From 5c19dc3ae3bd8e40a9c028b0deddd50ff337692c Mon Sep 17 00:00:00 2001 
From: Apple Date: Sun, 6 Dec 2015 01:25:30 +0000 Subject: [PATCH] Security-57336.1.9.tar.gz --- CircleJoinRequested/CircleJoinRequested.m | 1194 +- CircleJoinRequested/PersistantState.h | 25 - CircleJoinRequested/PersistantState.m | 90 - CircleJoinRequested/PersistentState.h | 25 + CircleJoinRequested/PersistentState.m | 91 + Forwarding Headers/SOSCloudCircle.h | 11 + Forwarding Headers/SOSPeerInfo.h | 11 + .../IDSKeychainSyncingProxy-Info.plist | 30 + ...com.apple.private.alloy.keychainsync.plist | Bin 0 -> 373 bytes ...ple.security.idskeychainsyncingproxy.plist | 41 + IDSKeychainSyncingProxy/idksmain.m | 34 + ...idskeychainsyncingproxy.entitlements.plist | 22 + ISACLProtectedItems/ISProtectedItems.plist | 27 + .../ISProtectedItemsController.h | 19 + .../ISProtectedItemsController.m | 42 + ISACLProtectedItems/Info.plist | 26 + ISACLProtectedItems/KeychainItemsAclTest.sh | 61 + Keychain/SyncViewController.m | 4 +- Keychain/ToolsViewController.m | 4 +- .../KeychainSyncAccountNotification.m | 67 +- {Security => OSX}/APPLE_LICENSE | 0 {Security => OSX}/Breadcrumb/README | 0 {Security => OSX}/Breadcrumb/SecBreadcrumb.c | 55 +- {Security => OSX}/Breadcrumb/SecBreadcrumb.h | 0 .../Breadcrumb/bc-10-knife-on-bread.c | 0 .../Breadcrumb/breadcrumb_regressions.h | 0 .../CloudKeychainProxy-Info.plist | 0 .../cloudkeychain.entitlements.plist | 0 ...om.apple.security.cloudkeychainproxy.plist | 2 +- .../en.lproj/InfoPlist.strings | 0 .../IDSKeychainSyncingProxy-Info.plist | 32 + ...com.apple.private.alloy.keychainsync.plist | Bin 0 -> 373 bytes ...ple.security.idskeychainsyncingproxy.plist | 45 + .../en.lproj/InfoPlist.strings | 0 ...idskeychainsyncingproxy.entitlements.plist | 19 + .../Base.lproj/MainMenu.xib | 18 + .../KNAppDelegate.h | 4 +- .../KNAppDelegate.m | 549 + .../KNPersistentState.h | 40 + .../KNPersistentState.m | 96 + .../Keychain Circle Notification-Info.plist | 0 .../Keychain Circle Notification-Prefix.pch | 0 .../NSArray+mapWithBlock.h | 0 
.../NSArray+mapWithBlock.m | 0 .../NSDictionary+compactDescription.h | 0 .../NSDictionary+compactDescription.m | 0 .../NSSet+compactDescription.h | 0 .../NSSet+compactDescription.m | 0 .../NSString+compactDescription.h | 0 .../NSString+compactDescription.m | 0 ...ecurity.keychain-circle-notification.plist | 2 + .../en.lproj/InfoPlist.strings | 0 .../en.lproj/Localizable.strings | Bin 0 -> 1208 bytes .../entitlments.plist | 0 .../Keychain Circle Notification/main.m | 0 OSX/Keychain/Base.lproj/MainMenu.xib | 1092 ++ {Security => OSX}/Keychain/Icon.icns | Bin {Security => OSX}/Keychain/KDAppDelegate.h | 0 {Security => OSX}/Keychain/KDAppDelegate.m | 0 {Security => OSX}/Keychain/KDCirclePeer.h | 0 {Security => OSX}/Keychain/KDCirclePeer.m | 0 {Security => OSX}/Keychain/KDSecCircle.h | 0 {Security => OSX}/Keychain/KDSecCircle.m | 16 +- {Security => OSX}/Keychain/KDSecItems.h | 0 {Security => OSX}/Keychain/KDSecItems.m | 0 .../Keychain/Keychain-Info.plist | 0 .../Keychain/Keychain-Prefix.pch | 0 .../Keychain}/en.lproj/Credits.rtf | 0 .../Keychain}/en.lproj/InfoPlist.strings | 0 {Security => OSX}/Keychain/main.m | 0 OSX/OSX.xcodeproj/project.pbxproj | 8132 ++++++++++++++ .../xcshareddata/WorkspaceSettings.xcsettings | 0 .../xcshareddata/xcschemes/World.xcscheme | 132 + .../xcschemes/copyHeaders.xcscheme | 89 + .../xcshareddata/xcschemes/secdtests.xcscheme | 222 + .../xcshareddata/xcschemes/sectests.xcscheme | 91 + {Security => OSX}/README | 0 {Security => OSX}/asl/com.apple.securityd | 2 + OSX/authd/Info.plist | 31 + {Security => OSX}/authd/agent.c | 71 +- {Security => OSX}/authd/agent.h | 2 +- {Security => OSX}/authd/authd_private.h | 6 +- {Security => OSX}/authd/authdb.c | 0 {Security => OSX}/authd/authdb.h | 0 {Security => OSX}/authd/authitems.c | 6 +- {Security => OSX}/authd/authitems.h | 2 +- {Security => OSX}/authd/authorization.plist | 41 +- {Security => OSX}/authd/authtoken.c | 2 +- {Security => OSX}/authd/authtoken.h | 0 {Security => OSX}/authd/authtypes.h | 0 
{Security => OSX}/authd/authutilities.c | 0 {Security => OSX}/authd/authutilities.h | 0 {Security => OSX}/authd/ccaudit.c | 0 {Security => OSX}/authd/ccaudit.h | 0 {Security => OSX}/authd/com.apple.authd | 0 {Security => OSX}/authd/com.apple.authd.sb | 7 +- {Security => OSX}/authd/connection.c | 2 +- {Security => OSX}/authd/connection.h | 2 +- {Security => OSX}/authd/crc.c | 0 {Security => OSX}/authd/crc.h | 0 {Security => OSX}/authd/credential.c | 2 +- {Security => OSX}/authd/credential.h | 0 {Security => OSX}/authd/debugging.c | 0 {Security => OSX}/authd/debugging.h | 0 .../authd}/en.lproj/InfoPlist.strings | 0 {Security => OSX}/authd/engine.c | 40 +- {Security => OSX}/authd/engine.h | 2 +- OSX/authd/main.c | 225 + {Security => OSX}/authd/mechanism.c | 2 +- {Security => OSX}/authd/mechanism.h | 0 {Security => OSX}/authd/object.c | 0 {Security => OSX}/authd/object.h | 0 {Security => OSX}/authd/process.c | 8 +- {Security => OSX}/authd/process.h | 0 {Security => OSX}/authd/rule.c | 2 +- {Security => OSX}/authd/rule.h | 0 .../authd/security.auth-Prefix.pch | 0 OSX/authd/server.c | 1169 ++ {Security => OSX}/authd/server.h | 0 {Security => OSX}/authd/session.c | 0 {Security => OSX}/authd/session.h | 0 .../cloud_keychain_diagnose-Prefix.pch | 0 OSX/codesign_tests/CaspianTests/CaspianTests | 275 + .../CaspianTests/LocalCaspianTestRun.sh | 15 + .../codesign_tests/FatDynamicValidation.c | 0 OSX/codesign_tests/SecTask-Entitlements.plist | 9 + OSX/codesign_tests/main.c | 33 + OSX/codesign_tests/teamid.sh | 17 + .../codesign_tests/validation.sh | 4 +- OSX/config/base.xcconfig | 18 + OSX/config/command.xcconfig | 15 + {Security => OSX}/config/debug.xcconfig | 0 OSX/config/executable.xcconfig | 9 + OSX/config/lib.xcconfig | 26 + {Security => OSX}/config/release.xcconfig | 0 {Security => OSX}/config/security.xcconfig | 2 +- {Security => OSX}/config/test.xcconfig | 0 {Security => OSX}/doc/ACLsInCDSA.cwk | Bin {Security => OSX}/doc/APIStrategy.cwk | Bin 
.../doc/AccessControlArchitecture.cwk | Bin {Security => OSX}/doc/AppleCL_Spec.doc | Bin {Security => OSX}/doc/AppleCSP.doc | Bin {Security => OSX}/doc/AppleTP_Spec.doc | Bin .../doc/Apple_OID_Assignments.rtf | 0 .../doc/ArchitectureOverview.cwk | Bin {Security => OSX}/doc/C++Utilities.cwk | 0 {Security => OSX}/doc/DebuggingAids.cwk | Bin {Security => OSX}/doc/HowToWriteA_CSP.cwk | Bin {Security => OSX}/doc/HowToWriteA_Plugin.cwk | Bin {Security => OSX}/doc/SecuritySupport.doc | Bin .../doc/Supported_CSP_Algorithms.doc | Bin {Security => OSX}/doc/cwk_styles | Bin OSX/gk_reset_check/gk_reset_check.c | 19 + OSX/include/security_asn1/SecAsn1Coder.c | 225 + OSX/include/security_asn1/SecAsn1Coder.h | 153 + .../include/security_asn1}/SecAsn1Templates.c | 0 OSX/include/security_asn1/SecAsn1Templates.h | 135 + OSX/include/security_asn1/SecAsn1Types.h | 244 + .../include/security_asn1}/SecNssCoder.cpp | 0 .../include/security_asn1}/SecNssCoder.h | 0 .../include/security_asn1}/X509Templates.c | 0 .../include/security_asn1}/X509Templates.h | 0 .../include/security_asn1}/asn1Templates.h | 0 .../security_asn1}/certExtensionTemplates.c | 0 .../security_asn1}/certExtensionTemplates.h | 0 .../include/security_asn1}/csrTemplates.c | 0 .../include/security_asn1}/csrTemplates.h | 0 .../include/security_asn1}/keyTemplates.c | 0 .../include/security_asn1}/keyTemplates.h | 0 .../include/security_asn1}/nameTemplates.c | 0 .../include/security_asn1}/nameTemplates.h | 0 .../include/security_asn1}/nsprPortX.c | 0 .../include/security_asn1}/nssUtils.c | 0 .../include/security_asn1}/nssUtils.h | 0 .../include/security_asn1}/nssilckt.h | 0 .../include/security_asn1}/nssilock.h | 0 .../include/security_asn1}/nsslocks.h | 0 OSX/include/security_asn1/ocspTemplates.c | 298 + .../include/security_asn1}/ocspTemplates.h | 0 .../include/security_asn1}/oidsalg.c | 0 .../include/security_asn1}/oidsalg.h | 0 .../include/security_asn1}/oidsattr.c | 0 .../include/security_asn1}/oidsattr.h | 0 
OSX/include/security_asn1/oidsbase.h | 363 + OSX/include/security_asn1/oidsocsp.c | 43 + OSX/include/security_asn1/oidsocsp.h | 51 + .../include/security_asn1}/osKeyTemplates.c | 0 .../include/security_asn1}/osKeyTemplates.h | 0 .../include/security_asn1}/pkcs12Templates.c | 0 .../include/security_asn1}/pkcs12Templates.h | 0 .../include/security_asn1}/pkcs7Templates.c | 0 .../include/security_asn1}/pkcs7Templates.h | 0 .../include/security_asn1}/plarena.c | 0 .../include/security_asn1}/plarena.h | 0 .../include/security_asn1}/plarenas.h | 0 .../lib => OSX/include/security_asn1}/plstr.h | 0 .../lib => OSX/include/security_asn1}/prbit.h | 0 .../include/security_asn1}/prcpucfg.h | 0 .../include/security_asn1}/prcvar.h | 0 .../lib => OSX/include/security_asn1}/prenv.h | 0 .../lib => OSX/include/security_asn1}/prerr.h | 0 .../include/security_asn1}/prerror.h | 0 .../include/security_asn1}/prinit.h | 0 .../include/security_asn1}/prinrval.h | 0 .../include/security_asn1}/prlock.h | 0 .../lib => OSX/include/security_asn1}/prlog.h | 0 .../include/security_asn1}/prlong.h | 0 .../lib => OSX/include/security_asn1}/prmem.h | 0 .../lib => OSX/include/security_asn1}/prmon.h | 0 .../include/security_asn1}/protypes.h | 0 .../include/security_asn1}/prthread.h | 0 .../include/security_asn1}/prtime.h | 0 .../include/security_asn1}/prtypes.h | 0 .../include/security_asn1}/prvrsion.h | 0 .../include/security_asn1}/secErrorStr.c | 0 .../include/security_asn1}/secasn1.h | 0 .../include/security_asn1}/secasn1d.c | 0 .../include/security_asn1}/secasn1e.c | 0 .../include/security_asn1}/secasn1t.h | 0 .../include/security_asn1}/secasn1u.c | 0 .../include/security_asn1}/seccomon.h | 0 .../include/security_asn1}/secerr.h | 0 .../include/security_asn1}/secport.c | 0 .../include/security_asn1}/secport.h | 0 .../include/security_asn1}/security_asn1.exp | 0 .../security_cdsa_client}/DLDBList.cpp | 0 .../include/security_cdsa_client}/DLDBList.h | 0 .../security_cdsa_client}/aclclient.cpp | 0 
.../include/security_cdsa_client}/aclclient.h | 0 .../security_cdsa_client}/clclient.cpp | 0 .../include/security_cdsa_client}/clclient.h | 0 .../security_cdsa_client}/cryptoclient.cpp | 0 .../security_cdsa_client}/cryptoclient.h | 0 .../security_cdsa_client}/cspclient.cpp | 0 .../include/security_cdsa_client}/cspclient.h | 0 .../security_cdsa_client}/cssmclient.cpp | 0 .../security_cdsa_client}/cssmclient.h | 0 .../security_cdsa_client}/dl_standard.cpp | 0 .../security_cdsa_client}/dl_standard.h | 0 .../security_cdsa_client}/dlclient.cpp | 0 .../include/security_cdsa_client}/dlclient.h | 0 .../security_cdsa_client}/dlclientpriv.cpp | 0 .../security_cdsa_client}/dliterators.cpp | 0 .../security_cdsa_client}/dliterators.h | 0 .../include/security_cdsa_client}/dlquery.cpp | 0 .../include/security_cdsa_client}/dlquery.h | 0 .../include/security_cdsa_client}/genkey.cpp | 0 .../include/security_cdsa_client}/genkey.h | 0 .../security_cdsa_client}/keychainacl.cpp | 0 .../security_cdsa_client}/keychainacl.h | 0 .../security_cdsa_client}/keyclient.cpp | 0 .../include/security_cdsa_client}/keyclient.h | 0 .../security_cdsa_client}/macclient.cpp | 0 .../include/security_cdsa_client}/macclient.h | 0 .../security_cdsa_client}/mds_standard.cpp | 0 .../security_cdsa_client}/mds_standard.h | 0 .../security_cdsa_client}/mdsclient.cpp | 0 .../include/security_cdsa_client}/mdsclient.h | 0 .../security_cdsa_client}/multidldb.cpp | 0 .../include/security_cdsa_client}/multidldb.h | 0 .../security_cdsa_client}/securestorage.cpp | 0 .../security_cdsa_client}/securestorage.h | 0 .../security_cdsa_client}/signclient.cpp | 0 .../security_cdsa_client}/signclient.h | 0 .../security_cdsa_client}/tpclient.cpp | 0 .../include/security_cdsa_client}/tpclient.h | 0 .../include/security_cdsa_client}/wrapkey.cpp | 0 .../include/security_cdsa_client}/wrapkey.h | 0 .../include/security_cdsa_plugin}/ACsession.h | 0 .../include/security_cdsa_plugin}/CLsession.h | 0 .../security_cdsa_plugin}/CSPsession.cpp 
| 0 .../security_cdsa_plugin}/CSPsession.h | 0 .../security_cdsa_plugin}/DLsession.cpp | 0 .../include/security_cdsa_plugin}/DLsession.h | 0 .../security_cdsa_plugin}/Database.cpp | 0 .../include/security_cdsa_plugin}/Database.h | 0 .../security_cdsa_plugin}/DatabaseSession.cpp | 0 .../security_cdsa_plugin}/DatabaseSession.h | 0 .../security_cdsa_plugin}/DbContext.cpp | 0 .../include/security_cdsa_plugin}/DbContext.h | 0 .../include/security_cdsa_plugin}/TPsession.h | 0 .../include/security_cdsa_plugin}/c++plugin.h | 0 .../security_cdsa_plugin}/csputilities.cpp | 0 .../security_cdsa_plugin}/cssmplugin.cpp | 0 OSX/include/security_cdsa_plugin/cssmplugin.h | 130 + .../security_cdsa_plugin}/generator.cfg | 0 .../security_cdsa_plugin}/generator.mk | 0 .../security_cdsa_plugin}/generator.pl | 0 .../security_cdsa_plugin}/pluginsession.cpp | 0 .../security_cdsa_plugin}/pluginsession.h | 0 .../include/security_cdsa_plugin}/pluginspi.h | 0 .../AuthorizationData.cpp | 0 .../AuthorizationData.h | 0 .../AuthorizationWalkers.h | 0 .../security_cdsa_utilities}/KeySchema.h | 0 .../security_cdsa_utilities}/KeySchema.m4 | 0 .../include/security_cdsa_utilities}/Schema.h | 0 .../security_cdsa_utilities}/Schema.m4 | 0 .../security_cdsa_utilities}/acl_any.cpp | 0 .../security_cdsa_utilities}/acl_any.h | 0 .../acl_codesigning.cpp | 0 .../acl_codesigning.h | 0 .../security_cdsa_utilities}/acl_comment.cpp | 0 .../security_cdsa_utilities}/acl_comment.h | 0 .../security_cdsa_utilities}/acl_password.cpp | 0 .../security_cdsa_utilities}/acl_password.h | 0 .../security_cdsa_utilities}/acl_preauth.cpp | 0 .../security_cdsa_utilities}/acl_preauth.h | 0 .../security_cdsa_utilities}/acl_process.cpp | 0 .../security_cdsa_utilities}/acl_process.h | 0 .../security_cdsa_utilities}/acl_prompted.cpp | 0 .../security_cdsa_utilities}/acl_prompted.h | 0 .../acl_protectedpw.cpp | 0 .../acl_protectedpw.h | 0 .../security_cdsa_utilities}/acl_secret.cpp | 0 .../security_cdsa_utilities}/acl_secret.h | 0 
.../acl_threshold.cpp | 0 .../security_cdsa_utilities}/acl_threshold.h | 0 .../security_cdsa_utilities}/aclsubject.cpp | 0 .../security_cdsa_utilities}/aclsubject.h | 0 .../security_cdsa_utilities}/callback.cpp | 0 .../security_cdsa_utilities}/callback.h | 0 .../security_cdsa_utilities}/constdata.cpp | 0 .../security_cdsa_utilities}/constdata.h | 0 .../security_cdsa_utilities}/context.cpp | 0 .../security_cdsa_utilities}/context.h | 0 .../security_cdsa_utilities}/cssmacl.cpp | 0 .../security_cdsa_utilities}/cssmacl.h | 0 .../security_cdsa_utilities}/cssmaclpod.cpp | 0 .../security_cdsa_utilities}/cssmaclpod.h | 0 .../security_cdsa_utilities}/cssmalloc.cpp | 0 .../security_cdsa_utilities}/cssmalloc.h | 0 .../security_cdsa_utilities}/cssmbridge.h | 0 .../security_cdsa_utilities}/cssmcert.cpp | 0 .../security_cdsa_utilities}/cssmcert.h | 0 .../security_cdsa_utilities}/cssmcred.cpp | 0 .../security_cdsa_utilities}/cssmcred.h | 0 .../security_cdsa_utilities}/cssmdata.cpp | 0 .../security_cdsa_utilities}/cssmdata.h | 0 .../security_cdsa_utilities}/cssmdates.cpp | 0 .../security_cdsa_utilities}/cssmdates.h | 0 .../security_cdsa_utilities}/cssmdb.cpp | 0 .../include/security_cdsa_utilities}/cssmdb.h | 0 .../security_cdsa_utilities}/cssmdbname.cpp | 0 .../security_cdsa_utilities}/cssmdbname.h | 0 .../security_cdsa_utilities}/cssmendian.cpp | 0 .../security_cdsa_utilities}/cssmendian.h | 0 .../security_cdsa_utilities}/cssmerrors.cpp | 0 .../security_cdsa_utilities}/cssmerrors.h | 0 .../security_cdsa_utilities}/cssmkey.cpp | 0 .../security_cdsa_utilities}/cssmkey.h | 0 .../security_cdsa_utilities}/cssmlist.cpp | 0 .../security_cdsa_utilities}/cssmlist.h | 0 .../security_cdsa_utilities/cssmpods.cpp | 179 + .../security_cdsa_utilities}/cssmpods.h | 0 .../security_cdsa_utilities}/cssmtrust.cpp | 0 .../security_cdsa_utilities}/cssmtrust.h | 0 .../security_cdsa_utilities}/cssmwalkers.cpp | 0 .../security_cdsa_utilities}/cssmwalkers.h | 0 
.../include/security_cdsa_utilities}/db++.cpp | 0 .../include/security_cdsa_utilities}/db++.h | 0 .../security_cdsa_utilities}/digestobject.h | 0 .../security_cdsa_utilities}/generator.mk | 0 .../security_cdsa_utilities}/generator.pl | 0 .../security_cdsa_utilities}/handleobject.cpp | 0 .../security_cdsa_utilities}/handleobject.h | 0 .../handletemplates.cpp | 0 .../security_cdsa_utilities/handletemplates.h | 290 + .../handletemplates_defs.h | 0 .../security_cdsa_utilities}/objectacl.cpp | 0 .../security_cdsa_utilities}/objectacl.h | 0 .../security_cdsa_utilities}/osxverifier.cpp | 0 .../security_cdsa_utilities}/osxverifier.h | 0 .../u32handleobject.cpp | 0 .../u32handleobject.h | 0 .../uniformrandom.cpp | 0 .../security_cdsa_utilities}/uniformrandom.h | 0 .../security_cdsa_utilities}/walkers.cpp | 0 .../security_cdsa_utilities}/walkers.h | 0 .../security_cdsa_utils}/cuCdsaUtils.cpp | 0 .../security_cdsa_utils}/cuCdsaUtils.h | 0 .../security_cdsa_utils}/cuDbUtils.cpp | 0 .../include/security_cdsa_utils}/cuDbUtils.h | 0 .../include/security_cdsa_utils}/cuEnc64.c | 0 .../include/security_cdsa_utils}/cuEnc64.h | 0 .../include/security_cdsa_utils}/cuFileIo.c | 0 .../include/security_cdsa_utils}/cuFileIo.h | 0 .../security_cdsa_utils}/cuOidParser.cpp | 0 .../security_cdsa_utils}/cuOidParser.h | 0 .../include/security_cdsa_utils}/cuPem.cpp | 0 .../include/security_cdsa_utils}/cuPem.h | 0 .../security_cdsa_utils}/cuPrintCert.cpp | 0 .../security_cdsa_utils}/cuPrintCert.h | 0 .../security_cdsa_utils}/cuTimeStr.cpp | 0 .../include/security_cdsa_utils}/cuTimeStr.h | 0 OSX/include/security_codesigning/CSCommon.h | 318 + .../security_codesigning/CSCommonPriv.h | 131 + .../include/security_codesigning}/Code.cpp | 0 .../include/security_codesigning}/Code.h | 0 .../security_codesigning/CodeSigner.cpp | 308 + OSX/include/security_codesigning/CodeSigner.h | 106 + .../security_codesigning}/CodeSigning.h | 0 .../RequirementKeywords.h | 25 + 
.../security_codesigning/RequirementLexer.cpp | 1269 +++ .../security_codesigning/RequirementLexer.hpp | 77 + .../RequirementParser.cpp | 1331 +++ .../RequirementParser.hpp | 158 + .../RequirementParserTokenTypes.hpp | 76 + .../RequirementParserTokenTypes.txt | 56 + .../security_codesigning}/Requirements.cpp | 0 .../security_codesigning}/Requirements.h | 0 .../security_codesigning/SecAssessment.cpp | 544 + .../security_codesigning/SecAssessment.h | 316 + OSX/include/security_codesigning/SecCode.cpp | 316 + OSX/include/security_codesigning/SecCode.h | 447 + .../security_codesigning}/SecCodeHost.cpp | 0 .../security_codesigning/SecCodeHost.h | 244 + .../security_codesigning}/SecCodeHostLib.c | 0 .../security_codesigning}/SecCodeHostLib.h | 0 .../security_codesigning}/SecCodePriv.h | 0 .../security_codesigning/SecCodeSigner.cpp | 124 + .../security_codesigning/SecCodeSigner.h | 231 + .../security_codesigning}/SecIntegrity.cpp | 0 .../security_codesigning}/SecIntegrity.h | 0 .../security_codesigning}/SecIntegrityLib.c | 0 .../security_codesigning}/SecIntegrityLib.h | 0 .../security_codesigning}/SecRequirement.cpp | 0 .../security_codesigning/SecRequirement.h | 142 + .../SecRequirementPriv.h | 0 .../security_codesigning/SecStaticCode.cpp | 324 + .../security_codesigning/SecStaticCode.h | 168 + .../security_codesigning}/SecStaticCodePriv.h | 0 OSX/include/security_codesigning/SecTask.c | 316 + OSX/include/security_codesigning/SecTask.h | 113 + .../security_codesigning}/SecTaskPriv.h | 0 .../security_codesigning/StaticCode.cpp | 1798 +++ OSX/include/security_codesigning/StaticCode.h | 278 + .../security_codesigning}/antlrplugin.cpp | 0 .../security_codesigning}/antlrplugin.h | 0 .../security_codesigning/bundlediskrep.cpp | 691 ++ .../security_codesigning}/bundlediskrep.h | 0 .../security_codesigning/cdbuilder.cpp | 259 + OSX/include/security_codesigning/cdbuilder.h | 100 + .../security_codesigning/codedirectory.cpp | 324 + .../security_codesigning/codedirectory.h | 289 + 
.../include/security_codesigning}/cs.cpp | 0 .../include/security_codesigning}/cs.h | 0 .../include/security_codesigning}/cscdefs.c | 0 .../include/security_codesigning}/cscdefs.h | 0 .../security_codesigning}/csdatabase.cpp | 0 .../security_codesigning}/csdatabase.h | 0 .../include/security_codesigning}/cserror.cpp | 0 .../include/security_codesigning}/cserror.h | 0 .../security_codesigning}/csgeneric.cpp | 0 .../include/security_codesigning}/csgeneric.h | 0 .../security_codesigning}/cskernel.cpp | 0 .../include/security_codesigning}/cskernel.h | 0 .../security_codesigning}/csprocess.cpp | 0 .../include/security_codesigning}/csprocess.h | 0 .../security_codesigning/csutilities.cpp | 260 + .../security_codesigning/csutilities.h | 202 + .../security_codesigning}/detachedrep.cpp | 0 .../security_codesigning}/detachedrep.h | 0 .../security_codesigning}/dirscanner.cpp | 0 .../security_codesigning}/dirscanner.h | 0 .../include/security_codesigning}/diskrep.cpp | 0 .../include/security_codesigning}/diskrep.h | 0 OSX/include/security_codesigning/drmaker.cpp | 195 + .../include/security_codesigning}/drmaker.h | 0 .../evaluationmanager.cpp | 366 + .../security_codesigning/evaluationmanager.h | 63 + .../security_codesigning}/filediskrep.cpp | 0 .../security_codesigning}/filediskrep.h | 0 .../security_codesigning}/kerneldiskrep.cpp | 0 .../security_codesigning}/kerneldiskrep.h | 0 OSX/include/security_codesigning/machorep.cpp | 409 + .../include/security_codesigning}/machorep.h | 0 .../security_codesigning/opaquewhitelist.cpp | 269 + .../security_codesigning}/opaquewhitelist.h | 0 .../security_codesigning}/piddiskrep.cpp | 0 .../security_codesigning}/piddiskrep.h | 0 .../security_codesigning}/policydb.cpp | 0 .../include/security_codesigning}/policydb.h | 0 .../security_codesigning/policyengine.cpp | 1106 ++ .../security_codesigning/policyengine.h | 101 + .../security_codesigning}/quarantine++.cpp | 0 .../security_codesigning}/quarantine++.h | 0 
.../security_codesigning/reqdumper.cpp | 367 + .../include/security_codesigning}/reqdumper.h | 0 .../security_codesigning/reqinterp.cpp | 583 + OSX/include/security_codesigning/reqinterp.h | 92 + OSX/include/security_codesigning/reqmaker.cpp | 180 + OSX/include/security_codesigning/reqmaker.h | 135 + .../security_codesigning}/reqparser.cpp | 0 .../include/security_codesigning}/reqparser.h | 0 .../security_codesigning/reqreader.cpp | 91 + OSX/include/security_codesigning/reqreader.h | 86 + .../security_codesigning}/requirement.cpp | 0 .../security_codesigning/requirement.h | 215 + .../security_codesigning/resources.cpp | 363 + OSX/include/security_codesigning/resources.h | 140 + .../security_codesigning.d | 0 .../security_codesigning.exp | 0 .../include/security_codesigning}/sigblob.cpp | 0 .../include/security_codesigning}/sigblob.h | 0 OSX/include/security_codesigning/signer.cpp | 670 ++ OSX/include/security_codesigning/signer.h | 103 + .../security_codesigning/signerutils.cpp | 361 + .../security_codesigning}/signerutils.h | 0 .../security_codesigning/singlediskrep.cpp | 139 + .../security_codesigning}/singlediskrep.h | 0 .../include/security_codesigning}/slcrep.cpp | 0 .../include/security_codesigning}/slcrep.h | 0 .../security_codesigning}/syspolicy.sql | 0 .../include/security_codesigning}/xar++.cpp | 0 .../include/security_codesigning}/xar++.h | 0 .../security_codesigning}/xpcengine.cpp | 0 .../include/security_codesigning}/xpcengine.h | 0 .../include/security_comcryption}/comDebug.h | 0 .../security_comcryption}/comcryptPriv.c | 0 .../security_comcryption}/comcryptPriv.h | 0 .../security_comcryption}/comcryption.c | 0 .../security_comcryption}/comcryption.h | 0 .../include/security_cryptkit}/ByteRep.txt | 0 .../security_cryptkit}/CipherFileDES.c | 0 .../security_cryptkit}/CipherFileDES.h | 0 .../security_cryptkit}/CipherFileFEED.c | 0 .../security_cryptkit}/CipherFileFEED.h | 0 .../security_cryptkit}/CipherFileTypes.h | 0 
