ static CFStringRef get_valid_sct_operator(CFDataRef sct, int entry_type, CFDataR
         CFReleaseSafe(valueID);
         return result;
     });
+    CFReleaseSafe(logIDData);
     require(logData, out);
 
     /* If an expiry date is specified, and is a valid CFDate, then we check it against issuanceTime or verifyTime */
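Review bot: With the allocator corrected to kCFAllocatorNull, `logIDData` wraps `logID` without copying, so it must not outlive that buffer; the CFReleaseSafe placed right after the lookup guarantees that and deserves a one-line comment, e.g. `// no-copy wrapper over logID: release before logID goes out of scope`. `logIDData` is also handed to the matching block without a NULL check, so a failed CFDataCreateWithBytesNoCopy would reach the comparisons inside the block; add `require_quiet(logIDData, out);` before the lookup. The enclosing function starts and ends outside this hunk.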
@@ -2290,8 +2291,8 @@ static CFArrayRef copy_ocsp_scts(SecPVCRef pvc)
                 }
                 SecOCSPSingleResponseDestroy(ocspSingleResponse);
             }
-            SecOCSPResponseFinalize(ocspResponse);
         }
+        if(ocspResponse) SecOCSPResponseFinalize(ocspResponse);
     });
 
     if(CFArrayGetCount(SCTs)==0) {
index e3e17cb64ab240890551c6c39d0fc45a477c0b5a..a499b047188d087e4138565596cbe4f85ccb8cf1 100644 (file)
@@ -705,7 +705,11 @@ static void SecPathBuilderInit(SecPathBuilderRef builder,
 
     builder->nextParentSource = 1;
     builder->considerPartials = false;
+#if !TARGET_OS_WATCH
     builder->canAccessNetwork = true;
+#else
+    builder->canAccessNetwork = false;
+#endif
 
     builder->anchorSources = CFArrayCreateMutable(allocator, 0, NULL);
     builder->parentSources = CFArrayCreateMutable(allocator, 0, NULL);
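Review bot: Disabling network access on watchOS is a policy decision baked into the builder's default with no explanation in the code. Add a comment above the `#if`, e.g. `// watchOS: the trust evaluator never fetches issuers over the network; see SecPathBuilderSetCanAccessNetwork`, so nobody re-enables it by accident. If other paths in the builder consult canAccessNetwork (revocation fetches, for instance), they are now off on watch as well, which is presumably intended but worth stating in the commit message.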
@@ -750,7 +754,9 @@ static void SecPathBuilderInit(SecPathBuilderRef builder,
         CFArrayAppendValue(builder->anchorSources, &kSecSystemAnchorSource);
         CFArrayAppendValue(builder->anchorSources, &kSecUserAnchorSource);
     }
-    CFArrayAppendValue(builder->parentSources, &kSecCAIssuerSource);
+    if (builder->canAccessNetwork) {
+        CFArrayAppendValue(builder->parentSources, &kSecCAIssuerSource);
+    }
 
        /* Now let's get the leaf cert and turn it into a path. */
        SecCertificateRef leaf =
@@ -813,6 +819,9 @@ static void SecPathBuilderDestroy(SecPathBuilderRef builder) {
        CFReleaseSafe(builder->rejectedPaths);
        CFReleaseSafe(builder->candidatePaths);
        CFReleaseSafe(builder->leafDetails);
+    CFReleaseSafe(builder->ocspResponses);
+    CFReleaseSafe(builder->signedCertificateTimestamps);
+    CFReleaseSafe(builder->trustedLogs);
 
     SecPVCDelete(&builder->path);
 }
@@ -825,10 +834,15 @@ void SecPathBuilderSetCanAccessNetwork(SecPathBuilderRef builder, bool allow) {
     if (builder->canAccessNetwork != allow) {
         builder->canAccessNetwork = allow;
         if (allow) {
+#if !TARGET_OS_WATCH
             secdebug("http", "network access re-enabled by policy");
             /* re-enabling network_access re-adds kSecCAIssuerSource as
                a parent source. */
             CFArrayAppendValue(builder->parentSources, &kSecCAIssuerSource);
+#else
+            secdebug("http", "network access not allowed on WatchOS");
+            builder->canAccessNetwork = false;
+#endif
         } else {
             secdebug("http", "network access disabled by policy");
             /* disabling network_access removes kSecCAIssuerSource from
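Review bot: On watchOS the function first stores `builder->canAccessNetwork = allow` (true) and then immediately resets it to false inside the `#else`, which works but buries the invariant in the middle of the enable branch. Clearer to refuse at the top of the function: `#if TARGET_OS_WATCH` / `if (allow) { secdebug("http", "network access not allowed on WatchOS"); return; }` / `#endif`, leaving the rest of the body identical on every platform. That also keeps a watch caller passing true from taking the branch and logging on every call, since the outer `!= allow` guard never short-circuits it.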
index b772072aa3eb2a4fe07ec02b48f3ef82367cc381..e33e85a3a8279a57b8931490da0a3f914f58ff37 100644 (file)
@@ -1124,7 +1124,7 @@ static uint8_t invalid_ocsp_response_der[] = {
 static void tests()
 {
     SecCertificateRef certA=NULL, certD=NULL, certF=NULL, certCA_alpha=NULL, certCA_beta=NULL;
-    CFDataRef proofD=NULL, proofA_1, proofA_2;
+    CFDataRef proofD=NULL, proofA_1=NULL, proofA_2=NULL;
     SecCertificateRef www_digicert_com_cert=NULL, digicert_sha2_ev_server_ca=NULL;
     SecCertificateRef www_paypal_com_cert=NULL, www_paypal_com_issuer_cert=NULL;
     SecCertificateRef cfCert = NULL;
index 8ea52f9d3a268c0dde84c831faafc89c946d8b79..335add4008bade6efa355289da3898eb803deb1c 100644 (file)
@@ -51,7 +51,6 @@
 #define LOGD(ARG,...) secdebug("secdb", ARG, ## __VA_ARGS__)
 
 #define HAVE_UNLOCK_NOTIFY  0
-#define USE_BUSY_HANDLER  1
 
 struct __OpaqueSecDbStatement {
     CFRuntimeBase _base;
@@ -417,75 +416,46 @@ static bool SecDbWaitForUnlockNotify(SecDbConnectionRef dbconn, sqlite3_stmt *st
 
 #endif
 
-#if USE_BUSY_HANDLER
-
-// Return 0 to stop retrying.
-static int SecDbHandleBusy(void *ctx, int retryCount) {
-    SecDbConnectionRef dbconn __unused = ctx;
-    struct timespec sleeptime = { .tv_sec = 0, .tv_nsec = 10000 };
-    while (retryCount--) {
-        // Double sleeptime until we hit one second then add one
-        // second more every time we sleep.
-        if (sleeptime.tv_sec) {
-            sleeptime.tv_sec++;
-        } else {
-            sleeptime.tv_nsec *= 2;
-            if (sleeptime.tv_nsec > NSEC_PER_SEC) {
-                sleeptime.tv_nsec = 0;
-                sleeptime.tv_sec++;
-            }
-        }
-    }
-    struct timespec unslept = {};
-    nanosleep(&sleeptime, &unslept);
-
-    return 1;
-}
+#define BUSY_TIMEOUT_MS (5 * 60 * 1000)  /* 5 minutes */
 
 static bool SecDbBusyHandler(SecDbConnectionRef dbconn, CFErrorRef *error) {
-    return SecDbErrorWithDb(sqlite3_busy_handler(dbconn->handle, SecDbHandleBusy, dbconn), dbconn->handle, error, CFSTR("busy_handler"));
+    return SecDbErrorWithDb(sqlite3_busy_timeout(dbconn->handle, BUSY_TIMEOUT_MS), dbconn->handle, error, CFSTR("busy_handler"));
 }
 
-#endif // USE_BUSY_HANDLER
+static int sleepBackoff[] = { 10, 20, 50, 100, 250 };
+static int sumBackoff[]   = { 10, 30, 80, 180, 430 };
+static int numEntries = sizeof(sleepBackoff)/sizeof(sleepBackoff[0]);
 
 // Return true causes the operation to be tried again.
-static bool SecDbWaitIfNeeded(SecDbConnectionRef dbconn, int s3e, sqlite3_stmt *stmt, CFStringRef desc, struct timespec *sleeptime, CFErrorRef *error) {
+static bool SecDbWaitIfNeeded(SecDbConnectionRef dbconn, int s3e, sqlite3_stmt *stmt, CFStringRef desc, int nTries, CFErrorRef *error) {
 #if HAVE_UNLOCK_NOTIFY
     if (s3e == SQLITE_LOCKED) { // Optionally check for extended code being SQLITE_LOCKED_SHAREDCACHE
         return SecDbWaitForUnlockNotify(dbconn, stmt, error))
     }
 #endif
+    if (((0xFF & s3e) == SQLITE_BUSY) || ((0xFF & s3e) == SQLITE_LOCKED)) {
+        int totaltimeout, timeout;
 
-#if !USE_BUSY_HANDLER
-    if (s3e == SQLITE_LOCKED || s3e == SQLITE_BUSY) {
-        LOGV("sqlDb: %s", sqlite3_errmsg(dbconn->handle));
-        while (s3e == SQLITE_LOCKED || s3e == SQLITE_BUSY) {
-            struct timespec unslept = {};
-            nanosleep(sleeptime, &unslept);
-            s3e = SQLITE_OK;
-            if (stmt)
-                s3e = sqlite3_reset(stmt);
-
-            // Double sleeptime until we hit one second the add one
-            // second more every time we sleep.
-            if (sleeptime->tv_sec) {
-                sleeptime->tv_sec++;
-            } else {
-                sleeptime->tv_nsec *= 2;
-                if (sleeptime->tv_nsec > NSEC_PER_SEC) {
-                    sleeptime->tv_nsec = 0;
-                    sleeptime->tv_sec++;
-                }
-            }
+        _Static_assert(sizeof(sumBackoff) == sizeof(sleepBackoff), "matching arrays not matching");
+        _Static_assert(sizeof(sumBackoff[0]) == sizeof(sleepBackoff[0]), "matching arrays not matching");
+
+        if (nTries < numEntries) {
+            timeout = sleepBackoff[nTries];
+            totaltimeout = sumBackoff[nTries];
+        } else {
+            timeout = sleepBackoff[numEntries - 1];
+            totaltimeout = sumBackoff[numEntries - 1] + (timeout * (nTries - numEntries));
+        }
+        if (totaltimeout < BUSY_TIMEOUT_MS) {
+            LOGE("sqlite busy/locked: %d ntries: %d totaltimeout: %d", s3e, nTries, totaltimeout);
+            sqlite3_sleep(timeout);
+            return true;
+        } else {
+            LOGE("sqlite busy/locked: too long: %d ms, giving up", totaltimeout);
         }
-        if (s3e)
-            return SecDbErrorWithStmt(s3e, stmt, error, CFSTR("reset"));
-    } else
-#endif // !USE_BUSY_HANDLER
-    {
-        return SecDbConnectionCheckCode(dbconn, s3e, error, desc);
     }
-    return true;
+
+    return SecDbConnectionCheckCode(dbconn, s3e, error, desc);
 }
 
 enum SecDbStepResult {
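Review bot: The new retry loop in SecDbWaitIfNeeded stacks on top of the 5-minute `sqlite3_busy_timeout` installed by SecDbBusyHandler, so a SQLITE_BUSY that sqlite has already waited BUSY_TIMEOUT_MS on is retried again here until totaltimeout also reaches BUSY_TIMEOUT_MS, making the worst-case stall far longer than five minutes. Either keep the in-process backoff only for SQLITE_LOCKED, which the busy handler does not cover, or give the outer budget a much smaller bound than the inner one. SQLite also documents that a SQLITE_BUSY inside an explicit transaction should be rolled back rather than retried; with the kc_transaction wrappers added in this same commit, the unconditional retry may spin on a statement that cannot progress until the transaction ends, which is worth confirming. Finally, `LOGE` on every retry makes ordinary contention look like an error (the removed code used LOGV), and `sleepBackoff`, `sumBackoff` and `numEntries` should be `static const`.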
@@ -498,15 +468,18 @@ typedef enum SecDbStepResult SecDbStepResult;
 static SecDbStepResult _SecDbStep(SecDbConnectionRef dbconn, sqlite3_stmt *stmt, CFErrorRef *error) {
     assert(stmt != NULL);
     int s3e;
-    struct timespec sleeptime = { .tv_sec = 0, .tv_nsec = 10000 };
+    int ntries = 0;
     for (;;) {
         s3e = sqlite3_step(stmt);
-        if (s3e == SQLITE_ROW)
+        if (s3e == SQLITE_ROW) {
+            ntries = 0;
             return kSecDbRowStep;
-        else if (s3e == SQLITE_DONE)
+        else if (s3e == SQLITE_DONE)
             return kSecDbDoneStep;
-        else if (!SecDbWaitIfNeeded(dbconn, s3e, stmt, CFSTR("step"), &sleeptime, error))
+        else if (!SecDbWaitIfNeeded(dbconn, s3e, stmt, CFSTR("step"), ntries, error)) {
             return kSecDbErrorStep;
+        }
+        ntries++;
     };
 }
 
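Review bot: `ntries = 0;` immediately before `return kSecDbRowStep;` is dead code: the function returns on the next line and `ntries` is a local recreated on every call, so delete it or, if the intent was to reset the backoff per row, `ntries` would have to persist across calls. Brace style is also inconsistent within the same chain (braced `if`, unbraced `else if (s3e == SQLITE_DONE)`); brace every branch.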
@@ -841,9 +814,7 @@ static bool SecDbOpenHandle(SecDbConnectionRef dbconn, bool *created, CFErrorRef
         if (ok && SecDbTraceEnabled()) {
             sqlite3_trace(dbconn->handle, SecDbTrace, dbconn);
         }
-#if USE_BUSY_HANDLER
         ok = ok && SecDbBusyHandler(dbconn, error);
-#endif
     });
 
 done:
@@ -1179,14 +1150,15 @@ sqlite3_stmt *SecDbPrepareV2(SecDbConnectionRef dbconn, const char *sql, size_t
         SecDbErrorWithDb(SQLITE_TOOBIG, db, error, CFSTR("prepare_v2: sql bigger than INT_MAX"));
         return NULL;
     }
-    struct timespec sleeptime = { .tv_sec = 0, .tv_nsec = 10000 };
+    int ntries = 0;
     for (;;) {
         sqlite3_stmt *stmt = NULL;
         int s3e = sqlite3_prepare_v2(db, sql, (int)sqlLen, &stmt, sqlTail);
         if (s3e == SQLITE_OK)
             return stmt;
-        else if (!SecDbWaitIfNeeded(dbconn, s3e, NULL, CFSTR("preparev2"), &sleeptime, error))
+        else if (!SecDbWaitIfNeeded(dbconn, s3e, NULL, CFSTR("preparev2"), ntries, error))
             return NULL;
+        ntries++;
     }
 }
 
index f37ef5f54d882327be365f74f743ac00b657044a..1b7dfe2d2cae5751270fb9587041e192de0679e9 100644 (file)
@@ -51,5 +51,6 @@ SEC_CONST_DECL (kSecUseAuthenticationUISkip, "u_AuthUIS");
 SEC_CONST_DECL (kSecUseAuthenticationContext, "u_AuthCtx");
 SEC_CONST_DECL (kSecUseToken, "u_Token");
 SEC_CONST_DECL (kSecUseTokenObjectID, "u_TokenOID");
+SEC_CONST_DECL (kSecUseCallerName, "u_CallerName");
 
 #endif
index 4326b29d47340462e5ab0fdecc2e7f5ed0eba05a..fbd52a2e0b972623f25e1329973b8444ecbe12e6 100644 (file)
@@ -1674,7 +1674,7 @@ void KeychainDbCommon::activity()
 void KeychainDbCommon::sleepProcessing()
 {
        secdebug("KCdb", "common %s(%p) sleep-lock processing", dbName(), this);
-    if (mParams.lockOnSleep) {
+    if (mParams.lockOnSleep && !isDefaultSystemKeychain()) {
         StLock<Mutex> _(*this);
                lockDb();
     }
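Review bot: The added `!isDefaultSystemKeychain()` condition silently exempts /Library/Keychains/System.keychain from the lockOnSleep setting, and nothing in the hunk records why. A one-line comment would stop a future reader from treating it as a bug, e.g. `// The default system keychain is never locked on sleep; its unlock does not depend on a user passphrase, so locking it only disrupts system daemons` — adjust to the real rationale, which I am inferring. Note the check is a path-prefix match (see isDefaultSystemKeychain), so the exemption is slightly wider than the name suggests.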
@@ -1693,11 +1693,18 @@ void KeychainDbCommon::lockProcessing()
 //
 bool KeychainDbCommon::belongsToSystem() const
 {
-       if (const char *name = this->dbName())
-               return !strncmp(name, "/Library/Keychains/", 19);
-       return false;
+    if (const char *name = this->dbName())
+        return !strncmp(name, "/Library/Keychains/", 19);
+    return false;
 }
 
+bool KeychainDbCommon::isDefaultSystemKeychain() const
+{
+    // /Library/Keychains/System.keychain (34)
+    if (const char *name = this->dbName())
+        return !strncmp(name, "/Library/Keychains/System.keychain", 34);
+    return false;
+}
 
 //
 // Keychain global objects
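Review bot: `strncmp(name, "/Library/Keychains/System.keychain", 34)` is a prefix match, so any file whose path merely begins with that string (e.g. `/Library/Keychains/System.keychain.old`) is also treated as the default system keychain and, through sleepProcessing, exempted from lock-on-sleep. If exact identity is intended use `return strcmp(name, "/Library/Keychains/System.keychain") == 0;`; if the prefix is deliberate to cover a suffixed variant, say so in the comment. Either way the hand-counted 34 should be derived from the literal, e.g. a `static const char kSystemKeychainPath[]` with `sizeof(kSystemKeychainPath) - 1`, so the two cannot drift. The retab of belongsToSystem in the same hunk inflates the diff without changing behavior.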
index b34da0cd0485df375d7a64761f95dc9f9ce1d497..4013de84e1abf59fcfd6ef4072f918fa05e1a951 100644 (file)
@@ -123,6 +123,7 @@ public:
        void lockProcessing();
        
        bool belongsToSystem() const;
+    bool isDefaultSystemKeychain() const;
 
 public:
     // debugging