From: Apple Date: Sat, 16 Jul 2016 00:14:12 +0000 (+0000) Subject: Security-57337.50.23.tar.gz X-Git-Tag: os-x-10115^0 X-Git-Url: https://git.saurik.com/apple/security.git/commitdiff_plain/641423b6670d8656d5daeaf988e7d307fb6c1ebc?ds=sidebyside;hp=e3d460c9de4426da6c630c3ae3f46173a99f82d8 Security-57337.50.23.tar.gz
---
diff --git a/OSX/authd/authorization.plist b/OSX/authd/authorization.plist
index 8406e487..4afb26f4 100644
--- a/OSX/authd/authorization.plist
+++ b/OSX/authd/authorization.plist
@@ -206,6 +206,28 @@ See remaining rules for examples. timeout 0 + com.apple.Safari.allow-apple-events-to-run-javascript + + class + user + comment + This right is used by Safari to allow Apple Events to run JavaScript on web pages. + session-owner + + shared + + + com.apple.Safari.allow-javascript-in-smart-search-field + + class + user + comment + This right is used by Safari to allow JavaScript to be used in the Smart Search Field. + session-owner + + shared + + com.apple.ServiceManagement.blesshelper allow-root
diff --git a/OSX/lib/en.lproj/authorization.prompts.strings b/OSX/lib/en.lproj/authorization.prompts.strings
index a3831df4..5fb74261 100644
--- a/OSX/lib/en.lproj/authorization.prompts.strings
+++ b/OSX/lib/en.lproj/authorization.prompts.strings
@@ -40,6 +40,10 @@
 "com.apple.Safari.install-ephemeral-extensions" = "__APPNAME__ is trying to install an extension.";
+"com.apple.Safari.allow-apple-events-to-run-javascript" = "__APPNAME__ is trying to allow Apple Events to run JavaScript on web pages.";
+
+"com.apple.Safari.allow-javascript-in-smart-search-field" = "__APPNAME__ is trying to allow JavaScript to be used in the Smart Search Field.";
+
 "system.sharepoints." = "__APPNAME__ is trying to modify Sharing preferences.";
 "system.preferences.energysaver" = "__APPNAME__ is trying to unlock the Energy Saver preferences.";
diff --git a/OSX/lib/security.exp-in b/OSX/lib/security.exp-in
index 39d7aed2..d308e7aa 100644
--- a/OSX/lib/security.exp-in 
+++ b/OSX/lib/security.exp-in
@@ -405,6 +405,7 @@ _kSecAssessmentContextKeyOperation
 _kSecAssessmentOperationTypeExecute
 _kSecAssessmentOperationTypeInstall
 _kSecAssessmentOperationTypeOpenDocument
+_kSecAssessmentContextKeyUTI
 _kSecAssessmentContextKeyFeedback
 _kSecAssessmentFeedbackProgress
 _kSecAssessmentFeedbackInfoCurrent
@@ -1776,6 +1777,7 @@ _SecPolicyCreateWithProperties
 _SecPolicyCreateAppleTimeStampingAndRevocationPolicies
 _SecPolicyCreateApplePackageSigning
 _SecPolicyCreateAppleSWUpdateSigning
+_SecPolicyCreateAppleHomeKitServerAuth
 _SecPolicyGetOID
 _SecPolicyGetTPHandle
 _SecPolicyGetTypeID
diff --git a/OSX/libsecurity_codesigning/lib/SecAssessment.cpp b/OSX/libsecurity_codesigning/lib/SecAssessment.cpp
index c6129c79..ff228381 100644
--- a/OSX/libsecurity_codesigning/lib/SecAssessment.cpp
+++ b/OSX/libsecurity_codesigning/lib/SecAssessment.cpp
@@ -126,6 +126,8 @@ ModuleNexus gEngine;
 //
 // Policy evaluation ("assessment") operations
 //
+CFStringRef kSecAssessmentContextKeyUTI = CFSTR("context:uti");
+
 CFStringRef kSecAssessmentContextKeyFeedback = CFSTR("context:feedback");
 CFStringRef kSecAssessmentFeedbackProgress = CFSTR("feedback:progress");
 CFStringRef kSecAssessmentFeedbackInfoCurrent = CFSTR("current");
diff --git a/OSX/libsecurity_codesigning/lib/SecAssessment.h b/OSX/libsecurity_codesigning/lib/SecAssessment.h
index 78d96832..fb17a20e 100644
--- a/OSX/libsecurity_codesigning/lib/SecAssessment.h
+++ b/OSX/libsecurity_codesigning/lib/SecAssessment.h
@@ -136,6 +136,8 @@ enum {
 @constant kSecAssessmentContextKeyOperation Type of operation (see overview above). This defaults to the kSecAssessmentOperationTypeExecute. */
+extern CFStringRef kSecAssessmentContextKeyUTI; // caller determination of UTI for primary assessment subject
+
 extern CFStringRef kSecAssessmentContextKeyFeedback; // feedback reporting block
 typedef Boolean (^SecAssessmentFeedback)(CFStringRef type, CFDictionaryRef information);
 extern CFStringRef kSecAssessmentFeedbackProgress; // progress reporting feedback
diff --git a/OSX/libsecurity_codesigning/lib/cdbuilder.h b/OSX/libsecurity_codesigning/lib/cdbuilder.h
index c4de2bec..1c6d373d 100644
--- a/OSX/libsecurity_codesigning/lib/cdbuilder.h
+++ b/OSX/libsecurity_codesigning/lib/cdbuilder.h
@@ -63,6 +63,8 @@ public:
 size_t size(const uint32_t version); // calculate size
 CodeDirectory *build(); // build CodeDirectory and return it
 const size_t fixedSize(const uint32_t version); // calculate fixed size of the CodeDirectory
+
+ uint32_t hashType() const { return mHashType; }
 DynamicHash *getHash() const { return CodeDirectory::hashFor(this->mHashType); }
diff --git a/OSX/libsecurity_codesigning/lib/policydb.cpp b/OSX/libsecurity_codesigning/lib/policydb.cpp
index be72b432..af49aa9e 100644
--- a/OSX/libsecurity_codesigning/lib/policydb.cpp
+++ b/OSX/libsecurity_codesigning/lib/policydb.cpp
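Review bot: The comment added to `kSecAssessmentContextKeyUTI` says only that the caller determines the UTI, while policyengine.cpp in this same commit uses that value to drop `kSecCSRestrictToAppLike` for execute assessments of prefpane, screen-saver and menu-extra bundles, so a reader of the header cannot tell that the key has a security effect. Suggested comment: `// caller-asserted UTI of the primary assessment subject; for a few system bundle UTIs this relaxes the app-only restriction of execute assessment, so set it only from a trusted determination`. The enum/comment block this declaration sits in begins outside the hunk.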
@@ -273,6 +273,15 @@ void PolicyDatabase::upgradeDatabase()
 add.bind(":flags") = kAuthorityFlagDefault;
 add.execute();
 });
+
+ simpleFeature("document rules", ^{
+ SQLite::Statement addApple(*this,
+ "INSERT INTO authority (type, allow, flags, label, requirement) VALUES (3, 1, 2, 'Apple System', 'anchor apple')");
+ addApple.execute();
+ SQLite::Statement addDevID(*this,
+ "INSERT INTO authority (type, allow, flags, label, requirement) VALUES (3, 1, 2, 'Developer ID', 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists')");
+ addDevID.execute();
+ });
 }
diff --git a/OSX/libsecurity_codesigning/lib/policyengine.cpp b/OSX/libsecurity_codesigning/lib/policyengine.cpp
index cba2bdc4..3f49aebd 100644
--- a/OSX/libsecurity_codesigning/lib/policyengine.cpp
+++ b/OSX/libsecurity_codesigning/lib/policyengine.cpp
@@ -322,6 +322,15 @@ void PolicyEngine::evaluateCode(CFURLRef path, AuthorityType type, SecAssessment
 if (qtn.flag(QTN_FLAG_HARD)) MacOSError::throwMe(errSecCSFileHardQuarantined);
+ // hack: if caller passed a UTI, use that to turn off app-only checks for some well-known ones
+ bool appOk = false;
+ if (CFStringRef uti = CFStringRef(CFDictionaryGetValue(context, kSecAssessmentContextKeyUTI))) {
+ appOk = CFEqual(uti, CFSTR("com.apple.systempreference.prefpane"))
+ || CFEqual(uti, CFSTR("com.apple.systempreference.screen-saver"))
+ || CFEqual(uti, CFSTR("com.apple.systempreference.screen-slide-saver"))
+ || CFEqual(uti, CFSTR("com.apple.menu-extra"));
+ }
+
 CFCopyRef code;
 MacOSError::check(SecStaticCodeCreateWithPath(path, kSecCSDefaultFlags, &code.aref()));
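Review bot: The two `INSERT INTO authority` literals added to `upgradeDatabase()` duplicate the rows seeded by syspolicy.sql later in this commit (the `-- Document signing` hunk), so the type-3 requirement strings now live in two places that can drift. Note also that the type-3 'Developer ID' requirement accepts only `certificate leaf[field.1.2.840.113635.100.6.1.13]`, whereas the type-2 row visible in the syspolicy.sql hunk also accepts `...6.1.14`; if that narrowing is intentional, a one-line comment above both inserts, e.g. `// type 3 (document) rules intentionally accept only the 6.1.13 leaf marker, unlike the type 2 rule`, would stop the next reader from "fixing" it. The `upgradeDatabase()` body starts before this hunk.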
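Review bot: The UTI taken from `context` is cast straight to `CFStringRef` and trusted as-is to set `appOk`, which in the second hunk of this file clears `kSecCSRestrictToAppLike`; nothing here checks that the value is actually a CFString or that the bundle at `path` really is of that type, so the relaxation rests entirely on the caller's assertion. `CFEqual` compares type IDs first, so a non-string value would just fail to match rather than crash, but a `CFGetTypeID(uti) == CFStringGetTypeID()` check before the comparisons and a comment saying the relaxation is caller-trusted would make the boundary explicit, e.g. `if (CFTypeRef v = CFDictionaryGetValue(context, kSecAssessmentContextKeyUTI)) if (CFGetTypeID(v) == CFStringGetTypeID()) { ... }`. The comment labelling this a hack names no follow-up; a reference to the tracking item would help. `evaluateCode()` begins and ends outside this hunk.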
@@ -377,7 +386,7 @@ void PolicyEngine::evaluateCode(CFURLRef path, AuthorityType type, SecAssessment
 // go for it!
 SecCSFlags topFlags = validationFlags | kSecCSCheckNestedCode | kSecCSRestrictSymlinks | kSecCSReportProgress;
- if (type == kAuthorityExecute)
+ if (type == kAuthorityExecute && !appOk)
 topFlags |= kSecCSRestrictToAppLike;
 switch (rc = SecStaticCodeCheckValidity(code, topFlags, NULL)) {
 case errSecSuccess: // continue below
diff --git a/OSX/libsecurity_codesigning/lib/resources.cpp b/OSX/libsecurity_codesigning/lib/resources.cpp
index 490b1e07..c1efa959 100644
--- a/OSX/libsecurity_codesigning/lib/resources.cpp
+++ b/OSX/libsecurity_codesigning/lib/resources.cpp
@@ -396,6 +396,8 @@ const Hashing::Byte *ResourceSeal::hash(CodeDirectory::HashAlgorithm type) const {
 std::string name = ResourceBuilder::hashName(type);
 CFTypeRef hash = CFDictionaryGetValue(mDict, CFTempString(name));
+ if (hash == NULL) // pre-agility fallback
+ hash = CFDictionaryGetValue(mDict, CFSTR("hash"));
 if (hash == NULL || CFGetTypeID(hash) != CFDataGetTypeID()) MacOSError::throwMe(errSecCSResourcesInvalid);
 return CFDataGetBytePtr(CFDataRef(hash));
diff --git a/OSX/libsecurity_codesigning/lib/signer.cpp b/OSX/libsecurity_codesigning/lib/signer.cpp
index 387f68b5..b0e14edb 100644
--- a/OSX/libsecurity_codesigning/lib/signer.cpp
+++ b/OSX/libsecurity_codesigning/lib/signer.cpp
@@ -546,13 +546,15 @@ void SecCodeSigner::Signer::signArchitectureAgnostic(const Requirement::Context
 // write out all CodeDirectories
 cdSet.populate(writer);
- writer->flush();
 CFRef hashes = cdSet.hashBag();
 CFTemp hashDict("{cdhashes=%O}", hashes.get());
 CFRef hashBag = makeCFData(hashDict.get());
 CFRef signature = signCodeDirectory(cdSet.primary(), hashBag);
 writer->signature(signature);
+
+ // commit to storage
+ writer->flush();
 }
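Review bot: The new fallback in `ResourceSeal::hash()` returns the legacy `"hash"` entry whatever `type` was requested, so a caller asking for a newer algorithm's seal could be handed the digest stored under the old key when the algorithm-specific key is missing; unless the caller compares digest lengths (not visible here), a shorter legacy digest would then be compared against a longer computed one. If the legacy key only ever holds the SHA-1 digest, restricting the fallback, e.g. `if (hash == NULL && type == kSecCodeSignatureHashSHA1) // pre-agility seals carry only the SHA-1 digest`, makes that intent checkable; otherwise a comment explaining why any algorithm may fall back would help. The rest of `hash()` and its callers are outside the hunk.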
@@ -600,7 +602,8 @@ void SecCodeSigner::Signer::populate(CodeDirectory::Builder &builder, DiskRep::W
 writer.addDiscretionary(builder);
- if ((signingFlags() & (kSecCSSignOpaque|kSecCSSignV1)) == 0) {
+#if 0 // rdar://problem/25720754
+ if ((signingFlags() & (kSecCSSignOpaque|kSecCSSignV1)) == 0 && builder.hashType() != kSecCodeSignatureHashSHA1) {
 // calculate sorted list of top SuperBlob keys in this EmbeddedSignatureBlob (if any)
 // (but not for opaque or V1 construction, which must remain bit-for-bit compatible)
 std::vector > slotVector;
@@ -615,6 +618,7 @@ void SecCodeSigner::Signer::populate(CodeDirectory::Builder &builder, DiskRep::W
 writer.component(cdTopDirectorySlot, cfSlotVector);
 builder.specialSlot(cdTopDirectorySlot, cfSlotVector);
 }
+#endif
 }
diff --git a/OSX/libsecurity_codesigning/lib/syspolicy.sql b/OSX/libsecurity_codesigning/lib/syspolicy.sql
index 745533f6..23b5df15 100644
--- a/OSX/libsecurity_codesigning/lib/syspolicy.sql
+++ b/OSX/libsecurity_codesigning/lib/syspolicy.sql
@@ -117,6 +117,8 @@ INSERT INTO feature (name, value, remarks)
 VALUES ('codesignedpackages', 'present', 'builtin');
 INSERT INTO feature (name, value, remarks)
 VALUES ('filter_unsigned', 'present', 'builtin');
+INSERT INTO feature (name, value, remarks)
+ VALUES ('document rules', 'present', 'builtin');
 --
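Review bot: The whole top-directory slot block in `populate()` is now wrapped in `#if 0 // rdar://problem/25720754`, which makes the newly added `&& builder.hashType() != kSecCodeSignatureHashSHA1` condition unreachable, and a reader gets no hint whether the block is meant to return. Either leave the condition untouched until the block is re-enabled, or state the intent next to the guard, e.g. `#if 0 // rdar://problem/25720754: top-directory slot disabled for now; when re-enabled, skip it for SHA-1 directories (see hashType() condition)`. The `hashType()` accessor added to cdbuilder.h in this commit then has no live caller on this page, which is worth a note there as well. `populate()` starts before the first hunk.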
@@ -149,6 +151,12 @@ insert into authority (type, allow, flags, label, requirement)
 insert into authority (type, allow, flags, label, requirement)
 values (2, 1, 2, 'Developer ID', 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and (certificate leaf[field.1.2.840.113635.100.6.1.14] or certificate leaf[field.1.2.840.113635.100.6.1.13])');
+-- Document signing
+insert into authority (type, allow, flags, label, requirement)
+ values (3, 1, 2, 'Apple System', 'anchor apple');
+insert into authority (type, allow, flags, label, requirement)
+values (3, 1, 2, 'Developer ID', 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists');
+
 --
 -- The cache table lists previously determined outcomes
diff --git a/OSX/libsecurity_keychain/lib/SecItemPriv.h b/OSX/libsecurity_keychain/lib/SecItemPriv.h
index 58ecbbe6..57593b81 100644
--- a/OSX/libsecurity_keychain/lib/SecItemPriv.h
+++ b/OSX/libsecurity_keychain/lib/SecItemPriv.h
@@ -326,12 +326,18 @@ extern const CFStringRef kSecAttrViewHintThumper;
 @constant kSecUseCredentialReference Specifies a CFDataRef containing AppleCredentialManager reference handle to be used when authorizing access to the item.
+ @constant kSecUseCallerName Specifies a dictionary key whose value
+ is a CFStringRef that represents a user-visible string describing
+ the caller name for which the application is attempting to authenticate.
+ The caller must have 'com.apple.private.LocalAuthentication.CallerName'
+ entitlement set to YES to use this feature, otherwise it is ignored.
 */
 extern const CFStringRef kSecUseTombstones __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0);
 extern const CFStringRef kSecUseCredentialReference __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0);
-
+extern const CFStringRef kSecUseCallerName
+ __OSX_AVAILABLE(10.11.4) __IOS_AVAILABLE(9.3) __TVOS_AVAILABLE(9.3) __WATCHOS_AVAILABLE(2.3);
 /*! @function SecItemCopyDisplayNames
diff --git a/OSX/libsecurity_keychain/lib/SecPolicy.cpp b/OSX/libsecurity_keychain/lib/SecPolicy.cpp
index 95fc6f36..e4515732 100644
--- a/OSX/libsecurity_keychain/lib/SecPolicy.cpp
+++ b/OSX/libsecurity_keychain/lib/SecPolicy.cpp
@@ -857,6 +857,11 @@ SecPolicyRef SecPolicyCreateAppleAST2Service(CFStringRef hostname, CFDictionaryR
 return SecPolicyCreateSSL(true, hostname);
 }
+SecPolicyRef SecPolicyCreateAppleHomeKitServerAuth(CFStringRef hostname)
+{
+ return SecPolicyCreateSSL(true, hostname);
+}
+
 #if !SECTRUST_OSX /* new in 10.11 */
 SecPolicyRef SecPolicyCreateAppleATVAppSigning(void)
diff --git a/OSX/libsecurity_keychain/lib/SecPolicyPriv.h b/OSX/libsecurity_keychain/lib/SecPolicyPriv.h
index 6243ab9e..bb4a6023 100644
--- a/OSX/libsecurity_keychain/lib/SecPolicyPriv.h
+++ b/OSX/libsecurity_keychain/lib/SecPolicyPriv.h
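Review bot: `kSecUseCallerName` is declared with `__OSX_AVAILABLE(10.11.4) __IOS_AVAILABLE(9.3) __TVOS_AVAILABLE(9.3) __WATCHOS_AVAILABLE(2.3)` while the neighbouring `kSecUseTombstones`/`kSecUseCredentialReference` declarations and the `SecPolicyCreateAppleHomeKitServerAuth` declaration added in this same commit use the `__OSX_AVAILABLE_STARTING(__MAC_…, __IPHONE_…)` form; mixing the two styles in one header is worth settling one way. The doc comment states the entitlement requirement clearly, which is good; it could also say that the value is purely display text and carries no authorization weight, if that is the case, so callers do not build decisions on it.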
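Review bot: `SecPolicyCreateAppleHomeKitServerAuth()` here is a plain `SecPolicyCreateSSL(true, hostname)`, while the SecPolicyPriv.h hunk in this commit documents the policy as anchoring to the Apple roots, checking the 1.2.840.113635.100.6.2.16 and 1.2.840.113635.100.6.27.9 marker OIDs, the Black and Gray lists, the ServerAuth EKU and CRL revocation; none of that is done in this OS X implementation. It follows the existing `SecPolicyCreateAppleAST2Service()` pattern just above, so if the pinning is provided by another code path the header should say where, otherwise a comment on this function such as `// OS X: no HomeKit-specific pinning here; this is a plain server-SSL policy for the given hostname` keeps callers from assuming the documented checks. The si-92 regression added in this commit appears to run against the sec/ stack, so as far as the page shows it does not exercise this implementation.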
@@ -257,6 +257,27 @@ SecPolicyRef SecPolicyCreateOSXProvisioningProfileSigning(void)
 SecPolicyRef SecPolicyCreateAppleATVVPNProfileSigning(void)
 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
+/*!
+ @function SecPolicyCreateAppleHomeKitServerAuth
+ @abstract Ensure we're appropriately pinned to the HomeKit service (SSL + Apple restrictions)
+ @param hostname Required; hostname to verify the certificate name against.
+ @discussion This policy uses the Basic X.509 policy with validity check
+ and pinning options:
+ * The chain is anchored to any of the production Apple Root CAs via full certificate
+ comparison. Test Apple Root CAs are permitted only on internal releases with defaults write.
+ * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.16
+ * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.9.
+ * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
+ extension or Common Name.
+ * The leaf is checked against the Black and Gray lists.
+ * The leaf has ExtendedKeyUsage with the ServerAuth OID.
+ * Revocation is checked via CRL.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
+ */
+SecPolicyRef SecPolicyCreateAppleHomeKitServerAuth(CFStringRef hostname)
+ __OSX_AVAILABLE_STARTING(__MAC_10_11_4, __IPHONE_9_3);
+
 #if defined(__cplusplus)
 }
 #endif
diff --git a/OSX/libsecurity_keychain/lib/security_keychain.exp b/OSX/libsecurity_keychain/lib/security_keychain.exp
index 8672c790..e0fcb27d 100644
--- a/OSX/libsecurity_keychain/lib/security_keychain.exp
+++ b/OSX/libsecurity_keychain/lib/security_keychain.exp
@@ -650,6 +650,7 @@ _SecPolicyCreateSSL
 _SecPolicyCreateWithOID
 _SecPolicyCreateWithProperties
 _SecPolicyCreateAppleTimeStampingAndRevocationPolicies
+_SecPolicyCreateAppleHomeKitServerAuth
 _SecPolicyGetOID
 _SecPolicyGetTPHandle
 _SecPolicyGetTypeID
diff --git a/OSX/libsecurity_keychain/libDER/libDER/oids.c b/OSX/libsecurity_keychain/libDER/libDER/oids.c
index 2a65d35c..58bb7dd2 100644
--- a/OSX/libsecurity_keychain/libDER/libDER/oids.c
+++ b/OSX/libsecurity_keychain/libDER/libDER/oids.c
@@ -320,6 +320,13 @@
 #define APPLE_CERT_EXT_AST2_DIAGNOSTICS_SERVER_AUTH_TEST APPLE_SERVER_AUTHENTICATION, 8, 1
 #define APPLE_CERT_EXT_AST2_DIAGNOSTICS_SERVER_AUTH_PROD APPLE_SERVER_AUTHENTICATION, 8, 2
+/* HomeKit Server Authentication
+ * Intermediate Marker OID: 1.2.840.113635.100.6.2.16
+ * Leaf Marker OID: 1.2.840.113635.100.6.27.9
+ */
+#define APPLE_CERT_EXT_INTERMEDIATE_MARKER_APPLE_HOME_KIT_SERVER_AUTH APPLE_CERT_EXT_INTERMEDIATE_MARKER, 16
+#define APPLE_CERT_EXT_HOME_KIT_SERVER_AUTH APPLE_SERVER_AUTHENTICATION, 9
+
 /*
 * Netscape OIDs.
 */
@@ -547,7 +554,9 @@ __unused static const DERByte
 _oidAppleCertExtATVVPNProfileSigning[] = {APPLE_CERT_EXT_APPLE_ATV_VPN_PROFILE_SIGNING},
 _oidAppleCertExtCryptoServicesExtEncryption[] = {APPLE_CERT_EXT_CRYPTO_SERVICES_EXT_ENCRYPTION},
 _oidAppleCertExtAST2DiagnosticsServerAuthTest[] = {APPLE_CERT_EXT_AST2_DIAGNOSTICS_SERVER_AUTH_TEST},
- _oidAppleCertExtAST2DiagnosticsServerAuthProd[] = {APPLE_CERT_EXT_AST2_DIAGNOSTICS_SERVER_AUTH_PROD};
+ _oidAppleCertExtAST2DiagnosticsServerAuthProd[] = {APPLE_CERT_EXT_AST2_DIAGNOSTICS_SERVER_AUTH_PROD},
+ _oidAppleCertExtHomeKitServerAuth[] = {APPLE_CERT_EXT_HOME_KIT_SERVER_AUTH},
+ _oidAppleIntmMarkerAppleHomeKitServerCA[] = {APPLE_CERT_EXT_INTERMEDIATE_MARKER_APPLE_HOME_KIT_SERVER_AUTH};
 __unused const DERItem
 oidSubjectKeyIdentifier =  { (DERByte *)_oidSubjectKeyIdentifier,
@@ -738,7 +747,11 @@ __unused const DERItem
 oidAppleCertExtAST2DiagnosticsServerAuthTest = { (DERByte *)_oidAppleCertExtAST2DiagnosticsServerAuthTest,
 sizeof(_oidAppleCertExtAST2DiagnosticsServerAuthTest)},
 oidAppleCertExtAST2DiagnosticsServerAuthProd = { (DERByte *)_oidAppleCertExtAST2DiagnosticsServerAuthProd,
- sizeof(_oidAppleCertExtAST2DiagnosticsServerAuthProd)};
+ sizeof(_oidAppleCertExtAST2DiagnosticsServerAuthProd)},
+ oidAppleCertExtHomeKitServerAuth = { (DERByte *)_oidAppleCertExtHomeKitServerAuth,
+ sizeof(_oidAppleCertExtHomeKitServerAuth)},
+ oidAppleIntmMarkerAppleHomeKitServerCA = { (DERByte *)_oidAppleIntmMarkerAppleHomeKitServerCA,
+ sizeof(_oidAppleIntmMarkerAppleHomeKitServerCA) };
diff --git a/OSX/libsecurity_keychain/libDER/libDER/oidsPriv.h b/OSX/libsecurity_keychain/libDER/libDER/oidsPriv.h
index 302459d5..8fa2f0b3 100644
--- a/OSX/libsecurity_keychain/libDER/libDER/oidsPriv.h
+++ b/OSX/libsecurity_keychain/libDER/libDER/oidsPriv.h
@@ -79,7 +79,9 @@ extern const DERItem
 oidAppleCertExtATVVPNProfileSigning,
 oidAppleCertExtCryptoServicesExtEncryption,
 oidAppleCertExtAST2DiagnosticsServerAuthTest,
- oidAppleCertExtAST2DiagnosticsServerAuthProd;
+ oidAppleCertExtAST2DiagnosticsServerAuthProd,
+ oidAppleCertExtHomeKitServerAuth,
+ oidAppleIntmMarkerAppleHomeKitServerCA;
 /* Compare two decoded OIDs. Returns true iff they are equivalent. */
 bool DEROidCompare(const DERItem *oid1, const DERItem *oid2);
diff --git a/OSX/sec/Security/Regressions/Security_regressions.h b/OSX/sec/Security/Regressions/Security_regressions.h
index 035b3d77..5a9ce794 100644
--- a/OSX/sec/Security/Regressions/Security_regressions.h
+++ b/OSX/sec/Security/Regressions/Security_regressions.h
@@ -21,7 +21,11 @@ ONE_TEST(si_20_sectrust_activation)
 ONE_TEST(si_20_sectrust)
 ONE_TEST(si_21_sectrust_asr)
 ONE_TEST(si_22_sectrust_iap)
+#if !TARGET_OS_WATCH
 ONE_TEST(si_23_sectrust_ocsp)
+#else
+DISABLED_ONE_TEST(si_23_sectrust_ocsp)
+#endif
 ONE_TEST(si_24_sectrust_itms)
 ONE_TEST(si_24_sectrust_nist)
 ONE_TEST(si_24_sectrust_otatasking)
@@ -53,7 +57,11 @@ ONE_TEST(si_63_scep)
 ONE_TEST(si_64_ossl_cms)
 ONE_TEST(si_65_cms_cert_policy)
 ONE_TEST(si_66_smime)
+#if !TARGET_OS_WATCH
 ONE_TEST(si_67_sectrust_blacklist)
+#else
+DISABLED_ONE_TEST(si_67_sectrust_blacklist)
+#endif
 ONE_TEST(si_68_secmatchissuer)
 ONE_TEST(si_69_keydesc)
 ONE_TEST(si_70_sectrust_unified)
@@ -90,6 +98,7 @@ ONE_TEST(si_88_sectrust_vpnprofile)
 ONE_TEST(si_89_cms_hash_agility)
 ONE_TEST(si_90_emcs)
 ONE_TEST(si_91_sectrust_ast2)
+ONE_TEST(si_92_sectrust_homekit)
 ONE_TEST(vmdh_40)
 ONE_TEST(vmdh_41_example)
diff --git a/OSX/sec/Security/Regressions/secitem/si-17-item-system-bluetooth.m b/OSX/sec/Security/Regressions/secitem/si-17-item-system-bluetooth.m
index a0701bf5..33c164f2 100644
--- a/OSX/sec/Security/Regressions/secitem/si-17-item-system-bluetooth.m
+++ b/OSX/sec/Security/Regressions/secitem/si-17-item-system-bluetooth.m
@@ -78,7 +78,7 @@ static void tests(void)
 (__bridge id)kSecUseSystemKeychain : @YES, };
- is(SecItemCopyMatching((CFTypeRef)query, NULL), multiUser ? noErr : errSecItemNotFound, "Blue tooth item - system keychain");
+ is(SecItemCopyMatching((CFTypeRef)query, NULL), noErr, "Blue tooth item - system keychain");
 }
 }
diff --git a/OSX/sec/Security/Regressions/secitem/si-92-sectrust-homekit.c b/OSX/sec/Security/Regressions/secitem/si-92-sectrust-homekit.c
new file mode 100644
index 00000000..e879e3f2
--- /dev/null
+++ b/OSX/sec/Security/Regressions/secitem/si-92-sectrust-homekit.c
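Review bot: The `#if !TARGET_OS_WATCH` guards that swap `si_23_sectrust_ocsp` and, in the second hunk, `si_67_sectrust_blacklist` for `DISABLED_ONE_TEST` carry no reason, so a later reader cannot tell whether these tests are broken on watchOS or the checks they cover are unsupported there; both exercise revocation and blacklist handling, so quietly losing that coverage on one platform deserves an explanation. A one-line comment on each guard, e.g. `#if !TARGET_OS_WATCH // TODO(<owner>): why OCSP/blacklist tests are skipped on watchOS`, would do.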
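Review bot: The expectation changes from `multiUser ? noErr : errSecItemNotFound` to an unconditional `noErr`, so the test now requires the Bluetooth item to be found in the system keychain on every configuration, and `multiUser` may have become an unused local in `tests()` (its declaration and the rest of the function are outside the hunk). If this tracks a behaviour change in system-keychain lookups, a short comment above the `is(...)` line saying which change it follows would save the next reader from re-deriving it.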
@@ -0,0 +1,109 @@
+/*
+ * Copyright (c) 2016 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#include
+#include
+#include
+#include
+
+#include "utilities/SecCFRelease.h"
+#include "utilities/SecCFWrappers.h"
+
+#include "Security_regressions.h"
+
+#include "si-92-sectrust-homekit.h"
+
+static void tests(void)
+{
+ SecTrustRef trust = NULL;
+ SecPolicyRef policy = NULL;
+ SecCertificateRef cert0 = NULL, cert1 = NULL, rootcert = NULL;
+ SecTrustResultType trustResult;
+ CFArrayRef certs = NULL, anchor_certs = NULL;
+
+ isnt(cert0 = SecCertificateCreateWithBytes(NULL, _AppleHomeKitUATServer, sizeof(_AppleHomeKitUATServer)), NULL, "create cert0");
+ isnt(cert1 = SecCertificateCreateWithBytes(NULL, _AppleHomeKitCA, sizeof(_AppleHomeKitCA)), NULL, "create cert1");
+ isnt(rootcert = SecCertificateCreateWithBytes(NULL, _AppleG3Root, sizeof(_AppleG3Root)), NULL, "create root cert");
+
+ const void *v_certs[] = { cert0, cert1 };
+ certs = CFArrayCreate(NULL, v_certs, sizeof(v_certs)/sizeof(*v_certs), &kCFTypeArrayCallBacks);
+ anchor_certs = CFArrayCreate(NULL, (const 
void**)&rootcert, 1, &kCFTypeArrayCallBacks);
+
+ /* Set explicit verify date: 12 February 2016 */
+ CFDateRef date = NULL;
+ isnt(date = CFDateCreate(NULL, 476992610.0), NULL, "Create verify date");
+
+ /* Evaluate production certs with policy. Should succeed.*/
+ isnt(policy = SecPolicyCreateAppleHomeKitServerAuth(CFSTR("homekit.accessories-qa.apple.com")), NULL, "create policy");
+
+ ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "create trust");
+ ok_status(SecTrustSetAnchorCertificates(trust, anchor_certs), "set anchor");
+ ok_status(SecTrustSetVerifyDate(trust, date), "set date");
+
+ ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
+ is_status(trustResult, kSecTrustResultUnspecified, "trustResult is kSecTrustResultUnspecified");
+ is(SecTrustGetCertificateCount(trust), 3, "cert count is 3");
+
+ CFReleaseSafe(trust);
+ CFReleaseSafe(certs);
+ CFReleaseSafe(cert0);
+ CFReleaseSafe(cert1);
+ CFReleaseSafe(anchor_certs);
+ CFReleaseSafe(rootcert);
+
+ /* Evaluate certs with a different profile against this test. Should fail. 
*/
+ isnt(cert0 = SecCertificateCreateWithBytes(NULL, _testLeaf, sizeof(_testLeaf)), NULL, "create cert0");
+ isnt(cert1 = SecCertificateCreateWithBytes(NULL, _testServerAuthCA, sizeof(_testServerAuthCA)), NULL, "create cert1");
+ isnt(rootcert = SecCertificateCreateWithBytes(NULL, _testRoot, sizeof(_testRoot)), NULL, "create root cert");
+
+ const void *v_certs2[] = { cert0, cert1 };
+ certs = CFArrayCreate(NULL, v_certs2, sizeof(v_certs2)/sizeof(*v_certs2), &kCFTypeArrayCallBacks);
+ anchor_certs = CFArrayCreate(NULL, (const void**)&rootcert, 1, &kCFTypeArrayCallBacks);
+
+ ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "create trust");
+ ok_status(SecTrustSetAnchorCertificates(trust, anchor_certs), "set anchor");
+ ok_status(SecTrustSetVerifyDate(trust, date), "set date");
+
+ ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust");
+ is_status(trustResult, kSecTrustResultRecoverableTrustFailure, "trustResult is kSecTrustResultRecoverableTrustFailure");
+
+ CFReleaseSafe(date);
+ CFReleaseSafe(trust);
+ CFReleaseSafe(policy);
+ CFReleaseSafe(certs);
+ CFReleaseSafe(cert0);
+ CFReleaseSafe(cert1);
+ CFReleaseSafe(anchor_certs);
+ CFReleaseSafe(rootcert);
+
+}
+
+
+int si_92_sectrust_homekit(int argc, char *const *argv)
+{
+ plan_tests(19);
+
+ tests();
+
+ return 0;
+}
diff --git a/OSX/sec/Security/Regressions/secitem/si-92-sectrust-homekit.h b/OSX/sec/Security/Regressions/secitem/si-92-sectrust-homekit.h
new file mode 100644
index 00000000..0f68a429
--- /dev/null
+++ b/OSX/sec/Security/Regressions/secitem/si-92-sectrust-homekit.h
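Review bot: The negative case in `tests()` builds its chain from `_testLeaf`/`_testServerAuthCA`/`_testRoot`, a completely separate PKI, so it would fail under a plain SSL policy too and does not show that the HomeKit-specific checks (marker OIDs, hostname) are what reject a bad chain. A second negative evaluation of the real `_AppleHomeKitUATServer` chain with a non-matching hostname passed to `SecPolicyCreateAppleHomeKitServerAuth()` — and, if a fixture exists, a leaf lacking the 1.2.840.113635.100.6.27.9 marker — would pin the policy's actual behaviour; `plan_tests(19)` would grow accordingly. The `_AppleHomeKitUATServer` fixture is a QA certificate whose acceptance depends on the fixed verify date, which is fine but deserves a comment next to `CFDateCreate(NULL, 476992610.0)` so nobody later "fixes" it to the current date.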
@@ -0,0 +1,409 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + + +#ifndef si_92_sectrust_homekit_h +#define si_92_sectrust_homekit_h + +#include + +/* subject:/CN=Apple Root CA - G3/OU=Apple Certification Authority/O=Apple Inc./C=US */ +/* issuer :/CN=Apple Root CA - G3/OU=Apple Certification Authority/O=Apple Inc./C=US */ +unsigned char _AppleG3Root[]={ + 0x30,0x82,0x02,0x43,0x30,0x82,0x01,0xC9,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x2D, + 0xC5,0xFC,0x88,0xD2,0xC5,0x4B,0x95,0x30,0x0A,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D, + 0x04,0x03,0x03,0x30,0x67,0x31,0x1B,0x30,0x19,0x06,0x03,0x55,0x04,0x03,0x0C,0x12, + 0x41,0x70,0x70,0x6C,0x65,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x20,0x2D,0x20, + 0x47,0x33,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B,0x0C,0x1D,0x41,0x70,0x70, + 0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E, + 0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x13,0x30,0x11,0x06,0x03, + 0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31, + 
0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x1E,0x17,0x0D, + 0x31,0x34,0x30,0x34,0x33,0x30,0x31,0x38,0x31,0x39,0x30,0x36,0x5A,0x17,0x0D,0x33, + 0x39,0x30,0x34,0x33,0x30,0x31,0x38,0x31,0x39,0x30,0x36,0x5A,0x30,0x67,0x31,0x1B, + 0x30,0x19,0x06,0x03,0x55,0x04,0x03,0x0C,0x12,0x41,0x70,0x70,0x6C,0x65,0x20,0x52, + 0x6F,0x6F,0x74,0x20,0x43,0x41,0x20,0x2D,0x20,0x47,0x33,0x31,0x26,0x30,0x24,0x06, + 0x03,0x55,0x04,0x0B,0x0C,0x1D,0x41,0x70,0x70,0x6C,0x65,0x20,0x43,0x65,0x72,0x74, + 0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72, + 0x69,0x74,0x79,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70, + 0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04, + 0x06,0x13,0x02,0x55,0x53,0x30,0x76,0x30,0x10,0x06,0x07,0x2A,0x86,0x48,0xCE,0x3D, + 0x02,0x01,0x06,0x05,0x2B,0x81,0x04,0x00,0x22,0x03,0x62,0x00,0x04,0x98,0xE9,0x2F, + 0x3D,0x40,0x72,0xA4,0xED,0x93,0x22,0x72,0x81,0x13,0x1C,0xDD,0x10,0x95,0xF1,0xC5, + 0xA3,0x4E,0x71,0xDC,0x14,0x16,0xD9,0x0E,0xE5,0xA6,0x05,0x2A,0x77,0x64,0x7B,0x5F, + 0x4E,0x38,0xD3,0xBB,0x1C,0x44,0xB5,0x7F,0xF5,0x1F,0xB6,0x32,0x62,0x5D,0xC9,0xE9, + 0x84,0x5B,0x4F,0x30,0x4F,0x11,0x5A,0x00,0xFD,0x58,0x58,0x0C,0xA5,0xF5,0x0F,0x2C, + 0x4D,0x07,0x47,0x13,0x75,0xDA,0x97,0x97,0x97,0x6F,0x31,0x5C,0xED,0x2B,0x9D,0x7B, + 0x20,0x3B,0xD8,0xB9,0x54,0xD9,0x5E,0x99,0xA4,0x3A,0x51,0x0A,0x31,0xA3,0x42,0x30, + 0x40,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0xBB,0xB0,0xDE,0xA1, + 0x58,0x33,0x88,0x9A,0xA4,0x8A,0x99,0xDE,0xBE,0xBD,0xEB,0xAF,0xDA,0xCB,0x24,0xAB, + 0x30,0x0F,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x05,0x30,0x03,0x01,0x01, + 0xFF,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x01, + 0x06,0x30,0x0A,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x03,0x03,0x68,0x00, + 0x30,0x65,0x02,0x31,0x00,0x83,0xE9,0xC1,0xC4,0x16,0x5E,0x1A,0x5D,0x34,0x18,0xD9, + 0xED,0xEF,0xF4,0x6C,0x0E,0x00,0x46,0x4B,0xB8,0xDF,0xB2,0x46,0x11,0xC5,0x0F,0xFD, + 
0xE6,0x7A,0x8C,0xA1,0xA6,0x6B,0xCE,0xC2,0x03,0xD4,0x9C,0xF5,0x93,0xC6,0x74,0xB8, + 0x6A,0xDF,0xAA,0x23,0x15,0x02,0x30,0x6D,0x66,0x8A,0x10,0xCA,0xD4,0x0D,0xD4,0x4F, + 0xCD,0x8D,0x43,0x3E,0xB4,0x8A,0x63,0xA5,0x33,0x6E,0xE3,0x6D,0xDA,0x17,0xB7,0x64, + 0x1F,0xC8,0x53,0x26,0xF9,0x88,0x62,0x74,0x39,0x0B,0x17,0x5B,0xCB,0x51,0xA8,0x0C, + 0xE8,0x18,0x03,0xE7,0xA2,0xB2,0x28, +}; + +/* subject:/CN=Apple HomeKit Server CA/OU=Apple Certification Authority/O=Apple Inc./C=US */ +/* issuer :/CN=Apple Root CA - G3/OU=Apple Certification Authority/O=Apple Inc./C=US */ +unsigned char _AppleHomeKitCA[]={ + 0x30,0x82,0x02,0x98,0x30,0x82,0x02,0x1F,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x37, + 0xF6,0xF8,0x7D,0xFB,0xC3,0xD4,0x92,0x30,0x0A,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D, + 0x04,0x03,0x02,0x30,0x67,0x31,0x1B,0x30,0x19,0x06,0x03,0x55,0x04,0x03,0x0C,0x12, + 0x41,0x70,0x70,0x6C,0x65,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x20,0x2D,0x20, + 0x47,0x33,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B,0x0C,0x1D,0x41,0x70,0x70, + 0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E, + 0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x13,0x30,0x11,0x06,0x03, + 0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31, + 0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x1E,0x17,0x0D, + 0x31,0x36,0x30,0x32,0x30,0x39,0x32,0x30,0x30,0x36,0x33,0x30,0x5A,0x17,0x0D,0x33, + 0x31,0x30,0x32,0x30,0x39,0x32,0x30,0x30,0x36,0x33,0x30,0x5A,0x30,0x6C,0x31,0x20, + 0x30,0x1E,0x06,0x03,0x55,0x04,0x03,0x0C,0x17,0x41,0x70,0x70,0x6C,0x65,0x20,0x48, + 0x6F,0x6D,0x65,0x4B,0x69,0x74,0x20,0x53,0x65,0x72,0x76,0x65,0x72,0x20,0x43,0x41, + 0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B,0x0C,0x1D,0x41,0x70,0x70,0x6C,0x65, + 0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41, + 0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04, + 
0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x0B,0x30, + 0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x59,0x30,0x13,0x06,0x07, + 0x2A,0x86,0x48,0xCE,0x3D,0x02,0x01,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01, + 0x07,0x03,0x42,0x00,0x04,0xD5,0x1A,0xFF,0x7F,0xA9,0x84,0x21,0x33,0x22,0x0A,0xD0, + 0x05,0x76,0x70,0x09,0xCE,0x59,0x65,0xF6,0x4F,0x53,0xD6,0x0D,0x76,0x90,0xC1,0x6E, + 0xF7,0x8D,0x40,0x32,0xF1,0xB6,0x91,0x06,0xAF,0x51,0xE4,0xF0,0xA7,0x45,0x9C,0xD0, + 0xD8,0x6C,0x23,0x26,0x5A,0x05,0x6A,0x6C,0x07,0x4F,0x9C,0x81,0xEE,0x58,0xB0,0x18, + 0x41,0x58,0x9C,0x85,0xFC,0xA3,0x81,0xAF,0x30,0x81,0xAC,0x30,0x1D,0x06,0x03,0x55, + 0x1D,0x0E,0x04,0x16,0x04,0x14,0x9C,0x6A,0xFA,0xC5,0x96,0x06,0x60,0xAC,0x69,0x67, + 0xDD,0x5E,0x81,0xF9,0xDD,0xCA,0x9B,0x2E,0x3A,0x1E,0x30,0x0F,0x06,0x03,0x55,0x1D, + 0x13,0x01,0x01,0xFF,0x04,0x05,0x30,0x03,0x01,0x01,0xFF,0x30,0x1F,0x06,0x03,0x55, + 0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xBB,0xB0,0xDE,0xA1,0x58,0x33,0x88,0x9A, + 0xA4,0x8A,0x99,0xDE,0xBE,0xBD,0xEB,0xAF,0xDA,0xCB,0x24,0xAB,0x30,0x37,0x06,0x03, + 0x55,0x1D,0x1F,0x04,0x30,0x30,0x2E,0x30,0x2C,0xA0,0x2A,0xA0,0x28,0x86,0x26,0x68, + 0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x72,0x6C,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E, + 0x63,0x6F,0x6D,0x2F,0x61,0x70,0x70,0x6C,0x65,0x72,0x6F,0x6F,0x74,0x63,0x61,0x67, + 0x33,0x2E,0x63,0x72,0x6C,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04, + 0x04,0x03,0x02,0x01,0x06,0x30,0x10,0x06,0x0A,0x2A,0x86,0x48,0x86,0xF7,0x63,0x64, + 0x06,0x02,0x10,0x04,0x02,0x05,0x00,0x30,0x0A,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D, + 0x04,0x03,0x02,0x03,0x67,0x00,0x30,0x64,0x02,0x30,0x35,0x1E,0xFD,0xB4,0xE4,0x6A, + 0xFD,0x0C,0xA7,0xED,0x5E,0xA9,0x17,0x9E,0x6D,0x81,0x2F,0x35,0x0F,0x09,0x9F,0x7C, + 0x4A,0x02,0xE1,0x25,0x47,0x9D,0xAF,0x7B,0xD3,0x59,0x4F,0x43,0x5A,0xDC,0xFA,0x79, + 0xC2,0x26,0xFC,0x57,0x21,0xEF,0x3B,0x90,0x60,0xB5,0x02,0x30,0x4E,0x6B,0x0E,0xF2, + 0xCF,0xCF,0x68,0x0E,0x9C,0x0D,0x58,0xB4,0x98,0x3D,0x89,0xAD,0xD1,0x71,0x76,0x1C, + 
0xCA,0x7A,0x12,0x2F,0xC2,0xCF,0xF0,0x7D,0x1B,0xDB,0x94,0xFD,0xBD,0x3D,0x6D,0x63, + 0x21,0x8D,0xC2,0x8A,0x38,0x6B,0x7E,0xB4,0x0D,0xC7,0x72,0xC1, +}; + +/* subject:/CN=homekit.accessories-qa.apple.com/OU=Embedded Core Technology QA/O=Apple Inc./C=US */ +/* issuer :/CN=Apple HomeKit Server CA/OU=Apple Certification Authority/O=Apple Inc./C=US */ +unsigned char _AppleHomeKitUATServer[792]={ + 0x30,0x82,0x03,0x14,0x30,0x82,0x02,0xBB,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x61, + 0xE7,0xC3,0x29,0xAE,0x15,0xAB,0xC8,0x30,0x0A,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D, + 0x04,0x03,0x02,0x30,0x6C,0x31,0x20,0x30,0x1E,0x06,0x03,0x55,0x04,0x03,0x0C,0x17, + 0x41,0x70,0x70,0x6C,0x65,0x20,0x48,0x6F,0x6D,0x65,0x4B,0x69,0x74,0x20,0x53,0x65, + 0x72,0x76,0x65,0x72,0x20,0x43,0x41,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B, + 0x0C,0x1D,0x41,0x70,0x70,0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63, + 0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31, + 0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20, + 0x49,0x6E,0x63,0x2E,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55, + 0x53,0x30,0x1E,0x17,0x0D,0x31,0x36,0x30,0x32,0x31,0x31,0x30,0x30,0x34,0x32,0x30, + 0x32,0x5A,0x17,0x0D,0x31,0x37,0x30,0x33,0x31,0x32,0x30,0x30,0x34,0x32,0x30,0x32, + 0x5A,0x30,0x73,0x31,0x29,0x30,0x27,0x06,0x03,0x55,0x04,0x03,0x0C,0x20,0x68,0x6F, + 0x6D,0x65,0x6B,0x69,0x74,0x2E,0x61,0x63,0x63,0x65,0x73,0x73,0x6F,0x72,0x69,0x65, + 0x73,0x2D,0x71,0x61,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x31,0x24, + 0x30,0x22,0x06,0x03,0x55,0x04,0x0B,0x0C,0x1B,0x45,0x6D,0x62,0x65,0x64,0x64,0x65, + 0x64,0x20,0x43,0x6F,0x72,0x65,0x20,0x54,0x65,0x63,0x68,0x6E,0x6F,0x6C,0x6F,0x67, + 0x79,0x20,0x51,0x41,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41, + 0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x0B,0x30,0x09,0x06,0x03,0x55, + 0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x59,0x30,0x13,0x06,0x07,0x2A,0x86,0x48,0xCE, + 
0x3D,0x02,0x01,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x07,0x03,0x42,0x00, + 0x04,0xC4,0xFE,0x35,0x16,0x5B,0x50,0x66,0x3B,0x28,0xFA,0x77,0x2B,0x59,0x67,0x7F, + 0xDD,0x83,0x1C,0xC7,0x10,0x71,0x6D,0xA8,0x82,0x08,0xE0,0x81,0x21,0x86,0x6B,0x18, + 0x17,0xE9,0x38,0xB6,0x42,0xC0,0xDE,0x6C,0x81,0x23,0x16,0x2C,0xE3,0x3C,0x6C,0x71, + 0x63,0x45,0xBF,0x14,0x82,0xB5,0xBC,0x59,0x34,0x47,0x86,0x83,0xC0,0xC4,0x4D,0x48, + 0x11,0xA3,0x82,0x01,0x3E,0x30,0x82,0x01,0x3A,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E, + 0x04,0x16,0x04,0x14,0x24,0xCD,0x2A,0x09,0xD1,0xAD,0x73,0x19,0x8C,0x0C,0x2A,0xA0, + 0x7B,0xEE,0x21,0x36,0x96,0x82,0x48,0x8E,0x30,0x0C,0x06,0x03,0x55,0x1D,0x13,0x01, + 0x01,0xFF,0x04,0x02,0x30,0x00,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30, + 0x16,0x80,0x14,0x9C,0x6A,0xFA,0xC5,0x96,0x06,0x60,0xAC,0x69,0x67,0xDD,0x5E,0x81, + 0xF9,0xDD,0xCA,0x9B,0x2E,0x3A,0x1E,0x30,0x36,0x06,0x03,0x55,0x1D,0x1F,0x04,0x2F, + 0x30,0x2D,0x30,0x2B,0xA0,0x29,0xA0,0x27,0x86,0x25,0x68,0x74,0x74,0x70,0x3A,0x2F, + 0x2F,0x63,0x72,0x6C,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x2F,0x68, + 0x6B,0x73,0x65,0x72,0x76,0x65,0x72,0x61,0x75,0x74,0x68,0x2E,0x63,0x72,0x6C,0x30, + 0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x03,0x88,0x30, + 0x13,0x06,0x03,0x55,0x1D,0x25,0x04,0x0C,0x30,0x0A,0x06,0x08,0x2B,0x06,0x01,0x05, + 0x05,0x07,0x03,0x01,0x30,0x7B,0x06,0x03,0x55,0x1D,0x11,0x04,0x74,0x30,0x72,0x82, + 0x20,0x68,0x6F,0x6D,0x65,0x6B,0x69,0x74,0x2E,0x61,0x63,0x63,0x65,0x73,0x73,0x6F, + 0x72,0x69,0x65,0x73,0x2D,0x71,0x61,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F, + 0x6D,0x82,0x25,0x70,0x61,0x73,0x73,0x2E,0x68,0x6F,0x6D,0x65,0x6B,0x69,0x74,0x2E, + 0x61,0x63,0x63,0x65,0x73,0x73,0x6F,0x72,0x69,0x65,0x73,0x2D,0x71,0x61,0x2E,0x61, + 0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x82,0x27,0x72,0x65,0x70,0x6F,0x72,0x74, + 0x2E,0x68,0x6F,0x6D,0x65,0x6B,0x69,0x74,0x2E,0x61,0x63,0x63,0x65,0x73,0x73,0x6F, + 0x72,0x69,0x65,0x73,0x2D,0x71,0x61,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F, + 
0x6D,0x30,0x10,0x06,0x0A,0x2A,0x86,0x48,0x86,0xF7,0x63,0x64,0x06,0x1B,0x09,0x04, + 0x02,0x05,0x00,0x30,0x0A,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x02,0x03, + 0x47,0x00,0x30,0x44,0x02,0x20,0x71,0x18,0xBA,0xDB,0x3D,0x3F,0x0C,0x54,0xA7,0xC4, + 0x79,0x6A,0x95,0x7D,0x0F,0xBC,0xFC,0x58,0x19,0xC4,0x2A,0xCC,0x17,0xA3,0xE3,0x18, + 0xA8,0xD2,0x9C,0xE0,0xCE,0x50,0x02,0x20,0x39,0x02,0x7B,0x84,0x19,0xE4,0x6B,0x58, + 0xFC,0xB8,0xB1,0x48,0xB1,0x5B,0x26,0xD9,0x70,0x10,0xCC,0x9C,0x4C,0x06,0x8C,0x73, + 0xCB,0xC7,0xAA,0x28,0xA7,0x25,0x2A,0x6F, +}; + +/* subject:/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Test Apple Root CA */ +/* issuer :/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Test Apple Root CA */ +unsigned char _testRoot[1232]={ + 0x30,0x82,0x04,0xCC,0x30,0x82,0x03,0xB4,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x3D, + 0x00,0x4B,0x90,0x3E,0xDE,0xE0,0xD0,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7, + 0x0D,0x01,0x01,0x05,0x05,0x00,0x30,0x67,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04, + 0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A, + 0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x26,0x30,0x24,0x06,0x03, + 0x55,0x04,0x0B,0x0C,0x1D,0x41,0x70,0x70,0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69, + 0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69, + 0x74,0x79,0x31,0x1B,0x30,0x19,0x06,0x03,0x55,0x04,0x03,0x0C,0x12,0x54,0x65,0x73, + 0x74,0x20,0x41,0x70,0x70,0x6C,0x65,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x30, + 0x1E,0x17,0x0D,0x31,0x35,0x30,0x34,0x32,0x32,0x30,0x32,0x31,0x35,0x34,0x38,0x5A, + 0x17,0x0D,0x33,0x35,0x30,0x32,0x30,0x39,0x32,0x31,0x34,0x30,0x33,0x36,0x5A,0x30, + 0x67,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13, + 0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49, + 0x6E,0x63,0x2E,0x31,0x26,0x30,0x24,0x06,0x03,0x55,0x04,0x0B,0x0C,0x1D,0x41,0x70, + 
0x70,0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F, + 0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x1B,0x30,0x19,0x06, + 0x03,0x55,0x04,0x03,0x0C,0x12,0x54,0x65,0x73,0x74,0x20,0x41,0x70,0x70,0x6C,0x65, + 0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09, + 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00, + 0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xC7,0xD1,0x43,0x53,0x7F,0x0D,0x88, + 0x6B,0xE6,0xB1,0x67,0x9D,0xEE,0x67,0xB6,0xE7,0x77,0x12,0x81,0xC4,0xDF,0x24,0x6B, + 0x7A,0x75,0x24,0xF7,0x01,0x09,0xCE,0x34,0x92,0xF5,0x38,0x08,0x42,0x7E,0xEC,0x9D, + 0xF2,0x5D,0x38,0x91,0xB4,0x93,0x98,0x35,0x11,0x3C,0x98,0x00,0x77,0xD9,0xD7,0xF3, + 0x4A,0xF8,0xF0,0xBC,0xEB,0x97,0x5D,0x4B,0x61,0x2E,0xFB,0xC5,0xCC,0x68,0xB7,0x6D, + 0x69,0x10,0xCC,0xA5,0x61,0x78,0xA8,0x81,0x02,0x9E,0xE7,0x63,0xC5,0xFF,0x29,0x22, + 0x82,0x68,0xAA,0xAA,0x0E,0xFB,0xA9,0xD8,0x16,0x73,0x25,0xBF,0x9D,0x08,0x62,0x2F, + 0x78,0x04,0xF6,0xF6,0x44,0x07,0x37,0x6E,0x99,0x1B,0x93,0xD8,0x7F,0xEE,0x72,0xDE, + 0xE8,0x32,0xF6,0x6D,0x78,0x04,0xA0,0xA8,0x21,0x26,0x8A,0x32,0xE3,0xB1,0x65,0x85, + 0xA1,0x7B,0x1A,0xA9,0x02,0xB2,0xBB,0xEE,0xDD,0xDD,0x8F,0x41,0x49,0xC8,0x3F,0xDC, + 0x1E,0xDF,0x21,0xA3,0x95,0x99,0xBB,0xFC,0x29,0xBA,0x40,0x43,0xB9,0x1C,0xCD,0xC9, + 0x21,0x45,0x73,0xAD,0xFF,0xFD,0xA2,0x6C,0x5C,0x3B,0x1C,0x37,0x91,0x34,0x8E,0x5C, + 0xD3,0xD5,0x03,0x58,0x28,0xC7,0xF2,0x76,0x6F,0x11,0xC0,0xB5,0xBD,0x7E,0xEF,0x23, + 0xB3,0x3D,0xB8,0xBD,0x38,0x66,0x8C,0xF2,0x78,0x95,0xC1,0x8B,0x32,0x65,0x3A,0x9B, + 0x49,0x1A,0x5C,0x41,0x3C,0xC6,0x85,0x50,0xEC,0x85,0xF0,0x59,0x17,0x81,0xE8,0x96, + 0xE8,0x6A,0xCC,0xB3,0xC7,0x46,0xBF,0x81,0x48,0xD1,0x09,0x1B,0xBC,0x73,0x1E,0xD7, + 0xE8,0x27,0xA8,0x49,0x48,0xA2,0x1C,0x41,0x1D,0x02,0x03,0x01,0x00,0x01,0xA3,0x82, + 0x01,0x7A,0x30,0x82,0x01,0x76,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04, + 0x14,0x59,0xB8,0x2B,0x94,0x3A,0x1B,0xBA,0xF1,0x00,0xAE,0xEE,0x50,0x52,0x23,0x33, + 
0xC9,0x59,0xC3,0x54,0x98,0x30,0x0F,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04, + 0x05,0x30,0x03,0x01,0x01,0xFF,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30, + 0x16,0x80,0x14,0x59,0xB8,0x2B,0x94,0x3A,0x1B,0xBA,0xF1,0x00,0xAE,0xEE,0x50,0x52, + 0x23,0x33,0xC9,0x59,0xC3,0x54,0x98,0x30,0x82,0x01,0x11,0x06,0x03,0x55,0x1D,0x20, + 0x04,0x82,0x01,0x08,0x30,0x82,0x01,0x04,0x30,0x82,0x01,0x00,0x06,0x09,0x2A,0x86, + 0x48,0x86,0xF7,0x63,0x64,0x05,0x01,0x30,0x81,0xF2,0x30,0x2A,0x06,0x08,0x2B,0x06, + 0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x1E,0x68,0x74,0x74,0x70,0x73,0x3A,0x2F,0x2F, + 0x77,0x77,0x77,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x2F,0x61,0x70, + 0x70,0x6C,0x65,0x63,0x61,0x2F,0x30,0x81,0xC3,0x06,0x08,0x2B,0x06,0x01,0x05,0x05, + 0x07,0x02,0x02,0x30,0x81,0xB6,0x0C,0x81,0xB3,0x52,0x65,0x6C,0x69,0x61,0x6E,0x63, + 0x65,0x20,0x6F,0x6E,0x20,0x74,0x68,0x69,0x73,0x20,0x63,0x65,0x72,0x74,0x69,0x66, + 0x69,0x63,0x61,0x74,0x65,0x20,0x62,0x79,0x20,0x61,0x6E,0x79,0x20,0x70,0x61,0x72, + 0x74,0x79,0x20,0x61,0x73,0x73,0x75,0x6D,0x65,0x73,0x20,0x61,0x63,0x63,0x65,0x70, + 0x74,0x61,0x6E,0x63,0x65,0x20,0x6F,0x66,0x20,0x74,0x68,0x65,0x20,0x74,0x68,0x65, + 0x6E,0x20,0x61,0x70,0x70,0x6C,0x69,0x63,0x61,0x62,0x6C,0x65,0x20,0x73,0x74,0x61, + 0x6E,0x64,0x61,0x72,0x64,0x20,0x74,0x65,0x72,0x6D,0x73,0x20,0x61,0x6E,0x64,0x20, + 0x63,0x6F,0x6E,0x64,0x69,0x74,0x69,0x6F,0x6E,0x73,0x20,0x6F,0x66,0x20,0x75,0x73, + 0x65,0x2C,0x20,0x63,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x65,0x20,0x70, + 0x6F,0x6C,0x69,0x63,0x79,0x20,0x61,0x6E,0x64,0x20,0x63,0x65,0x72,0x74,0x69,0x66, + 0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x70,0x72,0x61,0x63,0x74,0x69,0x63,0x65, + 0x20,0x73,0x74,0x61,0x74,0x65,0x6D,0x65,0x6E,0x74,0x73,0x2E,0x30,0x0E,0x06,0x03, + 0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x0D,0x06,0x09, + 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00, + 0x10,0x5E,0x6C,0x69,0xFC,0xA6,0x0F,0xE2,0x09,0xD5,0x94,0x90,0xA6,0x7C,0x22,0xDC, + 
0xEE,0xB0,0x8F,0x24,0x22,0x4F,0xB3,0x67,0xDB,0x32,0xB0,0xD6,0x24,0x87,0xE6,0xF3, + 0xEA,0x9E,0xD0,0x95,0x75,0xAA,0xA7,0x08,0xFF,0xB0,0x35,0xD7,0x1F,0xA3,0xBF,0x89, + 0x55,0x0C,0x1C,0xA4,0xD0,0xF8,0x00,0x17,0x44,0x94,0x36,0x63,0x3B,0x83,0xFE,0x4E, + 0xE5,0xB3,0xEC,0x7B,0x7D,0xCE,0xFE,0xA9,0x54,0xED,0xBB,0x12,0xA6,0x72,0x2B,0xB3, + 0x48,0x00,0xC7,0x8E,0xF5,0x5B,0x68,0xC9,0x24,0x22,0x7F,0xA1,0x4D,0xFC,0x54,0xD9, + 0xD0,0x5D,0x82,0x53,0x71,0x29,0x66,0xCF,0x0F,0x6D,0x32,0xA6,0x3F,0xAE,0x54,0x27, + 0xC2,0x8C,0x12,0x4C,0xF0,0xD6,0xC1,0x80,0x75,0xC3,0x33,0x19,0xD1,0x8B,0x58,0xE6, + 0x00,0x69,0x76,0xE7,0xE5,0x3D,0x47,0xF9,0xC0,0x9C,0xE7,0x19,0x1E,0x95,0xBC,0x52, + 0x15,0xCE,0x94,0xF8,0x30,0x14,0x0B,0x39,0x0E,0x8B,0xAF,0x29,0x30,0x56,0xAF,0x5A, + 0x28,0xAC,0xE1,0x0F,0x51,0x76,0x76,0x9A,0xE7,0xB9,0x7D,0xA3,0x30,0xE8,0xE3,0x71, + 0x15,0xE8,0xBF,0x0D,0x4F,0x12,0x9B,0x65,0xAB,0xEF,0xA4,0xE9,0x42,0xF0,0xD2,0x4D, + 0x20,0x55,0x29,0x88,0x58,0x5C,0x82,0x67,0x63,0x20,0x50,0xC6,0xCA,0x04,0xE8,0xBC, + 0x3D,0x93,0x06,0x21,0xB2,0xC0,0xBF,0x53,0x1E,0xE1,0x8B,0x48,0xA9,0xB9,0xD7,0xE6, + 0x5F,0x4E,0x5A,0x2F,0x43,0xAC,0x35,0xBD,0x26,0x60,0x2F,0x01,0xD5,0x86,0x6B,0x64, + 0xFA,0x67,0x05,0x44,0x55,0x83,0x5B,0x93,0x9C,0x7C,0xA7,0x26,0x4E,0x02,0x2B,0x48, +}; + +/* subject:/CN=Test Apple Server Authentication CA/OU=Certification Authority/O=Apple Inc./C=US */ +/* issuer :/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Test Apple Root CA */ +unsigned char _testServerAuthCA[1043]={ + 0x30,0x82,0x04,0x0F,0x30,0x82,0x02,0xF7,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x4B, + 0x28,0xA9,0x3B,0x57,0x8B,0xF6,0x26,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7, + 0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x67,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04, + 0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A, + 0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x26,0x30,0x24,0x06,0x03, + 0x55,0x04,0x0B,0x0C,0x1D,0x41,0x70,0x70,0x6C,0x65,0x20,0x43,0x65,0x72,0x74,0x69, + 
0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69, + 0x74,0x79,0x31,0x1B,0x30,0x19,0x06,0x03,0x55,0x04,0x03,0x0C,0x12,0x54,0x65,0x73, + 0x74,0x20,0x41,0x70,0x70,0x6C,0x65,0x20,0x52,0x6F,0x6F,0x74,0x20,0x43,0x41,0x30, + 0x1E,0x17,0x0D,0x31,0x35,0x30,0x36,0x30,0x38,0x30,0x37,0x35,0x38,0x34,0x35,0x5A, + 0x17,0x0D,0x32,0x39,0x30,0x33,0x30,0x38,0x30,0x31,0x35,0x33,0x30,0x34,0x5A,0x30, + 0x72,0x31,0x2C,0x30,0x2A,0x06,0x03,0x55,0x04,0x03,0x0C,0x23,0x54,0x65,0x73,0x74, + 0x20,0x41,0x70,0x70,0x6C,0x65,0x20,0x53,0x65,0x72,0x76,0x65,0x72,0x20,0x41,0x75, + 0x74,0x68,0x65,0x6E,0x74,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x43,0x41,0x31, + 0x20,0x30,0x1E,0x06,0x03,0x55,0x04,0x0B,0x0C,0x17,0x43,0x65,0x72,0x74,0x69,0x66, + 0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41,0x75,0x74,0x68,0x6F,0x72,0x69,0x74, + 0x79,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C, + 0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13, + 0x02,0x55,0x53,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7, + 0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02, + 0x82,0x01,0x01,0x00,0xC5,0x7B,0x3F,0x48,0xD3,0x62,0x93,0x93,0x7C,0x0C,0x37,0x69, + 0xDB,0x28,0x05,0x40,0x12,0xD7,0x1F,0x0A,0xB8,0xC3,0xBA,0x24,0x39,0x22,0xDC,0x39, + 0x42,0x1F,0xFD,0x93,0x45,0x3C,0x23,0x0B,0x3E,0xB4,0x96,0xA6,0x55,0x59,0xBA,0xC4, + 0x99,0xE7,0x8A,0x5F,0x8F,0xAE,0x66,0xA7,0x28,0xE2,0x9E,0x68,0xD9,0xEC,0x52,0x67, + 0xFE,0xDD,0xBE,0x59,0xB4,0xAD,0x97,0x63,0x64,0xB0,0x08,0x3C,0xBB,0x6E,0xD1,0x29, + 0xD8,0x58,0xA1,0x99,0x6C,0x2F,0x2F,0xB3,0xF5,0x5C,0x59,0xCA,0xA1,0xE6,0x67,0x44, + 0x3C,0x13,0xB4,0xAE,0x0D,0x00,0xC7,0x53,0xB7,0xF5,0x61,0x58,0xD5,0xC8,0x42,0xFC, + 0xE2,0xFD,0xD5,0x39,0x18,0x80,0xE2,0x72,0xBC,0xF8,0xC3,0x9F,0xCB,0xD8,0x2F,0x83, + 0x40,0x9A,0x3E,0x55,0x5E,0x61,0xA9,0xC4,0x81,0x14,0x2B,0x7B,0x19,0x15,0xAD,0x84, + 0x5E,0x80,0xA8,0x67,0x79,0x05,0x16,0x48,0x5C,0xAE,0x1A,0x2B,0x59,0x9F,0xAA,0x62, + 
0x0B,0x2F,0x57,0xCD,0xE8,0xA8,0x5D,0x38,0xAD,0x7C,0x90,0x79,0x50,0xAC,0x4D,0x13, + 0xA4,0xA7,0xF3,0x73,0xED,0xD6,0x93,0x45,0xDD,0xA8,0xC6,0xFE,0x03,0x28,0x4D,0x58, + 0xC1,0x8B,0xC1,0x03,0x0E,0xE7,0xDF,0x78,0xDD,0x21,0xC6,0x6D,0x1E,0xA0,0x38,0xD7, + 0xA7,0xD7,0x04,0x8C,0x7F,0xCA,0x15,0xEA,0x88,0xE9,0xAE,0x8D,0x46,0xE0,0x87,0x94, + 0x3E,0x8F,0x53,0x11,0x88,0x23,0x99,0x7B,0x9D,0xD8,0x69,0x1A,0x22,0xAE,0xB5,0x18, + 0xA5,0x9F,0xEA,0x71,0x31,0x0B,0x27,0x93,0x85,0x1D,0xF7,0xA0,0xC3,0x82,0x0A,0x3F, + 0xEE,0xD2,0xD4,0xEF,0x02,0x03,0x01,0x00,0x01,0xA3,0x81,0xB3,0x30,0x81,0xB0,0x30, + 0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0xA8,0xCA,0x7A,0x9B,0xA8,0x37, + 0x71,0x9E,0x3D,0xEC,0x5A,0xAB,0x66,0x2E,0xDC,0xD7,0x14,0x3D,0x7B,0xF2,0x30,0x0F, + 0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x05,0x30,0x03,0x01,0x01,0xFF,0x30, + 0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x59,0xB8,0x2B,0x94, + 0x3A,0x1B,0xBA,0xF1,0x00,0xAE,0xEE,0x50,0x52,0x23,0x33,0xC9,0x59,0xC3,0x54,0x98, + 0x30,0x3B,0x06,0x03,0x55,0x1D,0x1F,0x04,0x34,0x30,0x32,0x30,0x30,0xA0,0x2E,0xA0, + 0x2C,0x86,0x2A,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x72,0x6C,0x2D,0x75,0x61, + 0x74,0x2E,0x63,0x6F,0x72,0x70,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D, + 0x2F,0x74,0x65,0x73,0x74,0x72,0x6F,0x6F,0x74,0x2E,0x63,0x72,0x6C,0x30,0x0E,0x06, + 0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x10,0x06, + 0x0A,0x2A,0x86,0x48,0x86,0xF7,0x63,0x64,0x06,0x02,0x0C,0x04,0x02,0x05,0x00,0x30, + 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x82, + 0x01,0x01,0x00,0x11,0x24,0x61,0x2B,0x7C,0x5E,0x67,0x29,0x94,0x14,0x19,0x16,0xD5, + 0xD4,0x7A,0xEE,0x53,0x1A,0x64,0xA2,0x6A,0x2B,0x04,0xE6,0x2C,0xA1,0x08,0xBA,0xCA, + 0x81,0xF5,0x28,0x2A,0xCE,0xD5,0x6B,0x52,0xAC,0xE7,0xBD,0xB3,0x23,0xB9,0x67,0x2C, + 0xC7,0x9E,0x61,0xA1,0xD9,0x6C,0x3F,0x4F,0x55,0xD4,0x75,0xAF,0x44,0xAD,0xF8,0xCE, + 0x58,0xA7,0x2E,0xF8,0x6A,0xF0,0x76,0x51,0x31,0x75,0x4C,0xCA,0xF6,0xC3,0x59,0xC7, + 
0xE6,0xAE,0x4A,0x20,0x4E,0x5F,0xB9,0xAB,0x1C,0xB6,0x36,0x25,0x60,0x02,0x32,0x47, + 0x7D,0xA0,0xE2,0x36,0xB3,0x3B,0x40,0x20,0x9E,0x38,0x40,0x1C,0x7E,0x83,0x35,0x9C, + 0x9D,0x8B,0xD1,0xF9,0xEA,0xD4,0xF2,0x83,0xE0,0x30,0xEA,0xC3,0xEE,0x3D,0x76,0x98, + 0x9E,0x0A,0x07,0xB5,0xB6,0xFC,0x38,0x32,0xF6,0x41,0xEF,0x8E,0x25,0x2C,0xE3,0xC7, + 0xA7,0xAD,0x88,0x77,0x4D,0x10,0x1D,0x67,0x50,0x64,0xB0,0x02,0x04,0x2C,0xEA,0x4C, + 0x81,0x33,0xBE,0xF3,0xCD,0x43,0x63,0x97,0x44,0xDF,0xBB,0xC6,0xE2,0x37,0x32,0xF1, + 0xE4,0x19,0x1F,0xF5,0xAE,0xDA,0x05,0xC4,0x0B,0xFA,0x30,0xCA,0x77,0x78,0x65,0xD6, + 0x4F,0x2D,0xFE,0x63,0xD3,0x4C,0x3D,0xA9,0x0E,0xC4,0x0F,0xD6,0xCC,0x2A,0x2D,0x06, + 0x9B,0xDE,0x94,0xF6,0x22,0x2E,0x89,0xCB,0x68,0x4E,0xDE,0x79,0xE5,0x83,0xDE,0x64, + 0x63,0xE9,0x77,0x88,0xF1,0x57,0xF2,0x5C,0xB4,0x77,0x3A,0xC8,0x1F,0x6D,0x80,0x4C, + 0x8B,0x68,0xA5,0xFA,0xAD,0x1F,0x5C,0x8C,0x50,0x27,0xED,0xF7,0x43,0x68,0xAD,0x34, + 0x5E,0xF6,0x74, +}; + +/* subject:/CN=ast2.test.domain.here/OU=IS&T/O=Apple Inc./C=US */ +/* issuer :/CN=Test Apple Server Authentication CA/OU=Certification Authority/O=Apple Inc./C=US */ +unsigned char _testLeaf[1223]={ + 0x30,0x82,0x04,0xC3,0x30,0x82,0x03,0xAB,0xA0,0x03,0x02,0x01,0x02,0x02,0x08,0x51, + 0x24,0x24,0xE7,0xA6,0xFC,0x66,0x24,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7, + 0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x72,0x31,0x2C,0x30,0x2A,0x06,0x03,0x55,0x04, + 0x03,0x0C,0x23,0x54,0x65,0x73,0x74,0x20,0x41,0x70,0x70,0x6C,0x65,0x20,0x53,0x65, + 0x72,0x76,0x65,0x72,0x20,0x41,0x75,0x74,0x68,0x65,0x6E,0x74,0x69,0x63,0x61,0x74, + 0x69,0x6F,0x6E,0x20,0x43,0x41,0x31,0x20,0x30,0x1E,0x06,0x03,0x55,0x04,0x0B,0x0C, + 0x17,0x43,0x65,0x72,0x74,0x69,0x66,0x69,0x63,0x61,0x74,0x69,0x6F,0x6E,0x20,0x41, + 0x75,0x74,0x68,0x6F,0x72,0x69,0x74,0x79,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04, + 0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E,0x31,0x0B,0x30, + 0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x1E,0x17,0x0D,0x31,0x35, + 
0x31,0x32,0x30,0x39,0x31,0x36,0x30,0x31,0x34,0x31,0x5A,0x17,0x0D,0x31,0x37,0x30, + 0x31,0x30,0x37,0x31,0x36,0x30,0x31,0x34,0x31,0x5A,0x30,0x51,0x31,0x1E,0x30,0x1C, + 0x06,0x03,0x55,0x04,0x03,0x0C,0x15,0x61,0x73,0x74,0x32,0x2E,0x74,0x65,0x73,0x74, + 0x2E,0x64,0x6F,0x6D,0x61,0x69,0x6E,0x2E,0x68,0x65,0x72,0x65,0x31,0x0D,0x30,0x0B, + 0x06,0x03,0x55,0x04,0x0B,0x0C,0x04,0x49,0x53,0x26,0x54,0x31,0x13,0x30,0x11,0x06, + 0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E,0x63,0x2E, + 0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x30,0x82,0x01, + 0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00, + 0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02,0x82,0x01,0x01,0x00,0xB8,0x3F, + 0x03,0x68,0x0F,0xEB,0x75,0x69,0x6F,0xAB,0x1A,0x2A,0x5F,0x48,0x97,0x73,0x4A,0x90, + 0xD9,0xB2,0x60,0x88,0x3D,0xD6,0xA3,0x7B,0xFE,0x37,0xF1,0x2B,0x57,0xDB,0xE2,0xFE, + 0xDA,0xE9,0x35,0x90,0x4E,0xC1,0x9B,0xB7,0x07,0x7D,0x0C,0xB7,0xAE,0xAF,0x5C,0xD8, + 0xDC,0xD8,0x5A,0x65,0x4D,0x34,0x11,0xDF,0x75,0x27,0x4F,0xA0,0xC0,0x3B,0xF0,0x85, + 0x16,0xDD,0x25,0x6C,0x21,0x23,0xFA,0xD0,0xF7,0x3D,0x37,0x66,0xF2,0x32,0x10,0x95, + 0xA0,0x36,0xE0,0x33,0xB5,0x4D,0x5A,0x33,0xAC,0xB6,0x2E,0xBC,0x22,0xA5,0x20,0xA7, + 0xA9,0x16,0xE4,0xDB,0xE7,0x42,0xC9,0x6A,0xF7,0xDF,0x55,0xF4,0xC3,0x9C,0x1B,0xE9, + 0x56,0x7F,0xF3,0x1F,0xD7,0x94,0x19,0xB0,0x2B,0xBC,0x4B,0xF8,0xDF,0xB2,0x4A,0xDD, + 0xAA,0x1A,0x67,0xD8,0xEA,0xF7,0x30,0xF8,0xB1,0x6B,0x3C,0xC4,0xF7,0xA2,0x70,0xEF, + 0xAA,0xDD,0x49,0x8A,0x27,0x8E,0x71,0xF7,0xC1,0xFE,0x7B,0xD5,0xF2,0x45,0xC8,0xE4, + 0xA9,0x73,0x53,0x90,0xB0,0xFA,0xA0,0xDE,0x71,0xFF,0x58,0x74,0x2C,0xC4,0xD1,0x54, + 0x14,0xCC,0x00,0xF4,0x95,0xEB,0x81,0x85,0xBB,0xCC,0x3D,0xCF,0x7D,0xF3,0xEE,0x75, + 0xE6,0x82,0xCB,0x93,0x79,0x8F,0xD9,0xED,0xE7,0x45,0x6F,0xA8,0xBE,0xA4,0xDE,0x45, + 0x46,0x38,0x14,0xDC,0x79,0xF6,0x1F,0x64,0xD3,0x05,0x45,0xBF,0x50,0x1B,0x81,0x7E, + 0x6C,0x77,0x1B,0xF2,0xBC,0x57,0xFD,0x25,0x94,0xB4,0x9A,0x0B,0x48,0x59,0x8F,0x8A, + 
0x0C,0x8F,0xBD,0x4C,0xE2,0x53,0x49,0xBC,0xC6,0x16,0x99,0xF4,0xE6,0x6F,0x02,0x03, + 0x01,0x00,0x01,0xA3,0x82,0x01,0x7C,0x30,0x82,0x01,0x78,0x30,0x53,0x06,0x08,0x2B, + 0x06,0x01,0x05,0x05,0x07,0x01,0x01,0x04,0x47,0x30,0x45,0x30,0x43,0x06,0x08,0x2B, + 0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x86,0x37,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F, + 0x6F,0x63,0x73,0x70,0x2D,0x75,0x61,0x74,0x2E,0x63,0x6F,0x72,0x70,0x2E,0x61,0x70, + 0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x2F,0x6F,0x63,0x73,0x70,0x30,0x33,0x2D,0x61, + 0x70,0x70,0x6C,0x65,0x73,0x65,0x72,0x76,0x65,0x72,0x61,0x75,0x74,0x68,0x30,0x31, + 0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0xC2,0x1E,0xBD,0xED,0x39, + 0xF8,0x62,0x73,0x86,0x05,0xF3,0xBC,0x85,0x73,0xB3,0xA9,0x3C,0x12,0xBA,0xA8,0x30, + 0x0C,0x06,0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x02,0x30,0x00,0x30,0x1F,0x06, + 0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0xA8,0xCA,0x7A,0x9B,0xA8,0x37, + 0x71,0x9E,0x3D,0xEC,0x5A,0xAB,0x66,0x2E,0xDC,0xD7,0x14,0x3D,0x7B,0xF2,0x30,0x49, + 0x06,0x03,0x55,0x1D,0x1F,0x04,0x42,0x30,0x40,0x30,0x3E,0xA0,0x3C,0xA0,0x3A,0x86, + 0x38,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x63,0x72,0x6C,0x2D,0x75,0x61,0x74,0x2E, + 0x63,0x6F,0x72,0x70,0x2E,0x61,0x70,0x70,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x2F,0x74, + 0x65,0x73,0x74,0x61,0x70,0x70,0x6C,0x65,0x73,0x65,0x72,0x76,0x65,0x72,0x61,0x75, + 0x74,0x68,0x63,0x61,0x31,0x2E,0x63,0x72,0x6C,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F, + 0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x05,0xA0,0x30,0x13,0x06,0x03,0x55,0x1D,0x25, + 0x04,0x0C,0x30,0x0A,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x01,0x30,0x50, + 0x06,0x03,0x55,0x1D,0x11,0x04,0x49,0x30,0x47,0x82,0x15,0x61,0x73,0x74,0x32,0x2E, + 0x74,0x65,0x73,0x74,0x2E,0x64,0x6F,0x6D,0x61,0x69,0x6E,0x2E,0x68,0x65,0x72,0x65, + 0x82,0x16,0x61,0x73,0x74,0x32,0x2E,0x74,0x65,0x73,0x74,0x2E,0x64,0x6F,0x6D,0x61, + 0x69,0x6E,0x32,0x2E,0x68,0x65,0x72,0x65,0x82,0x16,0x61,0x73,0x74,0x32,0x2E,0x74, + 0x65,0x73,0x74,0x2E,0x64,0x6F,0x6D,0x61,0x69,0x6E,0x33,0x2E,0x68,0x65,0x72,0x65, + 
0x30,0x11,0x06,0x0B,0x2A,0x86,0x48,0x86,0xF7,0x63,0x64,0x06,0x1B,0x08,0x02,0x04, + 0x02,0x05,0x00,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B, + 0x05,0x00,0x03,0x82,0x01,0x01,0x00,0xA1,0xF3,0x96,0x32,0xD2,0x94,0x78,0x0F,0x03, + 0xF5,0xCF,0x96,0x8F,0xAC,0xDA,0xA9,0x1E,0x39,0xE5,0xCE,0x24,0xFD,0xA6,0x66,0x06, + 0x00,0xBC,0x66,0x69,0xC1,0xE1,0xF2,0x31,0xB6,0x70,0xBB,0xD6,0xCA,0x7A,0xCC,0xCF, + 0x01,0x1E,0x47,0x80,0x60,0x43,0x05,0x48,0x8E,0x33,0xF7,0xA9,0xFD,0xE8,0xB9,0x05, + 0x9F,0x7E,0xD1,0xF2,0xDA,0x13,0x45,0xD9,0x96,0x16,0x64,0xD5,0x74,0x0F,0xBD,0x1C, + 0x95,0x72,0xD6,0x31,0xBD,0xFB,0x66,0xC6,0xC0,0xD4,0x4C,0x52,0x1D,0xFB,0xB0,0x65, + 0x4F,0xF2,0x4C,0x4D,0xF5,0x68,0xD6,0xB5,0x4C,0x14,0xC1,0xFA,0xF1,0xDF,0x70,0x4E, + 0x14,0x07,0x8C,0xD6,0x55,0x66,0x91,0x97,0xE0,0x95,0x46,0x15,0x25,0x9B,0xCA,0xC4, + 0x64,0x10,0xFA,0xB4,0xDF,0xF3,0x2E,0x3A,0x26,0x74,0xFB,0x44,0x8E,0x8A,0xEA,0xC9, + 0x2E,0x31,0xD9,0xA2,0xB3,0xA0,0xAF,0x5E,0x48,0xE1,0x5A,0xEC,0xE0,0xA7,0x3B,0x35, + 0x1C,0x8F,0xFF,0xAA,0x02,0xBB,0x2F,0x95,0x11,0xA8,0x8B,0xE6,0x3D,0x65,0x1B,0xC0, + 0xBD,0x6C,0xCC,0x11,0x0C,0xFE,0xCD,0x0D,0x30,0xF1,0xE7,0x53,0xA4,0x7E,0xAC,0x50, + 0xC9,0x23,0x01,0xEE,0xD3,0xD5,0xE5,0xAC,0x0F,0x04,0x22,0xDA,0x30,0x14,0x25,0x6A, + 0x64,0x7B,0xA9,0x9E,0xB9,0x59,0x07,0x0B,0x0C,0x39,0x88,0x18,0x5B,0x35,0x61,0x31, + 0x3D,0x4E,0xCE,0xD5,0xB3,0x67,0x82,0x88,0x3C,0x10,0x12,0xA6,0xC0,0x08,0xC3,0xA5, + 0x41,0x39,0x69,0xAE,0x84,0x34,0x9C,0xED,0x4A,0xED,0x3A,0x85,0x9D,0x98,0xF7,0x12, + 0xD1,0x1D,0xCD,0x9B,0xC8,0x60,0x57, +}; + +#endif /* si_92_sectrust_homekit_h */ diff --git a/OSX/sec/Security/SecAccessControlExports.exp-in b/OSX/sec/Security/SecAccessControlExports.exp-in index c3b9371e..2a58b75d 100644 --- a/OSX/sec/Security/SecAccessControlExports.exp-in +++ b/OSX/sec/Security/SecAccessControlExports.exp-in @@ -33,3 +33,4 @@ _kSecUseAuthenticationUIAllow _kSecUseAuthenticationUIFail _kSecUseAuthenticationUISkip _kSecUseAuthenticationContext +_kSecUseCallerName 
diff --git a/OSX/sec/Security/SecExports.exp-in b/OSX/sec/Security/SecExports.exp-in
index 2a2fb56f..6300a347 100644
--- a/OSX/sec/Security/SecExports.exp-in
+++ b/OSX/sec/Security/SecExports.exp-in
@@ -152,6 +152,7 @@ _SecPolicyCreateAppleAST2Service
 _SecPolicyCreateAppleSSLService
 _SecPolicyCreateApplePackageSigning
 _SecPolicyCreateAppleSWUpdateSigning
+_SecPolicyCreateAppleHomeKitServerAuth
 _SecPolicyCreateBasicX509
 _SecPolicyCreateCodeSigning
 _SecPolicyCreateConfigurationProfileSigner
diff --git a/OSX/sec/Security/SecItem.c b/OSX/sec/Security/SecItem.c
index 1595e0bf..68b60013 100644
--- a/OSX/sec/Security/SecItem.c
+++ b/OSX/sec/Security/SecItem.c
@@ -971,6 +971,13 @@ bool SecItemAuthDo(SecCFDictionaryCOW *auth_params, CFErrorRef *error, SecItemAu
 CFRelease(key);
 }
 
+ CFStringRef caller_name = CFDictionaryGetValue(auth_params->dictionary, kSecUseCallerName);
+ if (caller_name != NULL) {
+ CFNumberRef key = CFNumberCreateWithCFIndex(NULL, kLAOptionCallerName);
+ CFDictionarySetValue(SecCFDictionaryCOWGetMutable(&auth_options), key, caller_name);
+ CFRelease(key);
+ }
+
 CFTypeRef auth_ui = CFDictionaryGetValue(auth_params->dictionary, kSecUseAuthenticationUI);
 if (CFEqualSafe(auth_ui, kSecUseAuthenticationUIFail)) {
 CFNumberRef key = CFNumberCreateWithCFIndex(NULL, kLAOptionNotInteractive);
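Review bot: The `kSecUseCallerName` value is read with CFDictionaryGetValue and forwarded to LocalAuthentication as a CFStringRef with only a NULL check, whereas the neighbouring `kSecUseAuthenticationUI` value is only ever compared with CFEqualSafe; the value originates in the caller's query (the SecItemAuthCopyParams hunk copies it over verbatim), so guard it with `if (caller_name != NULL && CFGetTypeID(caller_name) == CFStringGetTypeID()) {` so that a mistyped value is dropped here rather than handed to the authentication UI. The same guard fits the SecItemAuthCopyParams hunk. SecItemPriv.h says the key is ignored without the 'com.apple.private.LocalAuthentication.CallerName' entitlement, and nothing in this hunk checks it, so presumably LocalAuthentication enforces it; a comment such as `// Entitlement gating of kLAOptionCallerName happens in LocalAuthentication, not here.` would record that once confirmed. SecItemAuthDo's body starts and ends outside the hunk.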
@@ -1017,6 +1024,13 @@ void SecItemAuthCopyParams(SecCFDictionaryCOW *auth_params, SecCFDictionaryCOW *
 CFDictionaryRemoveValue(SecCFDictionaryCOWGetMutable(query), kSecUseOperationPrompt);
 }
 
+ // Store caller name.
+ CFStringRef caller_name = CFDictionaryGetValue(query->dictionary, kSecUseCallerName);
+ if (caller_name != NULL) {
+ CFDictionarySetValue(SecCFDictionaryCOWGetMutable(auth_params), kSecUseCallerName, caller_name);
+ CFDictionaryRemoveValue(SecCFDictionaryCOWGetMutable(query), kSecUseCallerName);
+ }
+
 // Find out whether we are allowed to pop up a UI.
 CFTypeRef auth_ui = CFDictionaryGetValue(query->dictionary, kSecUseAuthenticationUI) ?:
 (CFEqualSafe(CFDictionaryGetValue(query->dictionary, kSecUseNoAuthenticationUI), kCFBooleanTrue) ?
diff --git a/OSX/sec/Security/SecItemConstants.c b/OSX/sec/Security/SecItemConstants.c
index d09ce9d4..ddc1f0c8 100644
--- a/OSX/sec/Security/SecItemConstants.c
+++ b/OSX/sec/Security/SecItemConstants.c
@@ -144,6 +144,7 @@ SEC_CONST_DECL (kSecUseNoAuthenticationUI, "u_NoAuthUI");
 SEC_CONST_DECL (kSecUseAuthenticationUI, "u_AuthUI");
 SEC_CONST_DECL (kSecUseSystemKeychain, "u_SystemKeychain");
 SEC_CONST_DECL (kSecUseSyncBubbleKeychain, "u_SyncBubbleKeychain");
+SEC_CONST_DECL (kSecUseCallerName, "u_CallerName");
 
 /* kSecAttrAccessible Value Constants. */
 SEC_CONST_DECL (kSecAttrAccessibleWhenUnlocked, "ak");
diff --git a/OSX/sec/Security/SecItemPriv.h b/OSX/sec/Security/SecItemPriv.h
index e8fab148..664242ab 100644
--- a/OSX/sec/Security/SecItemPriv.h
+++ b/OSX/sec/Security/SecItemPriv.h
@@ -345,12 +345,18 @@ extern const CFStringRef kSecUseSyncBubbleKeychain @constant kSecUseCredentialReference Specifies a CFDataRef containing AppleCredentialManager reference handle to be used when authorizing access to the item. + @constant kSecUseCallerName Specifies a dictionary key whose value + is a CFStringRef that represents a user-visible string describing + the caller name for which the application is attempting to authenticate. + The caller must have 'com.apple.private.LocalAuthentication.CallerName' + entitlement set to YES to use this feature, otherwise it is ignored. */ extern const CFStringRef kSecUseTombstones __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); extern const CFStringRef kSecUseCredentialReference __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0); - +extern const CFStringRef kSecUseCallerName + __OSX_AVAILABLE(10.11.4) __IOS_AVAILABLE(9.3) __TVOS_AVAILABLE(9.3) __WATCHOS_AVAILABLE(2.3); /*! @function SecItemCopyDisplayNames diff --git a/OSX/sec/Security/SecPolicy.c b/OSX/sec/Security/SecPolicy.c index 72d35c51..a552287b 100644 --- a/OSX/sec/Security/SecPolicy.c +++ b/OSX/sec/Security/SecPolicy.c @@ -283,6 +283,7 @@ static CFStringRef kSecPolicyOIDApplePayIssuerEncryption = CFSTR("ApplePayIssuer static CFStringRef kSecPolicyOIDAppleOSXProvisioningProfileSigning = CFSTR("AppleOSXProvisioningProfileSigning"); static CFStringRef kSecPolicyOIDAppleATVVPNProfileSigning = CFSTR("AppleATVVPNProfileSigning"); static CFStringRef kSecPolicyOIDAppleAST2Service = CFSTR("AST2Service"); +static CFStringRef kSecPolicyOIDAppleHomeKitServerAuth = CFSTR("HomeKitServerAuth"); /* Policies will now change to multiple categories of checks. 
@@ -3005,3 +3006,51 @@ errOut:
 CFReleaseSafe(appleAnchorOptions);
 return result;
 }
+
+SecPolicyRef SecPolicyCreateAppleHomeKitServerAuth(CFStringRef hostname) {
+ CFMutableDictionaryRef appleAnchorOptions = NULL;
+ CFMutableDictionaryRef options = NULL;
+ SecPolicyRef result = NULL;
+ CFDataRef oid = NULL;
+
+ options = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+ require(options, errOut);
+
+ SecPolicyAddBasicX509Options(options);
+
+ CFDictionaryAddValue(options, kSecPolicyCheckSSLHostname, hostname);
+
+ add_eku(options, &oidExtendedKeyUsageServerAuth);
+
+ if (requirePinning(false, CFSTR("HomeKit"))) {
+ bool allowUAT = allowUATRoot(false, CFSTR("HomeKit"), NULL);
+
+ // Cert chain length 3
+ require(SecPolicyAddChainLengthOptions(options, 3), errOut);
+
+ // Apple anchors, allowing test anchors for internal releases properly configured
+ appleAnchorOptions = CFDictionaryCreateMutableForCFTypes(NULL);
+ require(appleAnchorOptions, errOut);
+ if (allowUAT) {
+ CFDictionarySetValue(appleAnchorOptions,
+ kSecPolicyAppleAnchorIncludeTestRoots, kCFBooleanTrue);
+ }
+ add_element(options, kSecPolicyCheckAnchorApple, appleAnchorOptions);
+
+ add_leaf_marker(options, &oidAppleCertExtHomeKitServerAuth);
+
+ add_oid(options, kSecPolicyCheckIntermediateMarkerOid, &oidAppleIntmMarkerAppleHomeKitServerCA);
+ }
+
+
+ CFDictionaryAddValue(options, kSecPolicyCheckRevocation, kCFBooleanTrue);
+
+ result = SecPolicyCreate(kSecPolicyOIDAppleHomeKitServerAuth, options);
+ require(result, errOut);
+
+errOut:
+ CFReleaseSafe(appleAnchorOptions);
+ CFReleaseSafe(options);
+ CFReleaseSafe(oid);
+ return result;
+}
diff --git a/OSX/sec/Security/SecPolicyPriv.h b/OSX/sec/Security/SecPolicyPriv.h
index 5bfd8f32..9c0f0c76 100644
--- a/OSX/sec/Security/SecPolicyPriv.h
+++ b/OSX/sec/Security/SecPolicyPriv.h
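Review bot: `hostname` goes straight into `CFDictionaryAddValue(options, kSecPolicyCheckSSLHostname, hostname)` without a NULL check, although the matching SecPolicyPriv.h comment calls the parameter required; a NULL value in a dictionary created with kCFTypeDictionaryValueCallBacks can trap in the retain callback, so add `require(hostname, errOut);` beside the existing `require(options, errOut);` (or make the add conditional, if an absent hostname is meant to be tolerated). `CFDataRef oid` is declared, never assigned and only released, so the declaration and `CFReleaseSafe(oid);` are dead and can go. The double blank line before the revocation check is a minor style nit.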
@@ -583,6 +583,27 @@ SecPolicyRef SecPolicyCreateApplePayIssuerEncryption(void)
 SecPolicyRef SecPolicyCreateAppleATVVPNProfileSigning(void)
 __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0);
 
+/*!
+ @function SecPolicyCreateAppleHomeKitServerAuth
+ @abstract Ensure we're appropriately pinned to the HomeKit service (SSL + Apple restrictions)
+ @param hostname Required; hostname to verify the certificate name against.
+ @discussion This policy uses the Basic X.509 policy with validity check
+ and pinning options:
+ * The chain is anchored to any of the production Apple Root CAs via full certificate
+ comparison. Test Apple Root CAs are permitted only on internal releases with defaults write.
+ * The intermediate has a marker extension with OID 1.2.840.113635.100.6.2.16
+ * The leaf has a marker extension with OID 1.2.840.113635.100.6.27.9.
+ * The leaf has the provided hostname in the DNSName of the SubjectAlternativeName
+ extension or Common Name.
+ * The leaf is checked against the Black and Gray lists.
+ * The leaf has ExtendedKeyUsage with the ServerAuth OID.
+ * Revocation is checked via CRL.
+ @result A policy object. The caller is responsible for calling CFRelease
+ on this when it is no longer needed.
+ */
+SecPolicyRef SecPolicyCreateAppleHomeKitServerAuth(CFStringRef hostname)
+__OSX_AVAILABLE_STARTING(__MAC_10_11_4, __IPHONE_9_3);
+
 __END_DECLS
 
 #endif /* !_SECURITY_SECPOLICYPRIV_H_ */
diff --git a/OSX/sec/Security/SecSharedCredential.c b/OSX/sec/Security/SecSharedCredential.c
index a1f6963f..effad87d 100644
--- a/OSX/sec/Security/SecSharedCredential.c
+++ b/OSX/sec/Security/SecSharedCredential.c
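Review bot: The @discussion presents the Apple-root anchoring, chain-length and intermediate/leaf marker checks as unconditional, but in SecPolicy.c all of them sit under `if (requirePinning(false, CFSTR("HomeKit")))`, so a reader of this header cannot tell that the policy reduces to basic X.509 plus hostname, EKU and revocation when pinning is not required for the HomeKit service. Add a sentence next to the existing test-root caveat, e.g. `The pinning requirements above apply only when pinning is required for the HomeKit service; otherwise only the basic X.509, hostname, EKU and revocation checks run.` The @param line calls hostname required while the implementation does not check it; once that is settled, say here what a NULL hostname does.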
@@ -65,7 +65,7 @@ OSStatus SecAddSharedWebCredentialSync(CFStringRef fqdn,
 bool xpc_result;
 bool internal_spi = false; // TODO: support this for SecurityDevTests
 if(internal_spi && gSecurityd && gSecurityd->sec_add_shared_web_credential) {
- xpc_result = gSecurityd->sec_add_shared_web_credential(args, NULL, NULL, SecAccessGroupsGetCurrent(), &raw_result, error);
+ xpc_result = gSecurityd->sec_add_shared_web_credential(args, NULL, NULL, NULL, SecAccessGroupsGetCurrent(), &raw_result, error);
 } else {
 xpc_result = cftype_client_to_bool_cftype_error_request(sec_add_shared_web_credential_id, args, SecSecurityClientGet(), &raw_result, error);
 }
@@ -162,7 +162,7 @@ OSStatus SecCopySharedWebCredentialSync(CFStringRef fqdn,
 bool xpc_result;
 bool internal_spi = false; // TODO: support this for SecurityDevTests
 if(internal_spi && gSecurityd && gSecurityd->sec_copy_shared_web_credential) {
- xpc_result = gSecurityd->sec_copy_shared_web_credential(args, NULL, NULL, SecAccessGroupsGetCurrent(), &raw_result, error);
+ xpc_result = gSecurityd->sec_copy_shared_web_credential(args, NULL, NULL, NULL, SecAccessGroupsGetCurrent(), &raw_result, error);
 } else {
 xpc_result = cftype_client_to_bool_cftype_error_request(sec_copy_shared_web_credential_id, args, SecSecurityClientGet(), &raw_result, error);
 }
diff --git a/OSX/sec/ipc/securityd_client.h b/OSX/sec/ipc/securityd_client.h
index af006ded..e7ad3dab 100644
--- a/OSX/sec/ipc/securityd_client.h
+++ b/OSX/sec/ipc/securityd_client.h
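Review bot: Both hunks pass NULL for the new `SecurityClient *client` argument on the `internal_spi` path, while server.c passes `&client` for the same callbacks; if the securityd-side implementation now reads fields from `client`, enabling this path (the TODO) would dereference NULL. The path is currently dead (`internal_spi = false`), so at minimum a comment such as `// client is NULL here; pass SecSecurityClientGet() before enabling internal_spi` would prevent the surprise, and `SecSecurityClientGet()` — already used by the non-SPI branch — is the obvious value to pass instead of NULL. The enclosing functions start outside the hunks.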
@@ -271,8 +271,8 @@ struct securityd { bool (*sec_item_copy_matching)(CFDictionaryRef query, SecurityClient *client, CFTypeRef *result, CFErrorRef* error); bool (*sec_item_update)(CFDictionaryRef query, CFDictionaryRef attributesToUpdate, SecurityClient *client, CFErrorRef* error); bool (*sec_item_delete)(CFDictionaryRef query, SecurityClient *client, CFErrorRef* error); - bool (*sec_add_shared_web_credential)(CFDictionaryRef attributes, const audit_token_t *clientAuditToken, CFStringRef appID, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef *error); - bool (*sec_copy_shared_web_credential)(CFDictionaryRef query, const audit_token_t *clientAuditToken, CFStringRef appID, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef *error); + bool (*sec_add_shared_web_credential)(CFDictionaryRef attributes, SecurityClient *client, const audit_token_t *clientAuditToken, CFStringRef appID, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef *error); + bool (*sec_copy_shared_web_credential)(CFDictionaryRef query, SecurityClient *client, const audit_token_t *clientAuditToken, CFStringRef appID, CFArrayRef accessGroups, CFTypeRef *result, CFErrorRef *error); SecTrustStoreRef (*sec_trust_store_for_domain)(CFStringRef domainName, CFErrorRef* error); // TODO: remove, has no msg id bool (*sec_trust_store_contains)(SecTrustStoreRef ts, CFDataRef digest, bool *contains, CFErrorRef* error); bool (*sec_trust_store_set_trust_settings)(SecTrustStoreRef ts, SecCertificateRef certificate, CFTypeRef trustSettingsDictOrArray, CFErrorRef* error); diff --git a/OSX/sec/ipc/server.c b/OSX/sec/ipc/server.c index ff7d1e3f..892542d8 100644 --- a/OSX/sec/ipc/server.c +++ b/OSX/sec/ipc/server.c @@ -77,7 +77,7 @@ #include #if TARGET_OS_IPHONE -static int inMultiUser = -1; +static int inMultiUser = 0; #endif 
@@ -497,8 +497,6 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection, #if TARGET_OS_IOS && !TARGET_OS_SIMULATOR if (inMultiUser) { - assert(inMultiUser != -1); - client.activeUser = MKBForegroundUserSessionID(&error); if (client.activeUser == -1 || client.activeUser == 0) { assert(0); @@ -961,7 +959,7 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection, if (query) { CFTypeRef result = NULL; CFStringRef appID = (client.task) ? SecTaskCopyApplicationIdentifier(client.task) : NULL; - if (_SecAddSharedWebCredential(query, &auditToken, appID, domains, &result, &error) && result) { + if (_SecAddSharedWebCredential(query, &client, &auditToken, appID, domains, &result, &error) && result) { SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, result, &error); CFRelease(result); } @@ -976,7 +974,7 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection, if (query) { CFTypeRef result = NULL; CFStringRef appID = (client.task) ? SecTaskCopyApplicationIdentifier(client.task) : NULL; - if (_SecCopySharedWebCredential(query, &auditToken, appID, domains, &result, &error) && result) { + if (_SecCopySharedWebCredential(query, &client, &auditToken, appID, domains, &result, &error) && result) { SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, result, &error); CFRelease(result); } 
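Review bot: With the `inMultiUser != -1` assertion removed, the only guard left on `client.activeUser` in the first hunk is `assert(0)`, which is compiled out of release builds, so a failed `MKBForegroundUserSessionID` (`-1` or `0`) falls through and the request is served under a bogus active-user id instead of being rejected. That guard predates this commit, but the commit is reworking exactly this block, so it is the right moment to make it fail closed: replace `assert(0);` with an explicit error reply and return through the handler's normal error path (the body continues outside the hunk, so I have not named that path). The two shared-web-credential hunks merely thread `&client` into the new signatures and look correct.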
@@ -1753,32 +1751,30 @@ int main(int argc, char *argv[]) kill(getpid(), SIGSTOP); } - const char *serviceName = kSecuritydXPCServiceName; -#if TRUSTD_SERVER - serviceName = kTrustdXPCServiceName; - if (argc > 1 && (!strcmp(argv[1], "--agent"))) { - serviceName = kTrustdAgentXPCServiceName; - } -#endif - securityd_init_server(); - securityd_xpc_init(serviceName); - #if TARGET_OS_IOS && !TARGET_OS_SIMULATOR - if (inMultiUser == -1) { + { CFDictionaryRef deviceMode = MKBUserTypeDeviceMode(NULL, NULL); CFTypeRef value = NULL; if (deviceMode && CFDictionaryGetValueIfPresent(deviceMode, kMKBDeviceModeKey, &value) && CFEqual(value, kMKBDeviceModeMultiUser)) { inMultiUser = 1; - } else { - inMultiUser = 0; } CFReleaseNull(deviceMode); } -#elif TARGET_OS_IPHONE - inMultiUser = 0; #endif + + const char *serviceName = kSecuritydXPCServiceName; +#if TRUSTD_SERVER + serviceName = kTrustdXPCServiceName; + if (argc > 1 && (!strcmp(argv[1], "--agent"))) { + serviceName = kTrustdAgentXPCServiceName; + } +#endif + securityd_init_server(); + securityd_xpc_init(serviceName); + + // 13B104+Roots:Device never moved past spinner after using approval to ENABLE icdp #if TARGET_OS_EMBEDDED securityd_soscc_lock_hack(); diff --git a/OSX/sec/sec.xcodeproj/project.pbxproj b/OSX/sec/sec.xcodeproj/project.pbxproj index c2a5765e..44102c59 100644 --- a/OSX/sec/sec.xcodeproj/project.pbxproj +++ b/OSX/sec/sec.xcodeproj/project.pbxproj 
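Review bot: The relocated multi-user detection treats any failure of `MKBUserTypeDeviceMode(NULL, NULL)` the same as single-user mode: `deviceMode` is NULL, `inMultiUser` stays at its new default of 0, and securityd then serves every client from the shared keychain view with the error silently discarded. If the call can fail on a device that actually is in multi-user mode that is a fail-open into the shared keychain, though whether MobileKeyBag can fail here in practice is not something this diff shows. Moving the check ahead of `securityd_xpc_init` is the right fix for the old `-1` race; consider also passing a `CFErrorRef` and logging it, e.g. `if (!deviceMode) secerror("MKBUserTypeDeviceMode failed, assuming single-user mode: %@", err);`, so the condition is at least visible after the fact.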
@@ -407,6 +407,8 @@ CDF9BBE11B03E24D00D1AF0F /* secd-52-offering-gencount-reset.c in Sources */ = {isa = PBXBuildFile; fileRef = CDF9BBE01B03E24D00D1AF0F /* secd-52-offering-gencount-reset.c */; }; D40294A91C20A806008CE4B6 /* si-91-sectrust-ast2.c in Sources */ = {isa = PBXBuildFile; fileRef = D40294A71C20A806008CE4B6 /* si-91-sectrust-ast2.c */; }; D40294AA1C20A806008CE4B6 /* si-91-sectrust-ast2.h in Headers */ = {isa = PBXBuildFile; fileRef = D40294A81C20A806008CE4B6 /* si-91-sectrust-ast2.h */; }; + D41380C91C6E529500F1A4B6 /* si-92-sectrust-homekit.c in Sources */ = {isa = PBXBuildFile; fileRef = D41380C71C6E529500F1A4B6 /* si-92-sectrust-homekit.c */; }; + D41380CA1C6E529500F1A4B6 /* si-92-sectrust-homekit.h in Headers */ = {isa = PBXBuildFile; fileRef = D41380C81C6E529500F1A4B6 /* si-92-sectrust-homekit.h */; }; D4273AA61B5D54E70007D67B /* nameconstraints.c in Sources */ = {isa = PBXBuildFile; fileRef = D4273AA21B5D54CA0007D67B /* nameconstraints.c */; }; D445CDE11B44D53C005040AC /* si-84-sectrust-atv-appsigning.c in Sources */ = {isa = PBXBuildFile; fileRef = D445CDDF1B44D372005040AC /* si-84-sectrust-atv-appsigning.c */; }; D4B4A9A81B8BB9B70097B393 /* si-85-sectrust-ssl-policy.c in Sources */ = {isa = PBXBuildFile; fileRef = D4B4A9A61B8801960097B393 /* si-85-sectrust-ssl-policy.c */; }; 
@@ -997,6 +999,8 @@ CDF9BBE01B03E24D00D1AF0F /* secd-52-offering-gencount-reset.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "secd-52-offering-gencount-reset.c"; sourceTree = ""; }; D40294A71C20A806008CE4B6 /* si-91-sectrust-ast2.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-91-sectrust-ast2.c"; sourceTree = ""; }; D40294A81C20A806008CE4B6 /* si-91-sectrust-ast2.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "si-91-sectrust-ast2.h"; sourceTree = ""; }; + D41380C71C6E529500F1A4B6 /* si-92-sectrust-homekit.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-92-sectrust-homekit.c"; sourceTree = ""; }; + D41380C81C6E529500F1A4B6 /* si-92-sectrust-homekit.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "si-92-sectrust-homekit.h"; sourceTree = ""; }; D4273AA21B5D54CA0007D67B /* nameconstraints.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = nameconstraints.c; sourceTree = ""; }; D4273AA31B5D54CA0007D67B /* nameconstraints.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = nameconstraints.h; sourceTree = ""; }; D445CDDF1B44D372005040AC /* si-84-sectrust-atv-appsigning.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-84-sectrust-atv-appsigning.c"; sourceTree = ""; }; @@ -1614,6 +1618,8 @@ EB69AB051BF425F300913AF1 /* si-90-emcs.m */, D40294A71C20A806008CE4B6 /* si-91-sectrust-ast2.c */, D40294A81C20A806008CE4B6 /* si-91-sectrust-ast2.h */, + D41380C71C6E529500F1A4B6 /* si-92-sectrust-homekit.c */, + D41380C81C6E529500F1A4B6 /* si-92-sectrust-homekit.h */, ); name = secitem; path = Regressions/secitem; 
@@ -2212,6 +2218,7 @@ 4CC92A9B15A3ABD400C6D578 /* UTN-USERFirst-Hardware.cer.h in Headers */, 4CC92A9C15A3ABD400C6D578 /* addons.mozilla.org.cer.h in Headers */, 4CC92A9D15A3ABD400C6D578 /* login.live.com.cer.h in Headers */, + D41380CA1C6E529500F1A4B6 /* si-92-sectrust-homekit.h in Headers */, 4CC92A9E15A3ABD400C6D578 /* login.skype.com.cer.h in Headers */, 4CC92A9F15A3ABD400C6D578 /* login.yahoo.com.1.cer.h in Headers */, 4CC92AA015A3ABD400C6D578 /* login.yahoo.com.2.cer.h in Headers */, @@ -2919,6 +2926,7 @@ 4CC92A7515A3ABD400C6D578 /* si-24-sectrust-mobileasset.c in Sources */, 4477A8D918F28AB700B5BB9F /* si-78-query-attrs.c in Sources */, 4CC92A7615A3ABD400C6D578 /* si-24-sectrust-nist.c in Sources */, + D41380C91C6E529500F1A4B6 /* si-92-sectrust-homekit.c in Sources */, 4CC92A7715A3ABD400C6D578 /* si-24-sectrust-otatasking.c in Sources */, 4CC92A7815A3ABD400C6D578 /* si-24-sectrust-shoebox.c in Sources */, EB8F48DD1AE4CC7000CE93A7 /* si-25-sectrust-apple-authentication.c in Sources */, diff --git a/OSX/sec/securityd/SecItemDb.c b/OSX/sec/securityd/SecItemDb.c index 9a4f8667..312fb076 100644 --- a/OSX/sec/securityd/SecItemDb.c +++ b/OSX/sec/securityd/SecItemDb.c @@ -1036,7 +1036,7 @@ static bool SecItemIsSystemBound(CFDictionaryRef item, const SecDbClass *cls, bo } } - if (multiUser && CFEqual(agrp, CFSTR("com.apple.apsd"))) { + if (multiUser && CFEqual(agrp, CFSTR("com.apple.apsd")) && cls == &genp_class) { static CFStringRef pushServices[] = { CFSTR("push.apple.com"), CFSTR("push.apple.com,PerAppToken.v0"), 
@@ -1050,22 +1050,64 @@ static bool SecItemIsSystemBound(CFDictionaryRef item, const SecDbClass *cls, bo } } - if (multiUser && CFEqual(agrp, CFSTR("apple"))) { + if (multiUser && CFEqual(agrp, CFSTR("apple")) && cls == &genp_class) { static CFStringRef acountServices[] = { CFSTR("com.apple.account.AppleAccount.token"), CFSTR("com.apple.account.AppleAccount.password"), CFSTR("com.apple.account.AppleAccount.rpassword"), CFSTR("com.apple.account.idms.token"), + CFSTR("com.apple.account.idms.heartbeat-token"), CFSTR("com.apple.account.idms.continuation-key"), CFSTR("com.apple.account.CloudKit.token"), + CFSTR("com.apple.account.IdentityServices.password"), /* accountsd for ids */ + CFSTR("com.apple.account.IdentityServices.rpassword"), + CFSTR("com.apple.account.IdentityServices.token"), + CFSTR("BackupIDSAccountToken"), + CFSTR("com.apple.ids"), + CFSTR("ids"), + CFSTR("IDS"), NULL }; CFStringRef service = CFDictionaryGetValue(item, kSecAttrService); if (isString(service) && matchAnyString(service, acountServices)) { - secdebug("backup", "found sys_bound item: %@", item); + secdebug("backup", "found exact sys_bound item: %@", item); return true; } + if (isString(service) && CFEqual(service, CFSTR("com.apple.facetime"))) { + CFStringRef account = CFDictionaryGetValue(item, kSecAttrAccount); + if (isString(account) && CFEqual(account, CFSTR("registrationV1"))) { + secdebug("backup", "found exact sys_bound item: %@", item); + return true; + } + } + } + + if (multiUser && CFEqual(agrp, CFSTR("ichat")) && cls == &genp_class) { + static CFStringRef acountServices[] = { + CFSTR("ids"), + NULL + }; + CFStringRef service = CFDictionaryGetValue(item, kSecAttrService); + + if (isString(service) && matchAnyString(service, acountServices)) { + secdebug("backup", "found exact sys_bound item: %@", item); + return true; + } + } + + if (multiUser && CFEqual(agrp, CFSTR("ichat")) && cls == &keys_class) { + static CFStringRef exactMatchingLabel[] = { + CFSTR("iMessage Encryption Key"), 
+ CFSTR("iMessage Signing Key"), + }; + CFStringRef label = CFDictionaryGetValue(item, kSecAttrLabel); + if (isString(label)) { + if (matchAnyString(label, exactMatchingLabel)) { + secdebug("backup", "found exact sys_bound item: %@", item); + return true; + } + } } @@ -1078,9 +1120,9 @@ static bool SecItemIsSystemBound(CFDictionaryRef item, const SecDbClass *cls, bo access group, this ensures that an import or restore of a backup will never overwrite an existing activation record. */ static bool SecServerDeleteAll(SecDbConnectionRef dbt, CFErrorRef *error) { - return kc_transaction(dbt, error, ^{ + secwarning("SecServerDeleteAll"); - secwarning("SecServerDeleteAll"); + return kc_transaction(dbt, error, ^{ bool ok = (SecDbExec(dbt, CFSTR("DELETE from genp;"), error) && SecDbExec(dbt, CFSTR("DELETE from inet;"), error) && @@ -1095,12 +1137,21 @@ static bool SecServerDeleteAll(SecDbConnectionRef dbt, CFErrorRef *error) { static bool DeleteAllFromTableForMUSRView(SecDbConnectionRef dbt, CFStringRef sql, CFDataRef musr, + bool keepU, CFErrorRef *error) { sqlite3_stmt *stmt = NULL; + CFStringRef sql2 = NULL; bool ok = false; + + if (keepU) { + sql2 = CFStringCreateWithFormat(NULL, NULL, CFSTR("%@ AND pdmn NOT IN ('aku','akpu','cku','dku')"), sql); + } else { + sql2 = CFRetain(sql); + } + require(sql2, fail); - stmt = SecDbCopyStmt(dbt, sql, NULL, error); + stmt = SecDbCopyStmt(dbt, sql2, NULL, error); require(stmt, fail); ok = SecDbBindObject(stmt, 1, musr, error); 
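Review bot: `exactMatchingLabel` in the new `keys_class` block is not NULL-terminated, unlike every other array this function hands to `matchAnyString` (`pushServices` and both `acountServices` arrays end with `NULL`), so `matchAnyString(label, exactMatchingLabel)` walks past the two entries into whatever follows in rodata and passes it to CFEqual — undefined behaviour in securityd's backup path, triggered by any `ichat` key item with a non-matching label. Add the terminator: `CFSTR("iMessage Signing Key"), NULL };`. `matchAnyString` itself is outside the diff, so this assumes it stops on NULL as the other call sites imply.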
@@ -1113,20 +1164,24 @@ fail: if (stmt) { ok = SecDbFinalize(stmt, error); } + if (!ok) + secwarning("DeleteAllFromTableForMUSRView failed for %@ for musr: %@: %@", sql2, musr, error ? *error : NULL); + + CFReleaseNull(sql2); return ok; } -bool SecServerDeleteAllForUser(SecDbConnectionRef dbt, CFDataRef musrView, CFErrorRef *error) { +bool SecServerDeleteAllForUser(SecDbConnectionRef dbt, CFDataRef musrView, bool keepU, CFErrorRef *error) { + secwarning("SecServerDeleteAllForUser for user: %@ keepU %s", musrView, keepU ? "yes" : "no"); + return kc_transaction(dbt, error, ^{ bool ok; - secwarning("SecServerDeleteAllForUser for user: %@", musrView); - - ok = (DeleteAllFromTableForMUSRView(dbt, CFSTR("DELETE FROM genp WHERE musr = ?"), musrView, error) && - DeleteAllFromTableForMUSRView(dbt, CFSTR("DELETE FROM inet WHERE musr = ?"), musrView, error) && - DeleteAllFromTableForMUSRView(dbt, CFSTR("DELETE FROM cert WHERE musr = ?"), musrView, error) && - DeleteAllFromTableForMUSRView(dbt, CFSTR("DELETE FROM keys WHERE musr = ?"), musrView, error)); + ok = (DeleteAllFromTableForMUSRView(dbt, CFSTR("DELETE FROM genp WHERE musr = ?"), musrView, keepU, error) && + DeleteAllFromTableForMUSRView(dbt, CFSTR("DELETE FROM inet WHERE musr = ?"), musrView, keepU, error) && + DeleteAllFromTableForMUSRView(dbt, CFSTR("DELETE FROM cert WHERE musr = ?"), musrView, keepU, error) && + DeleteAllFromTableForMUSRView(dbt, CFSTR("DELETE FROM keys WHERE musr = ?"), musrView, keepU, error)); return ok; }); @@ -1239,8 +1294,10 @@ SecServerCopyKeychainPlist(SecDbConnectionRef dbt, unsigned class_ix; bool inMultiUser = false; Query q = { .q_keybag = src_keybag }; - q.q_return_type = kSecReturnDataMask | kSecReturnAttributesMask | \ - kSecReturnPersistentRefMask; + q.q_return_type = + kSecReturnDataMask | + kSecReturnAttributesMask | + kSecReturnPersistentRefMask; q.q_limit = kSecMatchUnlimited; q.q_skip_acl_items = true; 
@@ -1341,12 +1398,34 @@ SecServerImportItem(const void *value, void *context) secdebug("item", "Import Item : %@", dict); - /* We don't filter non sys_bound items during import since we know we - will never have any in this case, we use the kSecSysBoundItemFilter - to indicate that we don't preserve rowid's during import instead. */ - if (state->s->filter == kSecBackupableItemFilter && - SecItemIsSystemBound(dict, state->class, inMultiUser)) - return; + /* We use the kSecSysBoundItemFilte to indicate that we don't + * preserve rowid's during import. + */ + if (state->s->filter == kSecBackupableItemFilter) { + CFTypeRef pdmu; + + /* We don't filter non sys_bound items during import since we know we + * will never have any in this case. + */ + if (SecItemIsSystemBound(dict, state->class, inMultiUser)) + return; + + /* + * Don't bother with u items when in edu mode since our current backup system + * don't keep track of items that blongs to the device (u) but rather just + * merge them into one blob. + */ + if (inMultiUser && (pdmu = CFDictionaryGetValue(dict, kSecAttrAccessible))) { + if (CFEqual(pdmu, kSecAttrAccessibleWhenUnlockedThisDeviceOnly) || + CFEqual(pdmu, kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly) || + CFEqual(pdmu, kSecAttrAccessibleWhenUnlockedThisDeviceOnly) || + CFEqual(pdmu, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly)) + { + secdebug("item", "Skipping KU item : %@", dict); + return; + } + } + } SecDbItemRef item; @@ -1401,7 +1480,7 @@ SecServerImportItem(const void *value, void *context) */ if (item) { - bool insertStatus; + bool insertStatus; if(state->s->filter != kSecSysBoundItemFilter) { SecDbItemExtractRowIdFromBackupDictionary(item, dict, &state->s->error); 
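Review bot: The accessibility filter added to `SecServerImportItem` compares against `kSecAttrAccessibleWhenUnlockedThisDeviceOnly` twice and never against `kSecAttrAccessibleAlwaysThisDeviceOnly`, so a `dku` item from the backup is still imported even though `SecServerDeleteAllForUser(..., keepU=true, ...)` in this commit deliberately preserved the device's existing `dku` rows via `NOT IN ('aku','akpu','cku','dku')`. The duplicate reads as a copy-paste standing in for the missing class; change the third comparison to `CFEqual(pdmu, kSecAttrAccessibleAlwaysThisDeviceOnly) ||`. The new comment above it also has typos (`kSecSysBoundItemFilte`, `blongs`, `don't keep track`) worth fixing while there.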
@@ -1447,7 +1526,11 @@ static void SecServerImportClass(const void *key, const void *value, return; } const SecDbClass *class = kc_class_with_name(key); - if (!class || class == &identity_class) { + if (!class) { + secwarning("Ignoring unknown key class '%@'", key); + return; + } + if (class == &identity_class) { SecError(errSecParam, &state->error, CFSTR("attempt to import an identity")); return; } @@ -1456,11 +1539,15 @@ static void SecServerImportClass(const void *key, const void *value, }; if (isArray(value)) { CFArrayRef items = (CFArrayRef)value; + secwarning("Import %ld items of class %@ (filter %d)", (long)CFArrayGetCount(items), key, state->filter); CFArrayApplyFunction(items, CFRangeMake(0, CFArrayGetCount(items)), SecServerImportItem, &item_state); - } else { + } else if (isDictionary(value)) { CFDictionaryRef item = (CFDictionaryRef)value; + secwarning("Import %ld items of class %@ (filter %d)", (long)CFDictionaryGetCount(item), key, state->filter); SecServerImportItem(item, &item_state); + } else { + secwarning("Unknown value type for class %@ (filter %d)", key, state->filter); } } @@ -1483,7 +1570,7 @@ bool SecServerImportKeychainInPlist(SecDbConnectionRef dbt, SecurityClient *clie if (client->inMultiUser) { CFDataRef musrView = SecMUSRCreateActiveUserUUID(client->uid); require_action(musrView, errOut, ok = false); - require_action(ok = SecServerDeleteAllForUser(dbt, musrView, error), errOut, CFReleaseNull(musrView)); + require_action(ok = SecServerDeleteAllForUser(dbt, musrView, true, error), errOut, CFReleaseNull(musrView)); CFReleaseNull(musrView); } else #endif 
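Review bot: The new `isDictionary` branch logs `CFDictionaryGetCount(item)` under the message `Import %ld items of class %@`, but for a single-item dictionary that count is the number of attributes, not items, so the log misreports; use `secwarning("Import 1 item of class %@ (filter %d)", key, state->filter);` there. The `Ignoring unknown key class` change is a sensible hardening — an unexpected class in a restored plist no longer aborts the whole import — but the identity-class rejection now depends on that early return, so keep the two checks in this order if the block is touched again.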
@@ -1499,12 +1586,14 @@ bool SecServerImportKeychainInPlist(SecDbConnectionRef dbt, SecurityClient *clie .filter = filter, }; /* Import the provided items, preserving rowids. */ + secwarning("Restoring backup items '%ld'", (long)CFDictionaryGetCount(keychain)); CFDictionaryApplyFunction(keychain, SecServerImportClass, &state); if (sys_bound) { state.src_keybag = KEYBAG_NONE; /* Import the items we preserved with random rowids. */ state.filter = kSecSysBoundItemFilter; + secwarning("Restoring sysbound items '%ld'", (long)CFDictionaryGetCount(sys_bound)); CFDictionaryApplyFunction(sys_bound, SecServerImportClass, &state); } if (state.error) { diff --git a/OSX/sec/securityd/SecItemDb.h b/OSX/sec/securityd/SecItemDb.h index 86ed675e..139f8a58 100644 --- a/OSX/sec/securityd/SecItemDb.h +++ b/OSX/sec/securityd/SecItemDb.h @@ -127,7 +127,7 @@ bool SecServerImportKeychainInPlist(SecDbConnectionRef dbt, CFErrorRef *error); #if TARGET_OS_IPHONE -bool SecServerDeleteAllForUser(SecDbConnectionRef dbt, CFDataRef musrView, CFErrorRef *error); +bool SecServerDeleteAllForUser(SecDbConnectionRef dbt, CFDataRef musrView, bool keepU, CFErrorRef *error); #endif bool kc_transaction(SecDbConnectionRef dbt, CFErrorRef *error, bool(^perform)()); diff --git a/OSX/sec/securityd/SecItemServer.c b/OSX/sec/securityd/SecItemServer.c index 86448f4f..7527b7c9 100644 --- a/OSX/sec/securityd/SecItemServer.c +++ b/OSX/sec/securityd/SecItemServer.c @@ -63,7 +63,7 @@ #include #include "swcagent_client.h" -#if TARGET_OS_IPHONE && !TARGET_OS_NANO +#if TARGET_OS_IPHONE && !TARGET_OS_WATCH #include #include @@ -1119,7 +1119,9 @@ _SecItemUpdate(CFDictionaryRef query, CFDictionaryRef attributesToUpdate, } if (ok) { ok = kc_with_dbt(true, error, ^(SecDbConnectionRef dbt) { - return s3dl_query_update(dbt, q, attributesToUpdate, accessGroups, error); + return kc_transaction(dbt, error, ^{ + return s3dl_query_update(dbt, q, attributesToUpdate, accessGroups, error); + }); }); } if (q) { 
@@ -1178,7 +1180,9 @@ _SecItemDelete(CFDictionaryRef query, SecurityClient *client, CFErrorRef *error) ok = SecError(errSecItemIllegalQuery, error, CFSTR("rowid and other attributes are mutually exclusive")); } else { ok = kc_with_dbt(true, error, ^(SecDbConnectionRef dbt) { - return s3dl_query_delete(dbt, q, accessGroups, error); + return kc_transaction(dbt, error, ^{ + return s3dl_query_delete(dbt, q, accessGroups, error); + }); }); } ok = query_notify_and_destroy(q, ok, error); @@ -1341,7 +1345,7 @@ _SecEntitlementContainsDomainForService(CFArrayRef domains, CFStringRef domain, #endif static bool -_SecAddNegativeWebCredential(CFStringRef fqdn, CFStringRef appID, bool forSafari) +_SecAddNegativeWebCredential(SecurityClient *client, CFStringRef fqdn, CFStringRef appID, bool forSafari) { bool result = false; if (!fqdn) { return result; } @@ -1377,12 +1381,13 @@ _SecAddNegativeWebCredential(CFStringRef fqdn, CFStringRef appID, bool forSafari CFErrorRef error = NULL; CFStringRef accessGroup = CFSTR("*"); - SecurityClient client = { + SecurityClient swcclient = { .task = NULL, .accessGroups = CFArrayCreate(kCFAllocatorDefault, (const void **)&accessGroup, 1, &kCFTypeArrayCallBacks), .allowSystemKeychain = false, .allowSyncBubbleKeychain = false, .isNetworkExtension = false, + .musr = client->musr, }; CFDictionaryAddValue(attrs, kSecClass, kSecClassInternetPassword); @@ -1392,7 +1397,7 @@ _SecAddNegativeWebCredential(CFStringRef fqdn, CFStringRef appID, bool forSafari CFDictionaryAddValue(attrs, kSecAttrServer, fqdn); CFDictionaryAddValue(attrs, kSecAttrSynchronizable, kCFBooleanTrue); - (void)_SecItemDelete(attrs, &client, &error); + (void)_SecItemDelete(attrs, &swcclient, &error); CFReleaseNull(error); CFDictionaryAddValue(attrs, kSecAttrAccount, kSecSafariPasswordsNotSaved); 
@@ -1413,12 +1418,12 @@ _SecAddNegativeWebCredential(CFStringRef fqdn, CFStringRef appID, bool forSafari } CFTypeRef addResult = NULL; - result = _SecItemAdd(attrs, &client, &addResult, &error); + result = _SecItemAdd(attrs, &swcclient, &addResult, &error); CFReleaseSafe(addResult); CFReleaseSafe(error); CFReleaseSafe(attrs); - CFReleaseSafe(client.accessGroups); + CFReleaseSafe(swcclient.accessGroups); return result; } @@ -1426,26 +1431,23 @@ _SecAddNegativeWebCredential(CFStringRef fqdn, CFStringRef appID, bool forSafari /* Specialized version of SecItemAdd for shared web credentials */ bool _SecAddSharedWebCredential(CFDictionaryRef attributes, - const audit_token_t *clientAuditToken, - CFStringRef appID, - CFArrayRef domains, - CFTypeRef *result, - CFErrorRef *error) { + SecurityClient *client, + const audit_token_t *clientAuditToken, + CFStringRef appID, + CFArrayRef domains, + CFTypeRef *result, + CFErrorRef *error) +{ - SecurityClient client = {}; + SecurityClient swcclient = {}; CFStringRef fqdn = CFRetainSafe(CFDictionaryGetValue(attributes, kSecAttrServer)); - CFStringRef account = CFRetainSafe(CFDictionaryGetValue(attributes, kSecAttrAccount)); -#if TARGET_OS_IPHONE && !TARGET_OS_WATCH - CFStringRef password = CFRetainSafe(CFDictionaryGetValue(attributes, kSecSharedPassword)); -#else - CFStringRef password = CFRetainSafe(CFDictionaryGetValue(attributes, CFSTR("spwd"))); -#endif + CFStringRef account = CFDictionaryGetValue(attributes, kSecAttrAccount); + CFStringRef password = CFDictionaryGetValue(attributes, CFSTR("spwd") /* kSecSharedPassword */); CFStringRef accessGroup = CFSTR("*"); CFMutableDictionaryRef query = NULL, attrs = NULL; SInt32 port = -1; - bool ok = false, update = false; - //bool approved = false; + bool ok = false; // check autofill enabled status if (!swca_autofill_enabled(clientAuditToken)) { 
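Review bot: In the rewritten prologue of `_SecAddSharedWebCredential`, `account` and `password` are now borrowed straight out of the client-supplied `attributes` dictionary with no `isString` check visible in the hunk, and `password` is later handed to `CFStringCreateExternalRepresentation` in the update branch; since this runs inside securityd on an XPC-supplied dictionary, a non-string value would be a client-triggerable type confusion unless it is validated further down the function, which is outside this hunk. If no such check exists, add `if (password && !isString(password)) { ok = SecError(errSecParam, error, CFSTR("spwd must be a string")); goto cleanup; }` immediately after the lookups, and the equivalent for `account`. Dropping the `CFRetainSafe` calls is fine as long as `attributes` outlives the call, which the XPC handler appears to guarantee by holding `query` for the duration.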
@@ -1509,18 +1511,19 @@ _SecAddSharedWebCredential(CFDictionaryRef attributes, #else // get approval status for this app/domain pair SWCFlags flags = _SecAppDomainApprovalStatus(appID, fqdn, error); - //approved = ((flags & kSWCFlag_SiteApproved) && (flags & kSWCFlag_UserApproved)); if (!(flags & kSWCFlag_SiteApproved)) { goto cleanup; } #endif // give ourselves access to see matching items for kSecSafariAccessGroup - client.task = NULL; - client.accessGroups = CFArrayCreate(kCFAllocatorDefault, (const void **)&accessGroup, 1, &kCFTypeArrayCallBacks); - client.allowSystemKeychain = false; - client.allowSyncBubbleKeychain = false; - client.isNetworkExtension = false; + swcclient.task = NULL; + swcclient.accessGroups = CFArrayCreate(kCFAllocatorDefault, (const void **)&accessGroup, 1, &kCFTypeArrayCallBacks); + swcclient.allowSystemKeychain = false; + swcclient.musr = client->musr; + swcclient.allowSystemKeychain = false; + swcclient.allowSyncBubbleKeychain = false; + swcclient.isNetworkExtension = false; // create lookup query @@ -1537,7 +1540,7 @@ _SecAddSharedWebCredential(CFDictionaryRef attributes, // check for presence of Safari's negative entry ('passwords not saved') CFDictionarySetValue(query, kSecAttrAccount, kSecSafariPasswordsNotSaved); - ok = _SecItemCopyMatching(query, &client, result, error); + ok = _SecItemCopyMatching(query, &swcclient, result, error); if(result) CFReleaseNull(*result); CFReleaseNull(*error); if (ok) { 
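Review bot: `swcclient.allowSystemKeychain = false;` is assigned twice in the rewritten initialisation, once before and once after `swcclient.musr = client->musr;`; drop the first copy so the block reads as one field-per-line sequence. The `client->musr` read itself has no NULL check, and the library-side caller changed in this commit passes `NULL` on its currently disabled `internal_spi` path, so `swcclient.musr = client ? client->musr : NULL;` would make the server side robust to that caller without changing behaviour for the XPC path, which always supplies a stack `client`.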
@@ -1555,11 +1558,11 @@ _SecAddSharedWebCredential(CFDictionaryRef attributes, } // look up existing password - if (_SecItemCopyMatching(query, &client, result, error)) { + if (_SecItemCopyMatching(query, &swcclient, result, error)) { // found it, so this becomes either an "update password" or "delete password" operation if(result) CFReleaseNull(*result); CFReleaseNull(*error); - update = (password != NULL); + bool update = (password != NULL); if (update) { attrs = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); CFDataRef credential = CFStringCreateExternalRepresentation(kCFAllocatorDefault, password, kCFStringEncodingUTF8, 0); @@ -1570,18 +1573,18 @@ _SecAddSharedWebCredential(CFDictionaryRef attributes, // confirm the update // (per rdar://16676310 we always prompt, even if there was prior user approval) ok = /*approved ||*/ swca_confirm_operation(swca_update_request_id, clientAuditToken, query, error, - ^void (CFStringRef fqdn) { _SecAddNegativeWebCredential(fqdn, appID, false); }); + ^void (CFStringRef fqdn) { _SecAddNegativeWebCredential(client, fqdn, appID, false); }); if (ok) { - ok = _SecItemUpdate(query, attrs, &client, error); + ok = _SecItemUpdate(query, attrs, &swcclient, error); } } else { // confirm the delete // (per rdar://16676288 we always prompt, even if there was prior user approval) ok = /*approved ||*/ swca_confirm_operation(swca_delete_request_id, clientAuditToken, query, error, - ^void (CFStringRef fqdn) { _SecAddNegativeWebCredential(fqdn, appID, false); }); + ^void (CFStringRef fqdn) { _SecAddNegativeWebCredential(client, fqdn, appID, false); }); if (ok) { - ok = _SecItemDelete(query, &client, error); + ok = _SecItemDelete(query, &swcclient, error); } } if (ok) { 
@@ -1612,8 +1615,8 @@ _SecAddSharedWebCredential(CFDictionaryRef attributes, CFReleaseSafe(credential); CFDictionarySetValue(query, kSecAttrComment, kSecSafariDefaultComment); - CFReleaseSafe(client.accessGroups); - client.accessGroups = CFArrayCreate(kCFAllocatorDefault, (const void **)&kSecSafariAccessGroup, 1, &kCFTypeArrayCallBacks); + CFReleaseSafe(swcclient.accessGroups); + swcclient.accessGroups = CFArrayCreate(kCFAllocatorDefault, (const void **)&kSecSafariAccessGroup, 1, &kCFTypeArrayCallBacks); // mark the item as created by this function const int32_t creator_value = 'swca'; 
@@ -1627,41 +1630,31 @@ _SecAddSharedWebCredential(CFDictionaryRef attributes, // confirm the add // (per rdar://16680019, we won't prompt here in the normal case) ok = /*approved ||*/ swca_confirm_operation(swca_add_request_id, clientAuditToken, query, error, - ^void (CFStringRef fqdn) { _SecAddNegativeWebCredential(fqdn, appID, false); }); + ^void (CFStringRef fqdn) { _SecAddNegativeWebCredential(client, fqdn, appID, false); }); } } if (ok) { - ok = _SecItemAdd(query, &client, result, error); + ok = _SecItemAdd(query, &swcclient, result, error); } cleanup: -#if 0 /* debugging */ -{ - const char *op_str = (password) ? ((update) ? "updated" : "added") : "deleted"; - const char *result_str = (ok) ? "true" : "false"; - secerror("result=%s, %s item %@, error=%@", result_str, op_str, *result, *error); -} -#else - (void)update; -#endif CFReleaseSafe(attrs); CFReleaseSafe(query); - CFReleaseSafe(client.accessGroups); + CFReleaseSafe(swcclient.accessGroups); CFReleaseSafe(fqdn); - CFReleaseSafe(account); - CFReleaseSafe(password); return ok; } /* Specialized version of SecItemCopyMatching for shared web credentials */ bool _SecCopySharedWebCredential(CFDictionaryRef query, - const audit_token_t *clientAuditToken, - CFStringRef appID, - CFArrayRef domains, - CFTypeRef *result, - CFErrorRef *error) { - + SecurityClient *client, + const audit_token_t *clientAuditToken, + CFStringRef appID, + CFArrayRef domains, + CFTypeRef *result, + CFErrorRef *error) +{ CFMutableArrayRef credentials = NULL; CFMutableArrayRef foundItems = NULL; CFMutableArrayRef fqdns = NULL; 
@@ -1678,12 +1671,13 @@ _SecCopySharedWebCredential(CFDictionaryRef query, // give ourselves access to see matching items for kSecSafariAccessGroup CFStringRef accessGroup = CFSTR("*"); - SecurityClient client = { + SecurityClient swcclient = { .task = NULL, .accessGroups = CFArrayCreate(kCFAllocatorDefault, (const void **)&accessGroup, 1, &kCFTypeArrayCallBacks), .allowSystemKeychain = false, .allowSyncBubbleKeychain = false, .isNetworkExtension = false, + .musr = client->musr, }; // On input, the query dictionary contains optional fqdn and account entries. @@ -1749,9 +1743,9 @@ _SecCopySharedWebCredential(CFDictionaryRef query, } } - #if TARGET_IPHONE_SIMULATOR +#if TARGET_IPHONE_SIMULATOR secerror("app/site association entitlements not checked in Simulator"); - #else +#else OSStatus status = errSecMissingEntitlement; if (!appID) { SecError(status, error, CFSTR("Missing application-identifier entitlement")); @@ -1773,7 +1767,7 @@ _SecCopySharedWebCredential(CFDictionaryRef query, CFReleaseSafe(fqdn); goto cleanup; } - #endif +#endif attrs = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); if (!attrs) { @@ -1799,7 +1793,7 @@ _SecCopySharedWebCredential(CFDictionaryRef query, CFDictionaryAddValue(attrs, kSecReturnAttributes, kCFBooleanTrue); CFDictionaryAddValue(attrs, kSecReturnData, kCFBooleanTrue); - ok = _SecItemCopyMatching(attrs, &client, (CFTypeRef*)&items, error); + ok = _SecItemCopyMatching(attrs, &swcclient, (CFTypeRef*)&items, error); if (count > 1) { // ignore interim error since we have multiple domains to search CFReleaseNull(*error); 
@@ -1932,11 +1926,6 @@ _SecCopySharedWebCredential(CFDictionaryRef query, CFArrayAppendValue(credentials, selected); } -#if 0 - // confirm the access - ok = swca_confirm_operation(swca_copy_request_id, clientAuditToken, query, error, - ^void (CFStringRef fqdn) { _SecAddNegativeWebCredential(fqdn, appID, false); }); -#endif if (ok) { #if TARGET_OS_IPHONE && !TARGET_OS_WATCH // register confirmation with database @@ -1975,11 +1964,9 @@ cleanup: } CFReleaseSafe(foundItems); *result = credentials; - CFReleaseSafe(client.accessGroups); + CFReleaseSafe(swcclient.accessGroups); CFReleaseSafe(fqdns); -#if 0 /* debugging */ - secerror("result=%s, copied items %@, error=%@", (ok) ? "true" : "false", *result, *error); -#endif + return ok; } @@ -2667,7 +2654,7 @@ _SecServerTransmogrifyToSystemKeychain(SecurityClient *client, CFErrorRef *error } /* - * Migrate from user keychain to system keychain when switching to edu mode + * Delete account from local usage */ bool @@ -2683,8 +2670,8 @@ _SecServerDeleteMUSERViews(SecurityClient *client, uid_t uid, CFErrorRef *error) musrView = SecMUSRCreateActiveUserUUID(uid); require(musrView, fail); - require(ok = SecServerDeleteAllForUser(dbt, syncBubbleView, error), fail); - require(ok = SecServerDeleteAllForUser(dbt, musrView, error), fail); + require(ok = SecServerDeleteAllForUser(dbt, syncBubbleView, false, error), fail); + require(ok = SecServerDeleteAllForUser(dbt, musrView, false, error), fail); fail: CFReleaseNull(syncBubbleView); diff --git a/OSX/sec/securityd/SecItemServer.h b/OSX/sec/securityd/SecItemServer.h index 4bc57b94..5ec10c7a 100644 --- a/OSX/sec/securityd/SecItemServer.h +++ b/OSX/sec/securityd/SecItemServer.h 
@@ -64,8 +64,8 @@ bool _SecServerTransmogrifyToSyncBubble(CFArrayRef services, uid_t uid, Security bool _SecServerDeleteMUSERViews(SecurityClient *client, uid_t uid, CFErrorRef *error); #endif -bool _SecAddSharedWebCredential(CFDictionaryRef attributes, const audit_token_t *clientAuditToken, CFStringRef appID, CFArrayRef domains, CFTypeRef *result, CFErrorRef *error); -bool _SecCopySharedWebCredential(CFDictionaryRef query, const audit_token_t *clientAuditToken, CFStringRef appID, CFArrayRef domains, CFTypeRef *result, CFErrorRef *error); +bool _SecAddSharedWebCredential(CFDictionaryRef attributes, SecurityClient *client, const audit_token_t *clientAuditToken, CFStringRef appID, CFArrayRef domains, CFTypeRef *result, CFErrorRef *error); +bool _SecCopySharedWebCredential(CFDictionaryRef query, SecurityClient *client, const audit_token_t *clientAuditToken, CFStringRef appID, CFArrayRef domains, CFTypeRef *result, CFErrorRef *error); // Hack to log objects from inside SOS code void SecItemServerAppendItemDescription(CFMutableStringRef desc, CFDictionaryRef object); diff --git a/OSX/sec/securityd/SecPolicyServer.c b/OSX/sec/securityd/SecPolicyServer.c index 46257024..9bad034c 100644 --- a/OSX/sec/securityd/SecPolicyServer.c +++ b/OSX/sec/securityd/SecPolicyServer.c @@ -2203,7 +2203,7 @@ static CFStringRef get_valid_sct_operator(CFDataRef sct, int entry_type, CFDataR q = SSLEncodeUint16(q, extensionsLen); memcpy(q, extensionsData, extensionsLen); - CFDataRef logIDData = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, logID, 32, NULL); + CFDataRef logIDData = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, logID, 32, kCFAllocatorNull); CFDictionaryRef logData = CFArrayGetValueMatching(trustedLogs, ^bool(const void *dict) { const void *key_data; 
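Review bot: In the `@@ -2203,7 +2203,7 @@` hunk of SecPolicyServer.c the length `32` passed to `CFDataCreateWithBytesNoCopy` is a bare magic number; a file-static constant (constructed name, e.g. `kSCTLogIDLength`) with a comment that an RFC 6962 log ID is the 32-byte SHA-256 of the log's public key would make the lookup self-documenting. With `kCFAllocatorNull` the new `logIDData` only borrows the `logID` buffer, so a short comment such as `/* wraps logID without copying; must not outlive sct */` at the creation site would make the ownership obvious to the next reader, since the release added in the following hunk is the only thing keeping this correct. `get_valid_sct_operator` starts before the hunk, so where `logID` points into `sct` cannot be confirmed from here.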
@@ -2215,6 +2215,7 @@ static CFStringRef get_valid_sct_operator(CFDataRef sct, int entry_type, CFDataR CFReleaseSafe(valueID); return result; }); + CFReleaseSafe(logIDData); require(logData, out); /* If an expiry date is specified, and is a valid CFDate, then we check it against issuanceTime or verifyTime */ @@ -2290,8 +2291,8 @@ static CFArrayRef copy_ocsp_scts(SecPVCRef pvc) } SecOCSPSingleResponseDestroy(ocspSingleResponse); } - SecOCSPResponseFinalize(ocspResponse); } + if(ocspResponse) SecOCSPResponseFinalize(ocspResponse); }); if(CFArrayGetCount(SCTs)==0) { diff --git a/OSX/sec/securityd/SecTrustServer.c b/OSX/sec/securityd/SecTrustServer.c index e3e17cb6..a499b047 100644 --- a/OSX/sec/securityd/SecTrustServer.c +++ b/OSX/sec/securityd/SecTrustServer.c @@ -705,7 +705,11 @@ static void SecPathBuilderInit(SecPathBuilderRef builder, builder->nextParentSource = 1; builder->considerPartials = false; +#if !TARGET_OS_WATCH builder->canAccessNetwork = true; +#else + builder->canAccessNetwork = false; +#endif builder->anchorSources = CFArrayCreateMutable(allocator, 0, NULL); builder->parentSources = CFArrayCreateMutable(allocator, 0, NULL); @@ -750,7 +754,9 @@ static void SecPathBuilderInit(SecPathBuilderRef builder, CFArrayAppendValue(builder->anchorSources, &kSecSystemAnchorSource); CFArrayAppendValue(builder->anchorSources, &kSecUserAnchorSource); } - CFArrayAppendValue(builder->parentSources, &kSecCAIssuerSource); + if (builder->canAccessNetwork) { + CFArrayAppendValue(builder->parentSources, &kSecCAIssuerSource); + } /* Now let's get the leaf cert and turn it into a path. */ SecCertificateRef leaf = @@ -813,6 +819,9 @@ static void SecPathBuilderDestroy(SecPathBuilderRef builder) { CFReleaseSafe(builder->rejectedPaths); CFReleaseSafe(builder->candidatePaths); CFReleaseSafe(builder->leafDetails); + CFReleaseSafe(builder->ocspResponses); + CFReleaseSafe(builder->signedCertificateTimestamps); + CFReleaseSafe(builder->trustedLogs); SecPVCDelete(&builder->path); } 
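Review bot: In the `@@ -2290,8 +2291,8 @@` hunk the hoisted `if(ocspResponse) SecOCSPResponseFinalize(ocspResponse);` now runs at the end of every invocation of the enumeration block, which is only safe if `ocspResponse` is initialized to NULL at the top of that block on every path; the block's beginning lies outside the hunk, so that cannot be confirmed here and deserves a look. A one-line comment at the new call, `/* finalize on every exit path of the block, including the early-out above */`, would record why it was moved out of the `if`.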
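Review bot: The new `if (builder->canAccessNetwork)` guard around `kSecCAIssuerSource` in the `@@ -750,7 +754,9 @@` hunk and the `#if !TARGET_OS_WATCH` default in the `@@ -705,7 +711,11 @@` hunk encode the same policy in two places with nothing tying them together; a comment at the guard, e.g. `/* watchOS builds start with canAccessNetwork = false (see init above), so no CA-issuer fetching is registered */`, would make the dependency explicit. Leaving out the CA-issuer parent source means an incomplete chain presented on watchOS fails to build instead of being completed by fetching the issuer; if that is the intended trade-off it should be stated in the comment so a later reader does not "fix" it. `SecPathBuilderInit` continues past the end of the hunk.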
@@ -825,10 +834,15 @@ void SecPathBuilderSetCanAccessNetwork(SecPathBuilderRef builder, bool allow) { if (builder->canAccessNetwork != allow) { builder->canAccessNetwork = allow; if (allow) { +#if !TARGET_OS_WATCH secdebug("http", "network access re-enabled by policy"); /* re-enabling network_access re-adds kSecCAIssuerSource as a parent source. */ CFArrayAppendValue(builder->parentSources, &kSecCAIssuerSource); +#else + secdebug("http", "network access not allowed on WatchOS"); + builder->canAccessNetwork = false; +#endif } else { secdebug("http", "network access disabled by policy"); /* disabling network_access removes kSecCAIssuerSource from diff --git a/OSX/shared_regressions/si-82-sectrust-ct.c b/OSX/shared_regressions/si-82-sectrust-ct.c index b772072a..e33e85a3 100644 --- a/OSX/shared_regressions/si-82-sectrust-ct.c +++ b/OSX/shared_regressions/si-82-sectrust-ct.c @@ -1124,7 +1124,7 @@ static uint8_t invalid_ocsp_response_der[] = { static void tests() { SecCertificateRef certA=NULL, certD=NULL, certF=NULL, certCA_alpha=NULL, certCA_beta=NULL; - CFDataRef proofD=NULL, proofA_1, proofA_2; + CFDataRef proofD=NULL, proofA_1=NULL, proofA_2=NULL; SecCertificateRef www_digicert_com_cert=NULL, digicert_sha2_ev_server_ca=NULL; SecCertificateRef www_paypal_com_cert=NULL, www_paypal_com_issuer_cert=NULL; SecCertificateRef cfCert = NULL; diff --git a/OSX/utilities/src/SecDb.c b/OSX/utilities/src/SecDb.c index 8ea52f9d..335add40 100644 --- a/OSX/utilities/src/SecDb.c +++ b/OSX/utilities/src/SecDb.c @@ -51,7 +51,6 @@ #define LOGD(ARG,...) secdebug("secdb", ARG, ## __VA_ARGS__) #define HAVE_UNLOCK_NOTIFY 0 -#define USE_BUSY_HANDLER 1 struct __OpaqueSecDbStatement { CFRuntimeBase _base; 
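Review bot: On watchOS the new `#else` branch first lets the enclosing `builder->canAccessNetwork = allow;` set the flag to true and then resets it to false inside the `if (allow)` arm, which works but reads as a set-then-undo and leaves the `!=` comparison at the top doing useless work. An early exit at the top of `SecPathBuilderSetCanAccessNetwork` is clearer: `#if TARGET_OS_WATCH`, `if (allow) { secdebug("http", "network access not allowed on WatchOS"); return; }`, `#endif`, after which the `#if !TARGET_OS_WATCH` / `#else` inside the branch can be dropped. The `else` (disable) branch continues past the end of the hunk.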
@@ -417,75 +416,46 @@ static bool SecDbWaitForUnlockNotify(SecDbConnectionRef dbconn, sqlite3_stmt *st #endif -#if USE_BUSY_HANDLER - -// Return 0 to stop retrying. -static int SecDbHandleBusy(void *ctx, int retryCount) { - SecDbConnectionRef dbconn __unused = ctx; - struct timespec sleeptime = { .tv_sec = 0, .tv_nsec = 10000 }; - while (retryCount--) { - // Double sleeptime until we hit one second then add one - // second more every time we sleep. - if (sleeptime.tv_sec) { - sleeptime.tv_sec++; - } else { - sleeptime.tv_nsec *= 2; - if (sleeptime.tv_nsec > NSEC_PER_SEC) { - sleeptime.tv_nsec = 0; - sleeptime.tv_sec++; - } - } - } - struct timespec unslept = {}; - nanosleep(&sleeptime, &unslept); - - return 1; -} +#define BUSY_TIMEOUT_MS (5 * 60 * 1000) /* 5 minutes */ static bool SecDbBusyHandler(SecDbConnectionRef dbconn, CFErrorRef *error) { - return SecDbErrorWithDb(sqlite3_busy_handler(dbconn->handle, SecDbHandleBusy, dbconn), dbconn->handle, error, CFSTR("busy_handler")); + return SecDbErrorWithDb(sqlite3_busy_timeout(dbconn->handle, BUSY_TIMEOUT_MS), dbconn->handle, error, CFSTR("busy_handler")); } -#endif // USE_BUSY_HANDLER +static int sleepBackoff[] = { 10, 20, 50, 100, 250 }; +static int sumBackoff[] = { 10, 30, 80, 180, 430 }; +static int numEntries = sizeof(sleepBackoff)/sizeof(sleepBackoff[0]); // Return true causes the operation to be tried again. 
-static bool SecDbWaitIfNeeded(SecDbConnectionRef dbconn, int s3e, sqlite3_stmt *stmt, CFStringRef desc, struct timespec *sleeptime, CFErrorRef *error) { +static bool SecDbWaitIfNeeded(SecDbConnectionRef dbconn, int s3e, sqlite3_stmt *stmt, CFStringRef desc, int nTries, CFErrorRef *error) { #if HAVE_UNLOCK_NOTIFY if (s3e == SQLITE_LOCKED) { // Optionally check for extended code being SQLITE_LOCKED_SHAREDCACHE return SecDbWaitForUnlockNotify(dbconn, stmt, error)) } #endif + if (((0xFF & s3e) == SQLITE_BUSY) || ((0xFF & s3e) == SQLITE_LOCKED)) { + int totaltimeout, timeout; -#if !USE_BUSY_HANDLER - if (s3e == SQLITE_LOCKED || s3e == SQLITE_BUSY) { - LOGV("sqlDb: %s", sqlite3_errmsg(dbconn->handle)); - while (s3e == SQLITE_LOCKED || s3e == SQLITE_BUSY) { - struct timespec unslept = {}; - nanosleep(sleeptime, &unslept); - s3e = SQLITE_OK; - if (stmt) - s3e = sqlite3_reset(stmt); - - // Double sleeptime until we hit one second the add one - // second more every time we sleep. - if (sleeptime->tv_sec) { - sleeptime->tv_sec++; - } else { - sleeptime->tv_nsec *= 2; - if (sleeptime->tv_nsec > NSEC_PER_SEC) { - sleeptime->tv_nsec = 0; - sleeptime->tv_sec++; - } - } + _Static_assert(sizeof(sumBackoff) == sizeof(sleepBackoff), "matching arrays not matching"); + _Static_assert(sizeof(sumBackoff[0]) == sizeof(sleepBackoff[0]), "matching arrays not matching"); + + if (nTries < numEntries) { + timeout = sleepBackoff[nTries]; + totaltimeout = sumBackoff[nTries]; + } else { + timeout = sleepBackoff[numEntries - 1]; + totaltimeout = sumBackoff[numEntries - 1] + (timeout * (nTries - numEntries)); + } + if (totaltimeout < BUSY_TIMEOUT_MS) { + LOGE("sqlite busy/locked: %d ntries: %d totaltimeout: %d", s3e, nTries, totaltimeout); + sqlite3_sleep(timeout); + return true; + } else { + LOGE("sqlite busy/locked: too long: %d ms, giving up", totaltimeout); } - if (s3e) - return SecDbErrorWithStmt(s3e, stmt, error, CFSTR("reset")); - } else -#endif // !USE_BUSY_HANDLER - { - return 
SecDbConnectionCheckCode(dbconn, s3e, error, desc); } - return true; + + return SecDbConnectionCheckCode(dbconn, s3e, error, desc); } enum SecDbStepResult { @@ -498,15 +468,18 @@ typedef enum SecDbStepResult SecDbStepResult; static SecDbStepResult _SecDbStep(SecDbConnectionRef dbconn, sqlite3_stmt *stmt, CFErrorRef *error) { assert(stmt != NULL); int s3e; - struct timespec sleeptime = { .tv_sec = 0, .tv_nsec = 10000 }; + int ntries = 0; for (;;) { s3e = sqlite3_step(stmt); - if (s3e == SQLITE_ROW) + if (s3e == SQLITE_ROW) { + ntries = 0; return kSecDbRowStep; - else if (s3e == SQLITE_DONE) + } else if (s3e == SQLITE_DONE) return kSecDbDoneStep; - else if (!SecDbWaitIfNeeded(dbconn, s3e, stmt, CFSTR("step"), &sleeptime, error)) + else if (!SecDbWaitIfNeeded(dbconn, s3e, stmt, CFSTR("step"), ntries, error)) { return kSecDbErrorStep; + } + ntries++; }; } @@ -841,9 +814,7 @@ static bool SecDbOpenHandle(SecDbConnectionRef dbconn, bool *created, CFErrorRef if (ok && SecDbTraceEnabled()) { sqlite3_trace(dbconn->handle, SecDbTrace, dbconn); } -#if USE_BUSY_HANDLER ok = ok && SecDbBusyHandler(dbconn, error); -#endif }); done: @@ -1179,14 +1150,15 @@ sqlite3_stmt *SecDbPrepareV2(SecDbConnectionRef dbconn, const char *sql, size_t SecDbErrorWithDb(SQLITE_TOOBIG, db, error, CFSTR("prepare_v2: sql bigger than INT_MAX")); return NULL; } - struct timespec sleeptime = { .tv_sec = 0, .tv_nsec = 10000 }; + int ntries = 0; for (;;) { sqlite3_stmt *stmt = NULL; int s3e = sqlite3_prepare_v2(db, sql, (int)sqlLen, &stmt, sqlTail); if (s3e == SQLITE_OK) return stmt; - else if (!SecDbWaitIfNeeded(dbconn, s3e, NULL, CFSTR("preparev2"), &sleeptime, error)) + else if (!SecDbWaitIfNeeded(dbconn, s3e, NULL, CFSTR("preparev2"), ntries, error)) return NULL; + ntries++; } } diff --git a/OSX/utilities/src/iOSforOSX-SecAttr.c b/OSX/utilities/src/iOSforOSX-SecAttr.c index f37ef5f5..1b7dfe2d 100644 --- a/OSX/utilities/src/iOSforOSX-SecAttr.c +++ b/OSX/utilities/src/iOSforOSX-SecAttr.c 
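Review bot: The cumulative-sleep formula in the new `SecDbWaitIfNeeded` is off by one sleep once `nTries >= numEntries`: for `nTries < numEntries` `sumBackoff[nTries]` includes the sleep about to be taken, but `sumBackoff[numEntries - 1] + (timeout * (nTries - numEntries))` gives the same 430 ms for `nTries == 4` and `nTries == 5`, so the give-up fires one retry later than `BUSY_TIMEOUT_MS` implies; the consistent form is `totaltimeout = sumBackoff[numEntries - 1] + (timeout * (nTries - numEntries + 1));`. Separately, `SecDbBusyHandler` now installs `sqlite3_busy_timeout` with the same five minutes, so each `sqlite3_step` can block inside SQLite for up to five minutes before the caller's own retry loop sleeps again, and the total wall time is no longer bounded by `BUSY_TIMEOUT_MS` at all — a comment at `#define BUSY_TIMEOUT_MS` should say which of the two mechanisms is meant to be the real bound (note that SQLite does not invoke the busy timeout for `SQLITE_LOCKED`, so the manual loop is the only handling for that code). Finally, logging every routine retry through `LOGE` at error level will be noisy under contention; `LOGD` (defined at the top of the file) fits the "still retrying" message, with `LOGE` kept for the "giving up" path.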
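Review bot: In the `@@ -498,15 +468,18 @@` hunk the `ntries = 0;` added immediately before `return kSecDbRowStep;` is a dead store, since `ntries` is local to `_SecDbStep` and is reinitialized to 0 on the next call; dropping it (keeping the braces) avoids suggesting the counter persists across steps. The same `ntries` loop pattern in `SecDbPrepareV2` (`@@ -1179,14 +1150,15 @@`) does not have this stray reset and is the form to match.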
@@ -51,5 +51,6 @@ SEC_CONST_DECL (kSecUseAuthenticationUISkip, "u_AuthUIS"); SEC_CONST_DECL (kSecUseAuthenticationContext, "u_AuthCtx"); SEC_CONST_DECL (kSecUseToken, "u_Token"); SEC_CONST_DECL (kSecUseTokenObjectID, "u_TokenOID"); +SEC_CONST_DECL (kSecUseCallerName, "u_CallerName"); #endif diff --git a/securityd/src/kcdatabase.cpp b/securityd/src/kcdatabase.cpp index 4326b29d..fbd52a2e 100644 --- a/securityd/src/kcdatabase.cpp +++ b/securityd/src/kcdatabase.cpp @@ -1674,7 +1674,7 @@ void KeychainDbCommon::activity() void KeychainDbCommon::sleepProcessing() { secdebug("KCdb", "common %s(%p) sleep-lock processing", dbName(), this); - if (mParams.lockOnSleep) { + if (mParams.lockOnSleep && !isDefaultSystemKeychain()) { StLock _(*this); lockDb(); } @@ -1693,11 +1693,18 @@ void KeychainDbCommon::lockProcessing() // bool KeychainDbCommon::belongsToSystem() const { - if (const char *name = this->dbName()) - return !strncmp(name, "/Library/Keychains/", 19); - return false; + if (const char *name = this->dbName()) + return !strncmp(name, "/Library/Keychains/", 19); + return false; } +bool KeychainDbCommon::isDefaultSystemKeychain() const +{ + // /Library/Keychains/System.keychain (34) + if (const char *name = this->dbName()) + return !strncmp(name, "/Library/Keychains/System.keychain", 34); + return false; +} // // Keychain global objects diff --git a/securityd/src/kcdatabase.h b/securityd/src/kcdatabase.h index b34da0cd..4013de84 100644 --- a/securityd/src/kcdatabase.h +++ b/securityd/src/kcdatabase.h @@ -123,6 +123,7 @@ public: void lockProcessing(); bool belongsToSystem() const; + bool isDefaultSystemKeychain() const; public: // debugging
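Review bot: In the `@@ -1674,7 +1674,7 @@` hunk the added `&& !isDefaultSystemKeychain()` silently overrides the keychain's own `lockOnSleep` parameter for /Library/Keychains/System.keychain, so that keychain now stays unlocked across sleep even when configured to lock; that is a deliberate weakening of lock-on-sleep for one keychain and the reason should be recorded at the call site, e.g. `// The default system keychain is exempt from lock-on-sleep (TODO(review): state why)`. A `secdebug` line in the exempted case would also make the behaviour visible when diagnosing why the system keychain remained unlocked after a sleep. `sleepProcessing` is fully visible in the hunk; the non-system branch is unchanged.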
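Review bot: In the `@@ -1693,11 +1693,18 @@` hunk `isDefaultSystemKeychain` uses `strncmp(name, "/Library/Keychains/System.keychain", 34)`, which is a prefix match, so any path that merely begins with that string is also treated as the default system keychain and exempted from lock-on-sleep; since the comment says this is meant to identify one specific file, an exact comparison is safer: `return !strcmp(name, "/Library/Keychains/System.keychain");`. If a prefix match is intended, replace the hand-counted `34` (and the `19` in `belongsToSystem`) with `sizeof(LITERAL) - 1` or `strlen` of a named constant so the lengths cannot drift from the literals. Both functions are fully visible in the hunk; the accompanying header hunk in kcdatabase.h runs past the end of this view.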