.../include/security_cryptkit}/Crypt.h | 0 .../include/security_cryptkit}/CryptKit.def | 0 .../include/security_cryptkit}/CryptKit.h | 0 .../security_cryptkit}/CryptKitAsn1.cpp | 0 .../include/security_cryptkit}/CryptKitAsn1.h | 0 OSX/include/security_cryptkit/CryptKitDER.cpp | 1244 +++ OSX/include/security_cryptkit/CryptKitDER.h | 198 + .../include/security_cryptkit}/CryptKitSA.h | 0 .../CurveParamDocs/FEEDaffine.nb | 0 .../CurveParamDocs/FEEDsansY.nb | 0 .../security_cryptkit}/CurveParamDocs/README | 0 .../CurveParamDocs/curvegen.c | 0 .../CurveParamDocs/curverecords.nb | 0 .../security_cryptkit}/CurveParamDocs/disc.h | 0 .../CurveParamDocs/ellproj.c | 0 .../CurveParamDocs/ellproj.h | 0 .../CurveParamDocs/factor.c | 0 .../CurveParamDocs/fmodule.c | 0 .../CurveParamDocs/fmodule.h | 0 .../CurveParamDocs/giants.c | 0 .../CurveParamDocs/giants.h | 0 .../CurveParamDocs/schoof.c | 0 .../CurveParamDocs/schoofs.c | 0 .../security_cryptkit}/CurveParamDocs/tools.c | 0 .../security_cryptkit}/CurveParamDocs/tools.h | 0 .../security_cryptkit}/ECDSA_Profile.h | 0 .../security_cryptkit}/ECDSA_Verify_Prefix.h | 0 .../security_cryptkit}/HmacSha1Legacy.c | 0 .../security_cryptkit}/HmacSha1Legacy.h | 0 .../security_cryptkit}/Mathematica.FEE | 0 .../include/security_cryptkit}/NSCipherFile.h | 0 .../include/security_cryptkit}/NSCipherFile.m | 0 .../include/security_cryptkit}/NSCryptors.h | 0 .../include/security_cryptkit}/NSDESCryptor.h | 0 .../include/security_cryptkit}/NSDESCryptor.m | 0 .../security_cryptkit}/NSFEEPublicKey.h | 0 .../security_cryptkit}/NSFEEPublicKey.m | 0 .../NSFEEPublicKeyPrivate.h | 0 .../include/security_cryptkit}/NSMD5Hash.h | 0 .../include/security_cryptkit}/NSMD5Hash.m | 0 .../NSRandomNumberGenerator.h | 0 .../NSRandomNumberGenerator.m | 0 .../include/security_cryptkit}/README | 0 .../include/security_cryptkit}/TOP_README | 0 .../include/security_cryptkit}/buildSrcTree | 0 .../include/security_cryptkit}/byteRep.c | 0 .../include/security_cryptkit}/byteRep.h 
| 0 .../include/security_cryptkit}/changes | 0 .../include/security_cryptkit}/ckDES.c | 0 .../include/security_cryptkit}/ckDES.h | 0 .../include/security_cryptkit}/ckMD5.c | 0 .../include/security_cryptkit}/ckMD5.h | 0 .../include/security_cryptkit}/ckSHA1.c | 0 .../include/security_cryptkit}/ckSHA1.h | 0 .../include/security_cryptkit}/ckSHA1_priv.c | 0 .../include/security_cryptkit}/ckSHA1_priv.h | 0 .../include/security_cryptkit}/ckconfig.h | 0 .../include/security_cryptkit}/ckutilities.c | 0 .../include/security_cryptkit}/ckutilities.h | 0 .../security_cryptkit}/curveParamData.h | 0 .../security_cryptkit}/curveParamDataOld.h | 0 .../include/security_cryptkit}/curveParams.c | 0 .../include/security_cryptkit}/curveParams.h | 0 .../include/security_cryptkit}/elliptic.c | 0 .../include/security_cryptkit}/elliptic.h | 0 .../security_cryptkit}/ellipticMeasure.h | 0 .../include/security_cryptkit}/ellipticProj.c | 0 .../include/security_cryptkit}/ellipticProj.h | 0 .../include/security_cryptkit}/enc64.c | 0 .../include/security_cryptkit}/enc64.h | 0 .../include/security_cryptkit}/engineNSA127.c | 0 .../include/security_cryptkit}/falloc.c | 0 .../include/security_cryptkit}/falloc.h | 0 .../security_cryptkit}/feeCipherFile.c | 0 .../security_cryptkit}/feeCipherFile.h | 0 .../security_cryptkit}/feeCipherFileAtom.c | 0 .../include/security_cryptkit}/feeDES.c | 0 .../include/security_cryptkit}/feeDES.h | 0 .../include/security_cryptkit}/feeDebug.h | 0 .../security_cryptkit/feeDigitalSignature.c | 674 ++ .../security_cryptkit}/feeDigitalSignature.h | 0 OSX/include/security_cryptkit/feeECDSA.c | 697 ++ OSX/include/security_cryptkit/feeECDSA.h | 84 + .../include/security_cryptkit}/feeFEED.c | 0 .../include/security_cryptkit}/feeFEED.h | 0 OSX/include/security_cryptkit/feeFEEDExp.c | 735 ++ .../include/security_cryptkit}/feeFEEDExp.h | 0 .../include/security_cryptkit}/feeFunctions.h | 0 .../include/security_cryptkit}/feeHash.c | 0 .../include/security_cryptkit}/feeHash.h | 0 
.../include/security_cryptkit}/feePublicKey.c | 0 .../include/security_cryptkit}/feePublicKey.h | 0 .../security_cryptkit}/feePublicKeyPrivate.h | 0 .../include/security_cryptkit}/feeRandom.c | 0 .../include/security_cryptkit}/feeRandom.h | 0 OSX/include/security_cryptkit/feeTypes.h | 174 + .../include/security_cryptkit}/giantFFT.c | 0 .../security_cryptkit}/giantIntegers.c | 0 .../security_cryptkit}/giantIntegers.h | 0 .../security_cryptkit}/giantPortCommon.h | 0 .../security_cryptkit}/giantPort_Generic.h | 0 .../security_cryptkit}/giantPort_PPC.c | 0 .../security_cryptkit}/giantPort_PPC.h | 0 .../security_cryptkit}/giantPort_PPC_Gnu.h | 0 .../security_cryptkit}/giantPort_PPC_Gnu.s | 0 .../security_cryptkit}/giantPort_i486.h | 0 .../security_cryptkit}/giantPort_i486.s | 0 .../include/security_cryptkit}/mutils.h | 0 .../include/security_cryptkit}/mutils.m | 0 .../include/security_cryptkit}/platform.c | 0 .../include/security_cryptkit}/platform.h | 0 .../include/security_cryptkit}/unixMakefile | 0 .../security_filedb}/AppleDatabase.cpp | 0 .../include/security_filedb}/AppleDatabase.h | 0 .../include/security_filedb}/AtomicFile.cpp | 0 .../include/security_filedb}/AtomicFile.h | 0 .../include/security_filedb}/DbIndex.cpp | 0 .../include/security_filedb}/DbIndex.h | 0 .../include/security_filedb}/DbQuery.cpp | 0 .../include/security_filedb}/DbQuery.h | 0 .../include/security_filedb}/DbValue.cpp | 0 .../include/security_filedb}/DbValue.h | 0 .../security_filedb}/MetaAttribute.cpp | 0 .../include/security_filedb}/MetaAttribute.h | 0 .../include/security_filedb}/MetaRecord.cpp | 0 .../include/security_filedb}/MetaRecord.h | 0 .../security_filedb}/OverUnderflowCheck.h | 0 .../security_filedb/ReadWriteSection.cpp | 57 + .../security_filedb}/ReadWriteSection.h | 0 .../security_filedb}/SelectionPredicate.cpp | 0 .../security_filedb}/SelectionPredicate.h | 0 .../include/security_keychain}/ACL.cpp | 0 .../include/security_keychain}/ACL.h | 0 
.../include/security_keychain}/Access.cpp | 0 .../include/security_keychain}/Access.h | 0 .../AppleBaselineEscrowCertificates.h | 0 .../security_keychain}/CCallbackMgr.cp | 0 .../include/security_keychain}/CCallbackMgr.h | 0 OSX/include/security_keychain/Certificate.cpp | 1471 +++ .../include/security_keychain}/Certificate.h | 0 .../security_keychain}/CertificateRequest.cpp | 0 .../security_keychain}/CertificateRequest.h | 0 .../security_keychain/CertificateValues.cpp | 610 + .../security_keychain}/CertificateValues.h | 0 .../security_keychain}/DLDBListCFPref.cpp | 0 .../security_keychain}/DLDBListCFPref.h | 0 .../security_keychain}/DynamicDLDBList.cpp | 0 .../security_keychain}/DynamicDLDBList.h | 0 .../security_keychain}/ExtendedAttribute.cpp | 0 .../security_keychain}/ExtendedAttribute.h | 0 .../include/security_keychain}/Globals.cpp | 0 .../include/security_keychain}/Globals.h | 0 .../include/security_keychain}/Identity.cpp | 0 .../include/security_keychain}/Identity.h | 0 .../security_keychain}/IdentityCursor.cpp | 0 .../security_keychain}/IdentityCursor.h | 0 .../include/security_keychain}/Item.cpp | 0 .../include/security_keychain}/Item.h | 0 .../include/security_keychain}/KCCursor.cpp | 0 .../include/security_keychain}/KCCursor.h | 0 .../security_keychain}/KCEventNotifier.cpp | 0 .../security_keychain}/KCEventNotifier.h | 0 .../include/security_keychain}/KCExceptions.h | 0 .../security_keychain}/KCUtilities.cpp | 0 .../include/security_keychain}/KCUtilities.h | 0 OSX/include/security_keychain/KeyItem.cpp | 1420 +++ .../include/security_keychain}/KeyItem.h | 0 .../include/security_keychain}/Keychains.cpp | 0 OSX/include/security_keychain/Keychains.h | 267 + .../security_keychain}/MacOSErrorStrings.h | 0 .../include/security_keychain}/Password.cpp | 0 .../include/security_keychain}/Password.h | 0 OSX/include/security_keychain/Policies.cpp | 361 + .../include/security_keychain}/Policies.h | 0 .../security_keychain}/PolicyCursor.cpp | 0 
OSX/include/security_keychain/PolicyCursor.h | 93 + .../include/security_keychain}/PrimaryKey.cpp | 0 .../include/security_keychain}/PrimaryKey.h | 0 .../include/security_keychain}/SecACL.cpp | 0 OSX/include/security_keychain/SecACL.h | 228 + OSX/include/security_keychain/SecAccess.cpp | 715 ++ OSX/include/security_keychain/SecAccess.h | 221 + .../security_keychain}/SecAccessPriv.h | 0 .../security_keychain}/SecAsn1TypesP.h | 0 .../include/security_keychain}/SecBase.cpp | 0 OSX/include/security_keychain/SecBase.h | 655 ++ .../include/security_keychain}/SecBase64P.c | 0 .../include/security_keychain}/SecBase64P.h | 0 .../include/security_keychain}/SecBaseP.h | 0 .../include/security_keychain}/SecBasePriv.h | 0 OSX/include/security_keychain/SecBridge.h | 90 + .../include/security_keychain}/SecCFTypes.cpp | 0 .../include/security_keychain}/SecCFTypes.h | 0 .../security_keychain/SecCertificate.cpp | 1538 +++ .../security_keychain/SecCertificate.h | 480 + .../SecCertificateBundle.cpp | 0 .../security_keychain}/SecCertificateBundle.h | 0 .../SecCertificateInternalP.h | 312 + .../security_keychain/SecCertificateOIDs.h | 172 + .../security_keychain/SecCertificateP.c | 4743 ++++++++ .../security_keychain/SecCertificateP.h | 114 + .../security_keychain/SecCertificatePriv.h | 308 + .../security_keychain/SecCertificatePrivP.h | 176 + .../SecCertificateRequest.cpp | 0 .../SecCertificateRequest.h | 0 .../include/security_keychain}/SecExport.cpp | 0 .../security_keychain}/SecExternalRep.cpp | 0 .../security_keychain}/SecExternalRep.h | 0 .../SecFDERecoveryAsymmetricCrypto.cpp | 0 .../SecFDERecoveryAsymmetricCrypto.h | 0 OSX/include/security_keychain/SecFrameworkP.c | 274 + .../security_keychain}/SecFrameworkP.h | 0 OSX/include/security_keychain/SecIdentity.cpp | 1152 ++ OSX/include/security_keychain/SecIdentity.h | 204 + .../security_keychain}/SecIdentityPriv.h | 0 .../security_keychain/SecIdentitySearch.cpp | 118 + .../security_keychain/SecIdentitySearch.h | 91 + 
.../SecIdentitySearchPriv.h | 0 .../include/security_keychain}/SecImport.cpp | 0 .../security_keychain/SecImportExport.c | 335 + .../security_keychain/SecImportExport.h | 683 ++ .../security_keychain/SecImportExportAgg.cpp | 897 ++ .../security_keychain}/SecImportExportAgg.h | 0 .../SecImportExportCrypto.cpp | 0 .../SecImportExportCrypto.h | 0 .../SecImportExportOpenSSH.cpp | 0 .../SecImportExportOpenSSH.h | 0 .../security_keychain}/SecImportExportPem.cpp | 0 .../security_keychain}/SecImportExportPem.h | 0 .../SecImportExportPkcs8.cpp | 0 .../security_keychain}/SecImportExportPkcs8.h | 0 .../SecImportExportUtils.cpp | 0 .../security_keychain}/SecImportExportUtils.h | 0 .../include/security_keychain}/SecInternal.h | 0 .../include/security_keychain}/SecInternalP.h | 0 OSX/include/security_keychain/SecItem.cpp | 4998 +++++++++ OSX/include/security_keychain/SecItem.h | 1163 ++ .../security_keychain/SecItemConstants.c | 236 + OSX/include/security_keychain/SecItemPriv.h | 395 + OSX/include/security_keychain/SecKey.cpp | 2288 ++++ OSX/include/security_keychain/SecKey.h | 612 + OSX/include/security_keychain/SecKeyPriv.h | 397 + OSX/include/security_keychain/SecKeychain.cpp | 1283 +++ OSX/include/security_keychain/SecKeychain.h | 626 ++ .../SecKeychainAddIToolsPassword.cpp | 0 .../security_keychain/SecKeychainItem.cpp | 912 ++ .../security_keychain/SecKeychainItem.h | 332 + .../SecKeychainItemExtendedAttributes.cpp | 367 + .../SecKeychainItemExtendedAttributes.h | 0 .../security_keychain}/SecKeychainItemPriv.h | 0 .../security_keychain}/SecKeychainPriv.h | 0 .../security_keychain/SecKeychainSearch.cpp | 129 + .../security_keychain/SecKeychainSearch.h | 80 + .../SecKeychainSearchPriv.h | 0 .../SecNetscapeTemplates.cpp | 0 .../security_keychain}/SecNetscapeTemplates.h | 0 .../security_keychain}/SecPassword.cpp | 0 .../include/security_keychain}/SecPassword.h | 0 .../security_keychain}/SecPkcs8Templates.cpp | 0 .../security_keychain}/SecPkcs8Templates.h | 0 
OSX/include/security_keychain/SecPolicy.cpp | 963 ++ OSX/include/security_keychain/SecPolicy.h | 424 + OSX/include/security_keychain/SecPolicyPriv.h | 229 + .../security_keychain/SecPolicySearch.cpp | 111 + .../security_keychain/SecPolicySearch.h | 87 + .../include/security_keychain}/SecRSAKeyP.h | 0 .../include/security_keychain}/SecRandom.c | 0 OSX/include/security_keychain/SecRandom.h | 71 + .../include/security_keychain}/SecRandomP.h | 0 .../security_keychain}/SecRecoveryPassword.c | 0 .../security_keychain}/SecRecoveryPassword.h | 0 OSX/include/security_keychain/SecTrust.cpp | 1297 +++ OSX/include/security_keychain/SecTrust.h | 700 ++ OSX/include/security_keychain/SecTrustPriv.h | 181 + .../security_keychain/SecTrustSettings.cpp | 1030 ++ .../security_keychain/SecTrustSettings.h | 322 + .../SecTrustSettingsCertificates.h | 285 + .../security_keychain}/SecTrustSettingsPriv.h | 0 .../SecTrustedApplication.cpp | 213 + .../security_keychain/SecTrustedApplication.h | 85 + .../SecTrustedApplicationPriv.h | 0 .../security_keychain}/SecWrappedKeys.cpp | 0 OSX/include/security_keychain/Security.h | 106 + .../security_keychain}/StorageManager.cpp | 0 .../security_keychain}/StorageManager.h | 0 OSX/include/security_keychain/Trust.cpp | 943 ++ .../include/security_keychain}/Trust.h | 0 .../security_keychain/TrustAdditions.cpp | 1250 +++ .../security_keychain}/TrustAdditions.h | 0 .../include/security_keychain}/TrustItem.cpp | 0 .../include/security_keychain}/TrustItem.h | 0 .../security_keychain}/TrustKeychains.h | 0 .../security_keychain/TrustRevocation.cpp | 732 ++ .../security_keychain/TrustSettings.cpp | 1585 +++ .../security_keychain}/TrustSettings.h | 0 .../security_keychain}/TrustSettingsSchema.h | 0 .../security_keychain}/TrustSettingsUtils.cpp | 0 .../security_keychain}/TrustSettingsUtils.h | 0 .../include/security_keychain}/TrustStore.cpp | 0 .../include/security_keychain}/TrustStore.h | 0 .../security_keychain/TrustedApplication.cpp | 174 + 
.../security_keychain/TrustedApplication.h | 79 + .../security_keychain}/UnlockReferralItem.cpp | 0 .../security_keychain}/UnlockReferralItem.h | 0 .../security_keychain}/certextensionsP.h | 0 .../security_keychain}/cssmdatetime.cpp | 0 .../include/security_keychain}/cssmdatetime.h | 0 .../security_keychain}/defaultcreds.cpp | 0 .../include/security_keychain}/defaultcreds.h | 0 .../security_keychain}/generateErrStrings.pl | 0 .../security_keychain/security_keychain.exp | 761 ++ .../security_keychain}/tsaDERUtilities.c | 0 .../security_keychain}/tsaDERUtilities.h | 0 .../security_ocspd}/ocspExtensions.cpp | 0 .../include/security_ocspd}/ocspExtensions.h | 0 .../include/security_ocspd}/ocspResponse.cpp | 0 .../include/security_ocspd}/ocspResponse.h | 0 .../include/security_ocspd}/ocspdClient.h | 0 .../include/security_ocspd}/ocspdDbSchema.cpp | 0 .../include/security_ocspd}/ocspdDbSchema.h | 0 .../include/security_ocspd}/ocspdDebug.h | 0 .../include/security_ocspd}/ocspdTypes.h | 0 .../include/security_ocspd}/ocspdUtils.cpp | 0 .../include/security_ocspd}/ocspdUtils.h | 0 .../include/security_pkcs12}/SecPkcs12.cpp | 0 .../include/security_pkcs12}/SecPkcs12.h | 0 .../security_pkcs12}/pkcs12BagAttrs.cpp | 0 .../include/security_pkcs12}/pkcs12BagAttrs.h | 0 .../include/security_pkcs12}/pkcs12Coder.cpp | 0 .../include/security_pkcs12}/pkcs12Coder.h | 0 .../include/security_pkcs12}/pkcs12Crypto.cpp | 0 .../include/security_pkcs12}/pkcs12Crypto.h | 0 .../include/security_pkcs12}/pkcs12Debug.h | 0 .../include/security_pkcs12}/pkcs12Decode.cpp | 0 .../include/security_pkcs12}/pkcs12Encode.cpp | 0 .../security_pkcs12}/pkcs12Keychain.cpp | 0 .../security_pkcs12}/pkcs12SafeBag.cpp | 0 .../include/security_pkcs12}/pkcs12SafeBag.h | 0 .../security_pkcs12}/pkcs12Templates.cpp | 0 .../security_pkcs12}/pkcs12Templates.h | 0 .../include/security_pkcs12}/pkcs12Utils.cpp | 0 .../include/security_pkcs12}/pkcs12Utils.h | 0 .../security_pkcs12}/pkcs7Templates.cpp | 0 
.../include/security_pkcs12}/pkcs7Templates.h | 0 .../include/security_pkcs12}/pkcsoids.cpp | 0 .../include/security_pkcs12}/pkcsoids.h | 0 .../include/security_smime}/SecCMS.c | 0 .../include/security_smime}/SecCMS.h | 0 .../include/security_smime}/SecCmsBase.h | 0 .../security_smime}/SecCmsContentInfo.h | 0 .../include/security_smime}/SecCmsDecoder.h | 0 .../security_smime}/SecCmsDigestContext.h | 0 .../security_smime}/SecCmsDigestedData.h | 0 .../include/security_smime}/SecCmsEncoder.h | 0 .../security_smime}/SecCmsEncryptedData.h | 0 .../security_smime}/SecCmsEnvelopedData.h | 0 .../include/security_smime}/SecCmsMessage.h | 0 .../security_smime}/SecCmsRecipientInfo.h | 0 .../security_smime}/SecCmsSignedData.h | 0 .../security_smime}/SecCmsSignerInfo.h | 0 .../include/security_smime}/SecSMIME.h | 0 .../include/security_smime}/SecSMIMEPriv.h | 0 OSX/include/security_smime/cert.c | 854 ++ .../lib => OSX/include/security_smime}/cert.h | 0 .../include/security_smime}/cmsarray.c | 0 .../include/security_smime}/cmsasn1.c | 0 .../include/security_smime}/cmsattr.c | 0 .../include/security_smime}/cmscinfo.c | 0 .../include/security_smime}/cmscipher.c | 0 .../include/security_smime}/cmsdecode.c | 0 .../include/security_smime}/cmsdigdata.c | 0 .../include/security_smime}/cmsdigest.c | 0 .../include/security_smime}/cmsencdata.c | 0 .../include/security_smime}/cmsencode.c | 0 .../include/security_smime}/cmsenvdata.c | 0 .../include/security_smime}/cmslocal.h | 0 .../include/security_smime}/cmsmessage.c | 0 .../include/security_smime}/cmspriv.h | 0 OSX/include/security_smime/cmspubkey.c | 1449 +++ OSX/include/security_smime/cmsrecinfo.c | 716 ++ .../include/security_smime}/cmsreclist.c | 0 .../include/security_smime}/cmsreclist.h | 0 OSX/include/security_smime/cmssigdata.c | 1203 ++ OSX/include/security_smime/cmssiginfo.c | 1439 +++ .../include/security_smime}/cmstpriv.h | 0 .../include/security_smime}/cmsutil.c | 0 .../include/security_smime}/cryptohi.c | 0 
.../include/security_smime}/cryptohi.h | 0 .../include/security_smime}/plhash.c | 0 .../include/security_smime}/plhash.h | 0 .../include/security_smime}/secalgid.c | 0 .../include/security_smime}/secitem.c | 0 .../include/security_smime}/secitem.h | 0 .../include/security_smime}/secoid.c | 0 .../include/security_smime}/secoid.h | 0 .../include/security_smime}/secoidt.h | 0 .../security_smime}/security_smime.exp | 0 .../include/security_smime}/siginfoUtils.cpp | 0 .../include/security_smime}/smimeutil.c | 0 .../include/security_smime}/testcms | 0 OSX/include/security_smime/tsaSupport.c | 1412 +++ .../include/security_smime}/tsaSupport.h | 0 .../include/security_smime}/tsaSupportPriv.h | 0 .../include/security_smime}/tsaTemplates.c | 0 .../include/security_smime}/tsaTemplates.h | 0 .../security_utilities}/adornments.cpp | 0 .../include/security_utilities}/adornments.h | 0 .../include/security_utilities}/alloc.cpp | 0 .../include/security_utilities}/alloc.h | 0 .../include/security_utilities}/blob.cpp | 0 .../include/security_utilities}/blob.h | 0 .../security_utilities}/bufferfifo.cpp | 0 .../include/security_utilities}/bufferfifo.h | 0 .../include/security_utilities}/buffers.cpp | 0 .../include/security_utilities}/buffers.h | 0 .../include/security_utilities}/ccaudit.cpp | 0 .../include/security_utilities}/ccaudit.h | 0 .../include/security_utilities}/cfclass.cpp | 0 .../include/security_utilities}/cfclass.h | 0 OSX/include/security_utilities/cfmach++.cpp | 129 + .../include/security_utilities}/cfmach++.h | 0 .../include/security_utilities}/cfmunge.cpp | 0 .../include/security_utilities}/cfmunge.h | 0 .../security_utilities/cfutilities.cpp | 318 + OSX/include/security_utilities/cfutilities.h | 636 ++ .../security_utilities}/coderepository.cpp | 0 .../security_utilities}/coderepository.h | 0 .../include/security_utilities}/crc.c | 0 .../include/security_utilities}/crc.h | 0 .../include/security_utilities}/daemon.cpp | 0 .../include/security_utilities}/daemon.h | 0 
.../include/security_utilities}/debugging.cpp | 0 .../include/security_utilities}/debugging.h | 0 .../debugging_internal.cpp | 0 .../security_utilities}/debugging_internal.h | 0 .../security_utilities}/debugsupport.h | 0 .../include/security_utilities}/devrandom.cpp | 0 .../include/security_utilities}/devrandom.h | 0 .../include/security_utilities}/dispatch.cpp | 0 .../include/security_utilities}/dispatch.h | 0 .../include/security_utilities}/dtrace.mk | 0 .../security_utilities}/dyld_cache_format.h | 0 OSX/include/security_utilities/dyldcache.cpp | 146 + OSX/include/security_utilities/dyldcache.h | 160 + .../include/security_utilities}/endian.cpp | 0 .../include/security_utilities}/endian.h | 0 .../include/security_utilities}/errors.cpp | 0 .../include/security_utilities}/errors.h | 0 .../include/security_utilities}/exports | 0 .../include/security_utilities}/fdmover.cpp | 0 .../include/security_utilities}/fdmover.h | 0 .../include/security_utilities}/fdsel.cpp | 0 .../include/security_utilities}/fdsel.h | 0 .../security_utilities}/globalizer.cpp | 0 .../include/security_utilities}/globalizer.h | 0 OSX/include/security_utilities/hashing.cpp | 66 + OSX/include/security_utilities/hashing.h | 186 + .../include/security_utilities}/headermap.cpp | 0 .../include/security_utilities}/headermap.h | 0 .../include/security_utilities}/hosts.cpp | 0 .../include/security_utilities}/hosts.h | 0 .../include/security_utilities}/inetreply.cpp | 0 .../include/security_utilities}/inetreply.h | 0 .../include/security_utilities}/iodevices.cpp | 0 .../include/security_utilities}/iodevices.h | 0 .../include/security_utilities}/ip++.cpp | 0 .../include/security_utilities}/ip++.h | 0 .../include/security_utilities}/kq++.cpp | 0 .../include/security_utilities}/kq++.h | 0 .../include/security_utilities}/ktracecodes.h | 0 .../include/security_utilities}/logging.cpp | 0 .../include/security_utilities}/logging.h | 0 .../include/security_utilities}/mach++.cpp | 0 
.../include/security_utilities}/mach++.h | 0 OSX/include/security_utilities/mach_notify.c | 552 + .../include/security_utilities}/mach_notify.h | 0 OSX/include/security_utilities/macho++.cpp | 795 ++ OSX/include/security_utilities/macho++.h | 241 + .../security_utilities}/machrunloopserver.cpp | 0 .../security_utilities}/machrunloopserver.h | 0 .../security_utilities}/machserver.cpp | 0 .../include/security_utilities}/machserver.h | 0 .../include/security_utilities}/memstreams.h | 0 .../include/security_utilities}/memutils.h | 0 .../include/security_utilities}/muscle++.cpp | 0 .../include/security_utilities}/muscle++.h | 0 .../include/security_utilities}/osxcode.cpp | 0 .../include/security_utilities}/osxcode.h | 0 .../include/security_utilities}/pcsc++.cpp | 0 .../include/security_utilities}/pcsc++.h | 0 OSX/include/security_utilities/powerwatch.cpp | 256 + OSX/include/security_utilities/powerwatch.h | 114 + .../include/security_utilities}/refcount.h | 0 .../security_utilities}/seccfobject.cpp | 0 .../include/security_utilities}/seccfobject.h | 0 .../security_utilities}/security_utilities.d | 0 .../security_utilities}/security_utilities.h | 0 .../include/security_utilities}/selector.cpp | 0 .../include/security_utilities}/selector.h | 0 .../security_utilities}/simpleprefs.cpp | 0 .../include/security_utilities}/simpleprefs.h | 0 .../include/security_utilities}/socks++.cpp | 0 .../include/security_utilities}/socks++.h | 0 .../include/security_utilities}/socks++4.cpp | 0 .../include/security_utilities}/socks++4.h | 0 .../include/security_utilities}/socks++5.cpp | 0 .../include/security_utilities}/socks++5.h | 0 OSX/include/security_utilities/sqlite++.cpp | 442 + .../include/security_utilities}/sqlite++.h | 0 .../include/security_utilities}/streams.cpp | 0 .../include/security_utilities}/streams.h | 0 .../include/security_utilities}/superblob.cpp | 0 .../include/security_utilities}/superblob.h | 0 .../include/security_utilities}/threading.cpp | 0 
.../include/security_utilities}/threading.h | 0 .../security_utilities}/threading_internal.h | 0 .../include/security_utilities}/timeflow.cpp | 0 .../include/security_utilities}/timeflow.h | 0 .../include/security_utilities}/tqueue.cpp | 0 .../include/security_utilities}/tqueue.h | 0 .../security_utilities}/trackingallocator.cpp | 0 .../security_utilities}/trackingallocator.h | 0 .../security_utilities}/transactions.cpp | 0 .../security_utilities}/transactions.h | 0 .../security_utilities}/typedvalue.cpp | 0 .../include/security_utilities}/typedvalue.h | 0 OSX/include/security_utilities/unix++.cpp | 536 + .../include/security_utilities}/unix++.h | 0 .../include/security_utilities}/unixchild.cpp | 0 .../include/security_utilities}/unixchild.h | 0 .../include/security_utilities}/url.cpp | 0 .../include/security_utilities}/url.h | 0 .../include/security_utilities}/utilities.cpp | 0 .../include/security_utilities}/utilities.h | 0 .../security_utilities}/utility_config.h | 0 .../include/security_utilities}/vproc++.cpp | 0 .../include/security_utilities}/vproc++.h | 0 .../securityd_client}/SharedMemoryClient.cpp | 0 .../securityd_client}/SharedMemoryClient.h | 0 .../securityd_client}/SharedMemoryCommon.h | 0 .../include/securityd_client}/dictionary.cpp | 0 .../include/securityd_client}/dictionary.h | 0 .../securityd_client}/eventlistener.cpp | 0 .../include/securityd_client}/eventlistener.h | 0 .../include/securityd_client}/handletypes.h | 0 .../include/securityd_client}/sec_xdr.c | 0 .../include/securityd_client}/sec_xdr.h | 0 .../include/securityd_client}/sec_xdr_array.c | 0 .../securityd_client}/sec_xdr_reference.c | 0 .../securityd_client}/sec_xdr_sizeof.c | 0 .../include/securityd_client}/sec_xdrmem.c | 0 .../include/securityd_client}/ss_types.h | 0 .../include/securityd_client}/ssblob.cpp | 0 .../include/securityd_client}/ssblob.h | 0 .../include/securityd_client}/ssclient.cpp | 0 OSX/include/securityd_client/ssclient.h | 450 + 
.../include/securityd_client}/sscommon.h | 0 .../include/securityd_client}/ssnotify.h | 0 .../include/securityd_client}/sstransit.cpp | 0 .../include/securityd_client}/sstransit.h | 0 OSX/include/securityd_client/transition.cpp | 1045 ++ .../include/securityd_client}/ucsp_types.h | 0 .../include/securityd_client}/xdr_auth.c | 0 .../include/securityd_client}/xdr_auth.h | 0 .../include/securityd_client}/xdr_cssm.c | 0 .../include/securityd_client}/xdr_cssm.h | 0 .../include/securityd_client}/xdr_dldb.cpp | 0 .../include/securityd_client}/xdr_dldb.h | 0 OSX/lib/AppWorkaround.plist | 30 + {Security => OSX}/lib/FDEPrefs.plist | 0 {Security => OSX}/lib/Info-Security.plist | 0 {Security => OSX}/lib/Security.order | 0 {Security => OSX}/lib/TimeStampingPrefs.plist | 0 {Security => OSX}/lib/copy_pieces.mk | 0 {Security => OSX}/lib/dummy.cpp | 0 .../lib/en.lproj/FDELocalizable.strings | 0 .../lib/en.lproj/InfoPlist.strings | Bin .../en.lproj/authorization.buttons.strings | 2 + .../en.lproj/authorization.prompts.strings | 6 +- OSX/lib/framework.sb | 4 + OSX/lib/generateErrStrings.pl | 343 + .../lib/plugins/csparser-Info.plist | 0 {Security => OSX}/lib/plugins/csparser.cpp | 0 {Security => OSX}/lib/plugins/csparser.exp | 0 {Security => OSX}/lib/security.exp-in | 150 +- .../Info-security_apple_csp.plist | 0 .../libsecurity_apple_csp/README | 0 {Security => OSX}/libsecurity_apple_csp/TODO | 0 .../docs/libsecurity_apple_csp.plist | 0 .../docs/libsecurity_apple_csp.txt | 0 .../libsecurity_apple_csp/lib/AppleCSP.cpp | 0 .../libsecurity_apple_csp/lib/AppleCSP.h | 0 .../lib/AppleCSPBuiltin.cpp | 0 .../lib/AppleCSPContext.cpp | 0 .../lib/AppleCSPContext.h | 0 .../lib/AppleCSPKeys.cpp | 0 .../libsecurity_apple_csp/lib/AppleCSPKeys.h | 0 .../lib/AppleCSPPlugin.cpp | 0 .../lib/AppleCSPSession.h | 0 .../lib/AppleCSPUtils.cpp | 0 .../libsecurity_apple_csp/lib/AppleCSPUtils.h | 0 .../libsecurity_apple_csp/lib/BinaryKey.h | 0 .../lib/BlockCryptor.cpp | 0 
.../libsecurity_apple_csp/lib/BlockCryptor.h | 0 .../libsecurity_apple_csp/lib/CryptKitSpace.h | 0 .../libsecurity_apple_csp/lib/DH_csp.cpp | 0 .../libsecurity_apple_csp/lib/DH_csp.h | 0 .../libsecurity_apple_csp/lib/DH_exchange.cpp | 0 .../libsecurity_apple_csp/lib/DH_exchange.h | 0 .../libsecurity_apple_csp/lib/DH_keys.cpp | 0 .../libsecurity_apple_csp/lib/DH_keys.h | 0 .../libsecurity_apple_csp/lib/DH_utils.cpp | 0 .../libsecurity_apple_csp/lib/DH_utils.h | 0 .../lib/DigestContext.cpp | 0 .../libsecurity_apple_csp/lib/DigestContext.h | 0 .../lib/FEEAsymmetricContext.cpp | 0 .../lib/FEEAsymmetricContext.h | 0 .../libsecurity_apple_csp/lib/FEECSPUtils.cpp | 0 .../libsecurity_apple_csp/lib/FEECSPUtils.h | 0 .../libsecurity_apple_csp/lib/FEEKeys.cpp | 0 .../libsecurity_apple_csp/lib/FEEKeys.h | 0 .../lib/FEESignatureObject.cpp | 23 +- .../lib/FEESignatureObject.h | 9 +- .../libsecurity_apple_csp/lib/HMACSHA1.c | 0 .../libsecurity_apple_csp/lib/HMACSHA1.h | 0 .../libsecurity_apple_csp/lib/MD2Object.cpp | 0 .../libsecurity_apple_csp/lib/MD2Object.h | 0 .../libsecurity_apple_csp/lib/MacContext.cpp | 0 .../libsecurity_apple_csp/lib/MacContext.h | 0 .../libsecurity_apple_csp/lib/NullCryptor.h | 0 .../libsecurity_apple_csp/lib/RSA_DSA_csp.cpp | 0 .../libsecurity_apple_csp/lib/RSA_DSA_csp.h | 0 .../lib/RSA_DSA_keys.cpp | 0 .../libsecurity_apple_csp/lib/RSA_DSA_keys.h | 2 +- .../lib/RSA_DSA_signature.cpp | 0 .../lib/RSA_DSA_signature.h | 0 .../lib/RSA_DSA_utils.cpp | 4 + .../libsecurity_apple_csp/lib/RSA_DSA_utils.h | 0 .../lib/RSA_asymmetric.cpp | 0 .../lib/RSA_asymmetric.h | 0 .../libsecurity_apple_csp/lib/RawSigner.h | 0 .../lib/SHA1_MD5_Object.cpp | 0 .../lib/SHA1_MD5_Object.h | 0 .../libsecurity_apple_csp/lib/SHA2_Object.cpp | 0 .../libsecurity_apple_csp/lib/SHA2_Object.h | 0 .../lib/SignatureContext.cpp | 0 .../lib/SignatureContext.h | 0 .../lib/YarrowConnection.cpp | 0 .../lib/YarrowConnection.h | 0 .../libsecurity_apple_csp/lib/aesCommon.h | 0 
.../libsecurity_apple_csp/lib/aescsp.cpp | 0 .../libsecurity_apple_csp/lib/aescspi.h | 0 .../libsecurity_apple_csp/lib/algmaker.cpp | 0 .../libsecurity_apple_csp/lib/ascContext.cpp | 0 .../libsecurity_apple_csp/lib/ascContext.h | 0 .../libsecurity_apple_csp/lib/ascFactory.h | 0 .../libsecurity_apple_csp/lib/bfContext.cpp | 0 .../libsecurity_apple_csp/lib/bfContext.h | 0 .../libsecurity_apple_csp/lib/boxes-ref.c | 0 .../libsecurity_apple_csp/lib/boxes-ref.h | 0 .../lib/bsafeAsymmetric.cpp | 0 .../lib/bsafeContext.cpp | 0 .../libsecurity_apple_csp/lib/bsafeKeyGen.cpp | 0 .../libsecurity_apple_csp/lib/bsafePKCS1.cpp | 0 .../libsecurity_apple_csp/lib/bsafePKCS1.h | 0 .../lib/bsafeSymmetric.cpp | 0 .../libsecurity_apple_csp/lib/bsafecsp.h | 0 .../libsecurity_apple_csp/lib/bsafecspi.h | 0 .../libsecurity_apple_csp/lib/bsobjects.h | 0 .../libsecurity_apple_csp/lib/castContext.cpp | 0 .../libsecurity_apple_csp/lib/castContext.h | 0 .../libsecurity_apple_csp/lib/cryptkitcsp.cpp | 0 .../libsecurity_apple_csp/lib/cryptkitcsp.h | 0 .../libsecurity_apple_csp/lib/cspdebugging.c | 0 .../libsecurity_apple_csp/lib/cspdebugging.h | 0 .../libsecurity_apple_csp/lib/cssmplugin.exp | 0 .../libsecurity_apple_csp/lib/deriveKey.cpp | 0 .../libsecurity_apple_csp/lib/desContext.cpp | 0 .../libsecurity_apple_csp/lib/desContext.h | 0 .../lib/gladmanContext.cpp | 0 .../lib/gladmanContext.h | 0 .../libsecurity_apple_csp/lib/memory.cpp | 0 .../lib/miscAlgFactory.cpp | 0 .../lib/miscAlgFactory.h | 0 .../lib/miscalgorithms.cpp | 0 .../lib/opensshCoding.cpp | 0 .../libsecurity_apple_csp/lib/opensshCoding.h | 0 .../libsecurity_apple_csp/lib/opensshWrap.cpp | 0 .../libsecurity_apple_csp/lib/pbkdDigest.cpp | 0 .../libsecurity_apple_csp/lib/pbkdDigest.h | 0 .../libsecurity_apple_csp/lib/pbkdf2.c | 0 .../libsecurity_apple_csp/lib/pbkdf2.h | 0 .../lib/pkcs12Derive.cpp | 0 .../libsecurity_apple_csp/lib/pkcs12Derive.h | 0 .../libsecurity_apple_csp/lib/pkcs8.cpp | 0 .../libsecurity_apple_csp/lib/pkcs8.h | 0 
.../libsecurity_apple_csp/lib/rc2Context.cpp | 0 .../libsecurity_apple_csp/lib/rc2Context.h | 0 .../libsecurity_apple_csp/lib/rc4Context.cpp | 0 .../libsecurity_apple_csp/lib/rc4Context.h | 0 .../libsecurity_apple_csp/lib/rc5Context.cpp | 0 .../libsecurity_apple_csp/lib/rc5Context.h | 0 .../lib/rijndael-alg-ref.c | 0 .../lib/rijndael-alg-ref.h | 0 .../libsecurity_apple_csp/lib/rijndaelApi.c | 0 .../libsecurity_apple_csp/lib/rijndaelApi.h | 0 .../lib/vRijndael-alg-ref.c | 0 .../libsecurity_apple_csp/lib/wrapKey.cpp | 0 .../libsecurity_apple_csp/lib/wrapKeyCms.cpp | 0 .../project.pbxproj | 1486 +++ .../mds/csp_capabilities.mdsinfo | 0 .../mds/csp_capabilities_common.mds | 0 .../mds/csp_common.mdsinfo | 0 .../mds/csp_primary.mdsinfo | 0 .../libsecurity_apple_csp/open_ssl/LICENSE | 0 .../open_ssl/bf/COPYRIGHT | 0 .../libsecurity_apple_csp/open_ssl/bf/README | 0 .../open_ssl/bf/bf_ecb.c | 0 .../open_ssl/bf/bf_enc.c | 0 .../open_ssl/bf/bf_locl.h | 0 .../libsecurity_apple_csp/open_ssl/bf/bf_pi.h | 0 .../open_ssl/bf/bf_skey.c | 0 .../open_ssl/bio/bio_lib.c | 0 .../open_ssl/bio/bss_file.c | 0 .../open_ssl/bn/bn_add.c | 0 .../open_ssl/bn/bn_asm.c | 0 .../open_ssl/bn/bn_blind.c | 0 .../open_ssl/bn/bn_ctx.c | 0 .../open_ssl/bn/bn_div.c | 0 .../open_ssl/bn/bn_err.c | 0 .../open_ssl/bn/bn_exp.c | 0 .../open_ssl/bn/bn_exp2.c | 0 .../open_ssl/bn/bn_gcd.c | 0 .../open_ssl/bn/bn_lcl.h | 0 .../open_ssl/bn/bn_lib.c | 0 .../open_ssl/bn/bn_mont.c | 0 .../open_ssl/bn/bn_mpi.c | 0 .../open_ssl/bn/bn_mul.c | 0 .../open_ssl/bn/bn_prime.c | 0 .../open_ssl/bn/bn_prime.h | 0 .../open_ssl/bn/bn_print.c | 0 .../open_ssl/bn/bn_rand.c | 0 .../open_ssl/bn/bn_recp.c | 0 .../open_ssl/bn/bn_shift.c | 0 .../open_ssl/bn/bn_sqr.c | 0 .../open_ssl/bn/bn_word.c | 0 .../open_ssl/bn/bnspeed.c | 0 .../open_ssl/bn/bntest.c | 0 .../open_ssl/bn/divtest.c | 0 .../libsecurity_apple_csp/open_ssl/bn/exp.c | 0 .../open_ssl/bn/expspeed.c | 0 .../open_ssl/bn/exptest.c | 0 .../open_ssl/bn/vms-helper.c | 0 
.../open_ssl/buffer/buf_err.c | 0 .../open_ssl/buffer/buffer.c | 0 .../libsecurity_apple_csp/open_ssl/cryptlib.c | 0 .../libsecurity_apple_csp/open_ssl/cryptlib.h | 0 .../open_ssl/dh/dh_check.c | 0 .../open_ssl/dh/dh_err.c | 0 .../open_ssl/dh/dh_gen.c | 0 .../open_ssl/dh/dh_key.c | 0 .../open_ssl/dh/dh_lib.c | 0 .../open_ssl/dsa/dsa_asn1.c | 0 .../open_ssl/dsa/dsa_err.c | 0 .../open_ssl/dsa/dsa_gen.c | 0 .../open_ssl/dsa/dsa_key.c | 0 .../open_ssl/dsa/dsa_lib.c | 0 .../open_ssl/dsa/dsa_ossl.c | 0 .../open_ssl/dsa/dsa_sign.c | 0 .../open_ssl/dsa/dsa_vrf.c | 0 .../libsecurity_apple_csp/open_ssl/err/err.c | 0 .../open_ssl/err/err_prn.c | 0 .../libsecurity_apple_csp/open_ssl/ex_data.c | 0 .../open_ssl/lhash/lhash.c | 0 .../libsecurity_apple_csp/open_ssl/mem.c | 0 .../open_ssl/misc/rc2_cbc.c | 0 .../open_ssl/misc/rc2_locl.h | 0 .../open_ssl/misc/rc2_skey.c | 0 .../open_ssl/misc/rc5_enc.c | 0 .../open_ssl/misc/rc5_locl.h | 0 .../open_ssl/misc/rc5_skey.c | 0 .../open_ssl/openssl/asn1.h | 0 .../open_ssl/openssl/bio.h | 0 .../open_ssl/openssl/blowfish.h | 0 .../open_ssl/openssl/bn.h | 0 .../open_ssl/openssl/buffer.h | 0 .../open_ssl/openssl/cast.h | 0 .../open_ssl/openssl/crypto.h | 0 .../open_ssl/openssl/dh.h | 0 .../open_ssl/openssl/dsa.h | 0 .../open_ssl/openssl/e_os.h | 0 .../open_ssl/openssl/e_os2.h | 0 .../open_ssl/openssl/err.h | 0 .../open_ssl/openssl/evp.h | 0 .../open_ssl/openssl/lhash.h | 0 .../open_ssl/openssl/objects.h | 0 .../open_ssl/openssl/openssl_pkcs7.h | 0 .../open_ssl/openssl/opensslconf.h | 0 .../open_ssl/openssl/opensslv.h | 0 .../open_ssl/openssl/rand.h | 0 .../open_ssl/openssl/rc2.h | 0 .../open_ssl/openssl/rc5.h | 0 .../open_ssl/openssl/rsa.h | 0 .../open_ssl/openssl/safestack.h | 0 .../open_ssl/openssl/stack.h | 0 .../open_ssl/openssl/x509.h | 0 .../open_ssl/openssl/x509_vfy.h | 0 .../open_ssl/opensslUtils/opensslAsn1.cpp | 0 .../open_ssl/opensslUtils/opensslAsn1.h | 0 .../open_ssl/opensslUtils/opensslUtils.cpp | 0 
.../open_ssl/opensslUtils/opensslUtils.h | 0 .../open_ssl/rsa/rsa_chk.c | 0 .../open_ssl/rsa/rsa_eay.c | 0 .../open_ssl/rsa/rsa_err.c | 0 .../open_ssl/rsa/rsa_gen.c | 0 .../open_ssl/rsa/rsa_lib.c | 0 .../open_ssl/rsa/rsa_none.c | 0 .../open_ssl/rsa/rsa_null.c | 0 .../open_ssl/rsa/rsa_pk1.c | 0 .../open_ssl/rsa/rsa_saos.c | 0 .../open_ssl/rsa/rsa_sign.c | 0 .../open_ssl/rsa/rsa_ssl.c | 0 .../open_ssl/stack/stack.c | 0 .../libsecurity_apple_csp/tests/t-dsa.cpp | 0 .../libsecurity_apple_csp/tests/t-rsa.cpp | 0 .../libsecurity_apple_csp/tests/t.cpp | 0 .../Info-security_apple_cspdl.plist | 0 .../lib/AppleCSPDLBuiltin.cpp | 0 .../lib/AppleCSPDLPlugin.cpp | 0 .../lib/CSPDLDatabase.cpp | 0 .../lib/CSPDLDatabase.h | 0 .../lib/CSPDLPlugin.cpp | 0 .../libsecurity_apple_cspdl/lib/CSPDLPlugin.h | 0 .../lib/SSCSPDLSession.cpp | 0 .../lib/SSCSPDLSession.h | 0 .../lib/SSCSPSession.cpp | 2 +- .../lib/SSCSPSession.h | 0 .../libsecurity_apple_cspdl/lib/SSContext.cpp | 0 .../libsecurity_apple_cspdl/lib/SSContext.h | 0 .../lib/SSDLSession.cpp | 0 .../libsecurity_apple_cspdl/lib/SSDLSession.h | 0 .../lib/SSDatabase.cpp | 0 .../libsecurity_apple_cspdl/lib/SSDatabase.h | 0 .../libsecurity_apple_cspdl/lib/SSFactory.cpp | 0 .../libsecurity_apple_cspdl/lib/SSFactory.h | 0 .../libsecurity_apple_cspdl/lib/SSKey.cpp | 0 .../libsecurity_apple_cspdl/lib/SSKey.h | 2 +- .../project.pbxproj | 345 + .../mds/cspdl_common.mdsinfo | 0 .../mds/cspdl_csp_capabilities.mdsinfo | 0 .../mds/cspdl_csp_primary.mdsinfo | 0 .../mds/cspdl_dl_primary.mdsinfo | 0 .../Info-security_apple_file_dl.plist | 0 .../libsecurity_apple_file_dl/TODO | 0 .../libsecurity_apple_file_dl/doc/FORMAT | 0 .../libsecurity_apple_file_dl/doc/ISSUES | 0 .../lib/AppleDLBuiltin.cpp | 0 .../lib/AppleDLPlugin.cpp | 0 .../lib/AppleFileDL.cpp | 0 .../lib/AppleFileDL.h | 0 .../project.pbxproj | 278 + .../mds/dl_common.mdsinfo | 0 .../mds/dl_primary.mdsinfo | 0 .../Info-plugin_apple_x509_cl.plist | 0 .../Info-security_apple_x509_cl.plist | 0 
.../libsecurity_apple_x509_cl/TODO | 0 .../lib/AppleX509CL.cpp | 0 .../lib/AppleX509CL.h | 0 .../lib/AppleX509CLBuiltin.cpp | 0 .../lib/AppleX509CLPlugin.cpp | 0 .../lib/AppleX509CLSession.cpp | 0 .../lib/AppleX509CLSession.h | 0 .../lib/CLCachedEntry.cpp | 0 .../lib/CLCachedEntry.h | 0 .../lib/CLCertExtensions.cpp | 0 .../lib/CLCertExtensions.h | 0 .../lib/CLCrlExtensions.cpp | 0 .../lib/CLCrlExtensions.h | 0 .../lib/CLFieldsCommon.cpp | 0 .../lib/CLFieldsCommon.h | 0 .../lib/CSPAttacher.cpp | 0 .../lib/CSPAttacher.h | 0 .../lib/CertFields.cpp | 0 .../lib/CrlFields.cpp | 0 .../lib/DecodedCert.cpp | 0 .../lib/DecodedCert.h | 0 .../lib/DecodedCrl.cpp | 0 .../lib/DecodedCrl.h | 0 .../lib/DecodedExtensions.cpp | 0 .../lib/DecodedExtensions.h | 0 .../lib/DecodedItem.cpp | 0 .../lib/DecodedItem.h | 0 .../libsecurity_apple_x509_cl/lib/LockedMap.h | 0 .../lib/Session_CRL.cpp | 0 .../lib/Session_CSR.cpp | 0 .../lib/Session_Cert.cpp | 0 .../lib/Session_Crypto.cpp | 0 .../lib/clNameUtils.cpp | 0 .../lib/clNameUtils.h | 0 .../lib/clNssUtils.cpp | 0 .../lib/clNssUtils.h | 0 .../lib/cldebugging.h | 0 .../project.pbxproj | 503 + .../mds/cl_common.mdsinfo | 0 .../mds/cl_primary.mdsinfo | 0 .../Info-security_apple_x509_tp.plist | 0 .../libsecurity_apple_x509_tp/lib/AppleTP.cpp | 0 .../libsecurity_apple_x509_tp/lib/AppleTP.h | 0 .../lib/AppleTPSession.cpp | 0 .../lib/AppleTPSession.h | 0 .../lib/AppleX509TPBuiltin.cpp | 0 .../lib/AppleX509TPPlugin.cpp | 0 .../lib/TPCertInfo.cpp | 21 +- .../lib/TPCertInfo.h | 3 + .../lib/TPCrlInfo.cpp | 137 +- .../libsecurity_apple_x509_tp/lib/TPCrlInfo.h | 0 .../lib/TPDatabase.cpp | 0 .../lib/TPDatabase.h | 0 .../lib/TPNetwork.cpp | 0 .../libsecurity_apple_x509_tp/lib/TPNetwork.h | 0 .../lib/certGroupUtils.cpp | 0 .../lib/certGroupUtils.h | 0 .../libsecurity_apple_x509_tp/lib/cuEnc64.c | 0 .../libsecurity_apple_x509_tp/lib/cuEnc64.h | 0 .../lib/ocspRequest.cpp | 0 .../lib/ocspRequest.h | 0 .../lib/tpCertAllowList.c | 222 + .../lib/tpCertAllowList.h 
| 0 .../lib/tpCertGroup.cpp | 0 .../lib/tpCredRequest.cpp | 0 .../lib/tpCrlVerify.cpp | 0 .../lib/tpCrlVerify.h | 0 .../lib/tpOcspCache.cpp | 0 .../lib/tpOcspCache.h | 0 .../lib/tpOcspCertVfy.cpp | 43 +- .../lib/tpOcspCertVfy.h | 0 .../lib/tpOcspVerify.cpp | 3 +- .../lib/tpOcspVerify.h | 0 .../lib/tpPolicies.cpp | 0 .../lib/tpPolicies.h | 0 .../libsecurity_apple_x509_tp/lib/tpTime.c | 0 .../libsecurity_apple_x509_tp/lib/tpTime.h | 0 .../lib/tpdebugging.h | 0 .../project.pbxproj | 417 + .../mds/tp_common.mdsinfo | 0 .../mds/tp_policyOids.mdsinfo | 0 .../mds/tp_primary.mdsinfo | 0 .../libsecurity_asn1/APPLE_LICENSE | 0 .../libsecurity_asn1/CHANGES.Apple | 0 .../libsecurity_asn1/Info-security_asn1.plist | 0 {Security => OSX}/libsecurity_asn1/Makefile | 0 .../MozillaPublicLicense1.1.html | 0 OSX/libsecurity_asn1/Security/SecAsn1Coder.c | 225 + OSX/libsecurity_asn1/Security/SecAsn1Coder.h | 153 + .../Security/SecAsn1Templates.c | 373 + .../Security/SecAsn1Templates.h | 135 + OSX/libsecurity_asn1/Security/SecAsn1Types.h | 244 + OSX/libsecurity_asn1/Security/SecNssCoder.cpp | 207 + OSX/libsecurity_asn1/Security/SecNssCoder.h | 164 + OSX/libsecurity_asn1/Security/X509Templates.c | 222 + OSX/libsecurity_asn1/Security/X509Templates.h | 199 + OSX/libsecurity_asn1/Security/asn1Templates.h | 33 + .../Security/certExtensionTemplates.c | 322 + .../Security/certExtensionTemplates.h | 274 + OSX/libsecurity_asn1/Security/csrTemplates.c | 69 + OSX/libsecurity_asn1/Security/csrTemplates.h | 77 + OSX/libsecurity_asn1/Security/keyTemplates.c | 225 + OSX/libsecurity_asn1/Security/keyTemplates.h | 276 + OSX/libsecurity_asn1/Security/nameTemplates.c | 262 + OSX/libsecurity_asn1/Security/nameTemplates.h | 195 + OSX/libsecurity_asn1/Security/nsprPortX.c | 250 + OSX/libsecurity_asn1/Security/nssUtils.c | 68 + OSX/libsecurity_asn1/Security/nssUtils.h | 54 + OSX/libsecurity_asn1/Security/nssilckt.h | 220 + OSX/libsecurity_asn1/Security/nssilock.h | 316 + OSX/libsecurity_asn1/Security/nsslocks.h 
| 67 + OSX/libsecurity_asn1/Security/ocspTemplates.c | 298 + OSX/libsecurity_asn1/Security/ocspTemplates.h | 337 + OSX/libsecurity_asn1/Security/oidsalg.c | 501 + OSX/libsecurity_asn1/Security/oidsalg.h | 167 + OSX/libsecurity_asn1/Security/oidsattr.c | 506 + OSX/libsecurity_asn1/Security/oidsattr.h | 225 + OSX/libsecurity_asn1/Security/oidsbase.h | 363 + OSX/libsecurity_asn1/Security/oidsocsp.c | 43 + OSX/libsecurity_asn1/Security/oidsocsp.h | 51 + .../Security/osKeyTemplates.c | 163 + .../Security/osKeyTemplates.h | 208 + .../Security/pkcs12Templates.c | 289 + .../Security/pkcs12Templates.h | 284 + .../Security/pkcs7Templates.c | 162 + .../Security/pkcs7Templates.h | 165 + OSX/libsecurity_asn1/Security/plarena.c | 423 + OSX/libsecurity_asn1/Security/plarena.h | 222 + OSX/libsecurity_asn1/Security/plarenas.h | 126 + OSX/libsecurity_asn1/Security/plstr.h | 467 + OSX/libsecurity_asn1/Security/prbit.h | 108 + OSX/libsecurity_asn1/Security/prcpucfg.h | 192 + OSX/libsecurity_asn1/Security/prcvar.h | 123 + OSX/libsecurity_asn1/Security/prenv.h | 154 + OSX/libsecurity_asn1/Security/prerr.h | 275 + OSX/libsecurity_asn1/Security/prerror.h | 323 + OSX/libsecurity_asn1/Security/prinit.h | 240 + OSX/libsecurity_asn1/Security/prinrval.h | 172 + OSX/libsecurity_asn1/Security/prlock.h | 123 + OSX/libsecurity_asn1/Security/prlog.h | 262 + OSX/libsecurity_asn1/Security/prlong.h | 425 + OSX/libsecurity_asn1/Security/prmem.h | 156 + OSX/libsecurity_asn1/Security/prmon.h | 110 + OSX/libsecurity_asn1/Security/protypes.h | 251 + OSX/libsecurity_asn1/Security/prthread.h | 283 + OSX/libsecurity_asn1/Security/prtime.h | 295 + OSX/libsecurity_asn1/Security/prtypes.h | 570 + OSX/libsecurity_asn1/Security/prvrsion.h | 134 + OSX/libsecurity_asn1/Security/secErrorStr.c | 208 + OSX/libsecurity_asn1/Security/secasn1.h | 219 + OSX/libsecurity_asn1/Security/secasn1d.c | 3167 ++++++ OSX/libsecurity_asn1/Security/secasn1e.c | 1646 +++ OSX/libsecurity_asn1/Security/secasn1t.h | 143 + 
OSX/libsecurity_asn1/Security/secasn1u.c | 115 + OSX/libsecurity_asn1/Security/seccomon.h | 125 + OSX/libsecurity_asn1/Security/secerr.h | 206 + OSX/libsecurity_asn1/Security/secport.c | 669 ++ OSX/libsecurity_asn1/Security/secport.h | 290 + .../Security/security_asn1.exp | 166 + .../libsecurity_asn1/asn1/README | 0 .../libsecurity_asn1/asn1/appleoids.asn | 0 .../libsecurity_asn1/asn1/asn-useful.asn1 | 0 .../libsecurity_asn1/asn1/pkcs1.asn1 | 0 .../libsecurity_asn1/asn1/pkcs10.asn | 0 .../libsecurity_asn1/asn1/pkcs1oids.asn | 0 .../libsecurity_asn1/asn1/pkcs5.asn1 | 0 .../libsecurity_asn1/asn1/pkcs7.asn | 0 .../libsecurity_asn1/asn1/pkcs8.asn | 0 .../libsecurity_asn1/asn1/pkcs9oids.asn | 0 .../libsecurity_asn1/asn1/rfc3161.asn1 | 0 .../libsecurity_asn1/asn1/sm_cms.asn | 0 .../libsecurity_asn1/asn1/sm_ess.asn | 0 .../libsecurity_asn1/asn1/sm_vdatypes.asn | 0 .../libsecurity_asn1/asn1/sm_x411mtsas.asn | 0 .../libsecurity_asn1/asn1/sm_x411ub.asn | 0 .../libsecurity_asn1/asn1/sm_x501if.asn | 0 .../libsecurity_asn1/asn1/sm_x501ud.asn | 0 .../libsecurity_asn1/asn1/sm_x509af.asn | 0 .../libsecurity_asn1/asn1/sm_x509ce.asn | 0 .../libsecurity_asn1/asn1/sm_x509cmn.asn | 0 .../libsecurity_asn1/asn1/sm_x520sa.asn | 0 OSX/libsecurity_asn1/config/base.xcconfig | 11 + .../libsecurity_asn1/config/debug.xcconfig | 0 .../libsecurity_asn1/config/lib.xcconfig | 0 .../libsecurity_asn1/config/release.xcconfig | 0 .../docs/libsecurity_asn1.plist | 0 .../docs/libsecurity_asn1.txt | 0 OSX/libsecurity_asn1/lib/SecAsn1Coder.c | 225 + OSX/libsecurity_asn1/lib/SecAsn1Coder.h | 153 + OSX/libsecurity_asn1/lib/SecAsn1Templates.c | 373 + OSX/libsecurity_asn1/lib/SecAsn1Templates.h | 135 + OSX/libsecurity_asn1/lib/SecAsn1Types.h | 244 + OSX/libsecurity_asn1/lib/SecNssCoder.cpp | 207 + OSX/libsecurity_asn1/lib/SecNssCoder.h | 164 + OSX/libsecurity_asn1/lib/X509Templates.c | 222 + OSX/libsecurity_asn1/lib/X509Templates.h | 199 + OSX/libsecurity_asn1/lib/asn1Templates.h | 33 + 
.../lib/certExtensionTemplates.c | 322 + .../lib/certExtensionTemplates.h | 274 + OSX/libsecurity_asn1/lib/csrTemplates.c | 69 + OSX/libsecurity_asn1/lib/csrTemplates.h | 77 + OSX/libsecurity_asn1/lib/keyTemplates.c | 225 + OSX/libsecurity_asn1/lib/keyTemplates.h | 276 + OSX/libsecurity_asn1/lib/nameTemplates.c | 262 + OSX/libsecurity_asn1/lib/nameTemplates.h | 195 + OSX/libsecurity_asn1/lib/nsprPortX.c | 250 + OSX/libsecurity_asn1/lib/nssUtils.c | 68 + OSX/libsecurity_asn1/lib/nssUtils.h | 54 + OSX/libsecurity_asn1/lib/nssilckt.h | 220 + OSX/libsecurity_asn1/lib/nssilock.h | 316 + OSX/libsecurity_asn1/lib/nsslocks.h | 67 + OSX/libsecurity_asn1/lib/ocspTemplates.c | 298 + OSX/libsecurity_asn1/lib/ocspTemplates.h | 337 + OSX/libsecurity_asn1/lib/oidsalg.c | 501 + OSX/libsecurity_asn1/lib/oidsalg.h | 167 + OSX/libsecurity_asn1/lib/oidsattr.c | 506 + OSX/libsecurity_asn1/lib/oidsattr.h | 225 + OSX/libsecurity_asn1/lib/oidsbase.h | 363 + OSX/libsecurity_asn1/lib/oidsocsp.c | 43 + OSX/libsecurity_asn1/lib/oidsocsp.h | 51 + OSX/libsecurity_asn1/lib/osKeyTemplates.c | 163 + OSX/libsecurity_asn1/lib/osKeyTemplates.h | 208 + OSX/libsecurity_asn1/lib/pkcs12Templates.c | 289 + OSX/libsecurity_asn1/lib/pkcs12Templates.h | 284 + OSX/libsecurity_asn1/lib/pkcs7Templates.c | 162 + OSX/libsecurity_asn1/lib/pkcs7Templates.h | 165 + OSX/libsecurity_asn1/lib/plarena.c | 423 + OSX/libsecurity_asn1/lib/plarena.h | 222 + OSX/libsecurity_asn1/lib/plarenas.h | 126 + OSX/libsecurity_asn1/lib/plstr.h | 467 + OSX/libsecurity_asn1/lib/prbit.h | 108 + OSX/libsecurity_asn1/lib/prcpucfg.h | 192 + OSX/libsecurity_asn1/lib/prcvar.h | 123 + OSX/libsecurity_asn1/lib/prenv.h | 154 + OSX/libsecurity_asn1/lib/prerr.h | 275 + OSX/libsecurity_asn1/lib/prerror.h | 323 + OSX/libsecurity_asn1/lib/prinit.h | 240 + OSX/libsecurity_asn1/lib/prinrval.h | 172 + OSX/libsecurity_asn1/lib/prlock.h | 123 + OSX/libsecurity_asn1/lib/prlog.h | 262 + OSX/libsecurity_asn1/lib/prlong.h | 425 + 
OSX/libsecurity_asn1/lib/prmem.h | 156 + OSX/libsecurity_asn1/lib/prmon.h | 110 + OSX/libsecurity_asn1/lib/protypes.h | 251 + OSX/libsecurity_asn1/lib/prthread.h | 283 + OSX/libsecurity_asn1/lib/prtime.h | 295 + OSX/libsecurity_asn1/lib/prtypes.h | 570 + OSX/libsecurity_asn1/lib/prvrsion.h | 134 + OSX/libsecurity_asn1/lib/secErrorStr.c | 208 + OSX/libsecurity_asn1/lib/secasn1.h | 219 + OSX/libsecurity_asn1/lib/secasn1d.c | 3167 ++++++ OSX/libsecurity_asn1/lib/secasn1e.c | 1646 +++ OSX/libsecurity_asn1/lib/secasn1t.h | 143 + OSX/libsecurity_asn1/lib/secasn1u.c | 115 + OSX/libsecurity_asn1/lib/seccomon.h | 125 + OSX/libsecurity_asn1/lib/secerr.h | 206 + OSX/libsecurity_asn1/lib/secport.c | 669 ++ OSX/libsecurity_asn1/lib/secport.h | 290 + OSX/libsecurity_asn1/lib/security_asn1.exp | 166 + .../project.pbxproj | 477 + .../security_asn1/SecAsn1Coder.c | 225 + .../security_asn1/SecAsn1Coder.h | 153 + .../security_asn1/SecAsn1Templates.c | 373 + .../security_asn1/SecAsn1Templates.h | 135 + .../security_asn1/SecAsn1Types.h | 244 + .../security_asn1/SecNssCoder.cpp | 207 + .../security_asn1/SecNssCoder.h | 164 + .../security_asn1/X509Templates.c | 222 + .../security_asn1/X509Templates.h | 199 + .../security_asn1/asn1Templates.h | 33 + .../security_asn1/certExtensionTemplates.c | 322 + .../security_asn1/certExtensionTemplates.h | 274 + .../security_asn1/csrTemplates.c | 69 + .../security_asn1/csrTemplates.h | 77 + .../security_asn1/keyTemplates.c | 225 + .../security_asn1/keyTemplates.h | 276 + .../security_asn1/nameTemplates.c | 262 + .../security_asn1/nameTemplates.h | 195 + .../security_asn1/nsprPortX.c | 250 + OSX/libsecurity_asn1/security_asn1/nssUtils.c | 68 + OSX/libsecurity_asn1/security_asn1/nssUtils.h | 54 + OSX/libsecurity_asn1/security_asn1/nssilckt.h | 220 + OSX/libsecurity_asn1/security_asn1/nssilock.h | 316 + OSX/libsecurity_asn1/security_asn1/nsslocks.h | 67 + .../security_asn1/ocspTemplates.c | 298 + .../security_asn1/ocspTemplates.h | 337 + 
OSX/libsecurity_asn1/security_asn1/oidsalg.c | 501 + OSX/libsecurity_asn1/security_asn1/oidsalg.h | 167 + OSX/libsecurity_asn1/security_asn1/oidsattr.c | 506 + OSX/libsecurity_asn1/security_asn1/oidsattr.h | 225 + OSX/libsecurity_asn1/security_asn1/oidsbase.h | 363 + OSX/libsecurity_asn1/security_asn1/oidsocsp.c | 43 + OSX/libsecurity_asn1/security_asn1/oidsocsp.h | 51 + .../security_asn1/osKeyTemplates.c | 163 + .../security_asn1/osKeyTemplates.h | 208 + .../security_asn1/pkcs12Templates.c | 289 + .../security_asn1/pkcs12Templates.h | 284 + .../security_asn1/pkcs7Templates.c | 162 + .../security_asn1/pkcs7Templates.h | 165 + OSX/libsecurity_asn1/security_asn1/plarena.c | 423 + OSX/libsecurity_asn1/security_asn1/plarena.h | 222 + OSX/libsecurity_asn1/security_asn1/plarenas.h | 126 + OSX/libsecurity_asn1/security_asn1/plstr.h | 467 + OSX/libsecurity_asn1/security_asn1/prbit.h | 108 + OSX/libsecurity_asn1/security_asn1/prcpucfg.h | 192 + OSX/libsecurity_asn1/security_asn1/prcvar.h | 123 + OSX/libsecurity_asn1/security_asn1/prenv.h | 154 + OSX/libsecurity_asn1/security_asn1/prerr.h | 275 + OSX/libsecurity_asn1/security_asn1/prerror.h | 323 + OSX/libsecurity_asn1/security_asn1/prinit.h | 240 + OSX/libsecurity_asn1/security_asn1/prinrval.h | 172 + OSX/libsecurity_asn1/security_asn1/prlock.h | 123 + OSX/libsecurity_asn1/security_asn1/prlog.h | 262 + OSX/libsecurity_asn1/security_asn1/prlong.h | 425 + OSX/libsecurity_asn1/security_asn1/prmem.h | 156 + OSX/libsecurity_asn1/security_asn1/prmon.h | 110 + OSX/libsecurity_asn1/security_asn1/protypes.h | 251 + OSX/libsecurity_asn1/security_asn1/prthread.h | 283 + OSX/libsecurity_asn1/security_asn1/prtime.h | 295 + OSX/libsecurity_asn1/security_asn1/prtypes.h | 570 + OSX/libsecurity_asn1/security_asn1/prvrsion.h | 134 + .../security_asn1/secErrorStr.c | 208 + OSX/libsecurity_asn1/security_asn1/secasn1.h | 219 + OSX/libsecurity_asn1/security_asn1/secasn1d.c | 3167 ++++++ OSX/libsecurity_asn1/security_asn1/secasn1e.c | 1646 +++ 
OSX/libsecurity_asn1/security_asn1/secasn1t.h | 143 + OSX/libsecurity_asn1/security_asn1/secasn1u.c | 115 + OSX/libsecurity_asn1/security_asn1/seccomon.h | 125 + OSX/libsecurity_asn1/security_asn1/secerr.h | 206 + OSX/libsecurity_asn1/security_asn1/secport.c | 669 ++ OSX/libsecurity_asn1/security_asn1/secport.h | 290 + .../security_asn1/security_asn1.exp | 166 + .../libsecurity_authorization/APPLE_LICENSE | 0 .../Info-security_authorization.plist | 0 .../lib/AuthSession.h | 20 +- .../lib/Authorization.c | 6 +- .../lib/Authorization.cpp | 0 .../lib/Authorization.h | 54 +- .../lib/AuthorizationDB.h | 11 +- .../lib/AuthorizationPlugin.h | 32 +- .../lib/AuthorizationPriv.h | 2 +- .../lib/AuthorizationTags.h | 0 .../lib/AuthorizationTagsPriv.h | 0 .../libsecurity_authorization/lib/privPort.h | 0 .../lib/security_authorization.exp | 0 .../lib/trampolineClient.cpp | 0 .../lib/trampolineServer.cpp | 0 .../project.pbxproj | 315 + .../Info-security_cdsa_client.plist | 0 OSX/libsecurity_cdsa_client/lib/DLDBList.cpp | 53 + OSX/libsecurity_cdsa_client/lib/DLDBList.h | 74 + OSX/libsecurity_cdsa_client/lib/aclclient.cpp | 324 + OSX/libsecurity_cdsa_client/lib/aclclient.h | 199 + OSX/libsecurity_cdsa_client/lib/clclient.cpp | 54 + OSX/libsecurity_cdsa_client/lib/clclient.h | 75 + .../lib/cryptoclient.cpp | 143 + .../lib/cryptoclient.h | 116 + OSX/libsecurity_cdsa_client/lib/cspclient.cpp | 264 + OSX/libsecurity_cdsa_client/lib/cspclient.h | 269 + .../lib/cssmclient.cpp | 528 + OSX/libsecurity_cdsa_client/lib/cssmclient.h | 378 + .../lib/dl_standard.cpp | 195 + OSX/libsecurity_cdsa_client/lib/dl_standard.h | 167 + OSX/libsecurity_cdsa_client/lib/dlclient.cpp | 905 ++ OSX/libsecurity_cdsa_client/lib/dlclient.h | 560 + .../lib/dlclientpriv.cpp | 35 + .../lib/dliterators.cpp | 127 + OSX/libsecurity_cdsa_client/lib/dliterators.h | 272 + OSX/libsecurity_cdsa_client/lib/dlquery.cpp | 128 + OSX/libsecurity_cdsa_client/lib/dlquery.h | 131 + OSX/libsecurity_cdsa_client/lib/genkey.cpp | 94 + 
OSX/libsecurity_cdsa_client/lib/genkey.h | 79 + .../lib/keychainacl.cpp | 133 + OSX/libsecurity_cdsa_client/lib/keychainacl.h | 89 + OSX/libsecurity_cdsa_client/lib/keyclient.cpp | 120 + OSX/libsecurity_cdsa_client/lib/keyclient.h | 113 + OSX/libsecurity_cdsa_client/lib/macclient.cpp | 102 + OSX/libsecurity_cdsa_client/lib/macclient.h | 90 + .../lib/mds_standard.cpp | 228 + .../lib/mds_standard.h | 205 + OSX/libsecurity_cdsa_client/lib/mdsclient.cpp | 158 + OSX/libsecurity_cdsa_client/lib/mdsclient.h | 102 + OSX/libsecurity_cdsa_client/lib/multidldb.cpp | 235 + OSX/libsecurity_cdsa_client/lib/multidldb.h | 101 + .../lib/securestorage.cpp | 650 ++ .../lib/securestorage.h | 343 + .../lib/signclient.cpp | 97 + OSX/libsecurity_cdsa_client/lib/signclient.h | 93 + OSX/libsecurity_cdsa_client/lib/tpclient.cpp | 136 + OSX/libsecurity_cdsa_client/lib/tpclient.h | 108 + OSX/libsecurity_cdsa_client/lib/wrapkey.cpp | 193 + OSX/libsecurity_cdsa_client/lib/wrapkey.h | 127 + .../project.pbxproj | 404 + .../Info-security_cdsa_plugin.plist | 0 OSX/libsecurity_cdsa_plugin/lib/ACsession.h | 52 + OSX/libsecurity_cdsa_plugin/lib/CLsession.h | 51 + .../lib/CSPsession.cpp | 1156 ++ OSX/libsecurity_cdsa_plugin/lib/CSPsession.h | 545 + OSX/libsecurity_cdsa_plugin/lib/DLsession.cpp | 57 + OSX/libsecurity_cdsa_plugin/lib/DLsession.h | 57 + OSX/libsecurity_cdsa_plugin/lib/Database.cpp | 232 + OSX/libsecurity_cdsa_plugin/lib/Database.h | 248 + .../lib/DatabaseSession.cpp | 692 ++ .../lib/DatabaseSession.h | 140 + OSX/libsecurity_cdsa_plugin/lib/DbContext.cpp | 44 + OSX/libsecurity_cdsa_plugin/lib/DbContext.h | 76 + OSX/libsecurity_cdsa_plugin/lib/TPsession.h | 56 + OSX/libsecurity_cdsa_plugin/lib/c++plugin.h | 42 + .../lib/csputilities.cpp | 152 + .../lib/cssmplugin.cpp | 184 + OSX/libsecurity_cdsa_plugin/lib/cssmplugin.h | 130 + OSX/libsecurity_cdsa_plugin/lib/generator.cfg | 59 + OSX/libsecurity_cdsa_plugin/lib/generator.mk | 29 + OSX/libsecurity_cdsa_plugin/lib/generator.pl | 247 + 
.../lib/pluginsession.cpp | 91 + .../lib/pluginsession.h | 92 + OSX/libsecurity_cdsa_plugin/lib/pluginspi.h | 123 + .../project.pbxproj | 466 + .../libsecurity_cdsa_utilities/APPLE_LICENSE | 0 .../Info-security_cdsa_utilities.plist | 0 .../lib/AuthorizationData.cpp | 362 + .../lib/AuthorizationData.h | 201 + .../lib/AuthorizationWalkers.h | 82 + .../lib/KeySchema.h | 70 + .../lib/KeySchema.m4 | 129 + OSX/libsecurity_cdsa_utilities/lib/Schema.h | 129 + OSX/libsecurity_cdsa_utilities/lib/Schema.m4 | 471 + .../lib/acl_any.cpp | 63 + OSX/libsecurity_cdsa_utilities/lib/acl_any.h | 60 + .../lib/acl_codesigning.cpp | 198 + .../lib/acl_codesigning.h | 95 + .../lib/acl_comment.cpp | 156 + .../lib/acl_comment.h | 71 + .../lib/acl_password.cpp | 114 + .../lib/acl_password.h | 75 + .../lib/acl_preauth.cpp | 238 + .../lib/acl_preauth.h | 132 + .../lib/acl_process.cpp | 157 + .../lib/acl_process.h | 93 + .../lib/acl_prompted.cpp | 130 + .../lib/acl_prompted.h | 85 + .../lib/acl_protectedpw.cpp | 121 + .../lib/acl_protectedpw.h | 75 + .../lib/acl_secret.cpp | 127 + .../lib/acl_secret.h | 99 + .../lib/acl_threshold.cpp | 180 + .../lib/acl_threshold.h | 86 + .../lib/aclsubject.cpp | 160 + .../lib/aclsubject.h | 224 + .../lib/callback.cpp | 122 + OSX/libsecurity_cdsa_utilities/lib/callback.h | 113 + .../lib/constdata.cpp | 44 + .../lib/constdata.h | 89 + .../lib/context.cpp | 189 + OSX/libsecurity_cdsa_utilities/lib/context.h | 404 + .../lib/cssmacl.cpp | 28 + OSX/libsecurity_cdsa_utilities/lib/cssmacl.h | 63 + .../lib/cssmaclpod.cpp | 223 + .../lib/cssmaclpod.h | 356 + .../lib/cssmalloc.cpp | 87 + .../lib/cssmalloc.h | 155 + .../lib/cssmbridge.h | 62 + .../lib/cssmcert.cpp | 88 + OSX/libsecurity_cdsa_utilities/lib/cssmcert.h | 125 + .../lib/cssmcred.cpp | 112 + OSX/libsecurity_cdsa_utilities/lib/cssmcred.h | 191 + .../lib/cssmdata.cpp | 248 + OSX/libsecurity_cdsa_utilities/lib/cssmdata.h | 560 + .../lib/cssmdates.cpp | 195 + .../lib/cssmdates.h | 127 + 
OSX/libsecurity_cdsa_utilities/lib/cssmdb.cpp | 590 + OSX/libsecurity_cdsa_utilities/lib/cssmdb.h | 873 ++ .../lib/cssmdbname.cpp | 149 + .../lib/cssmdbname.h | 131 + .../lib/cssmendian.cpp | 53 + .../lib/cssmendian.h | 50 + .../lib/cssmerrors.cpp | 129 + .../lib/cssmerrors.h | 68 + .../lib/cssmkey.cpp | 56 + OSX/libsecurity_cdsa_utilities/lib/cssmkey.h | 151 + .../lib/cssmlist.cpp | 313 + OSX/libsecurity_cdsa_utilities/lib/cssmlist.h | 269 + .../lib/cssmpods.cpp | 179 + OSX/libsecurity_cdsa_utilities/lib/cssmpods.h | 221 + .../lib/cssmtrust.cpp | 48 + .../lib/cssmtrust.h | 178 + .../lib/cssmwalkers.cpp | 28 + .../lib/cssmwalkers.h | 233 + OSX/libsecurity_cdsa_utilities/lib/db++.cpp | 144 + OSX/libsecurity_cdsa_utilities/lib/db++.h | 91 + .../lib/digestobject.h | 133 + .../lib/generator.mk | 26 + .../lib/generator.pl | 89 + .../lib/handleobject.cpp | 31 + .../lib/handleobject.h | 47 + .../lib/handletemplates.cpp | 39 + .../lib/handletemplates.h | 290 + .../lib/handletemplates_defs.h | 204 + .../lib/objectacl.cpp | 662 ++ .../lib/objectacl.h | 250 + .../lib/osxverifier.cpp | 177 + .../lib/osxverifier.h | 93 + .../lib/u32handleobject.cpp | 27 + .../lib/u32handleobject.h | 43 + .../lib/uniformrandom.cpp | 37 + .../lib/uniformrandom.h | 56 + .../lib/walkers.cpp | 47 + OSX/libsecurity_cdsa_utilities/lib/walkers.h | 393 + .../project.pbxproj | 711 ++ .../Info-security_cdsa_utils.plist | 0 .../lib/cuCdsaUtils.cpp | 778 ++ OSX/libsecurity_cdsa_utils/lib/cuCdsaUtils.h | 161 + OSX/libsecurity_cdsa_utils/lib/cuDbUtils.cpp | 574 + OSX/libsecurity_cdsa_utils/lib/cuDbUtils.h | 71 + OSX/libsecurity_cdsa_utils/lib/cuEnc64.c | 392 + OSX/libsecurity_cdsa_utils/lib/cuEnc64.h | 67 + OSX/libsecurity_cdsa_utils/lib/cuFileIo.c | 113 + OSX/libsecurity_cdsa_utils/lib/cuFileIo.h | 41 + .../lib/cuOidParser.cpp | 315 + OSX/libsecurity_cdsa_utils/lib/cuOidParser.h | 62 + OSX/libsecurity_cdsa_utils/lib/cuPem.cpp | 198 + OSX/libsecurity_cdsa_utils/lib/cuPem.h | 50 + .../lib/cuPrintCert.cpp | 
1504 +++ OSX/libsecurity_cdsa_utils/lib/cuPrintCert.h | 64 + OSX/libsecurity_cdsa_utils/lib/cuTimeStr.cpp | 293 + OSX/libsecurity_cdsa_utils/lib/cuTimeStr.h | 75 + .../project.pbxproj | 284 + .../libsecurity_checkpw/APPLE_LICENSE | 0 .../Info-security_checkpw.plist | 0 .../libsecurity_checkpw/checkpw.pam | 0 .../libsecurity_checkpw/lib/checkpw.c | 1 - .../libsecurity_checkpw/lib/checkpw.h | 0 .../lib/security_checkpw.exp | 0 .../project.pbxproj | 399 + .../libsecurity_checkpw/test/perf-checkpw.c | 0 .../libsecurity_checkpw/test/test-checkpw.c | 0 .../libsecurity_cms/APPLE_LICENSE | 0 .../libsecurity_cms/Info-security_cms.plist | 0 .../libsecurity_cms/lib/CMSDecoder.cpp | 8 + .../libsecurity_cms/lib/CMSDecoder.h | 43 +- .../libsecurity_cms/lib/CMSEncoder.cpp | 24 +- .../libsecurity_cms/lib/CMSEncoder.h | 72 +- .../libsecurity_cms/lib/CMSPrivate.h | 0 .../libsecurity_cms/lib/CMSUtils.cpp | 0 .../libsecurity_cms/lib/CMSUtils.h | 0 .../libsecurity_cms/lib/security_cms.exp | 0 .../libsecurity_cms.xcodeproj/project.pbxproj | 231 + .../libsecurity_codesigning/APPLE_LICENSE | 0 .../CodeSigningHelper-Info.plist | 0 .../com.apple.CodeSigningHelper.sb | 0 .../CodeSigningHelper/main.c | 0 .../Info-security_codesigning.plist | 0 .../libsecurity_codesigning/antlr2/AUTHORS | 0 .../libsecurity_codesigning/antlr2/ChangeLog | 0 .../antlr2/LICENSE.txt | 0 .../antlr2/Makefile.in | 0 .../libsecurity_codesigning/antlr2/README | 0 .../libsecurity_codesigning/antlr2/TODO | 0 .../libsecurity_codesigning/antlr2/antlr.jar | Bin .../antlr2/antlr/ANTLRException.hpp | 0 .../antlr2/antlr/ANTLRUtil.hpp | 0 .../antlr2/antlr/AST.hpp | 0 .../antlr2/antlr/ASTArray.hpp | 0 .../antlr2/antlr/ASTFactory.hpp | 0 .../antlr2/antlr/ASTNULLType.hpp | 0 .../antlr2/antlr/ASTPair.hpp | 0 .../antlr2/antlr/ASTRefCount.hpp | 0 .../antlr2/antlr/BaseAST.hpp | 0 .../antlr2/antlr/BitSet.hpp | 0 .../antlr2/antlr/CharBuffer.hpp | 0 .../antlr2/antlr/CharInputBuffer.hpp | 0 .../antlr2/antlr/CharScanner.hpp | 0 
.../antlr2/antlr/CharStreamException.hpp | 0 .../antlr2/antlr/CharStreamIOException.hpp | 0 .../antlr2/antlr/CircularQueue.hpp | 0 .../antlr2/antlr/CommonAST.hpp | 0 .../antlr/CommonASTWithHiddenTokens.hpp | 0 .../antlr2/antlr/CommonHiddenStreamToken.hpp | 0 .../antlr2/antlr/CommonToken.hpp | 0 .../antlr2/antlr/IOException.hpp | 0 .../antlr2/antlr/InputBuffer.hpp | 0 .../antlr2/antlr/LLkParser.hpp | 0 .../antlr2/antlr/LexerSharedInputState.hpp | 0 .../antlr2/antlr/Makefile.in | 0 .../antlr2/antlr/MismatchedCharException.hpp | 0 .../antlr2/antlr/MismatchedTokenException.hpp | 0 .../antlr2/antlr/NoViableAltException.hpp | 0 .../antlr/NoViableAltForCharException.hpp | 0 .../antlr2/antlr/Parser.hpp | 0 .../antlr2/antlr/ParserSharedInputState.hpp | 0 .../antlr2/antlr/RecognitionException.hpp | 0 .../antlr2/antlr/RefCount.hpp | 0 .../antlr2/antlr/SemanticException.hpp | 0 .../antlr2/antlr/String.hpp | 0 .../antlr2/antlr/Token.hpp | 0 .../antlr2/antlr/TokenBuffer.hpp | 0 .../antlr2/antlr/TokenRefCount.hpp | 0 .../antlr2/antlr/TokenStream.hpp | 0 .../antlr2/antlr/TokenStreamBasicFilter.hpp | 0 .../antlr2/antlr/TokenStreamException.hpp | 0 .../antlr/TokenStreamHiddenTokenFilter.hpp | 0 .../antlr2/antlr/TokenStreamIOException.hpp | 0 .../antlr/TokenStreamRecognitionException.hpp | 0 .../antlr/TokenStreamRetryException.hpp | 0 .../antlr2/antlr/TokenStreamRewriteEngine.hpp | 0 .../antlr2/antlr/TokenStreamSelector.hpp | 0 .../antlr2/antlr/TokenWithIndex.hpp | 0 .../antlr2/antlr/TreeParser.hpp | 0 .../antlr/TreeParserSharedInputState.hpp | 0 .../antlr2/antlr/config.hpp | 0 .../antlr2/contrib/bcb4/README | 0 .../antlr2/contrib/bcb4/antlr.bpr | 0 .../antlr2/contrib/bcb4/antlr.cpp | 0 .../antlr2/doxygen.cfg | 0 .../antlr2/libsecurity_codesigning.plist | 0 .../antlr2/libsecurity_codesigning.txt | 0 .../antlr2/scripts/cr_stripper.sh | 0 .../antlr2/scripts/make_change_log.tcl | 0 .../antlr2/src/ANTLRUtil.cpp | 0 .../antlr2/src/ASTFactory.cpp | 0 .../antlr2/src/ASTNULLType.cpp | 0 
.../antlr2/src/ASTRefCount.cpp | 0 .../antlr2/src/BaseAST.cpp | 0 .../antlr2/src/BitSet.cpp | 0 .../antlr2/src/CharBuffer.cpp | 0 .../antlr2/src/CharScanner.cpp | 0 .../antlr2/src/CommonAST.cpp | 0 .../antlr2/src/CommonASTWithHiddenTokens.cpp | 0 .../antlr2/src/CommonHiddenStreamToken.cpp | 0 .../antlr2/src/CommonToken.cpp | 0 .../antlr2/src/InputBuffer.cpp | 0 .../antlr2/src/LLkParser.cpp | 0 .../antlr2/src/Makefile.in | 0 .../antlr2/src/MismatchedCharException.cpp | 0 .../antlr2/src/MismatchedTokenException.cpp | 0 .../antlr2/src/NoViableAltException.cpp | 0 .../src/NoViableAltForCharException.cpp | 0 .../antlr2/src/Parser.cpp | 0 .../antlr2/src/RecognitionException.cpp | 0 .../antlr2/src/String.cpp | 0 .../antlr2/src/Token.cpp | 0 .../antlr2/src/TokenBuffer.cpp | 0 .../antlr2/src/TokenRefCount.cpp | 0 .../antlr2/src/TokenStreamBasicFilter.cpp | 0 .../src/TokenStreamHiddenTokenFilter.cpp | 0 .../antlr2/src/TokenStreamRewriteEngine.cpp | 0 .../antlr2/src/TokenStreamSelector.cpp | 0 .../antlr2/src/TreeParser.cpp | 0 .../antlr2/src/dll.cpp | 0 .../dtrace/codesign-watch.d | 0 .../libsecurity_codesigning/dtrace/reqint.d | 0 .../libsecurity_codesigning/dtrace/sp-watch.d | 0 .../gke/com.apple.gkreport.plist | 0 .../libsecurity_codesigning/gke/gkclear | 0 .../libsecurity_codesigning/gke/gkgenerate | 0 .../libsecurity_codesigning/gke/gkhandmake | 0 .../libsecurity_codesigning/gke/gklist | 0 .../libsecurity_codesigning/gke/gkmerge | 0 .../libsecurity_codesigning/gke/gkrecord | 0 .../libsecurity_codesigning/gke/gkreport | 0 .../libsecurity_codesigning/gke/gkunpack.cpp | 0 OSX/libsecurity_codesigning/lib/CSCommon.h | 318 + .../lib/CSCommonPriv.h | 131 + OSX/libsecurity_codesigning/lib/Code.cpp | 285 + OSX/libsecurity_codesigning/lib/Code.h | 89 + .../lib/CodeSigner.cpp | 308 + OSX/libsecurity_codesigning/lib/CodeSigner.h | 106 + OSX/libsecurity_codesigning/lib/CodeSigning.h | 37 + .../lib/RequirementKeywords.h | 25 + .../lib/RequirementLexer.cpp | 1269 +++ 
.../lib/RequirementLexer.hpp | 77 + .../lib/RequirementParser.cpp | 1331 +++ .../lib/RequirementParser.hpp | 158 + .../lib/RequirementParserTokenTypes.hpp | 76 + .../lib/RequirementParserTokenTypes.txt | 56 + .../lib/Requirements.cpp | 92 + .../lib/Requirements.h | 64 + .../lib/SecAssessment.cpp | 544 + .../lib/SecAssessment.h | 316 + OSX/libsecurity_codesigning/lib/SecCode.cpp | 316 + OSX/libsecurity_codesigning/lib/SecCode.h | 447 + .../lib/SecCodeHost.cpp | 117 + OSX/libsecurity_codesigning/lib/SecCodeHost.h | 244 + .../lib/SecCodeHostLib.c | 124 + .../lib/SecCodeHostLib.h | 110 + OSX/libsecurity_codesigning/lib/SecCodePriv.h | 185 + .../lib/SecCodeSigner.cpp | 124 + .../lib/SecCodeSigner.h | 231 + .../lib/SecIntegrity.cpp | 26 + .../lib/SecIntegrity.h | 49 + .../lib/SecIntegrityLib.c | 23 + .../lib/SecIntegrityLib.h | 55 + .../lib/SecRequirement.cpp | 309 + .../lib/SecRequirement.h | 142 + .../lib/SecRequirementPriv.h | 197 + .../lib/SecStaticCode.cpp | 324 + .../lib/SecStaticCode.h | 168 + .../lib/SecStaticCodePriv.h | 92 + OSX/libsecurity_codesigning/lib/SecTask.c | 316 + OSX/libsecurity_codesigning/lib/SecTask.h | 113 + OSX/libsecurity_codesigning/lib/SecTaskPriv.h | 56 + .../lib/StaticCode.cpp | 1798 +++ OSX/libsecurity_codesigning/lib/StaticCode.h | 278 + .../lib/antlrplugin.cpp | 130 + OSX/libsecurity_codesigning/lib/antlrplugin.h | 74 + .../lib/bundlediskrep.cpp | 691 ++ .../lib/bundlediskrep.h | 138 + OSX/libsecurity_codesigning/lib/cdbuilder.cpp | 259 + OSX/libsecurity_codesigning/lib/cdbuilder.h | 100 + .../lib/codedirectory.cpp | 324 + .../lib/codedirectory.h | 289 + OSX/libsecurity_codesigning/lib/cs.cpp | 63 + OSX/libsecurity_codesigning/lib/cs.h | 180 + OSX/libsecurity_codesigning/lib/cscdefs.c | 4 + OSX/libsecurity_codesigning/lib/cscdefs.h | 89 + .../lib/csdatabase.cpp | 180 + OSX/libsecurity_codesigning/lib/csdatabase.h | 74 + OSX/libsecurity_codesigning/lib/cserror.cpp | 88 + OSX/libsecurity_codesigning/lib/cserror.h | 67 + 
OSX/libsecurity_codesigning/lib/csgeneric.cpp | 218 + OSX/libsecurity_codesigning/lib/csgeneric.h | 82 + OSX/libsecurity_codesigning/lib/cskernel.cpp | 219 + OSX/libsecurity_codesigning/lib/cskernel.h | 86 + OSX/libsecurity_codesigning/lib/csprocess.cpp | 87 + OSX/libsecurity_codesigning/lib/csprocess.h | 84 + .../lib/csutilities.cpp | 260 + OSX/libsecurity_codesigning/lib/csutilities.h | 202 + .../lib/detachedrep.cpp | 103 + OSX/libsecurity_codesigning/lib/detachedrep.h | 71 + .../lib/dirscanner.cpp | 200 + OSX/libsecurity_codesigning/lib/dirscanner.h | 119 + OSX/libsecurity_codesigning/lib/diskrep.cpp | 306 + OSX/libsecurity_codesigning/lib/diskrep.h | 234 + OSX/libsecurity_codesigning/lib/drmaker.cpp | 195 + OSX/libsecurity_codesigning/lib/drmaker.h | 69 + .../lib/evaluationmanager.cpp | 366 + .../lib/evaluationmanager.h | 63 + .../lib/filediskrep.cpp | 191 + OSX/libsecurity_codesigning/lib/filediskrep.h | 93 + .../lib/kerneldiskrep.cpp | 91 + .../lib/kerneldiskrep.h | 64 + OSX/libsecurity_codesigning/lib/machorep.cpp | 409 + OSX/libsecurity_codesigning/lib/machorep.h | 104 + .../lib/opaquewhitelist.cpp | 269 + .../lib/opaquewhitelist.h | 60 + .../lib/piddiskrep.cpp | 170 + OSX/libsecurity_codesigning/lib/piddiskrep.h | 70 + OSX/libsecurity_codesigning/lib/policydb.cpp | 475 + OSX/libsecurity_codesigning/lib/policydb.h | 145 + .../lib/policyengine.cpp | 1106 ++ .../lib/policyengine.h | 101 + .../lib/quarantine++.cpp | 107 + .../lib/quarantine++.h | 77 + OSX/libsecurity_codesigning/lib/reqdumper.cpp | 367 + OSX/libsecurity_codesigning/lib/reqdumper.h | 100 + OSX/libsecurity_codesigning/lib/reqinterp.cpp | 583 + OSX/libsecurity_codesigning/lib/reqinterp.h | 92 + OSX/libsecurity_codesigning/lib/reqmaker.cpp | 180 + OSX/libsecurity_codesigning/lib/reqmaker.h | 135 + OSX/libsecurity_codesigning/lib/reqparser.cpp | 125 + OSX/libsecurity_codesigning/lib/reqparser.h | 66 + OSX/libsecurity_codesigning/lib/reqreader.cpp | 91 + OSX/libsecurity_codesigning/lib/reqreader.h | 
86 + .../lib/requirement.cpp | 159 + OSX/libsecurity_codesigning/lib/requirement.h | 215 + OSX/libsecurity_codesigning/lib/resources.cpp | 363 + OSX/libsecurity_codesigning/lib/resources.h | 140 + .../lib/security_codesigning.d | 98 + .../lib/security_codesigning.exp | 176 + OSX/libsecurity_codesigning/lib/sigblob.cpp | 67 + OSX/libsecurity_codesigning/lib/sigblob.h | 81 + OSX/libsecurity_codesigning/lib/signer.cpp | 670 ++ OSX/libsecurity_codesigning/lib/signer.h | 103 + .../lib/signerutils.cpp | 361 + OSX/libsecurity_codesigning/lib/signerutils.h | 201 + .../lib/singlediskrep.cpp | 139 + .../lib/singlediskrep.h | 91 + OSX/libsecurity_codesigning/lib/slcrep.cpp | 171 + OSX/libsecurity_codesigning/lib/slcrep.h | 94 + OSX/libsecurity_codesigning/lib/syspolicy.sql | 204 + OSX/libsecurity_codesigning/lib/xar++.cpp | 96 + OSX/libsecurity_codesigning/lib/xar++.h | 66 + OSX/libsecurity_codesigning/lib/xpcengine.cpp | 231 + OSX/libsecurity_codesigning/lib/xpcengine.h | 45 + .../project.pbxproj | 2051 ++++ .../libsecurity_codesigning/req/cfm.ireqs | 0 .../libsecurity_codesigning/req/ppc-host.ireq | 0 .../requirements.grammar | 19 +- .../update_requirement_syntax | 7 + .../Info-security_comcryption.plist | 0 OSX/libsecurity_comcryption/lib/comDebug.h | 212 + .../lib/comcryptPriv.c | 540 + .../lib/comcryptPriv.h | 492 + OSX/libsecurity_comcryption/lib/comcryption.c | 1438 +++ OSX/libsecurity_comcryption/lib/comcryption.h | 175 + .../project.pbxproj | 202 + .../Info-security_cryptkit.plist | 0 .../libsecurity_cryptkit/ckutils/Makefile | 0 .../ckutils/Makefile.common | 0 .../ckutils/atomTime/Makefile | 0 .../ckutils/atomTime/atomTime.c | 0 .../ckutils/badsig/Makefile | 0 .../ckutils/badsig/badsig.c | 0 .../ckutils/blobtest/Makefile | 0 .../ckutils/blobtest/blobtest.c | 0 .../ckutils/cfileTest/Makefile | 0 .../ckutils/cfileTest/cfileTest.c | 0 .../ckutils/ckutilsPlatform.h | 0 .../ckutils/giantAsmBench/Makefile | 0 .../ckutils/giantAsmBench/giantAsmBench.c | 0 
.../ckutils/giantBench/Makefile | 0 .../ckutils/giantBench/giantBench.c | 0 .../ckutils/giantDvt/Makefile | 0 .../ckutils/giantDvt/giantDvt.c | 0 .../ckutils/sigTime/Makefile | 0 .../ckutils/sigTime/sigTime.cpp | 0 OSX/libsecurity_cryptkit/lib/ByteRep.txt | 293 + OSX/libsecurity_cryptkit/lib/CipherFileDES.c | 586 + OSX/libsecurity_cryptkit/lib/CipherFileDES.h | 67 + OSX/libsecurity_cryptkit/lib/CipherFileFEED.c | 460 + OSX/libsecurity_cryptkit/lib/CipherFileFEED.h | 69 + .../lib/CipherFileTypes.h | 83 + OSX/libsecurity_cryptkit/lib/Crypt.h | 60 + OSX/libsecurity_cryptkit/lib/CryptKit.def | 113 + OSX/libsecurity_cryptkit/lib/CryptKit.h | 28 + OSX/libsecurity_cryptkit/lib/CryptKitAsn1.cpp | 82 + OSX/libsecurity_cryptkit/lib/CryptKitAsn1.h | 138 + OSX/libsecurity_cryptkit/lib/CryptKitDER.cpp | 1244 +++ OSX/libsecurity_cryptkit/lib/CryptKitDER.h | 198 + OSX/libsecurity_cryptkit/lib/CryptKitSA.h | 23 + .../lib/CurveParamDocs/FEEDaffine.nb | 253 + .../lib/CurveParamDocs/FEEDsansY.nb | 324 + .../lib/CurveParamDocs/README | 62 + .../lib/CurveParamDocs/curvegen.c | 105 + .../lib/CurveParamDocs/curverecords.nb | 898 ++ .../lib/CurveParamDocs/disc.h | 312 + .../lib/CurveParamDocs/ellproj.c | 448 + .../lib/CurveParamDocs/ellproj.h | 59 + .../lib/CurveParamDocs/factor.c | 844 ++ .../lib/CurveParamDocs/fmodule.c | 410 + .../lib/CurveParamDocs/fmodule.h | 36 + .../lib/CurveParamDocs/giants.c | 3517 ++++++ .../lib/CurveParamDocs/giants.h | 314 + .../lib/CurveParamDocs/schoof.c | 1100 ++ .../lib/CurveParamDocs/schoofs.c | 1044 ++ .../lib/CurveParamDocs/tools.c | 445 + .../lib/CurveParamDocs/tools.h | 65 + OSX/libsecurity_cryptkit/lib/ECDSA_Profile.h | 90 + .../lib/ECDSA_Verify_Prefix.h | 6 + OSX/libsecurity_cryptkit/lib/HmacSha1Legacy.c | 165 + OSX/libsecurity_cryptkit/lib/HmacSha1Legacy.h | 69 + OSX/libsecurity_cryptkit/lib/Mathematica.FEE | 57 + OSX/libsecurity_cryptkit/lib/NSCipherFile.h | 111 + OSX/libsecurity_cryptkit/lib/NSCipherFile.m | 360 + 
OSX/libsecurity_cryptkit/lib/NSCryptors.h | 83 + OSX/libsecurity_cryptkit/lib/NSDESCryptor.h | 39 + OSX/libsecurity_cryptkit/lib/NSDESCryptor.m | 130 + OSX/libsecurity_cryptkit/lib/NSFEEPublicKey.h | 74 + OSX/libsecurity_cryptkit/lib/NSFEEPublicKey.m | 496 + .../lib/NSFEEPublicKeyPrivate.h | 36 + OSX/libsecurity_cryptkit/lib/NSMD5Hash.h | 34 + OSX/libsecurity_cryptkit/lib/NSMD5Hash.m | 79 + .../lib/NSRandomNumberGenerator.h | 36 + .../lib/NSRandomNumberGenerator.m | 83 + OSX/libsecurity_cryptkit/lib/README | 221 + OSX/libsecurity_cryptkit/lib/TOP_README | 30 + OSX/libsecurity_cryptkit/lib/buildSrcTree | 34 + OSX/libsecurity_cryptkit/lib/byteRep.c | 476 + OSX/libsecurity_cryptkit/lib/byteRep.h | 80 + OSX/libsecurity_cryptkit/lib/changes | 222 + OSX/libsecurity_cryptkit/lib/ckDES.c | 545 + OSX/libsecurity_cryptkit/lib/ckDES.h | 70 + OSX/libsecurity_cryptkit/lib/ckMD5.c | 365 + OSX/libsecurity_cryptkit/lib/ckMD5.h | 90 + OSX/libsecurity_cryptkit/lib/ckSHA1.c | 227 + OSX/libsecurity_cryptkit/lib/ckSHA1.h | 75 + OSX/libsecurity_cryptkit/lib/ckSHA1_priv.c | 321 + OSX/libsecurity_cryptkit/lib/ckSHA1_priv.h | 60 + OSX/libsecurity_cryptkit/lib/ckconfig.h | 105 + OSX/libsecurity_cryptkit/lib/ckutilities.c | 416 + OSX/libsecurity_cryptkit/lib/ckutilities.h | 47 + OSX/libsecurity_cryptkit/lib/curveParamData.h | 540 + .../lib/curveParamDataOld.h | 350 + OSX/libsecurity_cryptkit/lib/curveParams.c | 1399 +++ OSX/libsecurity_cryptkit/lib/curveParams.h | 230 + OSX/libsecurity_cryptkit/lib/elliptic.c | 1437 +++ OSX/libsecurity_cryptkit/lib/elliptic.h | 165 + .../lib/ellipticMeasure.h | 85 + OSX/libsecurity_cryptkit/lib/ellipticProj.c | 565 + OSX/libsecurity_cryptkit/lib/ellipticProj.h | 76 + OSX/libsecurity_cryptkit/lib/enc64.c | 417 + OSX/libsecurity_cryptkit/lib/enc64.h | 65 + OSX/libsecurity_cryptkit/lib/engineNSA127.c | 542 + OSX/libsecurity_cryptkit/lib/falloc.c | 109 + OSX/libsecurity_cryptkit/lib/falloc.h | 47 + OSX/libsecurity_cryptkit/lib/feeCipherFile.c | 280 + 
OSX/libsecurity_cryptkit/lib/feeCipherFile.h | 164 + .../lib/feeCipherFileAtom.c | 400 + OSX/libsecurity_cryptkit/lib/feeDES.c | 529 + OSX/libsecurity_cryptkit/lib/feeDES.h | 141 + OSX/libsecurity_cryptkit/lib/feeDebug.h | 194 + .../lib/feeDigitalSignature.c | 674 ++ .../lib/feeDigitalSignature.h | 111 + OSX/libsecurity_cryptkit/lib/feeECDSA.c | 697 ++ OSX/libsecurity_cryptkit/lib/feeECDSA.h | 84 + OSX/libsecurity_cryptkit/lib/feeFEED.c | 1233 ++ OSX/libsecurity_cryptkit/lib/feeFEED.h | 140 + OSX/libsecurity_cryptkit/lib/feeFEEDExp.c | 735 ++ OSX/libsecurity_cryptkit/lib/feeFEEDExp.h | 126 + OSX/libsecurity_cryptkit/lib/feeFunctions.h | 69 + OSX/libsecurity_cryptkit/lib/feeHash.c | 110 + OSX/libsecurity_cryptkit/lib/feeHash.h | 81 + OSX/libsecurity_cryptkit/lib/feePublicKey.c | 1612 +++ OSX/libsecurity_cryptkit/lib/feePublicKey.h | 341 + .../lib/feePublicKeyPrivate.h | 43 + OSX/libsecurity_cryptkit/lib/feeRandom.c | 206 + OSX/libsecurity_cryptkit/lib/feeRandom.h | 49 + OSX/libsecurity_cryptkit/lib/feeTypes.h | 174 + OSX/libsecurity_cryptkit/lib/giantFFT.c | 519 + OSX/libsecurity_cryptkit/lib/giantIntegers.c | 1744 +++ OSX/libsecurity_cryptkit/lib/giantIntegers.h | 162 + .../lib/giantPortCommon.h | 46 + .../lib/giantPort_Generic.h | 165 + OSX/libsecurity_cryptkit/lib/giantPort_PPC.c | 236 + OSX/libsecurity_cryptkit/lib/giantPort_PPC.h | 119 + .../lib/giantPort_PPC_Gnu.h | 83 + .../lib/giantPort_PPC_Gnu.s | 300 + OSX/libsecurity_cryptkit/lib/giantPort_i486.h | 126 + OSX/libsecurity_cryptkit/lib/giantPort_i486.s | 149 + OSX/libsecurity_cryptkit/lib/mutils.h | 36 + OSX/libsecurity_cryptkit/lib/mutils.m | 44 + OSX/libsecurity_cryptkit/lib/platform.c | 197 + OSX/libsecurity_cryptkit/lib/platform.h | 73 + OSX/libsecurity_cryptkit/lib/unixMakefile | 102 + .../project.pbxproj | 780 ++ .../libsecurity_cssm/APPLE_LICENSE | 0 .../libsecurity_cssm/Info-security_cssm.plist | 0 .../libsecurity_cssm/lib/attachfactory.cpp | 0 .../libsecurity_cssm/lib/attachfactory.h | 0 
.../libsecurity_cssm/lib/attachment.cpp | 0 .../libsecurity_cssm/lib/attachment.h | 0 .../libsecurity_cssm/lib/certextensions.h | 0 .../libsecurity_cssm/lib/cspattachment.cpp | 0 .../libsecurity_cssm/lib/cspattachment.h | 0 .../libsecurity_cssm/lib/cssm.cpp | 0 {Security => OSX}/libsecurity_cssm/lib/cssm.h | 0 .../libsecurity_cssm/lib/cssmaci.h | 0 .../libsecurity_cssm/lib/cssmapi.h | 0 OSX/libsecurity_cssm/lib/cssmapple.h | 1161 ++ .../libsecurity_cssm/lib/cssmapplePriv.h | 0 .../libsecurity_cssm/lib/cssmcli.h | 0 .../libsecurity_cssm/lib/cssmconfig.h | 0 .../libsecurity_cssm/lib/cssmcontext.cpp | 0 .../libsecurity_cssm/lib/cssmcontext.h | 0 .../libsecurity_cssm/lib/cssmcspi.h | 0 .../libsecurity_cssm/lib/cssmdli.h | 0 .../libsecurity_cssm/lib/cssmerr.h | 0 .../libsecurity_cssm/lib/cssmint.h | 0 .../libsecurity_cssm/lib/cssmkrapi.h | 0 .../libsecurity_cssm/lib/cssmkrspi.h | 0 .../libsecurity_cssm/lib/cssmmds.cpp | 0 .../libsecurity_cssm/lib/cssmmds.h | 0 .../libsecurity_cssm/lib/cssmspi.h | 0 .../libsecurity_cssm/lib/cssmtpi.h | 0 .../libsecurity_cssm/lib/cssmtype.h | 1 + {Security => OSX}/libsecurity_cssm/lib/eisl.h | 0 .../libsecurity_cssm/lib/emmspi.h | 0 .../libsecurity_cssm/lib/emmtype.h | 0 .../libsecurity_cssm/lib/generator.cfg | 0 .../libsecurity_cssm/lib/generator.mk | 0 .../libsecurity_cssm/lib/generator.pl | 0 .../libsecurity_cssm/lib/guids.cpp | 0 .../libsecurity_cssm/lib/manager.cpp | 0 .../libsecurity_cssm/lib/manager.h | 0 .../libsecurity_cssm/lib/modload_plugin.cpp | 0 .../libsecurity_cssm/lib/modload_plugin.h | 0 .../libsecurity_cssm/lib/modload_static.cpp | 0 .../libsecurity_cssm/lib/modload_static.h | 0 .../libsecurity_cssm/lib/modloader.cpp | 0 .../libsecurity_cssm/lib/modloader.h | 0 .../libsecurity_cssm/lib/module.cpp | 0 .../libsecurity_cssm/lib/module.h | 9 +- .../libsecurity_cssm/lib/oidsalg.c | 0 .../libsecurity_cssm/lib/oidsbase.h | 0 .../libsecurity_cssm/lib/oidscert.cpp | 0 .../libsecurity_cssm/lib/oidscert.h | 0 
.../libsecurity_cssm/lib/oidscrl.cpp | 0 .../libsecurity_cssm/lib/oidscrl.h | 0 .../libsecurity_cssm/lib/security_cssm.exp | 0 .../libsecurity_cssm/lib/transition.cpp | 0 .../libsecurity_cssm/lib/x509defs.h | 0 .../project.pbxproj | 514 + .../libsecurity_cssm/mds/cssm.mdsinfo | 0 .../Info-security_filedb.plist | 0 OSX/libsecurity_filedb/lib/AppleDatabase.cpp | 2564 +++++ OSX/libsecurity_filedb/lib/AppleDatabase.h | 666 ++ OSX/libsecurity_filedb/lib/AtomicFile.cpp | 1262 +++ OSX/libsecurity_filedb/lib/AtomicFile.h | 257 + OSX/libsecurity_filedb/lib/DbIndex.cpp | 476 + OSX/libsecurity_filedb/lib/DbIndex.h | 198 + OSX/libsecurity_filedb/lib/DbQuery.cpp | 30 + OSX/libsecurity_filedb/lib/DbQuery.h | 45 + OSX/libsecurity_filedb/lib/DbValue.cpp | 555 + OSX/libsecurity_filedb/lib/DbValue.h | 213 + OSX/libsecurity_filedb/lib/MetaAttribute.cpp | 158 + OSX/libsecurity_filedb/lib/MetaAttribute.h | 162 + OSX/libsecurity_filedb/lib/MetaRecord.cpp | 580 + OSX/libsecurity_filedb/lib/MetaRecord.h | 176 + .../lib/OverUnderflowCheck.h | 85 + .../lib/ReadWriteSection.cpp | 57 + OSX/libsecurity_filedb/lib/ReadWriteSection.h | 209 + .../lib/SelectionPredicate.cpp | 51 + .../lib/SelectionPredicate.h | 52 + .../project.pbxproj | 301 + .../libsecurity_keychain/APPLE_LICENSE | 0 .../Info-security_keychain.plist | 0 OSX/libsecurity_keychain/Security/ACL.cpp | 434 + OSX/libsecurity_keychain/Security/ACL.h | 157 + OSX/libsecurity_keychain/Security/Access.cpp | 380 + OSX/libsecurity_keychain/Security/Access.h | 139 + .../AppleBaselineEscrowCertificates.h | 0 .../Security/CCallbackMgr.cp | 239 + .../Security/CCallbackMgr.h | 102 + .../Security/Certificate.cpp | 1471 +++ .../Security/Certificate.h | 151 + .../Security/CertificateRequest.cpp | 858 ++ .../Security/CertificateRequest.h | 154 + .../Security/CertificateValues.cpp | 610 + .../Security/CertificateValues.h | 74 + .../Security/DLDBListCFPref.cpp | 1079 ++ .../Security/DLDBListCFPref.h | 222 + .../Security/DynamicDLDBList.cpp | 235 + 
.../Security/DynamicDLDBList.h | 74 + .../Security/ExtendedAttribute.cpp | 192 + .../Security/ExtendedAttribute.h | 90 + OSX/libsecurity_keychain/Security/Globals.cpp | 73 + OSX/libsecurity_keychain/Security/Globals.h | 75 + .../Security/Identity.cpp | 135 + OSX/libsecurity_keychain/Security/Identity.h | 68 + .../Security/IdentityCursor.cpp | 351 + .../Security/IdentityCursor.h | 89 + OSX/libsecurity_keychain/Security/Item.cpp | 1548 +++ OSX/libsecurity_keychain/Security/Item.h | 213 + .../Security/KCCursor.cpp | 308 + OSX/libsecurity_keychain/Security/KCCursor.h | 86 + .../Security/KCEventNotifier.cpp | 79 + .../Security/KCEventNotifier.h | 60 + .../Security/KCExceptions.h | 96 + .../Security/KCUtilities.cpp | 30 + .../Security/KCUtilities.h | 45 + OSX/libsecurity_keychain/Security/KeyItem.cpp | 1420 +++ OSX/libsecurity_keychain/Security/KeyItem.h | 141 + .../Security/Keychains.cpp | 1332 +++ OSX/libsecurity_keychain/Security/Keychains.h | 267 + .../Security/MacOSErrorStrings.h | 61 + .../Security/Password.cpp | 147 + OSX/libsecurity_keychain/Security/Password.h | 81 + .../Security/Policies.cpp | 361 + OSX/libsecurity_keychain/Security/Policies.h | 85 + .../Security/PolicyCursor.cpp | 118 + .../Security/PolicyCursor.h | 93 + .../Security/PrimaryKey.cpp | 134 + .../Security/PrimaryKey.h | 75 + OSX/libsecurity_keychain/Security/SecACL.cpp | 294 + OSX/libsecurity_keychain/Security/SecACL.h | 228 + .../Security/SecAccess.cpp | 715 ++ OSX/libsecurity_keychain/Security/SecAccess.h | 221 + .../Security/SecAccessPriv.h | 76 + .../Security/SecAsn1TypesP.h | 241 + OSX/libsecurity_keychain/Security/SecBase.cpp | 1120 ++ OSX/libsecurity_keychain/Security/SecBase.h | 655 ++ .../Security/SecBase64P.c | 489 + .../Security/SecBase64P.h | 0 OSX/libsecurity_keychain/Security/SecBaseP.h | 91 + .../Security/SecBasePriv.h | 92 + OSX/libsecurity_keychain/Security/SecBridge.h | 90 + .../Security/SecCFTypes.cpp | 70 + .../Security/SecCFTypes.h | 107 + .../Security/SecCertificate.cpp | 
1538 +++ .../Security/SecCertificate.h | 480 + .../Security/SecCertificateBundle.cpp | 82 + .../Security/SecCertificateBundle.h | 77 + .../Security/SecCertificateInternalP.h | 312 + .../Security/SecCertificateOIDs.h | 172 + .../Security/SecCertificateP.c | 4743 ++++++++ .../Security/SecCertificateP.h | 114 + .../Security/SecCertificatePriv.h | 308 + .../Security/SecCertificatePrivP.h | 176 + .../Security/SecCertificateRequest.cpp | 190 + .../Security/SecCertificateRequest.h | 191 + .../Security/SecExport.cpp | 340 + .../Security/SecExternalRep.cpp | 541 + .../Security/SecExternalRep.h | 181 + .../SecFDERecoveryAsymmetricCrypto.cpp | 188 + .../Security/SecFDERecoveryAsymmetricCrypto.h | 63 + .../Security/SecFrameworkP.c | 274 + .../Security/SecFrameworkP.h | 64 + .../Security/SecIdentity.cpp | 1152 ++ .../Security/SecIdentity.h | 204 + .../Security/SecIdentityPriv.h | 152 + .../Security/SecIdentitySearch.cpp | 118 + .../Security/SecIdentitySearch.h | 91 + .../Security/SecIdentitySearchPriv.h | 87 + .../Security/SecImport.cpp | 412 + .../Security/SecImportExport.c | 335 + .../Security/SecImportExport.h | 683 ++ .../Security/SecImportExportAgg.cpp | 897 ++ .../Security/SecImportExportAgg.h | 82 + .../Security/SecImportExportCrypto.cpp | 744 ++ .../Security/SecImportExportCrypto.h | 123 + .../Security/SecImportExportOpenSSH.cpp | 633 ++ .../Security/SecImportExportOpenSSH.h | 80 + .../Security/SecImportExportPem.cpp | 504 + .../Security/SecImportExportPem.h | 71 + .../Security/SecImportExportPkcs8.cpp | 978 ++ .../Security/SecImportExportPkcs8.h | 63 + .../Security/SecImportExportUtils.cpp | 972 ++ .../Security/SecImportExportUtils.h | 219 + .../Security/SecInternal.h | 67 + .../Security/SecInternalP.h | 67 + OSX/libsecurity_keychain/Security/SecItem.cpp | 4998 +++++++++ OSX/libsecurity_keychain/Security/SecItem.h | 1163 ++ .../Security/SecItemConstants.c | 236 + .../Security/SecItemPriv.h | 395 + OSX/libsecurity_keychain/Security/SecKey.cpp | 2288 ++++ 
OSX/libsecurity_keychain/Security/SecKey.h | 612 + .../Security/SecKeyPriv.h | 397 + .../Security/SecKeychain.cpp | 1283 +++ .../Security/SecKeychain.h | 626 ++ .../Security/SecKeychainAddIToolsPassword.cpp | 105 + .../Security/SecKeychainItem.cpp | 912 ++ .../Security/SecKeychainItem.h | 332 + .../SecKeychainItemExtendedAttributes.cpp | 367 + .../SecKeychainItemExtendedAttributes.h | 126 + .../Security/SecKeychainItemPriv.h | 164 + .../Security/SecKeychainPriv.h | 128 + .../Security/SecKeychainSearch.cpp | 129 + .../Security/SecKeychainSearch.h | 80 + .../Security/SecKeychainSearchPriv.h | 57 + .../Security/SecNetscapeTemplates.cpp | 69 + .../Security/SecNetscapeTemplates.h | 93 + .../Security/SecPassword.cpp | 264 + .../Security/SecPassword.h | 95 + .../Security/SecPkcs8Templates.cpp | 94 + .../Security/SecPkcs8Templates.h | 110 + .../Security/SecPolicy.cpp | 963 ++ OSX/libsecurity_keychain/Security/SecPolicy.h | 424 + .../Security/SecPolicyPriv.h | 229 + .../Security/SecPolicySearch.cpp | 111 + .../Security/SecPolicySearch.h | 87 + .../Security/SecRSAKeyP.h | 60 + OSX/libsecurity_keychain/Security/SecRandom.c | 63 + OSX/libsecurity_keychain/Security/SecRandom.h | 71 + .../Security/SecRandomP.h | 58 + .../Security/SecRecoveryPassword.c | 478 + .../Security/SecRecoveryPassword.h | 106 + .../Security/SecTrust.cpp | 1297 +++ OSX/libsecurity_keychain/Security/SecTrust.h | 700 ++ .../Security/SecTrustPriv.h | 181 + .../Security/SecTrustSettings.cpp | 1030 ++ .../Security/SecTrustSettings.h | 322 + .../Security/SecTrustSettingsCertificates.h | 285 + .../Security/SecTrustSettingsPriv.h | 143 + .../Security/SecTrustedApplication.cpp | 213 + .../Security/SecTrustedApplication.h | 85 + .../Security/SecTrustedApplicationPriv.h | 175 + .../Security/SecWrappedKeys.cpp | 494 + OSX/libsecurity_keychain/Security/Security.h | 106 + .../Security/StorageManager.cpp | 1975 ++++ .../Security/StorageManager.h | 183 + OSX/libsecurity_keychain/Security/Trust.cpp | 943 ++ 
OSX/libsecurity_keychain/Security/Trust.h | 191 + .../Security/TrustAdditions.cpp | 1250 +++ .../Security/TrustAdditions.h | 52 + .../Security/TrustItem.cpp | 192 + OSX/libsecurity_keychain/Security/TrustItem.h | 81 + .../Security/TrustKeychains.h | 55 + .../Security/TrustRevocation.cpp | 732 ++ .../Security/TrustSettings.cpp | 1585 +++ .../Security/TrustSettings.h | 256 + .../Security/TrustSettingsSchema.h | 150 + .../Security/TrustSettingsUtils.cpp | 98 + .../Security/TrustSettingsUtils.h | 57 + .../Security/TrustStore.cpp | 261 + .../Security/TrustStore.h | 79 + .../Security/TrustedApplication.cpp | 174 + .../Security/TrustedApplication.h | 79 + .../Security/UnlockReferralItem.cpp | 127 + .../Security/UnlockReferralItem.h | 66 + .../Security/certextensionsP.h | 546 + .../Security/cssmdatetime.cpp | 465 + .../Security/cssmdatetime.h | 67 + .../Security/defaultcreds.cpp | 195 + .../Security/defaultcreds.h | 78 + .../Security/generateErrStrings.pl | 98 + .../Security/security_keychain.exp | 761 ++ .../Security/tsaDERUtilities.c | 121 + .../Security/tsaDERUtilities.h | 45 + OSX/libsecurity_keychain/lib/ACL.cpp | 434 + OSX/libsecurity_keychain/lib/ACL.h | 157 + OSX/libsecurity_keychain/lib/Access.cpp | 380 + OSX/libsecurity_keychain/lib/Access.h | 139 + .../lib/AppleBaselineEscrowCertificates.h | 178 + OSX/libsecurity_keychain/lib/CCallbackMgr.cp | 239 + OSX/libsecurity_keychain/lib/CCallbackMgr.h | 102 + OSX/libsecurity_keychain/lib/Certificate.cpp | 1471 +++ OSX/libsecurity_keychain/lib/Certificate.h | 151 + .../lib/CertificateRequest.cpp | 858 ++ .../lib/CertificateRequest.h | 154 + .../lib/CertificateValues.cpp | 610 + .../lib/CertificateValues.h | 74 + .../lib/DLDBListCFPref.cpp | 1079 ++ OSX/libsecurity_keychain/lib/DLDBListCFPref.h | 222 + .../lib/DynamicDLDBList.cpp | 235 + .../lib/DynamicDLDBList.h | 74 + .../lib/ExtendedAttribute.cpp | 192 + .../lib/ExtendedAttribute.h | 90 + OSX/libsecurity_keychain/lib/Globals.cpp | 73 + 
OSX/libsecurity_keychain/lib/Globals.h | 75 + OSX/libsecurity_keychain/lib/Identity.cpp | 135 + OSX/libsecurity_keychain/lib/Identity.h | 68 + .../lib/IdentityCursor.cpp | 351 + OSX/libsecurity_keychain/lib/IdentityCursor.h | 89 + OSX/libsecurity_keychain/lib/Item.cpp | 1548 +++ OSX/libsecurity_keychain/lib/Item.h | 213 + OSX/libsecurity_keychain/lib/KCCursor.cpp | 308 + OSX/libsecurity_keychain/lib/KCCursor.h | 86 + .../lib/KCEventNotifier.cpp | 79 + .../lib/KCEventNotifier.h | 60 + OSX/libsecurity_keychain/lib/KCExceptions.h | 96 + OSX/libsecurity_keychain/lib/KCUtilities.cpp | 30 + OSX/libsecurity_keychain/lib/KCUtilities.h | 45 + OSX/libsecurity_keychain/lib/KeyItem.cpp | 1420 +++ OSX/libsecurity_keychain/lib/KeyItem.h | 141 + OSX/libsecurity_keychain/lib/Keychains.cpp | 1332 +++ OSX/libsecurity_keychain/lib/Keychains.h | 267 + .../lib/MacOSErrorStrings.h | 61 + OSX/libsecurity_keychain/lib/Password.cpp | 147 + OSX/libsecurity_keychain/lib/Password.h | 81 + OSX/libsecurity_keychain/lib/Policies.cpp | 361 + OSX/libsecurity_keychain/lib/Policies.h | 85 + OSX/libsecurity_keychain/lib/PolicyCursor.cpp | 118 + OSX/libsecurity_keychain/lib/PolicyCursor.h | 93 + OSX/libsecurity_keychain/lib/PrimaryKey.cpp | 134 + OSX/libsecurity_keychain/lib/PrimaryKey.h | 75 + OSX/libsecurity_keychain/lib/SecACL.cpp | 294 + OSX/libsecurity_keychain/lib/SecACL.h | 228 + OSX/libsecurity_keychain/lib/SecAccess.cpp | 715 ++ OSX/libsecurity_keychain/lib/SecAccess.h | 221 + OSX/libsecurity_keychain/lib/SecAccessPriv.h | 76 + OSX/libsecurity_keychain/lib/SecAsn1TypesP.h | 241 + OSX/libsecurity_keychain/lib/SecBase.cpp | 1120 ++ OSX/libsecurity_keychain/lib/SecBase.h | 655 ++ OSX/libsecurity_keychain/lib/SecBase64P.c | 489 + OSX/libsecurity_keychain/lib/SecBase64P.h | 247 + OSX/libsecurity_keychain/lib/SecBaseP.h | 91 + OSX/libsecurity_keychain/lib/SecBasePriv.h | 92 + OSX/libsecurity_keychain/lib/SecBridge.h | 90 + OSX/libsecurity_keychain/lib/SecCFTypes.cpp | 70 + 
OSX/libsecurity_keychain/lib/SecCFTypes.h | 107 + .../lib/SecCertificate.cpp | 1538 +++ OSX/libsecurity_keychain/lib/SecCertificate.h | 480 + .../lib/SecCertificateBundle.cpp | 82 + .../lib/SecCertificateBundle.h | 77 + .../lib/SecCertificateInternalP.h | 312 + .../lib/SecCertificateOIDs.h | 172 + .../lib/SecCertificateP.c | 4743 ++++++++ .../lib/SecCertificateP.h | 114 + .../lib/SecCertificatePriv.h | 308 + .../lib/SecCertificatePrivP.h | 176 + .../lib/SecCertificateRequest.cpp | 190 + .../lib/SecCertificateRequest.h | 191 + OSX/libsecurity_keychain/lib/SecExport.cpp | 340 + .../lib/SecExternalRep.cpp | 541 + OSX/libsecurity_keychain/lib/SecExternalRep.h | 181 + .../lib/SecFDERecoveryAsymmetricCrypto.cpp | 188 + .../lib/SecFDERecoveryAsymmetricCrypto.h | 63 + OSX/libsecurity_keychain/lib/SecFrameworkP.c | 274 + OSX/libsecurity_keychain/lib/SecFrameworkP.h | 64 + OSX/libsecurity_keychain/lib/SecIdentity.cpp | 1152 ++ OSX/libsecurity_keychain/lib/SecIdentity.h | 204 + .../lib/SecIdentityPriv.h | 152 + .../lib/SecIdentitySearch.cpp | 118 + .../lib/SecIdentitySearch.h | 91 + .../lib/SecIdentitySearchPriv.h | 87 + OSX/libsecurity_keychain/lib/SecImport.cpp | 412 + .../lib/SecImportExport.c | 335 + .../lib/SecImportExport.h | 683 ++ .../lib/SecImportExportAgg.cpp | 897 ++ .../lib/SecImportExportAgg.h | 82 + .../lib/SecImportExportCrypto.cpp | 744 ++ .../lib/SecImportExportCrypto.h | 123 + .../lib/SecImportExportOpenSSH.cpp | 633 ++ .../lib/SecImportExportOpenSSH.h | 80 + .../lib/SecImportExportPem.cpp | 504 + .../lib/SecImportExportPem.h | 71 + .../lib/SecImportExportPkcs8.cpp | 978 ++ .../lib/SecImportExportPkcs8.h | 63 + .../lib/SecImportExportUtils.cpp | 972 ++ .../lib/SecImportExportUtils.h | 219 + OSX/libsecurity_keychain/lib/SecInternal.h | 67 + OSX/libsecurity_keychain/lib/SecInternalP.h | 67 + OSX/libsecurity_keychain/lib/SecItem.cpp | 4998 +++++++++ OSX/libsecurity_keychain/lib/SecItem.h | 1163 ++ .../lib/SecItemConstants.c | 236 + 
OSX/libsecurity_keychain/lib/SecItemPriv.h | 395 + OSX/libsecurity_keychain/lib/SecKey.cpp | 2288 ++++ OSX/libsecurity_keychain/lib/SecKey.h | 612 + OSX/libsecurity_keychain/lib/SecKeyPriv.h | 397 + OSX/libsecurity_keychain/lib/SecKeychain.cpp | 1283 +++ OSX/libsecurity_keychain/lib/SecKeychain.h | 626 ++ .../lib/SecKeychainAddIToolsPassword.cpp | 105 + .../lib/SecKeychainItem.cpp | 912 ++ .../lib/SecKeychainItem.h | 332 + .../lib/SecKeychainItemExtendedAttributes.cpp | 367 + .../lib/SecKeychainItemExtendedAttributes.h | 126 + .../lib/SecKeychainItemPriv.h | 164 + .../lib/SecKeychainPriv.h | 128 + .../lib/SecKeychainSearch.cpp | 129 + .../lib/SecKeychainSearch.h | 80 + .../lib/SecKeychainSearchPriv.h | 57 + .../lib/SecNetscapeTemplates.cpp | 69 + .../lib/SecNetscapeTemplates.h | 93 + OSX/libsecurity_keychain/lib/SecPassword.cpp | 264 + OSX/libsecurity_keychain/lib/SecPassword.h | 95 + .../lib/SecPkcs8Templates.cpp | 94 + .../lib/SecPkcs8Templates.h | 110 + OSX/libsecurity_keychain/lib/SecPolicy.cpp | 963 ++ OSX/libsecurity_keychain/lib/SecPolicy.h | 424 + OSX/libsecurity_keychain/lib/SecPolicyPriv.h | 229 + .../lib/SecPolicySearch.cpp | 111 + .../lib/SecPolicySearch.h | 87 + OSX/libsecurity_keychain/lib/SecRSAKeyP.h | 60 + OSX/libsecurity_keychain/lib/SecRandom.c | 63 + OSX/libsecurity_keychain/lib/SecRandom.h | 71 + OSX/libsecurity_keychain/lib/SecRandomP.h | 58 + .../lib/SecRecoveryPassword.c | 478 + .../lib/SecRecoveryPassword.h | 106 + OSX/libsecurity_keychain/lib/SecTrust.cpp | 1297 +++ OSX/libsecurity_keychain/lib/SecTrust.h | 700 ++ OSX/libsecurity_keychain/lib/SecTrustPriv.h | 181 + .../lib/SecTrustSettings.cpp | 1030 ++ .../lib/SecTrustSettings.h | 322 + .../lib/SecTrustSettingsCertificates.h | 285 + .../lib/SecTrustSettingsPriv.h | 143 + .../lib/SecTrustedApplication.cpp | 213 + .../lib/SecTrustedApplication.h | 85 + .../lib/SecTrustedApplicationPriv.h | 175 + .../lib/SecWrappedKeys.cpp | 494 + OSX/libsecurity_keychain/lib/Security.h | 106 + 
.../lib/StorageManager.cpp | 1975 ++++ OSX/libsecurity_keychain/lib/StorageManager.h | 183 + OSX/libsecurity_keychain/lib/Trust.cpp | 943 ++ OSX/libsecurity_keychain/lib/Trust.h | 191 + .../lib/TrustAdditions.cpp | 1250 +++ OSX/libsecurity_keychain/lib/TrustAdditions.h | 52 + OSX/libsecurity_keychain/lib/TrustItem.cpp | 192 + OSX/libsecurity_keychain/lib/TrustItem.h | 81 + OSX/libsecurity_keychain/lib/TrustKeychains.h | 55 + .../lib/TrustRevocation.cpp | 732 ++ .../lib/TrustSettings.cpp | 1585 +++ OSX/libsecurity_keychain/lib/TrustSettings.h | 256 + .../lib/TrustSettingsSchema.h | 150 + .../lib/TrustSettingsUtils.cpp | 98 + .../lib/TrustSettingsUtils.h | 57 + OSX/libsecurity_keychain/lib/TrustStore.cpp | 261 + OSX/libsecurity_keychain/lib/TrustStore.h | 79 + .../lib/TrustedApplication.cpp | 174 + .../lib/TrustedApplication.h | 79 + .../lib/UnlockReferralItem.cpp | 127 + .../lib/UnlockReferralItem.h | 66 + .../lib/certextensionsP.h | 546 + OSX/libsecurity_keychain/lib/cssmdatetime.cpp | 465 + OSX/libsecurity_keychain/lib/cssmdatetime.h | 67 + OSX/libsecurity_keychain/lib/defaultcreds.cpp | 195 + OSX/libsecurity_keychain/lib/defaultcreds.h | 78 + .../lib/generateErrStrings.pl | 98 + .../lib/security_keychain.exp | 761 ++ .../lib/tsaDERUtilities.c | 121 + .../lib/tsaDERUtilities.h | 45 + .../libsecurity_keychain/libDER/README.txt | 0 .../Tests/AppleMobilePersonalizedTicket.h | 0 .../libDER/Tests/DER_Ticket.c | 0 .../libDER/Tests/DER_Ticket.h | 0 .../certsCrls/EndCertificateCP.01.01.crt | Bin .../libDER/Tests/certsCrls/Test_CRL_CA1.crl | Bin .../Tests/certsCrls/Test_CRL_CA1.crl.pem | 0 .../Tests/certsCrls/TrustAnchorCP.01.01.crt | Bin .../certsCrls/TrustAnchorCRLCP.01.01.crl | Bin .../libDER/Tests/certsCrls/apple_v3.000.cer | Bin .../libDER/Tests/certsCrls/apple_v3.001.cer | Bin .../libDER/Tests/certsCrls/entrust_v3.100.cer | Bin .../libDER/Tests/certsCrls/entrust_v3.101.cer | Bin .../libDER/Tests/certsCrls/keybank_v3.100.cer | Bin 
.../libDER/Tests/certsCrls/keybank_v3.101.cer | Bin .../libDER/Tests/certsCrls/keybank_v3.102.cer | Bin .../libDER/Tests/parseCert.c | 0 .../libDER/Tests/parseCrl.c | 0 .../libDER/Tests/parseTicket.c | 0 .../libDER/config/base.xcconfig | 0 .../libDER/config/debug.xcconfig | 0 .../libDER/config/lib.xcconfig | 0 .../libDER/config/release.xcconfig | 0 .../libDER/libDER.xcodeproj/project.pbxproj | 770 ++ .../libDER/libDER/DER_CertCrl.c | 32 +- .../libDER/libDER/DER_CertCrl.h | 21 + .../libDER/libDER/DER_Decode.c | 0 .../libDER/libDER/DER_Decode.h | 0 .../libDER/libDER/DER_Digest.c | 0 .../libDER/libDER/DER_Digest.h | 0 .../libDER/libDER/DER_Encode.c | 0 .../libDER/libDER/DER_Encode.h | 0 .../libDER/libDER/DER_Keys.c | 0 .../libDER/libDER/DER_Keys.h | 0 .../libDER/libDER/asn1Types.h | 0 .../libDER/libDER/libDER.h | 8 - .../libDER/libDER/libDER_config.h | 6 +- OSX/libsecurity_keychain/libDER/libDER/oids.c | 732 ++ OSX/libsecurity_keychain/libDER/libDER/oids.h | 152 + .../libDER/libDER/oidsPriv.h | 87 + .../libDER/libDERUtils/fileIo.c | 0 .../libDER/libDERUtils/fileIo.h | 0 .../libDER/libDERUtils/libDERUtils.c | 0 .../libDER/libDERUtils/libDERUtils.h | 0 .../libDER/libDERUtils/printFields.c | 2 +- .../libDER/libDERUtils/printFields.h | 0 .../project.pbxproj | 1333 +++ .../plist/iToolsTrustedApps.plist | 0 .../regressions/kc-40-seckey.c | 2 +- .../regressions/kc-41-sececkey.c | 504 + .../regressions/kc-42-trust-revocation.c | 735 ++ .../regressions/keychain_regressions.h | 1 + .../regressions/si-33-keychain-backup.c | 0 .../regressions/si-34-one-true-keychain.c | 127 + .../xpc-tsa/XPCTimeStampingService-Info.plist | 0 .../libsecurity_keychain/xpc-tsa/main-tsa.m | 0 .../xpc-tsa/timestampclient.h | 0 .../xpc-tsa/timestampclient.m | 0 .../xpc/XPCKeychainSandboxCheck-Info.plist | 0 .../libsecurity_keychain/xpc/main.c | 0 .../libsecurity_manifest/APPLE_LICENSE | 0 .../Info-security_manifest.plist | 0 .../lib/AppleManifest.cpp | 0 .../libsecurity_manifest/lib/AppleManifest.h | 0 
.../libsecurity_manifest/lib/Download.cpp | 0 .../libsecurity_manifest/lib/Download.h | 0 .../libsecurity_manifest/lib/Manifest.cpp | 0 .../libsecurity_manifest/lib/Manifest.h | 0 .../lib/ManifestInternal.cpp | 0 .../lib/ManifestInternal.h | 0 .../lib/ManifestSigner.cpp | 0 .../libsecurity_manifest/lib/ManifestSigner.h | 0 .../libsecurity_manifest/lib/SecManifest.cpp | 0 .../libsecurity_manifest/lib/SecManifest.h | 0 .../lib/SecureDownload.cpp | 0 .../libsecurity_manifest/lib/SecureDownload.h | 0 .../lib/SecureDownloadInternal.c | 0 .../lib/SecureDownloadInternal.h | 0 .../lib/security_manifest.exp | 0 .../project.pbxproj | 357 + .../libsecurity_mds/Info-security_mds.plist | 0 {Security => OSX}/libsecurity_mds/README | 0 .../libsecurity_mds/lib/MDSAttrParser.cpp | 0 .../libsecurity_mds/lib/MDSAttrParser.h | 0 .../libsecurity_mds/lib/MDSAttrStrings.cpp | 0 .../libsecurity_mds/lib/MDSAttrStrings.h | 0 .../libsecurity_mds/lib/MDSAttrUtils.cpp | 0 .../libsecurity_mds/lib/MDSAttrUtils.h | 0 .../libsecurity_mds/lib/MDSDatabase.cpp | 0 .../libsecurity_mds/lib/MDSDatabase.h | 0 .../libsecurity_mds/lib/MDSDictionary.cpp | 0 .../libsecurity_mds/lib/MDSDictionary.h | 0 .../libsecurity_mds/lib/MDSModule.cpp | 0 .../libsecurity_mds/lib/MDSModule.h | 0 .../libsecurity_mds/lib/MDSPrefs.cpp | 0 .../libsecurity_mds/lib/MDSPrefs.h | 0 .../libsecurity_mds/lib/MDSSchema.cpp | 0 .../libsecurity_mds/lib/MDSSchema.h | 0 .../libsecurity_mds/lib/MDSSession.cpp | 30 +- .../libsecurity_mds/lib/MDSSession.h | 0 {Security => OSX}/libsecurity_mds/lib/mds.h | 0 .../libsecurity_mds/lib/mds_schema.h | 0 .../libsecurity_mds/lib/mdsapi.cpp | 0 .../libsecurity_mds/lib/mdspriv.h | 0 .../libsecurity_mds/lib/security_mds.exp | 0 .../libsecurity_mds.xcodeproj/project.pbxproj | 343 + .../Info-security_ocspd.plist | 0 .../libsecurity_ocspd/client/ocspdClient.cpp | 0 OSX/libsecurity_ocspd/client/ocspdClient.h | 152 + .../common/ocspExtensions.cpp | 200 + OSX/libsecurity_ocspd/common/ocspExtensions.h | 179 + 
OSX/libsecurity_ocspd/common/ocspResponse.cpp | 562 + OSX/libsecurity_ocspd/common/ocspResponse.h | 229 + OSX/libsecurity_ocspd/common/ocspdClient.h | 152 + .../common/ocspdDbSchema.cpp | 54 + OSX/libsecurity_ocspd/common/ocspdDbSchema.h | 106 + OSX/libsecurity_ocspd/common/ocspdDebug.h | 66 + OSX/libsecurity_ocspd/common/ocspdTypes.h | 42 + OSX/libsecurity_ocspd/common/ocspdUtils.cpp | 417 + OSX/libsecurity_ocspd/common/ocspdUtils.h | 111 + .../project.pbxproj | 418 + .../libsecurity_ocspd/mig/mig.mk | 0 .../libsecurity_ocspd/mig/ocspd.defs | 0 .../libsecurity_pkcs12/APPLE_LICENSE | 0 .../Info-security_pkcs12.plist | 0 OSX/libsecurity_pkcs12/lib/SecPkcs12.cpp | 914 ++ OSX/libsecurity_pkcs12/lib/SecPkcs12.h | 571 + OSX/libsecurity_pkcs12/lib/pkcs12BagAttrs.cpp | 164 + OSX/libsecurity_pkcs12/lib/pkcs12BagAttrs.h | 123 + OSX/libsecurity_pkcs12/lib/pkcs12Coder.cpp | 414 + OSX/libsecurity_pkcs12/lib/pkcs12Coder.h | 419 + OSX/libsecurity_pkcs12/lib/pkcs12Crypto.cpp | 647 ++ OSX/libsecurity_pkcs12/lib/pkcs12Crypto.h | 172 + OSX/libsecurity_pkcs12/lib/pkcs12Debug.h | 48 + OSX/libsecurity_pkcs12/lib/pkcs12Decode.cpp | 532 + OSX/libsecurity_pkcs12/lib/pkcs12Encode.cpp | 497 + OSX/libsecurity_pkcs12/lib/pkcs12Keychain.cpp | 458 + OSX/libsecurity_pkcs12/lib/pkcs12SafeBag.cpp | 528 + OSX/libsecurity_pkcs12/lib/pkcs12SafeBag.h | 297 + .../lib/pkcs12Templates.cpp | 293 + OSX/libsecurity_pkcs12/lib/pkcs12Templates.h | 286 + OSX/libsecurity_pkcs12/lib/pkcs12Utils.cpp | 832 ++ OSX/libsecurity_pkcs12/lib/pkcs12Utils.h | 186 + OSX/libsecurity_pkcs12/lib/pkcs7Templates.cpp | 162 + OSX/libsecurity_pkcs12/lib/pkcs7Templates.h | 167 + OSX/libsecurity_pkcs12/lib/pkcsoids.cpp | 35 + OSX/libsecurity_pkcs12/lib/pkcsoids.h | 45 + .../project.pbxproj | 332 + .../libsecurity_sd_cspdl/APPLE_LICENSE | 0 .../Info-security_sd_cspdl.plist | 0 .../lib/SDCSPDLBuiltin.cpp | 0 .../lib/SDCSPDLDatabase.cpp | 0 .../lib/SDCSPDLDatabase.h | 0 .../lib/SDCSPDLPlugin.cpp | 0 
.../libsecurity_sd_cspdl/lib/SDCSPDLPlugin.h | 0 .../lib/SDCSPDLSession.cpp | 0 .../libsecurity_sd_cspdl/lib/SDCSPDLSession.h | 0 .../libsecurity_sd_cspdl/lib/SDCSPSession.cpp | 2 +- .../libsecurity_sd_cspdl/lib/SDCSPSession.h | 0 .../libsecurity_sd_cspdl/lib/SDContext.cpp | 0 .../libsecurity_sd_cspdl/lib/SDContext.h | 0 .../libsecurity_sd_cspdl/lib/SDDLSession.cpp | 0 .../libsecurity_sd_cspdl/lib/SDDLSession.h | 0 .../libsecurity_sd_cspdl/lib/SDFactory.cpp | 0 .../libsecurity_sd_cspdl/lib/SDFactory.h | 0 .../libsecurity_sd_cspdl/lib/SDKey.cpp | 0 .../libsecurity_sd_cspdl/lib/SDKey.h | 0 .../project.pbxproj | 340 + .../mds/sd_cspdl_common.mdsinfo | 0 .../libsecurity_smime/APPLE_LICENSE | 0 .../Info-security_smime.plist | 0 {Security => OSX}/libsecurity_smime/TODO | 0 .../docs/libsecurity_smime.plist | 0 .../docs/libsecurity_smime.txt | 0 OSX/libsecurity_smime/lib/SecCMS.c | 140 + OSX/libsecurity_smime/lib/SecCMS.h | 43 + OSX/libsecurity_smime/lib/SecCmsBase.h | 511 + OSX/libsecurity_smime/lib/SecCmsContentInfo.h | 212 + OSX/libsecurity_smime/lib/SecCmsDecoder.h | 143 + .../lib/SecCmsDigestContext.h | 78 + .../lib/SecCmsDigestedData.h | 77 + OSX/libsecurity_smime/lib/SecCmsEncoder.h | 129 + .../lib/SecCmsEncryptedData.h | 76 + .../lib/SecCmsEnvelopedData.h | 80 + OSX/libsecurity_smime/lib/SecCmsMessage.h | 163 + .../lib/SecCmsRecipientInfo.h | 81 + OSX/libsecurity_smime/lib/SecCmsSignedData.h | 197 + OSX/libsecurity_smime/lib/SecCmsSignerInfo.h | 263 + OSX/libsecurity_smime/lib/SecSMIME.h | 56 + OSX/libsecurity_smime/lib/SecSMIMEPriv.h | 170 + OSX/libsecurity_smime/lib/cert.c | 854 ++ OSX/libsecurity_smime/lib/cert.h | 132 + OSX/libsecurity_smime/lib/cmsarray.c | 227 + OSX/libsecurity_smime/lib/cmsasn1.c | 599 + OSX/libsecurity_smime/lib/cmsattr.c | 451 + OSX/libsecurity_smime/lib/cmscinfo.c | 420 + OSX/libsecurity_smime/lib/cmscipher.c | 1199 ++ OSX/libsecurity_smime/lib/cmsdecode.c | 735 ++ OSX/libsecurity_smime/lib/cmsdigdata.c | 229 + 
OSX/libsecurity_smime/lib/cmsdigest.c | 290 + OSX/libsecurity_smime/lib/cmsencdata.c | 294 + OSX/libsecurity_smime/lib/cmsencode.c | 785 ++ OSX/libsecurity_smime/lib/cmsenvdata.c | 440 + OSX/libsecurity_smime/lib/cmslocal.h | 346 + OSX/libsecurity_smime/lib/cmsmessage.c | 362 + OSX/libsecurity_smime/lib/cmspriv.h | 510 + OSX/libsecurity_smime/lib/cmspubkey.c | 1449 +++ OSX/libsecurity_smime/lib/cmsrecinfo.c | 716 ++ OSX/libsecurity_smime/lib/cmsreclist.c | 237 + OSX/libsecurity_smime/lib/cmsreclist.h | 57 + OSX/libsecurity_smime/lib/cmssigdata.c | 1203 ++ OSX/libsecurity_smime/lib/cmssiginfo.c | 1439 +++ OSX/libsecurity_smime/lib/cmstpriv.h | 502 + OSX/libsecurity_smime/lib/cmsutil.c | 416 + OSX/libsecurity_smime/lib/cryptohi.c | 552 + OSX/libsecurity_smime/lib/cryptohi.h | 143 + OSX/libsecurity_smime/lib/plhash.c | 538 + OSX/libsecurity_smime/lib/plhash.h | 164 + OSX/libsecurity_smime/lib/secalgid.c | 172 + OSX/libsecurity_smime/lib/secitem.c | 304 + OSX/libsecurity_smime/lib/secitem.h | 117 + OSX/libsecurity_smime/lib/secoid.c | 1490 +++ OSX/libsecurity_smime/lib/secoid.h | 118 + OSX/libsecurity_smime/lib/secoidt.h | 61 + OSX/libsecurity_smime/lib/security_smime.exp | 133 + OSX/libsecurity_smime/lib/siginfoUtils.cpp | 62 + OSX/libsecurity_smime/lib/smimeutil.c | 802 ++ OSX/libsecurity_smime/lib/testcms | 43 + OSX/libsecurity_smime/lib/tsaSupport.c | 1412 +++ OSX/libsecurity_smime/lib/tsaSupport.h | 54 + OSX/libsecurity_smime/lib/tsaSupportPriv.h | 60 + OSX/libsecurity_smime/lib/tsaTemplates.c | 255 + OSX/libsecurity_smime/lib/tsaTemplates.h | 129 + .../project.pbxproj | 658 ++ .../regressions/smime-cms-test.c | 2 +- .../regressions/smime_regressions.h | 0 .../libsecurity_ssl/Info-security_ssl.plist | 0 {Security => OSX}/libsecurity_ssl/README | 0 OSX/libsecurity_ssl/Security/CipherSuite.h | 261 + .../Security/SSLRecordInternal.c | 392 + .../Security/SSLRecordInternal.h | 45 + .../Security/SecureTransport.h | 1360 +++ .../Security/SecureTransportPriv.h | 842 ++ 
.../libsecurity_ssl/Security}/appleSession.c | 0 .../libsecurity_ssl/Security}/appleSession.h | 0 .../libsecurity_ssl/Security}/cipherSpecs.h | 0 OSX/libsecurity_ssl/Security/security_ssl.exp | 94 + .../libsecurity_ssl/Security}/ssl.h | 0 .../libsecurity_ssl/Security}/sslBuildFlags.h | 0 OSX/libsecurity_ssl/Security/sslCipherSpecs.c | 496 + .../Security}/sslCipherSpecs.h | 0 OSX/libsecurity_ssl/Security/sslContext.c | 2644 +++++ OSX/libsecurity_ssl/Security/sslContext.h | 288 + OSX/libsecurity_ssl/Security/sslCrypto.c | 625 ++ OSX/libsecurity_ssl/Security/sslCrypto.h | 87 + .../libsecurity_ssl/Security}/sslDebug.h | 0 OSX/libsecurity_ssl/Security/sslKeychain.c | 251 + .../libsecurity_ssl/Security}/sslKeychain.h | 0 .../libsecurity_ssl/Security}/sslMemory.c | 0 .../libsecurity_ssl/Security}/sslMemory.h | 0 OSX/libsecurity_ssl/Security/sslPriv.h | 53 + OSX/libsecurity_ssl/Security/sslRecord.c | 124 + .../libsecurity_ssl/Security}/sslRecord.h | 0 OSX/libsecurity_ssl/Security/sslTransport.c | 538 + .../libsecurity_ssl/Security}/sslTypes.h | 0 .../libsecurity_ssl/Security}/sslUtils.c | 0 .../libsecurity_ssl/Security}/sslUtils.h | 0 OSX/libsecurity_ssl/Security/tlsCallbacks.c | 254 + .../libsecurity_ssl/Security}/tlsCallbacks.h | 0 .../Security/tls_record_internal.h | 79 + OSX/libsecurity_ssl/config/base.xcconfig | 17 + .../libsecurity_ssl/config/debug.xcconfig | 0 .../libsecurity_ssl/config/kext.xcconfig | 0 .../libsecurity_ssl/config/lib.xcconfig | 0 .../libsecurity_ssl/config/release.xcconfig | 0 .../libsecurity_ssl/config/tests.xcconfig | 0 .../libsecurity_ssl/dtlsEcho/README | 0 .../libsecurity_ssl/dtlsEcho/dtlsEchoClient.c | 0 .../libsecurity_ssl/dtlsEcho/dtlsEchoServer.c | 0 OSX/libsecurity_ssl/lib/CipherSuite.h | 261 + OSX/libsecurity_ssl/lib/SSLRecordInternal.c | 392 + OSX/libsecurity_ssl/lib/SSLRecordInternal.h | 45 + OSX/libsecurity_ssl/lib/SecureTransport.h | 1360 +++ OSX/libsecurity_ssl/lib/SecureTransportPriv.h | 842 ++ 
OSX/libsecurity_ssl/lib/appleSession.c | 470 + OSX/libsecurity_ssl/lib/appleSession.h | 55 + OSX/libsecurity_ssl/lib/cipherSpecs.h | 108 + OSX/libsecurity_ssl/lib/security_ssl.exp | 94 + OSX/libsecurity_ssl/lib/ssl.h | 36 + OSX/libsecurity_ssl/lib/sslBuildFlags.h | 101 + OSX/libsecurity_ssl/lib/sslCipherSpecs.c | 496 + OSX/libsecurity_ssl/lib/sslCipherSpecs.h | 58 + OSX/libsecurity_ssl/lib/sslContext.c | 2644 +++++ OSX/libsecurity_ssl/lib/sslContext.h | 288 + OSX/libsecurity_ssl/lib/sslCrypto.c | 625 ++ OSX/libsecurity_ssl/lib/sslCrypto.h | 87 + OSX/libsecurity_ssl/lib/sslDebug.h | 131 + OSX/libsecurity_ssl/lib/sslKeychain.c | 251 + OSX/libsecurity_ssl/lib/sslKeychain.h | 53 + OSX/libsecurity_ssl/lib/sslMemory.c | 248 + OSX/libsecurity_ssl/lib/sslMemory.h | 74 + OSX/libsecurity_ssl/lib/sslPriv.h | 53 + OSX/libsecurity_ssl/lib/sslRecord.c | 124 + OSX/libsecurity_ssl/lib/sslRecord.h | 62 + OSX/libsecurity_ssl/lib/sslTransport.c | 538 + OSX/libsecurity_ssl/lib/sslTypes.h | 167 + OSX/libsecurity_ssl/lib/sslUtils.c | 140 + OSX/libsecurity_ssl/lib/sslUtils.h | 82 + OSX/libsecurity_ssl/lib/tlsCallbacks.c | 254 + OSX/libsecurity_ssl/lib/tlsCallbacks.h | 32 + OSX/libsecurity_ssl/lib/tls_record_internal.h | 79 + .../libsecurity_ssl.xcodeproj/project.pbxproj | 830 ++ .../regressions/ClientCert_ecc_ecc.h | 0 .../regressions/ClientCert_ecc_rsa.h | 0 .../regressions/ClientCert_rsa_ecc.h | 0 .../regressions/ClientCert_rsa_rsa.h | 0 .../regressions/ClientKey_ecc.h | 0 .../regressions/ClientKey_rsa.h | 0 .../regressions/CreateCerts.sh | 105 + .../SECG_ecc-secp256r1-client_cert.h | 0 .../SECG_ecc-secp256r1-client_key.h | 0 .../SECG_ecc_rsa-secp256r1-client_cert.h | 0 .../SECG_ecc_rsa-secp256r1-client_key.h | 0 .../libsecurity_ssl/regressions/cert-1.h | 0 OSX/libsecurity_ssl/regressions/gencerts.sh | 15 + .../libsecurity_ssl/regressions/identity-1.h | 0 .../libsecurity_ssl/regressions/privkey-1.h | 0 .../libsecurity_ssl/regressions/ssl-39-echo.c | 0 
.../regressions/ssl-40-clientauth.c | 0 .../regressions/ssl-41-clientauth.c | 0 .../regressions/ssl-42-ciphers.c | 702 ++ .../regressions/ssl-43-ciphers.c | 57 +- .../regressions/ssl-44-crashes.c | 36 +- .../regressions/ssl-45-tls12.c | 80 +- .../ssl-46-SSLGetSupportedCiphers.c | 162 +- .../regressions/ssl-47-falsestart.c | 0 .../regressions/ssl-48-split.c | 20 +- OSX/libsecurity_ssl/regressions/ssl-49-sni.c | 281 + .../regressions/ssl-50-server.c | 0 .../regressions/ssl-51-state.c | 8 +- .../regressions/ssl-52-noconn.c | 42 + .../regressions/ssl-53-clientauth.c | 417 + OSX/libsecurity_ssl/regressions/ssl-54-dhe.c | 411 + .../regressions/ssl-55-sessioncache.c | 337 + OSX/libsecurity_ssl/regressions/ssl-utils.c | 305 + .../libsecurity_ssl/regressions/ssl-utils.h | 8 +- .../regressions/ssl_regressions.h | 4 + .../regressions/test-certs/CA-ECC.Cert.der | Bin 0 -> 461 bytes .../regressions/test-certs/CA-ECC.Cert.pem | 12 + .../regressions/test-certs/CA-ECC.Key.der | Bin 0 -> 121 bytes .../regressions/test-certs/CA-ECC.Key.pem | 5 + .../regressions/test-certs/CA-ECC_Cert.h | 42 + .../regressions/test-certs/CA-ECC_Key.h | 14 + .../regressions/test-certs/CA-RSA.Cert.der | Bin 0 -> 859 bytes .../regressions/test-certs/CA-RSA.Cert.pem | 20 + .../regressions/test-certs/CA-RSA.Key.der | Bin 0 -> 1190 bytes .../regressions/test-certs/CA-RSA.Key.pem | 27 + .../regressions/test-certs/CA-RSA_Cert.h | 75 + .../regressions/test-certs/CA-RSA_Key.h | 103 + .../test-certs/ClientECC.Cert.CA-ECC.der | Bin 0 -> 357 bytes .../test-certs/ClientECC.Cert.CA-ECC.pem | 10 + .../test-certs/ClientECC.Cert.CA-RSA.der | Bin 0 -> 551 bytes .../test-certs/ClientECC.Cert.CA-RSA.pem | 14 + .../regressions/test-certs/ClientECC.Key.der | Bin 0 -> 121 bytes .../regressions/test-certs/ClientECC.Key.pem | 5 + .../regressions/test-certs/ClientECC.Req.pem | 8 + .../test-certs/ClientECC_Cert_CA-ECC.h | 33 + .../test-certs/ClientECC_Cert_CA-RSA.h | 49 + .../regressions/test-certs/ClientECC_Key.h | 14 + 
.../test-certs/ClientRSA.Cert.CA-ECC.der | Bin 0 -> 426 bytes .../test-certs/ClientRSA.Cert.CA-ECC.pem | 11 + .../test-certs/ClientRSA.Cert.CA-RSA.der | Bin 0 -> 622 bytes .../test-certs/ClientRSA.Cert.CA-RSA.pem | 15 + .../regressions/test-certs/ClientRSA.Key.der | Bin 0 -> 607 bytes .../regressions/test-certs/ClientRSA.Key.pem | 15 + .../regressions/test-certs/ClientRSA.Req.pem | 11 + .../test-certs/ClientRSA_Cert_CA-ECC.h | 39 + .../test-certs/ClientRSA_Cert_CA-RSA.h | 55 + .../regressions/test-certs/ClientRSA_Key.h | 54 + .../test-certs/ServerECC.Cert.CA-ECC.der | Bin 0 -> 355 bytes .../test-certs/ServerECC.Cert.CA-ECC.pem | 10 + .../test-certs/ServerECC.Cert.CA-RSA.der | Bin 0 -> 550 bytes .../test-certs/ServerECC.Cert.CA-RSA.pem | 14 + .../regressions/test-certs/ServerECC.Key.der | Bin 0 -> 121 bytes .../regressions/test-certs/ServerECC.Key.pem | 5 + .../regressions/test-certs/ServerECC.Req.pem | 8 + .../test-certs/ServerECC_Cert_CA-ECC.h | 33 + .../test-certs/ServerECC_Cert_CA-RSA.h | 49 + .../regressions/test-certs/ServerECC_Key.h | 14 + .../test-certs/ServerRSA.Cert.CA-ECC.der | Bin 0 -> 427 bytes .../test-certs/ServerRSA.Cert.CA-ECC.pem | 11 + .../test-certs/ServerRSA.Cert.CA-RSA.der | Bin 0 -> 621 bytes .../test-certs/ServerRSA.Cert.CA-RSA.pem | 15 + .../regressions/test-certs/ServerRSA.Key.der | Bin 0 -> 607 bytes .../regressions/test-certs/ServerRSA.Key.pem | 15 + .../regressions/test-certs/ServerRSA.Req.pem | 11 + .../test-certs/ServerRSA_Cert_CA-ECC.h | 39 + .../test-certs/ServerRSA_Cert_CA-RSA.h | 55 + .../regressions/test-certs/ServerRSA_Key.h | 54 + .../test-certs/Untrusted-CA-RSA.Cert.der | Bin 0 -> 859 bytes .../test-certs/Untrusted-CA-RSA.Cert.pem | 20 + .../test-certs/Untrusted-CA-RSA.Key.der | Bin 0 -> 1192 bytes .../test-certs/Untrusted-CA-RSA.Key.pem | 27 + .../test-certs/Untrusted-CA-RSA_Cert.h | 75 + .../test-certs/Untrusted-CA-RSA_Key.h | 103 + ...trustedClientRSA.Cert.Untrusted-CA-RSA.der | Bin 0 -> 633 bytes 
...trustedClientRSA.Cert.Untrusted-CA-RSA.pem | 16 + .../test-certs/UntrustedClientRSA.Key.der | Bin 0 -> 610 bytes .../test-certs/UntrustedClientRSA.Key.pem | 15 + .../test-certs/UntrustedClientRSA.Req.pem | 11 + ...UntrustedClientRSA_Cert_Untrusted-CA-RSA.h | 56 + .../test-certs/UntrustedClientRSA_Key.h | 54 + .../regressions/test-certs/eccert.h | 59 + .../regressions/test-certs/ecclientcert.h | 43 + .../regressions/test-certs/ecclientkey.h | 14 + .../regressions/test-certs/ecidentity.h | 86 + .../regressions/test-certs/eckey.h | 14 + .../regressions/test-certs/ecparam.pem | 3 + .../security_ssl/CipherSuite.h | 261 + .../security_ssl/SSLRecordInternal.c | 392 + .../security_ssl/SSLRecordInternal.h | 45 + .../security_ssl/SecureTransport.h | 1360 +++ .../security_ssl/SecureTransportPriv.h | 842 ++ .../security_ssl/appleSession.c | 470 + .../security_ssl/appleSession.h | 55 + .../security_ssl/cipherSpecs.h | 108 + .../security_ssl/security_ssl.exp | 94 + OSX/libsecurity_ssl/security_ssl/ssl.h | 36 + .../security_ssl/sslBuildFlags.h | 101 + .../security_ssl/sslCipherSpecs.c | 496 + .../security_ssl/sslCipherSpecs.h | 58 + OSX/libsecurity_ssl/security_ssl/sslContext.c | 2644 +++++ OSX/libsecurity_ssl/security_ssl/sslContext.h | 288 + OSX/libsecurity_ssl/security_ssl/sslCrypto.c | 625 ++ OSX/libsecurity_ssl/security_ssl/sslCrypto.h | 87 + OSX/libsecurity_ssl/security_ssl/sslDebug.h | 131 + .../security_ssl/sslKeychain.c | 251 + .../security_ssl/sslKeychain.h | 53 + OSX/libsecurity_ssl/security_ssl/sslMemory.c | 248 + OSX/libsecurity_ssl/security_ssl/sslMemory.h | 74 + OSX/libsecurity_ssl/security_ssl/sslPriv.h | 53 + OSX/libsecurity_ssl/security_ssl/sslRecord.c | 124 + OSX/libsecurity_ssl/security_ssl/sslRecord.h | 62 + .../security_ssl/sslTransport.c | 538 + OSX/libsecurity_ssl/security_ssl/sslTypes.h | 167 + OSX/libsecurity_ssl/security_ssl/sslUtils.c | 140 + OSX/libsecurity_ssl/security_ssl/sslUtils.h | 82 + .../security_ssl/tlsCallbacks.c | 254 + 
.../security_ssl/tlsCallbacks.h | 32 + .../security_ssl/tls_record_internal.h | 79 + .../libsecurity_ssl/sslViewer/fileIo.c | 0 .../libsecurity_ssl/sslViewer/fileIo.h | 0 .../libsecurity_ssl/sslViewer/ioSock.c | 0 .../libsecurity_ssl/sslViewer/ioSock.h | 0 .../libsecurity_ssl/sslViewer/printCert.c | 0 .../libsecurity_ssl/sslViewer/printCert.h | 0 .../libsecurity_ssl/sslViewer/sslAppUtils.cpp | 60 +- .../libsecurity_ssl/sslViewer/sslAppUtils.h | 0 .../libsecurity_ssl/sslViewer/sslServer.1 | 0 .../libsecurity_ssl/sslViewer/sslServer.cpp | 0 .../libsecurity_ssl/sslViewer/sslViewer.1 | 0 .../libsecurity_ssl/sslViewer/sslViewer.cpp | 0 .../sslViewer.xcodeproj/project.pbxproj | 0 .../libsecurity_transform/100-sha2.m | 0 .../libsecurity_transform.Default.xcconfig | 0 .../libsecurity_transform_Deployment.xcconfig | 0 ...libsecurity_transform_Development.xcconfig | 0 .../libsecurity_transform_core.xcconfig | 0 .../security_transform_Default.xcconfig | 0 .../security_transform_Deployment.xcconfig | 0 .../security_transform_Development.xcconfig | 0 .../Info-security_transform.plist | 0 .../libsecurity_transform/NSData+HexString.h | 0 .../libsecurity_transform/NSData+HexString.m | 0 .../libsecurity_transform/custom.h | 0 .../libsecurity_transform/custom.mm | 0 .../lib/CEncryptDecrypt.c | 2 - .../lib/CoreFoundationBasics.cpp | 0 .../lib/CoreFoundationBasics.h | 0 .../libsecurity_transform/lib/Digest.cpp | 0 .../libsecurity_transform/lib/Digest.h | 0 .../libsecurity_transform/lib/Digest_block.c | 0 .../libsecurity_transform/lib/Digest_block.h | 0 .../lib/EncodeDecodeTransforms.c | 0 .../lib/EncryptTransform.cpp | 2 +- .../lib/EncryptTransform.h | 0 .../lib/EncryptTransformUtilities.cpp | 0 .../lib/EncryptTransformUtilities.h | 0 .../lib/GroupTransform.cpp | 0 .../lib/GroupTransform.h | 0 .../libsecurity_transform/lib/LinkedList.cpp | 0 .../libsecurity_transform/lib/LinkedList.h | 0 .../libsecurity_transform/lib/Monitor.cpp | 0 .../libsecurity_transform/lib/Monitor.h | 0 
.../lib/NullTransform.cpp | 0 .../libsecurity_transform/lib/NullTransform.h | 0 .../lib/SecCollectTransform.cpp | 0 .../lib/SecCollectTransform.h | 0 .../lib/SecCustomTransform.cpp | 0 .../lib/SecCustomTransform.h | 40 +- .../lib/SecDecodeTransform.h | 16 +- .../lib/SecDigestTransform.cpp | 0 .../lib/SecDigestTransform.h | 6 +- .../lib/SecEncodeTransform.h | 10 +- .../lib/SecEncryptTransform.cpp | 94 + .../lib/SecEncryptTransform.h | 45 +- .../lib/SecExternalSourceTransform.cpp | 0 .../lib/SecExternalSourceTransform.h | 0 .../lib/SecGroupTransform.cpp | 0 .../lib/SecGroupTransform.h | 0 .../lib/SecMaskGenerationFunctionTransform.c | 0 .../lib/SecMaskGenerationFunctionTransform.h | 0 .../lib/SecNullTransform.cpp | 0 .../lib/SecNullTransform.h | 0 .../lib/SecReadTransform.h | 0 .../lib/SecSignVerifyTransform.c | 4 +- .../lib/SecSignVerifyTransform.h | 21 +- .../lib/SecTransform.cpp | 0 .../libsecurity_transform/lib/SecTransform.h | 20 +- .../lib/SecTransformInternal.h | 0 .../lib/SecTransformReadTransform.cpp | 0 .../lib/SecTransformReadTransform.h | 6 + .../lib/SecTransformValidator.h | 0 .../lib/SingleShotSource.cpp | 0 .../lib/SingleShotSource.h | 0 .../libsecurity_transform/lib/Source.cpp | 0 .../libsecurity_transform/lib/Source.h | 0 .../lib/StreamSource.cpp | 0 .../libsecurity_transform/lib/StreamSource.h | 0 .../libsecurity_transform/lib/Transform.cpp | 0 .../libsecurity_transform/lib/Transform.h | 0 .../lib/TransformFactory.cpp | 0 .../lib/TransformFactory.h | 0 .../libsecurity_transform/lib/Utilities.cpp | 0 .../libsecurity_transform/lib/Utilities.h | 0 .../libsecurity_transform/lib/c++utils.cpp | 0 .../libsecurity_transform/lib/c++utils.h | 0 .../libsecurity_transform/lib/misc.c | 0 .../libsecurity_transform/lib/misc.h | 0 .../lib/security_transform.exp | 0 .../project.pbxproj | 872 ++ .../misc/base32alpha2vals | 0 .../libsecurity_transform/misc/speed-test.h | 0 .../libsecurity_transform/misc/speed-test.mm | 0 .../unit-tests-Info.plist | 0 
.../libsecurity_utilities/APPLE_LICENSE | 0 .../Info-security_utilities.plist | 0 OSX/libsecurity_utilities/lib/adornments.cpp | 93 + OSX/libsecurity_utilities/lib/adornments.h | 202 + OSX/libsecurity_utilities/lib/alloc.cpp | 159 + OSX/libsecurity_utilities/lib/alloc.h | 240 + OSX/libsecurity_utilities/lib/blob.cpp | 134 + OSX/libsecurity_utilities/lib/blob.h | 208 + OSX/libsecurity_utilities/lib/bufferfifo.cpp | 94 + OSX/libsecurity_utilities/lib/bufferfifo.h | 76 + OSX/libsecurity_utilities/lib/buffers.cpp | 106 + OSX/libsecurity_utilities/lib/buffers.h | 162 + OSX/libsecurity_utilities/lib/ccaudit.cpp | 152 + OSX/libsecurity_utilities/lib/ccaudit.h | 189 + OSX/libsecurity_utilities/lib/cfclass.cpp | 258 + OSX/libsecurity_utilities/lib/cfclass.h | 55 + OSX/libsecurity_utilities/lib/cfmach++.cpp | 129 + OSX/libsecurity_utilities/lib/cfmach++.h | 71 + OSX/libsecurity_utilities/lib/cfmunge.cpp | 596 + OSX/libsecurity_utilities/lib/cfmunge.h | 136 + OSX/libsecurity_utilities/lib/cfutilities.cpp | 318 + OSX/libsecurity_utilities/lib/cfutilities.h | 636 ++ .../lib/coderepository.cpp | 90 + .../lib/coderepository.h | 110 + OSX/libsecurity_utilities/lib/crc.c | 61 + OSX/libsecurity_utilities/lib/crc.h | 18 + OSX/libsecurity_utilities/lib/daemon.cpp | 112 + OSX/libsecurity_utilities/lib/daemon.h | 43 + OSX/libsecurity_utilities/lib/debugging.cpp | 518 + OSX/libsecurity_utilities/lib/debugging.h | 129 + .../lib/debugging_internal.cpp | 47 + .../lib/debugging_internal.h | 61 + OSX/libsecurity_utilities/lib/debugsupport.h | 210 + OSX/libsecurity_utilities/lib/devrandom.cpp | 82 + OSX/libsecurity_utilities/lib/devrandom.h | 67 + OSX/libsecurity_utilities/lib/dispatch.cpp | 159 + OSX/libsecurity_utilities/lib/dispatch.h | 126 + OSX/libsecurity_utilities/lib/dtrace.mk | 2 + .../lib/dyld_cache_format.h | 69 + OSX/libsecurity_utilities/lib/dyldcache.cpp | 146 + OSX/libsecurity_utilities/lib/dyldcache.h | 160 + OSX/libsecurity_utilities/lib/endian.cpp | 33 + 
OSX/libsecurity_utilities/lib/endian.h | 141 + OSX/libsecurity_utilities/lib/errors.cpp | 178 + OSX/libsecurity_utilities/lib/errors.h | 139 + OSX/libsecurity_utilities/lib/exports | 1 + OSX/libsecurity_utilities/lib/fdmover.cpp | 104 + OSX/libsecurity_utilities/lib/fdmover.h | 93 + OSX/libsecurity_utilities/lib/fdsel.cpp | 96 + OSX/libsecurity_utilities/lib/fdsel.h | 80 + OSX/libsecurity_utilities/lib/globalizer.cpp | 95 + OSX/libsecurity_utilities/lib/globalizer.h | 208 + OSX/libsecurity_utilities/lib/hashing.cpp | 66 + OSX/libsecurity_utilities/lib/hashing.h | 186 + OSX/libsecurity_utilities/lib/headermap.cpp | 150 + OSX/libsecurity_utilities/lib/headermap.h | 93 + OSX/libsecurity_utilities/lib/hosts.cpp | 151 + OSX/libsecurity_utilities/lib/hosts.h | 82 + OSX/libsecurity_utilities/lib/inetreply.cpp | 91 + OSX/libsecurity_utilities/lib/inetreply.h | 100 + OSX/libsecurity_utilities/lib/iodevices.cpp | 272 + OSX/libsecurity_utilities/lib/iodevices.h | 166 + OSX/libsecurity_utilities/lib/ip++.cpp | 381 + OSX/libsecurity_utilities/lib/ip++.h | 278 + OSX/libsecurity_utilities/lib/kq++.cpp | 69 + OSX/libsecurity_utilities/lib/kq++.h | 95 + OSX/libsecurity_utilities/lib/ktracecodes.h | 144 + OSX/libsecurity_utilities/lib/logging.cpp | 112 + OSX/libsecurity_utilities/lib/logging.h | 73 + OSX/libsecurity_utilities/lib/mach++.cpp | 456 + OSX/libsecurity_utilities/lib/mach++.h | 325 + OSX/libsecurity_utilities/lib/mach_notify.c | 552 + OSX/libsecurity_utilities/lib/mach_notify.h | 136 + OSX/libsecurity_utilities/lib/macho++.cpp | 795 ++ OSX/libsecurity_utilities/lib/macho++.h | 241 + .../lib/machrunloopserver.cpp | 111 + .../lib/machrunloopserver.h | 80 + OSX/libsecurity_utilities/lib/machserver.cpp | 606 + OSX/libsecurity_utilities/lib/machserver.h | 250 + OSX/libsecurity_utilities/lib/memstreams.h | 168 + OSX/libsecurity_utilities/lib/memutils.h | 124 + OSX/libsecurity_utilities/lib/muscle++.cpp | 256 + OSX/libsecurity_utilities/lib/muscle++.h | 198 + 
OSX/libsecurity_utilities/lib/osxcode.cpp | 260 + OSX/libsecurity_utilities/lib/osxcode.h | 136 + OSX/libsecurity_utilities/lib/pcsc++.cpp | 414 + OSX/libsecurity_utilities/lib/pcsc++.h | 199 + OSX/libsecurity_utilities/lib/powerwatch.cpp | 256 + OSX/libsecurity_utilities/lib/powerwatch.h | 114 + OSX/libsecurity_utilities/lib/refcount.h | 179 + OSX/libsecurity_utilities/lib/seccfobject.cpp | 270 + OSX/libsecurity_utilities/lib/seccfobject.h | 176 + .../lib/security_utilities.d | 84 + .../lib/security_utilities.h | 67 + OSX/libsecurity_utilities/lib/selector.cpp | 204 + OSX/libsecurity_utilities/lib/selector.h | 125 + OSX/libsecurity_utilities/lib/simpleprefs.cpp | 496 + OSX/libsecurity_utilities/lib/simpleprefs.h | 206 + OSX/libsecurity_utilities/lib/socks++.cpp | 162 + OSX/libsecurity_utilities/lib/socks++.h | 222 + OSX/libsecurity_utilities/lib/socks++4.cpp | 134 + OSX/libsecurity_utilities/lib/socks++4.h | 86 + OSX/libsecurity_utilities/lib/socks++5.cpp | 208 + OSX/libsecurity_utilities/lib/socks++5.h | 125 + OSX/libsecurity_utilities/lib/sqlite++.cpp | 442 + OSX/libsecurity_utilities/lib/sqlite++.h | 284 + OSX/libsecurity_utilities/lib/streams.cpp | 144 + OSX/libsecurity_utilities/lib/streams.h | 192 + OSX/libsecurity_utilities/lib/superblob.cpp | 10 + OSX/libsecurity_utilities/lib/superblob.h | 237 + OSX/libsecurity_utilities/lib/threading.cpp | 266 + OSX/libsecurity_utilities/lib/threading.h | 358 + .../lib/threading_internal.h | 125 + OSX/libsecurity_utilities/lib/timeflow.cpp | 117 + OSX/libsecurity_utilities/lib/timeflow.h | 162 + OSX/libsecurity_utilities/lib/tqueue.cpp | 33 + OSX/libsecurity_utilities/lib/tqueue.h | 141 + .../lib/trackingallocator.cpp | 89 + .../lib/trackingallocator.h | 65 + .../lib/transactions.cpp | 54 + OSX/libsecurity_utilities/lib/transactions.h | 107 + OSX/libsecurity_utilities/lib/typedvalue.cpp | 38 + OSX/libsecurity_utilities/lib/typedvalue.h | 86 + OSX/libsecurity_utilities/lib/unix++.cpp | 536 + 
OSX/libsecurity_utilities/lib/unix++.h | 339 + OSX/libsecurity_utilities/lib/unixchild.cpp | 502 + OSX/libsecurity_utilities/lib/unixchild.h | 136 + OSX/libsecurity_utilities/lib/url.cpp | 150 + OSX/libsecurity_utilities/lib/url.h | 82 + OSX/libsecurity_utilities/lib/utilities.cpp | 125 + OSX/libsecurity_utilities/lib/utilities.h | 315 + .../lib/utility_config.h | 113 + OSX/libsecurity_utilities/lib/vproc++.cpp | 55 + OSX/libsecurity_utilities/lib/vproc++.h | 63 + .../project.pbxproj | 881 ++ {Security => OSX}/libsecurityd/APPLE_LICENSE | 0 .../libsecurityd/Info-securityd_client.plist | 0 .../libsecurityd/Info-securityd_server.plist | 0 OSX/libsecurityd/lib/SharedMemoryClient.cpp | 189 + OSX/libsecurityd/lib/SharedMemoryClient.h | 46 + OSX/libsecurityd/lib/SharedMemoryCommon.h | 43 + OSX/libsecurityd/lib/dictionary.cpp | 365 + OSX/libsecurityd/lib/dictionary.h | 99 + OSX/libsecurityd/lib/eventlistener.cpp | 310 + OSX/libsecurityd/lib/eventlistener.h | 62 + OSX/libsecurityd/lib/handletypes.h | 86 + OSX/libsecurityd/lib/sec_xdr.c | 293 + OSX/libsecurityd/lib/sec_xdr.h | 70 + OSX/libsecurityd/lib/sec_xdr_array.c | 170 + OSX/libsecurityd/lib/sec_xdr_reference.c | 158 + OSX/libsecurityd/lib/sec_xdr_sizeof.c | 217 + OSX/libsecurityd/lib/sec_xdrmem.c | 287 + OSX/libsecurityd/lib/ss_types.h | 105 + OSX/libsecurityd/lib/ssblob.cpp | 80 + OSX/libsecurityd/lib/ssblob.h | 224 + OSX/libsecurityd/lib/ssclient.cpp | 223 + OSX/libsecurityd/lib/ssclient.h | 450 + OSX/libsecurityd/lib/sscommon.h | 104 + OSX/libsecurityd/lib/ssnotify.h | 118 + OSX/libsecurityd/lib/sstransit.cpp | 172 + OSX/libsecurityd/lib/sstransit.h | 139 + OSX/libsecurityd/lib/transition.cpp | 1045 ++ OSX/libsecurityd/lib/ucsp_types.h | 43 + OSX/libsecurityd/lib/xdr_auth.c | 83 + OSX/libsecurityd/lib/xdr_auth.h | 41 + OSX/libsecurityd/lib/xdr_cssm.c | 846 ++ OSX/libsecurityd/lib/xdr_cssm.h | 222 + OSX/libsecurityd/lib/xdr_dldb.cpp | 56 + OSX/libsecurityd/lib/xdr_dldb.h | 74 + 
.../libsecurityd.xcodeproj/project.pbxproj | 774 ++ .../libsecurityd/mig/cshosting.defs | 0 {Security => OSX}/libsecurityd/mig/mig.mk | 0 .../libsecurityd/mig/ss_types.defs | 0 {Security => OSX}/libsecurityd/mig/ucsp.defs | 9 +- .../libsecurityd/mig/ucspNotify.defs | 0 {Security => OSX}/regressions/README | 0 {Security => OSX}/regressions/inc/IPC/Run3.pm | 0 .../regressions/inc/MyHarness.pm | 0 .../regressions.xcodeproj/project.pbxproj | 351 + {Security => OSX}/regressions/t/security.pl | 0 .../regressions/test/test-00-test.c | 0 .../regressions/test/test_regressions.h | 0 {Security => OSX}/regressions/test/testcert.c | 0 {Security => OSX}/regressions/test/testcert.h | 0 {Security => OSX}/regressions/test/testcpp.h | 0 OSX/regressions/test/testenv.c | 434 + {Security => OSX}/regressions/test/testenv.h | 0 .../regressions/test/testlist_begin.h | 0 .../regressions/test/testlist_end.h | 0 OSX/regressions/test/testmore.c | 377 + {Security => OSX}/regressions/test/testmore.h | 29 +- .../regressions/test/testpolicy.h | 0 .../regressions/test/testpolicy.m | 0 .../CloudKeychainProxy/CloudKeychainProxy.1 | 0 .../IDSKeychainSyncingProxy.1 | 79 + .../SOSCircle/Tool/SOSCommands.h | 81 + .../SOSCircle/Tool/keychain_sync.c | 1264 +++ .../Security}/CKBridge/CKClient.c | 0 .../Security}/CKBridge/CKClient.h | 0 .../CKBridge/SOSCloudKeychainClient.c | 771 ++ .../CKBridge/SOSCloudKeychainClient.h | 124 + .../CKBridge/SOSCloudKeychainConstants.c | 109 + .../CKBridge/SOSCloudKeychainConstants.h | 92 + .../Security}/CKBridge/SOSCloudTransport.c | 0 .../Security}/CKBridge/SOSCloudTransport.h | 0 .../Security/SecureObjectSync/SOSARCDefines.h | 65 + .../Security/SecureObjectSync/SOSAccount.c | 1746 +++ .../Security/SecureObjectSync/SOSAccount.h | 263 + .../SecureObjectSync/SOSAccountBackup.c | 559 + .../SecureObjectSync/SOSAccountCircles.c | 181 + .../SOSAccountCloudParameters.c | 85 + .../SecureObjectSync/SOSAccountCredentials.c | 322 + .../Security/SecureObjectSync/SOSAccountDer.c | 183 
+ .../SecureObjectSync/SOSAccountFullPeerInfo.c | 199 + .../SecureObjectSync/SOSAccountHSAJoin.c | 99 + .../SecureObjectSync/SOSAccountHSAJoin.h | 19 + .../SecureObjectSync/SOSAccountPeers.c | 167 + .../SecureObjectSync/SOSAccountPersistence.c | 411 + .../SecureObjectSync/SOSAccountPriv.h | 319 + .../SecureObjectSync/SOSAccountRingUpdate.c | 370 + .../SecureObjectSync/SOSAccountRings.c | 225 + .../SecureObjectSync/SOSAccountUpdate.c | 718 ++ .../SecureObjectSync/SOSBackupEvent.c | 161 + .../SecureObjectSync/SOSBackupEvent.h | 41 + .../SecureObjectSync/SOSBackupSliceKeyBag.c | 431 + .../SecureObjectSync/SOSBackupSliceKeyBag.h | 83 + .../SecureObjectSync/SOSChangeTracker.c | 249 + .../SecureObjectSync/SOSChangeTracker.h | 110 + .../Security/SecureObjectSync/SOSCircle.c | 1266 +++ .../Security/SecureObjectSync/SOSCircle.h | 158 + .../Security/SecureObjectSync/SOSCircleDer.c | 170 + .../Security/SecureObjectSync/SOSCircleDer.h | 14 + .../Security/SecureObjectSync/SOSCirclePriv.h | 49 + .../SecureObjectSync/SOSCircleRings.h | 30 + .../Security/SecureObjectSync/SOSCircleV2.c | 13 + .../Security/SecureObjectSync/SOSCircleV2.h | 26 + .../SecureObjectSync/SOSCloudCircle.c | 1140 ++ .../SecureObjectSync/SOSCloudCircle.h | 607 + .../SecureObjectSync/SOSCloudCircleInternal.h | 121 + .../Security/SecureObjectSync/SOSCoder.c | 563 + .../Security/SecureObjectSync/SOSCoder.h | 73 + .../SecureObjectSync/SOSConcordanceTrust.h | 30 + .../Security/SecureObjectSync/SOSDataSource.h | 255 + .../SecureObjectSync/SOSDigestVector.c | 428 + .../SecureObjectSync/SOSDigestVector.h | 0 .../SecureObjectSync/SOSECWrapUnwrap.c | 111 + .../Security/SecureObjectSync/SOSEngine.c | 2308 ++++ .../Security/SecureObjectSync/SOSEngine.h | 143 + .../SecureObjectSync/SOSExports.exp-in | 308 + .../SecureObjectSync/SOSForerunnerSession.c | 1462 +++ .../SecureObjectSync/SOSForerunnerSession.h | 380 + .../SecureObjectSync/SOSFullPeerInfo.c | 587 + .../SecureObjectSync/SOSFullPeerInfo.h | 102 + 
.../Security/SecureObjectSync/SOSGenCount.c | 86 + .../Security/SecureObjectSync/SOSGenCount.h | 25 + .../Security/SecureObjectSync/SOSInternal.c | 280 + .../Security/SecureObjectSync/SOSInternal.h | 132 + .../Security/SecureObjectSync/SOSKVSKeys.c | 339 + .../Security/SecureObjectSync/SOSKVSKeys.h | 75 + .../Security/SecureObjectSync/SOSManifest.c | 254 + .../Security}/SecureObjectSync/SOSManifest.h | 0 .../Security/SecureObjectSync/SOSMessage.c | 1184 ++ .../Security/SecureObjectSync/SOSMessage.h | 138 + .../Security/SecureObjectSync/SOSPeer.c | 1090 ++ .../Security/SecureObjectSync/SOSPeer.h | 140 + .../Security/SecureObjectSync/SOSPeerCoder.c | 124 + .../Security/SecureObjectSync/SOSPeerCoder.h | 23 + .../Security/SecureObjectSync/SOSPeerInfo.c | 921 ++ .../Security/SecureObjectSync/SOSPeerInfo.h | 212 + .../SecureObjectSync/SOSPeerInfoCollections.c | 254 + .../SecureObjectSync/SOSPeerInfoCollections.h | 68 + .../SecureObjectSync/SOSPeerInfoDER.c | 152 + .../SecureObjectSync/SOSPeerInfoDER.h | 32 + .../SecureObjectSync/SOSPeerInfoInternal.h | 36 + .../SecureObjectSync/SOSPeerInfoPriv.h | 38 + .../SecureObjectSync/SOSPeerInfoRingState.c | 13 + .../SecureObjectSync/SOSPeerInfoRingState.h | 30 + .../SOSPeerInfoSecurityProperties.c | 146 + .../SOSPeerInfoSecurityProperties.h | 35 + .../Security/SecureObjectSync/SOSPeerInfoV2.c | 337 + .../Security/SecureObjectSync/SOSPeerInfoV2.h | 53 + .../Security/SecureObjectSync/SOSPlatform.h | 25 + .../Security/SecureObjectSync/SOSRing.h | 91 + .../Security/SecureObjectSync/SOSRingBackup.c | 251 + .../Security/SecureObjectSync/SOSRingBackup.h | 17 + .../Security/SecureObjectSync/SOSRingBasic.c | 155 + .../Security/SecureObjectSync/SOSRingBasic.h | 16 + .../SOSRingConcordanceTrust.c | 185 + .../SOSRingConcordanceTrust.h | 14 + .../Security/SecureObjectSync/SOSRingDER.c | 115 + .../Security/SecureObjectSync/SOSRingDER.h | 14 + .../SecureObjectSync/SOSRingPeerInfoUtils.c | 41 + .../SecureObjectSync/SOSRingPeerInfoUtils.h | 14 + 
.../Security/SecureObjectSync/SOSRingTypes.c | 572 + .../Security/SecureObjectSync/SOSRingTypes.h | 58 + .../Security/SecureObjectSync/SOSRingUtils.c | 931 ++ .../Security/SecureObjectSync/SOSRingUtils.h | 146 + .../Security/SecureObjectSync/SOSRingV0.c | 151 + .../Security/SecureObjectSync/SOSRingV0.h | 14 + .../Security/SecureObjectSync/SOSTransport.c | 571 + .../Security/SecureObjectSync/SOSTransport.h | 33 + .../SecureObjectSync/SOSTransportBackupPeer.c | 41 + .../SecureObjectSync/SOSTransportBackupPeer.h | 21 + .../SecureObjectSync/SOSTransportCircle.c | 112 + .../SecureObjectSync/SOSTransportCircle.h | 68 + .../SecureObjectSync/SOSTransportCircleKVS.c | 456 + .../SecureObjectSync/SOSTransportCircleKVS.h | 27 + .../SecureObjectSync/SOSTransportCoder.c | 229 + .../SecureObjectSync/SOSTransportCoder.h | 21 + .../SOSTransportKeyParameter.c | 67 + .../SOSTransportKeyParameter.h | 37 + .../SOSTransportKeyParameterKVS.c | 138 + .../SOSTransportKeyParameterKVS.h | 16 + .../SecureObjectSync/SOSTransportMessage.c | 151 + .../SecureObjectSync/SOSTransportMessage.h | 60 + .../SecureObjectSync/SOSTransportMessageIDS.c | 331 + .../SecureObjectSync/SOSTransportMessageIDS.h | 34 + .../SecureObjectSync/SOSTransportMessageKVS.c | 282 + .../SecureObjectSync/SOSTransportMessageKVS.h | 24 + .../Security/SecureObjectSync/SOSTypes.h | 100 + .../Security/SecureObjectSync/SOSUserKeygen.c | 350 + .../Security/SecureObjectSync/SOSUserKeygen.h | 36 + .../SecureObjectSync/SOSViewManager.c | 190 + .../SecureObjectSync/SOSViewManager.h | 54 + .../SecureObjectSync/SOSViewQueries.c | 93 + .../SecureObjectSync/SOSViewQueries.h | 70 + .../Security/SecureObjectSync/SOSViews.c | 502 + .../Security/SecureObjectSync/SOSViews.h | 85 + .../Security/Tool/SecurityCommands.h | 146 + .../Security/Tool/add_internet_password.c | 0 .../ProjectHeaders}/Security/Tool/codesign.c | 0 .../Security/Tool/keychain_add.c | 133 + .../Security/Tool/keychain_backup.c | 0 .../Security/Tool/keychain_find.c | 560 + 
.../Security/Tool/keychain_util.c | 373 + .../Security/Tool/keychain_util.h | 0 .../Security/Tool/log_control.c | 192 + .../Security/Tool/pkcs12_util.c | 0 OSX/sec/ProjectHeaders/Security/Tool/scep.c | 608 + .../Security/Tool/show_certificates.c | 293 + OSX/sec/ProjectHeaders/Security/Tool/spc.c | 727 ++ .../SecurityTool/SecurityTool.c | 0 .../SecurityTool/SecurityTool.h | 0 .../SecurityTool/builtin_commands.h | 0 .../SecurityTool/digest_calc.c | 0 .../SecurityTool/entitlements.plist | 0 .../sec/ProjectHeaders}/SecurityTool/leaks.c | 0 .../sec/ProjectHeaders}/SecurityTool/leaks.h | 0 .../ProjectHeaders/SecurityTool/print_cert.c | 195 + .../ProjectHeaders}/SecurityTool/print_cert.h | 0 .../ProjectHeaders}/SecurityTool/security.1 | 0 .../SecurityTool/tool_errors.h | 0 OSX/sec/SOSCircle/CKBridge/CKClient.c | 493 + OSX/sec/SOSCircle/CKBridge/CKClient.h | 62 + .../CKBridge/SOSCloudKeychainClient.c | 771 ++ .../CKBridge/SOSCloudKeychainClient.h | 124 + .../CKBridge/SOSCloudKeychainConstants.c | 109 + .../CKBridge/SOSCloudKeychainConstants.h | 92 + .../SOSCircle/CKBridge/SOSCloudTransport.c | 558 + .../SOSCircle/CKBridge/SOSCloudTransport.h | 69 + .../CloudKeychainProxy/CKDKVSProxy.h | 6 +- .../CloudKeychainProxy/CKDKVSProxy.m | 301 +- .../CloudKeychainProxy/CKDPersistentState.h | 1 + .../CloudKeychainProxy/CKDPersistentState.m | 24 +- .../CloudKeychainProxy/CKDUserInteraction.h | 0 .../CloudKeychainProxy/CKDUserInteraction.m | 2 +- .../SOSCircle/CloudKeychainProxy/ckdmain.m | 0 .../cloudkeychain.entitlements.plist | 0 .../CloudKeychainProxy/cloudkeychainproxy.m | 13 +- .../en.lproj/InfoPlist.strings | 0 .../scripts/PhoneTerms2.applescript | 0 .../scripts/PhoneTerms2.scpt | Bin .../scripts/install_on_devices | 0 .../CloudKeychainProxy/scripts/kcstatus | 0 .../CloudKeychainProxy/scripts/sosbuildroot | 0 .../CloudKeychainProxy/scripts/soscopy | 0 .../CloudKeychainProxy/scripts/soscopysshkeys | 0 .../CloudKeychainProxy/scripts/sosinstallroot | 0 
.../CloudKeychainProxy/scripts/sosreset | 0 .../CloudKeychainProxy/scripts/tweak | 0 {Security => OSX}/sec/SOSCircle/Empty.c | 0 .../IDSPersistentState.h | 43 + .../IDSPersistentState.m | 129 + .../IDSKeychainSyncingProxy/IDSProxy.h | 95 + .../IDSKeychainSyncingProxy/IDSProxy.m | 651 ++ .../IDSKeychainSyncingProxy/idksmain.m | 33 + ...idskeychainsyncingproxy.entitlements.plist | 26 + .../idskeychainsyncingproxy.m | 222 + .../SOSCircle/Regressions/CKDKeyValueStore.h | 0 .../SOSCircle/Regressions/CKDKeyValueStore.m | 0 .../Regressions/SOSCircle_regressions.h | 20 + .../Regressions/SOSRegressionUtilities.c | 43 +- .../Regressions/SOSRegressionUtilities.h | 4 +- .../SOSCircle/Regressions/SOSTestDataSource.c | 70 +- .../SOSCircle/Regressions/SOSTestDataSource.h | 4 +- OSX/sec/SOSCircle/Regressions/SOSTestDevice.c | 479 + .../sec/SOSCircle/Regressions/SOSTestDevice.h | 9 +- .../Regressions/sc-130-resignationticket.c | 27 +- OSX/sec/SOSCircle/Regressions/sc-140-hsa2.c | 280 + .../Regressions/sc-150-backupkeyderivation.c | 123 + OSX/sec/SOSCircle/Regressions/sc-150-ring.c | 158 + .../Regressions/sc-153-backupslicekeybag.c | 180 + .../SOSCircle/Regressions/sc-20-keynames.c | 23 +- .../SOSCircle/Regressions/sc-25-soskeygen.c | 97 + .../SOSCircle/Regressions/sc-30-peerinfo.c | 159 + .../Regressions/sc-31-peerinfo-simplefuzz.c | 88 + .../sec/SOSCircle/Regressions/sc-40-circle.c | 10 +- .../Regressions/sc-42-circlegencount.c | 10 +- .../Regressions/sc-45-digestvector.c | 2 +- .../sec/SOSCircle/Regressions/sc-kvstool.m | 0 OSX/sec/SOSCircle/SOSPeerInfoDER.c | 154 + .../SecureObjectSync/SOSARCDefines.h | 65 + .../SOSCircle/SecureObjectSync/SOSAccount.c | 1746 +++ .../SOSCircle/SecureObjectSync/SOSAccount.h | 263 + .../SecureObjectSync/SOSAccountBackup.c | 559 + .../SecureObjectSync/SOSAccountCircles.c | 181 + .../SOSAccountCloudParameters.c | 85 + .../SecureObjectSync/SOSAccountCredentials.c | 322 + .../SecureObjectSync/SOSAccountDer.c | 183 + 
.../SecureObjectSync/SOSAccountFullPeerInfo.c | 199 + .../SecureObjectSync/SOSAccountHSAJoin.c | 99 + .../SecureObjectSync/SOSAccountHSAJoin.h | 19 + .../SecureObjectSync/SOSAccountPeers.c | 167 + .../SecureObjectSync/SOSAccountPersistence.c | 411 + .../SecureObjectSync/SOSAccountPriv.h | 319 + .../SecureObjectSync/SOSAccountRingUpdate.c | 370 + .../SecureObjectSync/SOSAccountRings.c | 225 + .../SecureObjectSync/SOSAccountUpdate.c | 718 ++ .../SecureObjectSync/SOSBackupEvent.c | 161 + .../SecureObjectSync/SOSBackupEvent.h | 41 + .../SecureObjectSync/SOSBackupSliceKeyBag.c | 431 + .../SecureObjectSync/SOSBackupSliceKeyBag.h | 83 + .../SecureObjectSync/SOSChangeTracker.c | 249 + .../SecureObjectSync/SOSChangeTracker.h | 110 + .../SOSCircle/SecureObjectSync/SOSCircle.c | 1266 +++ .../SOSCircle/SecureObjectSync/SOSCircle.h | 158 + .../SOSCircle/SecureObjectSync/SOSCircleDer.c | 170 + .../SOSCircle/SecureObjectSync/SOSCircleDer.h | 14 + .../SecureObjectSync/SOSCirclePriv.h | 49 + .../SecureObjectSync/SOSCircleRings.h | 30 + .../SOSCircle/SecureObjectSync/SOSCircleV2.c | 13 + .../SOSCircle/SecureObjectSync/SOSCircleV2.h | 26 + .../SecureObjectSync/SOSCloudCircle.c | 1140 ++ .../SecureObjectSync/SOSCloudCircle.h | 607 + .../SecureObjectSync/SOSCloudCircleInternal.h | 121 + OSX/sec/SOSCircle/SecureObjectSync/SOSCoder.c | 563 + OSX/sec/SOSCircle/SecureObjectSync/SOSCoder.h | 73 + .../SecureObjectSync/SOSConcordanceTrust.h | 30 + .../SecureObjectSync/SOSDataSource.h | 255 + .../SecureObjectSync/SOSDigestVector.c | 428 + .../SecureObjectSync/SOSDigestVector.h | 96 + .../SecureObjectSync/SOSECWrapUnwrap.c | 111 + .../SOSCircle/SecureObjectSync/SOSEngine.c | 2308 ++++ .../SOSCircle/SecureObjectSync/SOSEngine.h | 143 + .../SecureObjectSync/SOSExports.exp-in | 308 + .../SecureObjectSync/SOSForerunnerSession.c | 1462 +++ .../SecureObjectSync/SOSForerunnerSession.h | 380 + .../SecureObjectSync/SOSFullPeerInfo.c | 587 + .../SecureObjectSync/SOSFullPeerInfo.h | 102 + 
.../SOSCircle/SecureObjectSync/SOSGenCount.c | 86 + .../SOSCircle/SecureObjectSync/SOSGenCount.h | 25 + .../SOSCircle/SecureObjectSync/SOSInternal.c | 280 + .../SOSCircle/SecureObjectSync/SOSInternal.h | 132 + .../SOSCircle/SecureObjectSync/SOSKVSKeys.c | 339 + .../SOSCircle/SecureObjectSync/SOSKVSKeys.h | 75 + .../SOSCircle/SecureObjectSync/SOSManifest.c | 254 + .../SOSCircle/SecureObjectSync/SOSManifest.h | 101 + .../SOSCircle/SecureObjectSync/SOSMessage.c | 1184 ++ .../SOSCircle/SecureObjectSync/SOSMessage.h | 138 + OSX/sec/SOSCircle/SecureObjectSync/SOSPeer.c | 1090 ++ OSX/sec/SOSCircle/SecureObjectSync/SOSPeer.h | 140 + .../SOSCircle/SecureObjectSync/SOSPeerCoder.c | 124 + .../SOSCircle/SecureObjectSync/SOSPeerCoder.h | 23 + .../SOSCircle/SecureObjectSync/SOSPeerInfo.c | 921 ++ .../SOSCircle/SecureObjectSync/SOSPeerInfo.h | 212 + .../SecureObjectSync/SOSPeerInfoCollections.c | 254 + .../SecureObjectSync/SOSPeerInfoCollections.h | 68 + .../SecureObjectSync/SOSPeerInfoDER.c | 152 + .../SecureObjectSync/SOSPeerInfoDER.h | 32 + .../SecureObjectSync/SOSPeerInfoInternal.h | 36 + .../SecureObjectSync/SOSPeerInfoPriv.h | 38 + .../SecureObjectSync/SOSPeerInfoRingState.c | 13 + .../SecureObjectSync/SOSPeerInfoRingState.h | 30 + .../SOSPeerInfoSecurityProperties.c | 146 + .../SOSPeerInfoSecurityProperties.h | 35 + .../SecureObjectSync/SOSPeerInfoV2.c | 337 + .../SecureObjectSync/SOSPeerInfoV2.h | 53 + .../SOSCircle/SecureObjectSync/SOSPlatform.h | 25 + OSX/sec/SOSCircle/SecureObjectSync/SOSRing.h | 91 + .../SecureObjectSync/SOSRingBackup.c | 251 + .../SecureObjectSync/SOSRingBackup.h | 17 + .../SOSCircle/SecureObjectSync/SOSRingBasic.c | 155 + .../SOSCircle/SecureObjectSync/SOSRingBasic.h | 16 + .../SOSRingConcordanceTrust.c | 185 + .../SOSRingConcordanceTrust.h | 14 + .../SOSCircle/SecureObjectSync/SOSRingDER.c | 115 + .../SOSCircle/SecureObjectSync/SOSRingDER.h | 14 + .../SecureObjectSync/SOSRingPeerInfoUtils.c | 41 + .../SecureObjectSync/SOSRingPeerInfoUtils.h | 14 + 
.../SOSCircle/SecureObjectSync/SOSRingTypes.c | 572 + .../SOSCircle/SecureObjectSync/SOSRingTypes.h | 58 + .../SOSCircle/SecureObjectSync/SOSRingUtils.c | 931 ++ .../SOSCircle/SecureObjectSync/SOSRingUtils.h | 146 + .../SOSCircle/SecureObjectSync/SOSRingV0.c | 151 + .../SOSCircle/SecureObjectSync/SOSRingV0.h | 14 + .../SOSCircle/SecureObjectSync/SOSTransport.c | 571 + .../SOSCircle/SecureObjectSync/SOSTransport.h | 33 + .../SecureObjectSync/SOSTransportBackupPeer.c | 41 + .../SecureObjectSync/SOSTransportBackupPeer.h | 21 + .../SecureObjectSync/SOSTransportCircle.c | 112 + .../SecureObjectSync/SOSTransportCircle.h | 68 + .../SecureObjectSync/SOSTransportCircleKVS.c | 456 + .../SecureObjectSync/SOSTransportCircleKVS.h | 27 + .../SecureObjectSync/SOSTransportCoder.c | 229 + .../SecureObjectSync/SOSTransportCoder.h | 21 + .../SOSTransportKeyParameter.c | 67 + .../SOSTransportKeyParameter.h | 37 + .../SOSTransportKeyParameterKVS.c | 138 + .../SOSTransportKeyParameterKVS.h | 16 + .../SecureObjectSync/SOSTransportMessage.c | 151 + .../SecureObjectSync/SOSTransportMessage.h | 60 + .../SecureObjectSync/SOSTransportMessageIDS.c | 331 + .../SecureObjectSync/SOSTransportMessageIDS.h | 34 + .../SecureObjectSync/SOSTransportMessageKVS.c | 282 + .../SecureObjectSync/SOSTransportMessageKVS.h | 24 + OSX/sec/SOSCircle/SecureObjectSync/SOSTypes.h | 100 + .../SecureObjectSync/SOSUserKeygen.c | 350 + .../SecureObjectSync/SOSUserKeygen.h | 36 + .../SecureObjectSync/SOSViewManager.c | 190 + .../SecureObjectSync/SOSViewManager.h | 54 + .../SecureObjectSync/SOSViewQueries.c | 93 + .../SecureObjectSync/SOSViewQueries.h | 70 + OSX/sec/SOSCircle/SecureObjectSync/SOSViews.c | 502 + OSX/sec/SOSCircle/SecureObjectSync/SOSViews.h | 85 + OSX/sec/SOSCircle/Tool/SOSCommands.h | 81 + OSX/sec/SOSCircle/Tool/keychain_sync.c | 1264 +++ OSX/sec/SOSCircle/osxshim.c | 40 + .../AppleBaselineEscrowCertificates.h | 178 + .../sec/Security/AuthorizationStatus.h | 0 .../Regressions/Security_regressions.h | 13 
+- .../Regressions/crypto/pbkdf2-00-hmac-sha1.c | 0 .../Regressions/crypto/spbkdf-00-hmac-sha1.c | 0 .../Regressions/otr/otr-00-identity.c | 44 +- .../Regressions/otr/otr-30-negotiation.c | 2 +- .../Regressions/otr/otr-40-edgecases.c | 0 .../Security/Regressions/otr/otr-50-roll.c | 186 +- .../Regressions/otr/otr-60-slowroll.c | 180 +- .../sec/Security/Regressions/otr/otr-otrdh.c | 0 .../Security/Regressions/otr/otr-packetdata.c | 0 .../Regressions/secitem/si-00-find-nothing.c | 0 .../Security/Regressions/secitem/si-05-add.c | 8 +- .../Regressions/secitem/si-10-find-internet.c | 0 .../Regressions/secitem/si-11-update-data.c | 0 .../Regressions/secitem/si-12-item-stress.c | 0 .../Regressions/secitem/si-14-dateparse.c | 0 .../Regressions/secitem/si-15-certificate.c | 0 .../secitem/si-16-ec-certificate.c | 0 .../secitem/si-20-sectrust-activation.c | 0 .../Regressions/secitem/si-20-sectrust.c | 4 +- .../Regressions/secitem/si-21-sectrust-asr.c | 0 .../Regressions/secitem/si-22-sectrust-iap.c | 0 .../secitem/si-23-sectrust-ocsp-wwdr.c | 0 .../Regressions/secitem/si-23-sectrust-ocsp.c | 1445 +++ .../secitem/si-24-sectrust-appleid.c | 0 .../si-24-sectrust-digicert-malaysia.c | 0 .../secitem/si-24-sectrust-diginotar.c | 0 .../Regressions/secitem/si-24-sectrust-itms.c | 0 .../secitem/si-24-sectrust-mobileasset.c | 0 .../Regressions/secitem/si-24-sectrust-nist.c | 0 .../secitem/si-24-sectrust-otatasking.c | 0 .../secitem/si-24-sectrust-shoebox.c | 18 +- .../si-25-sectrust-apple-authentication.c | 700 ++ .../secitem/si-25-sectrust-ipsec-eap.c | 0 .../secitem/si-26-applicationsigning.c | 0 .../secitem/si-27-sectrust-exceptions.c | 328 + .../secitem/si-28-sectrustsettings.c | 0 .../secitem/si-29-sectrust-codesigning.c | 23 +- .../secitem/si-30-keychain-upgrade.c | 0 .../Regressions/secitem/si-31-keychain-bad.c | 0 .../secitem/si-31-keychain-unreadable.c | 2 +- .../secitem/si-33-keychain-backup.c | 2 +- .../Regressions/secitem/si-40-seckey-custom.c | 0 
.../Regressions/secitem/si-40-seckey.c | 0 .../Regressions/secitem/si-41-sececkey.c | 88 +- .../Regressions/secitem/si-42-identity.c | 2 +- .../Regressions/secitem/si-43-persistent.c | 2 +- .../Regressions/secitem/si-50-secrandom.c | 0 .../Security/Regressions/secitem/si-60-cms.c | 0 .../Regressions/secitem/si-61-pkcs12.c | 143 +- .../Security/Regressions/secitem/si-62-csr.c | 10 +- .../Security/Regressions/secitem/si-63-scep.c | 4 +- .../Security/Regressions/secitem/si-63-scep.h | 0 .../secitem/si-63-scep/getcacert-mdes.h | 0 .../secitem/si-63-scep/getcacert-mdesqa.h | 0 .../Regressions/secitem/si-64-ossl-cms.c | 2 +- .../attached_no_data_signed_data.h | 0 .../si-64-ossl-cms/attached_signed_data.h | 0 .../secitem/si-64-ossl-cms/detached_content.h | 0 .../si-64-ossl-cms/detached_signed_data.h | 0 .../secitem/si-64-ossl-cms/privkey.h | 0 .../secitem/si-64-ossl-cms/signer.h | 0 .../secitem/si-65-cms-cert-policy.c | 0 .../Regressions/secitem/si-66-smime.c | 111 +- .../secitem/si-66-smime/signed-receipt.h | 0 .../secitem/si-67-sectrust-blacklist.c | 20 +- .../Global Trustee.cer.h | 0 .../UTN-USERFirst-Hardware.cer.h | 0 .../addons.mozilla.org.cer.h | 0 .../login.live.com.cer.h | 0 .../login.skype.com.cer.h | 0 .../login.yahoo.com.1.cer.h | 0 .../login.yahoo.com.2.cer.h | 0 .../login.yahoo.com.cer.h | 0 .../mail.google.com.cer.h | 0 .../www.google.com.cer.h | 0 .../secitem/si-68-secmatchissuer.c | 4 +- .../Regressions/secitem/si-69-keydesc.c | 0 .../secitem/si-70-sectrust-unified.c | 6 +- .../secitem/si-71-mobile-store-policy.c | 0 .../Regressions/secitem/si-72-syncableitems.c | 0 .../secitem/si-73-secpasswordgenerate.c | 19 +- .../Regressions/secitem/si-74-OTAPKISigner.c | 0 .../secitem/si-75-AppleIDRecordSigning.c | 64 +- .../secitem/si-76-shared-credentials.c | 6 + .../Regressions/secitem/si-78-query-attrs.c | 0 .../secitem/si-79-smp-cert-policy.c | 0 .../Regressions/secitem/si-80-empty-data.c | 0 .../secitem/si-81-sectrust-appletv.c | 558 + 
.../secitem/si-81-sectrust-server-auth.c | 0 .../secitem/si-83-seccertificate-sighashalg.c | 643 ++ .../secitem/si-84-sectrust-atv-appsigning.c | 478 + .../secitem/si_77_SecAccessControl.c | 524 + .../sec/Security/Regressions/vmdh/vmdh-40.c | 0 .../Regressions/vmdh/vmdh-41-example.c | 0 .../Regressions/vmdh/vmdh-42-example2.c | 0 OSX/sec/Security/SecAccessControl.c | 447 + OSX/sec/Security/SecAccessControl.h | 85 + .../Security/SecAccessControlExports.exp-in | 35 + OSX/sec/Security/SecAccessControlPriv.h | 128 + OSX/sec/Security/SecBase.h | 119 + {Security => OSX}/sec/Security/SecBase64.c | 0 OSX/sec/Security/SecBase64.h | 247 + OSX/sec/Security/SecBasePriv.h | 133 + {Security => OSX}/sec/Security/SecCMS.c | 0 {Security => OSX}/sec/Security/SecCMS.h | 0 OSX/sec/Security/SecCTKKey.c | 297 + OSX/sec/Security/SecCTKKeyPriv.h | 41 + .../sec/Security/SecCertificate.c | 599 +- OSX/sec/Security/SecCertificate.h | 95 + .../sec/Security/SecCertificateInternal.h | 43 +- .../sec/Security/SecCertificatePath.c | 5 +- .../sec/Security/SecCertificatePath.h | 0 OSX/sec/Security/SecCertificatePriv.h | 254 + .../sec/Security/SecCertificateRequest.c | 3 +- .../sec/Security/SecCertificateRequest.h | 0 {Security => OSX}/sec/Security/SecDH.c | 0 {Security => OSX}/sec/Security/SecDH.h | 0 {Security => OSX}/sec/Security/SecECKey.c | 59 +- {Security => OSX}/sec/Security/SecECKey.h | 0 {Security => OSX}/sec/Security/SecECKeyPriv.h | 0 .../sec/Security/SecExports.exp-in | 96 +- {Security => OSX}/sec/Security/SecFramework.c | 20 +- {Security => OSX}/sec/Security/SecFramework.h | 6 + OSX/sec/Security/SecFrameworkStrings.h | 236 + {Security => OSX}/sec/Security/SecIdentity.c | 0 OSX/sec/Security/SecIdentity.h | 81 + .../sec/Security/SecIdentityPriv.h | 0 OSX/sec/Security/SecImportExport.c | 172 + OSX/sec/Security/SecImportExport.h | 101 + {Security => OSX}/sec/Security/SecInternal.h | 0 OSX/sec/Security/SecItem.c | 1654 +++ OSX/sec/Security/SecItem.h | 1093 ++ OSX/sec/Security/SecItemBackup.c | 
583 + OSX/sec/Security/SecItemBackup.h | 111 + OSX/sec/Security/SecItemConstants.c | 255 + OSX/sec/Security/SecItemInternal.h | 87 + OSX/sec/Security/SecItemPriv.h | 396 + {Security => OSX}/sec/Security/SecKey.c | 295 +- OSX/sec/Security/SecKey.h | 310 + .../sec/Security/SecKeyInternal.h | 3 +- OSX/sec/Security/SecKeyPriv.h | 373 + OSX/sec/Security/SecLogging.c | 70 + {Security => OSX}/sec/Security/SecLogging.h | 2 + {Security => OSX}/sec/Security/SecOTR.h | 0 {Security => OSX}/sec/Security/SecOTRDHKey.c | 0 {Security => OSX}/sec/Security/SecOTRDHKey.h | 0 {Security => OSX}/sec/Security/SecOTRErrors.h | 0 .../sec/Security/SecOTRFullIdentity.c | 187 +- .../sec/Security/SecOTRIdentityPriv.h | 1 + {Security => OSX}/sec/Security/SecOTRMath.c | 1 + {Security => OSX}/sec/Security/SecOTRMath.h | 0 .../sec/Security/SecOTRPacketData.c | 0 .../sec/Security/SecOTRPacketData.h | 11 +- .../sec/Security/SecOTRPackets.c | 2 + .../sec/Security/SecOTRPackets.h | 0 .../sec/Security/SecOTRPublicIdentity.c | 0 .../sec/Security/SecOTRSession.c | 102 +- .../sec/Security/SecOTRSession.h | 0 .../sec/Security/SecOTRSessionAKE.c | 3 +- .../sec/Security/SecOTRSessionPriv.h | 2 +- {Security => OSX}/sec/Security/SecOTRUtils.c | 0 {Security => OSX}/sec/Security/SecOnOSX.h | 0 {Security => OSX}/sec/Security/SecPBKDF.c | 0 {Security => OSX}/sec/Security/SecPBKDF.h | 0 .../sec/Security/SecPasswordGenerate.c | 399 +- .../sec/Security/SecPasswordGenerate.h | 11 +- OSX/sec/Security/SecPolicy.c | 2877 +++++ OSX/sec/Security/SecPolicy.h | 404 + .../sec/Security/SecPolicyCerts.h | 0 OSX/sec/Security/SecPolicyInternal.h | 133 + OSX/sec/Security/SecPolicyPriv.h | 558 + {Security => OSX}/sec/Security/SecRSAKey.c | 606 +- {Security => OSX}/sec/Security/SecRSAKey.h | 0 .../sec/Security/SecRSAKeyPriv.h | 0 OSX/sec/Security/SecRandom.h | 67 + {Security => OSX}/sec/Security/SecSCEP.c | 7 +- {Security => OSX}/sec/Security/SecSCEP.h | 0 .../sec/Security/SecServerEncryptionSupport.c | 0 
.../sec/Security/SecServerEncryptionSupport.h | 0 .../sec/Security/SecSharedCredential.c | 4 +- .../sec/Security/SecSharedCredential.h | 26 +- OSX/sec/Security/SecTrust.c | 1944 ++++ OSX/sec/Security/SecTrust.h | 701 ++ OSX/sec/Security/SecTrustInternal.h | 42 + OSX/sec/Security/SecTrustPriv.h | 274 + .../sec/Security/SecTrustSettings.c | 82 +- .../sec/Security/SecTrustSettings.h | 0 OSX/sec/Security/SecTrustSettingsPriv.h | 222 + .../sec/Security/SecTrustStore.c | 30 +- .../sec/Security/SecTrustStore.h | 0 {Security => OSX}/sec/Security/Security.h | 0 OSX/sec/Security/SecuritydXPC.c | 436 + {Security => OSX}/sec/Security/SecuritydXPC.h | 10 +- OSX/sec/Security/Tool/SecurityCommands.h | 146 + OSX/sec/Security/Tool/add_internet_password.c | 186 + OSX/sec/Security/Tool/codesign.c | 427 + OSX/sec/Security/Tool/keychain_add.c | 133 + OSX/sec/Security/Tool/keychain_backup.c | 173 + OSX/sec/Security/Tool/keychain_find.c | 560 + OSX/sec/Security/Tool/keychain_util.c | 373 + OSX/sec/Security/Tool/keychain_util.h | 33 + OSX/sec/Security/Tool/log_control.c | 192 + OSX/sec/Security/Tool/pkcs12_util.c | 379 + OSX/sec/Security/Tool/scep.c | 608 + OSX/sec/Security/Tool/show_certificates.c | 293 + OSX/sec/Security/Tool/spc.c | 727 ++ .../sec/Security/certextensions.h | 0 OSX/sec/Security/cssmapple.h | 80 + .../sec/Security/keychain_find.h | 0 {Security => OSX}/sec/Security/p12import.c | 2 +- {Security => OSX}/sec/Security/p12import.h | 0 {Security => OSX}/sec/Security/p12pbegen.c | 0 {Security => OSX}/sec/Security/p12pbegen.h | 0 {Security => OSX}/sec/Security/pbkdf2.c | 0 {Security => OSX}/sec/Security/pbkdf2.h | 0 .../sec/Security/so_01_serverencryption.c | 4 +- {Security => OSX}/sec/Security/vmdh.c | 0 {Security => OSX}/sec/Security/vmdh.h | 0 OSX/sec/SecurityTool/SecurityTool.c | 405 + OSX/sec/SecurityTool/SecurityTool.h | 66 + OSX/sec/SecurityTool/builtin_commands.h | 37 + OSX/sec/SecurityTool/digest_calc.c | 102 + OSX/sec/SecurityTool/entitlements.plist | 17 + 
OSX/sec/SecurityTool/leaks.c | 109 + OSX/sec/SecurityTool/leaks.h | 37 + OSX/sec/SecurityTool/print_cert.c | 195 + OSX/sec/SecurityTool/print_cert.h | 42 + OSX/sec/SecurityTool/security.1 | 595 + OSX/sec/SecurityTool/tool_errors.h | 76 + .../com.apple.security.swcagent.plist | 0 .../sec/SharedWebCredential/swcagent.m | 40 +- .../sec/SharedWebCredential/swcagent_client.c | 0 .../sec/SharedWebCredential/swcagent_client.h | 5 + {Security => OSX}/sec/config/base.xcconfig | 0 {Security => OSX}/sec/config/debug.xcconfig | 0 OSX/sec/config/lib-arc-only.xcconfig | 9 + OSX/sec/config/lib.xcconfig | 32 + {Security => OSX}/sec/config/release.xcconfig | 0 OSX/sec/ipc/client.c | 266 + .../sec/ipc/com.apple.secd.plist | 6 +- .../sec/ipc/com.apple.securityd.plist | 4 +- OSX/sec/ipc/securityd_client.h | 329 + OSX/sec/ipc/server.c | 1328 +++ OSX/sec/sec.xcodeproj/project.pbxproj | 3732 +++++++ OSX/sec/securityd/OTATrustUtilities.c | 1369 +++ .../sec/securityd/OTATrustUtilities.h | 12 +- .../securityd/Regressions/SOSAccountTesting.h | 600 + .../Regressions/SOSTransportTestTransports.c | 885 ++ .../Regressions/SOSTransportTestTransports.h | 56 + .../Regressions/SecdTestKeychainUtilities.c | 3 + .../Regressions/SecdTestKeychainUtilities.h | 0 .../Regressions/ios6_1_keychain_2_db.h | 0 .../Regressions/ios8-inet-keychain-2.h | 9902 +++++++++++++++++ .../securityd/Regressions/sd-10-policytree.c | 1 - .../sec/securityd/Regressions/secd-01-items.c | 7 +- .../secd-02-upgrade-while-locked.c | 28 +- .../Regressions/secd-03-corrupted-items.c | 8 + .../Regressions/secd-04-corrupted-items.c | 0 .../Regressions/secd-05-corrupted-items.c | 7 +- .../Regressions/secd-30-keychain-upgrade.c | 0 .../Regressions/secd-31-keychain-bad.c | 5 +- .../Regressions/secd-31-keychain-unreadable.c | 13 +- .../Regressions/secd-32-restore-bad-backup.c | 233 + .../Regressions/secd-33-keychain-ctk.c | 660 ++ .../Regressions/secd-34-backup-der-parse.c | 510 + .../secd-35-keychain-migrate-inet.c | 146 + 
.../Regressions/secd-40-cc-gestalt.c | 47 + .../securityd/Regressions/secd-49-manifests.c | 360 + .../securityd/Regressions/secd-50-account.c | 33 +- .../securityd/Regressions/secd-50-message.c | 257 + .../Regressions/secd-51-account-inflate.c | 301 + .../Regressions/secd-52-account-changed.c | 214 + .../secd-52-offering-gencount-reset.c | 181 + .../Regressions/secd-55-account-circle.c | 34 +- .../secd-55-account-incompatibility.c | 23 +- .../Regressions/secd-56-account-apply.c | 24 +- .../Regressions/secd-57-account-leave.c | 44 +- .../Regressions/secd-58-password-change.c | 33 +- .../Regressions/secd-59-account-cleanup.c | 31 +- .../secd-60-account-cloud-identity.c | 26 +- ...d-61-account-leave-not-in-kansas-anymore.c | 48 +- .../Regressions/secd-62-account-backup.c | 254 + .../Regressions/secd-62-account-hsa-join.c | 162 + .../secd-63-account-resurrection.c | 219 + .../Regressions/secd-64-circlereset.c | 100 + .../Regressions/secd-70-engine-corrupt.c | 53 +- .../Regressions/secd-70-engine-smash.c | 62 + .../securityd/Regressions/secd-70-engine.c | 57 +- .../Regressions/secd-70-otr-remote.c | 34 +- .../Regressions/secd-74-engine-beer-servers.c | 93 + .../Regressions/secd-75-engine-views.c | 129 + .../Regressions/secd-80-views-basic.c | 142 + .../Regressions/secd-81-item-acl-stress.c | 367 + .../securityd/Regressions/secd-81-item-acl.c | 496 + .../Regressions/secd-82-persistent-ref.c | 65 + .../Regressions/secd-82-secproperties-basic.c | 139 + OSX/sec/securityd/Regressions/secd-90-hsa2.c | 64 + .../securityd/Regressions/secd_regressions.h | 73 + .../Regressions/securityd_regressions.h | 0 OSX/sec/securityd/SOSCloudCircleServer.c | 1553 +++ OSX/sec/securityd/SOSCloudCircleServer.h | 154 + .../sec/securityd/SecCAIssuerCache.c | 0 .../sec/securityd/SecCAIssuerCache.h | 0 .../sec/securityd/SecCAIssuerRequest.c | 4 +- .../sec/securityd/SecCAIssuerRequest.h | 0 OSX/sec/securityd/SecDbItem.c | 1728 +++ {Security => OSX}/sec/securityd/SecDbItem.h | 66 +- 
OSX/sec/securityd/SecDbKeychainItem.c | 1268 +++ OSX/sec/securityd/SecDbKeychainItem.h | 58 + {Security => OSX}/sec/securityd/SecDbQuery.c | 251 +- {Security => OSX}/sec/securityd/SecDbQuery.h | 25 +- OSX/sec/securityd/SecItemBackupServer.c | 165 + OSX/sec/securityd/SecItemBackupServer.h | 44 + OSX/sec/securityd/SecItemDataSource.c | 801 ++ .../sec/securityd/SecItemDataSource.h | 3 +- {Security => OSX}/sec/securityd/SecItemDb.c | 333 +- {Security => OSX}/sec/securityd/SecItemDb.h | 10 +- OSX/sec/securityd/SecItemSchema.c | 640 ++ .../sec/securityd/SecItemSchema.h | 26 +- OSX/sec/securityd/SecItemServer.c | 1994 ++++ .../sec/securityd/SecItemServer.h | 8 +- OSX/sec/securityd/SecKeybagSupport.c | 471 + OSX/sec/securityd/SecKeybagSupport.h | 96 + OSX/sec/securityd/SecLogSettingsServer.c | 48 + .../sec/securityd/SecLogSettingsServer.h | 1 + .../sec/securityd/SecOCSPCache.c | 128 +- .../sec/securityd/SecOCSPCache.h | 10 +- .../sec/securityd/SecOCSPRequest.c | 7 +- .../sec/securityd/SecOCSPRequest.h | 0 .../sec/securityd/SecOCSPResponse.c | 177 +- .../sec/securityd/SecOCSPResponse.h | 23 +- OSX/sec/securityd/SecOTRRemote.c | 124 + .../sec/securityd/SecOTRRemote.h | 0 .../sec/securityd/SecPolicyServer.c | 975 +- .../sec/securityd/SecPolicyServer.h | 23 +- .../sec/securityd/SecTrustServer.c | 222 +- OSX/sec/securityd/SecTrustServer.h | 108 + .../sec/securityd/SecTrustStoreServer.c | 2 +- .../sec/securityd/SecTrustStoreServer.h | 0 {Security => OSX}/sec/securityd/asynchttp.c | 27 +- {Security => OSX}/sec/securityd/asynchttp.h | 9 +- OSX/sec/securityd/entitlements.plist | 22 + OSX/sec/securityd/iCloudTrace.c | 93 + {Security => OSX}/sec/securityd/iCloudTrace.h | 3 +- OSX/sec/securityd/nameconstraints.c | 554 + OSX/sec/securityd/nameconstraints.h | 41 + {Security => OSX}/sec/securityd/policytree.c | 2 +- {Security => OSX}/sec/securityd/policytree.h | 0 OSX/sec/securityd/spi.c | 136 + {Security => OSX}/sec/securityd/spi.h | 0 OSX/secdtests/main.c | 52 + {Security => 
OSX}/secdtests/testlist.h | 0 .../sectests/SecurityTests-Entitlements.plist | 1 + {Security => OSX}/sectests/main.c | 0 {Security => OSX}/sectests/test/testenv.c | 0 OSX/sectests/testlist.h | 7 + {Security => OSX}/security2/security2.1 | 0 .../security2/security_tool_commands.c | 0 {Security => OSX}/security2/sub_commands.h | 0 OSX/shared_regressions/append_log_to_plist.py | 31 + OSX/shared_regressions/shared_regressions.h | 8 + .../si-82-seccertificate-ct.c | 212 + .../si-82-sectrust-ct-certs.h | 1029 ++ .../si-82-sectrust-ct-logs.plist | 198 + OSX/shared_regressions/si-82-sectrust-ct.c | 1300 +++ OSX/tlsnke/README.tlsnke | 3 + .../tlsnke/tlsnke.xcodeproj/project.pbxproj | 0 .../contents.xcworkspacedata | 0 {Security => OSX}/tlsnke/tlsnke/tlsnke.h | 0 {Security => OSX}/tlsnke/tlsnketest/cert-1.h | 0 .../tlsnke/tlsnketest/dtls_client.c | 0 .../tlsnke/tlsnketest/identity-1.h | 0 {Security => OSX}/tlsnke/tlsnketest/main.c | 0 .../tlsnke/tlsnketest/privkey-1.h | 0 .../tlsnke/tlsnketest/ssl-utils.c | 0 .../tlsnke/tlsnketest/ssl-utils.h | 0 {Security => OSX}/tlsnke/tlsnketest/st_test.c | 0 .../tlsnke/tlsnketest/tlssocket.c | 0 .../tlsnke/tlsnketest/tlssocket.h | 0 OSX/trustd/com.apple.trustd.agent.plist | 43 + OSX/trustd/com.apple.trustd.asl | 4 + OSX/trustd/com.apple.trustd.plist | 30 + OSX/trustd/com.apple.trustd.sb | 30 + OSX/trustd/trustd-Info.plist | 31 + OSX/trustd/trustd-Prefix.pch | 14 + .../utilities/Regressions/su-05-cfwrappers.c | 0 .../utilities/Regressions/su-07-debugging.c | 0 OSX/utilities/Regressions/su-08-secbuffer.c | 65 + .../Regressions/su-10-cfstring-der.c | 0 .../utilities/Regressions/su-11-cfdata-der.c | 0 .../Regressions/su-12-cfboolean-der.c | 0 .../Regressions/su-13-cfnumber-der.c | 0 .../utilities/Regressions/su-14-cfarray-der.c | 0 .../Regressions/su-15-cfdictionary-der.c | 0 .../utilities/Regressions/su-16-cfdate-der.c | 0 OSX/utilities/Regressions/su-17-cfset-der.c | 138 + .../utilities/Regressions/su-40-secdb.c | 0 
.../Regressions/su-41-secdb-stress.c | 7 +- .../Regressions/utilities_regressions.h | 2 + .../utilities/SecLogging.mobileconfig | 0 .../SecurityTool/not_on_this_platorm.c | 0 .../utilities/SecurityTool/readline.c | 0 .../utilities/SecurityTool/readline.h | 0 .../SecurityTool/security_tool_commands.h | 0 .../security_tool_commands_table.h | 0 OSX/utilities/config/lib.xcconfig | 4 + OSX/utilities/src/SecAKSWrappers.c | 133 + OSX/utilities/src/SecAKSWrappers.h | 133 + OSX/utilities/src/SecAppleAnchor.c | 587 + OSX/utilities/src/SecAppleAnchorPriv.h | 34 + OSX/utilities/src/SecBuffer.c | 37 + OSX/utilities/src/SecBuffer.h | 40 + OSX/utilities/src/SecCFCCWrappers.c | 43 + OSX/utilities/src/SecCFCCWrappers.h | 43 + OSX/utilities/src/SecCFError.c | 217 + OSX/utilities/src/SecCFError.h | 164 + OSX/utilities/src/SecCFRelease.h | 66 + OSX/utilities/src/SecCFWrappers.c | 240 + OSX/utilities/src/SecCFWrappers.h | 918 ++ OSX/utilities/src/SecCertificateTrace.c | 549 + OSX/utilities/src/SecCertificateTrace.h | 53 + OSX/utilities/src/SecCoreCrypto.c | 68 + OSX/utilities/src/SecCoreCrypto.h | 44 + OSX/utilities/src/SecDb.c | 1387 +++ OSX/utilities/src/SecDb.h | 167 + .../utilities/src/SecDispatchRelease.h | 0 OSX/utilities/src/SecFileLocations.c | 263 + OSX/utilities/src/SecFileLocations.h | 48 + {Security => OSX}/utilities/src/SecIOFormat.h | 0 OSX/utilities/src/SecInternalRelease.c | 46 + OSX/utilities/src/SecInternalReleasePriv.h | 21 + {Security => OSX}/utilities/src/SecMeta.h | 0 OSX/utilities/src/SecSCTUtils.c | 65 + OSX/utilities/src/SecSCTUtils.h | 33 + OSX/utilities/src/SecXPCError.c | 104 + {Security => OSX}/utilities/src/SecXPCError.h | 0 {Security => OSX}/utilities/src/array_size.h | 0 OSX/utilities/src/cloud_keychain_diagnose.c | 1252 +++ {Security => OSX}/utilities/src/comparison.c | 0 OSX/utilities/src/comparison.h | 38 + OSX/utilities/src/debugging.c | 618 + OSX/utilities/src/debugging.h | 157 + .../utilities/src/debugging_test.h | 0 {Security => 
OSX}/utilities/src/der_array.c | 0 {Security => OSX}/utilities/src/der_boolean.c | 0 {Security => OSX}/utilities/src/der_data.c | 0 {Security => OSX}/utilities/src/der_date.c | 0 {Security => OSX}/utilities/src/der_date.h | 0 .../utilities/src/der_dictionary.c | 0 {Security => OSX}/utilities/src/der_null.c | 0 {Security => OSX}/utilities/src/der_number.c | 0 OSX/utilities/src/der_plist.c | 185 + OSX/utilities/src/der_plist.h | 62 + .../utilities/src/der_plist_internal.c | 0 OSX/utilities/src/der_plist_internal.h | 137 + OSX/utilities/src/der_set.c | 186 + OSX/utilities/src/der_set.h | 27 + {Security => OSX}/utilities/src/der_string.c | 0 {Security => OSX}/utilities/src/fileIo.c | 0 {Security => OSX}/utilities/src/fileIo.h | 0 OSX/utilities/src/iCloudKeychainTrace.c | 455 + .../utilities/src/iCloudKeychainTrace.h | 0 OSX/utilities/src/iOSforOSX-SecAttr.c | 55 + .../utilities/src/iOSforOSX-SecRandom.c | 0 {Security => OSX}/utilities/src/iOSforOSX.c | 0 OSX/utilities/src/iOSforOSX.h | 50 + OSX/utilities/src/simulate_crash.c | 64 + {Security => OSX}/utilities/src/sqlutils.h | 0 .../utilities.xcodeproj/project.pbxproj | 642 ++ OSX/utilities/utilities/SecAKSWrappers.c | 133 + OSX/utilities/utilities/SecAKSWrappers.h | 133 + OSX/utilities/utilities/SecAppleAnchor.c | 587 + OSX/utilities/utilities/SecAppleAnchorPriv.h | 34 + OSX/utilities/utilities/SecBuffer.c | 37 + OSX/utilities/utilities/SecBuffer.h | 40 + OSX/utilities/utilities/SecCFCCWrappers.c | 43 + OSX/utilities/utilities/SecCFCCWrappers.h | 43 + OSX/utilities/utilities/SecCFError.c | 217 + OSX/utilities/utilities/SecCFError.h | 164 + OSX/utilities/utilities/SecCFRelease.h | 66 + OSX/utilities/utilities/SecCFWrappers.c | 240 + OSX/utilities/utilities/SecCFWrappers.h | 918 ++ OSX/utilities/utilities/SecCertificateTrace.c | 549 + OSX/utilities/utilities/SecCertificateTrace.h | 53 + OSX/utilities/utilities/SecCoreCrypto.c | 68 + OSX/utilities/utilities/SecCoreCrypto.h | 44 + OSX/utilities/utilities/SecDb.c | 1387 +++ 
OSX/utilities/utilities/SecDb.h | 167 + OSX/utilities/utilities/SecDispatchRelease.h | 74 + OSX/utilities/utilities/SecFileLocations.c | 263 + OSX/utilities/utilities/SecFileLocations.h | 48 + OSX/utilities/utilities/SecIOFormat.h | 103 + OSX/utilities/utilities/SecInternalRelease.c | 46 + .../utilities/SecInternalReleasePriv.h | 21 + OSX/utilities/utilities/SecMeta.h | 203 + OSX/utilities/utilities/SecSCTUtils.c | 65 + OSX/utilities/utilities/SecSCTUtils.h | 33 + OSX/utilities/utilities/SecXPCError.c | 104 + OSX/utilities/utilities/SecXPCError.h | 49 + OSX/utilities/utilities/array_size.h | 30 + .../utilities/cloud_keychain_diagnose.c | 1252 +++ OSX/utilities/utilities/comparison.c | 35 + OSX/utilities/utilities/comparison.h | 38 + OSX/utilities/utilities/debugging.c | 618 + OSX/utilities/utilities/debugging.h | 157 + OSX/utilities/utilities/debugging_test.h | 32 + OSX/utilities/utilities/der_array.c | 91 + OSX/utilities/utilities/der_boolean.c | 70 + OSX/utilities/utilities/der_data.c | 103 + OSX/utilities/utilities/der_date.c | 409 + OSX/utilities/utilities/der_date.h | 43 + OSX/utilities/utilities/der_dictionary.c | 244 + OSX/utilities/utilities/der_null.c | 66 + OSX/utilities/utilities/der_number.c | 138 + OSX/utilities/utilities/der_plist.c | 185 + OSX/utilities/utilities/der_plist.h | 62 + OSX/utilities/utilities/der_plist_internal.c | 34 + OSX/utilities/utilities/der_plist_internal.h | 137 + OSX/utilities/utilities/der_set.c | 186 + OSX/utilities/utilities/der_set.h | 27 + OSX/utilities/utilities/der_string.c | 94 + OSX/utilities/utilities/fileIo.c | 100 + OSX/utilities/utilities/fileIo.h | 26 + OSX/utilities/utilities/iCloudKeychainTrace.c | 455 + OSX/utilities/utilities/iCloudKeychainTrace.h | 54 + OSX/utilities/utilities/iOSforOSX-SecAttr.c | 55 + OSX/utilities/utilities/iOSforOSX-SecRandom.c | 29 + OSX/utilities/utilities/iOSforOSX.c | 83 + OSX/utilities/utilities/iOSforOSX.h | 50 + OSX/utilities/utilities/simulate_crash.c | 64 + 
OSX/utilities/utilities/sqlutils.h | 53 + OTAPKIAssetTool/OTAPKIAssetTool.xcconfig | 14 + OTAPKIAssetTool/OTAServiceApp.m | 16 +- OTAPKIAssetTool/OTAServicemain.m | 3 + README.genanchors | 14 - SOSCCAuthPlugin/Info.plist | 24 + SOSCCAuthPlugin/SOSCCAuthPlugin.h | 14 + SOSCCAuthPlugin/SOSCCAuthPlugin.m | 74 + Security.exp-in | 13 + Security.xcodeproj/project.pbxproj | 1905 +++- .../contents.xcworkspacedata | 7 - .../xcshareddata/xcschemes/Debug.xcscheme | 105 +- .../xcschemes/ProtectedCloudStorage.xcscheme | 59 - .../xcshareddata/xcschemes/Release.xcscheme | 81 +- .../xcschemes/Security_executables.xcscheme | 87 + .../xcschemes/Security_frameworks.xcscheme | 87 + .../xcschemes/Security_temporary_UI.xcscheme | 87 + .../xcshareddata/xcschemes/SyncTest.xcscheme | 86 - .../xcshareddata/xcschemes/SyncTest2.xcscheme | 86 - .../xcschemes/codesigntester.xcscheme | 84 - .../xcschemes/libsecurityd.xcscheme | 63 - .../xcshareddata/xcschemes/phase1.xcscheme | 87 + .../xcshareddata/xcschemes/phase2.xcscheme | 87 + .../xcshareddata/xcschemes/secdtests.xcscheme | 124 +- .../xcshareddata/xcschemes/security.xcscheme | 99 - .../xcshareddata/xcschemes/securityd.xcscheme | 81 - .../xcshareddata/xcschemes/sslEcdsa.xcscheme | 81 - .../xcshareddata/xcschemes/sslServer.xcscheme | 81 - .../xcshareddata/xcschemes/sslViewer.xcscheme | 81 - .../KNAppDelegate.m | 417 - .../KNPersistantState.h | 39 - .../KNPersistantState.m | 102 - .../en.lproj/Localizable.strings | Bin 1868 -> 0 bytes .../en.lproj/MainMenu.xib | 3244 ------ Security/Keychain/en.lproj/Credits.rtf | 29 - Security/Keychain/en.lproj/MainMenu.xib | 6586 ----------- Security/Security.xcodeproj/project.pbxproj | 6515 ----------- .../contents.xcworkspacedata | 7 - .../xcshareddata/WorkspaceSettings.xcsettings | 8 - .../xcshareddata/xcschemes/Security.xcscheme | 91 - .../xcschemes/Security_executables.xcscheme | 59 - .../xcschemes/Security_frameworks.xcscheme | 59 - .../xcshareddata/xcschemes/World.xcscheme | 60 - 
.../xcshareddata/xcschemes/authd.xcscheme | 59 - .../xcschemes/copyHeaders.xcscheme | 59 - .../xcshareddata/xcschemes/secd.xcscheme | 86 - .../xcshareddata/xcschemes/secdtests.xcscheme | 132 - Security/authd/Info.plist | 31 - Security/authd/main.c | 208 - Security/authd/server.c | 1169 -- Security/config/base.xcconfig | 14 - Security/config/command.xcconfig | 13 - Security/config/executable.xcconfig | 7 - Security/config/lib.xcconfig | 26 - Security/include/security_asn1 | 1 - Security/include/security_cdsa_client | 1 - Security/include/security_cdsa_plugin | 1 - Security/include/security_cdsa_utilities | 1 - Security/include/security_cdsa_utils | 1 - Security/include/security_codesigning | 1 - Security/include/security_comcryption | 1 - Security/include/security_cryptkit | 1 - Security/include/security_filedb | 1 - Security/include/security_keychain | 1 - Security/include/security_ocspd | 1 - Security/include/security_pkcs12 | 1 - Security/include/security_smime | 1 - Security/include/security_utilities | 1 - Security/include/securityd_client | 1 - Security/lib/framework.sb | 2 - Security/lib/generateErrStrings.pl | 343 - .../project.pbxproj | 1486 --- .../project.pbxproj | 345 - .../project.pbxproj | 278 - .../project.pbxproj | 503 - .../lib/tpCertAllowList.c | 1634 --- .../project.pbxproj | 417 - Security/libsecurity_asn1/Security | 1 - .../libsecurity_asn1/config/base.xcconfig | 10 - Security/libsecurity_asn1/lib/SecAsn1Coder.c | 221 - Security/libsecurity_asn1/lib/SecAsn1Coder.h | 149 - .../libsecurity_asn1/lib/SecAsn1Templates.h | 131 - Security/libsecurity_asn1/lib/SecAsn1Types.h | 241 - Security/libsecurity_asn1/lib/ocspTemplates.c | 298 - Security/libsecurity_asn1/lib/oidsbase.h | 356 - Security/libsecurity_asn1/lib/oidsocsp.c | 41 - Security/libsecurity_asn1/lib/oidsocsp.h | 50 - .../project.pbxproj | 477 - Security/libsecurity_asn1/security_asn1 | 1 - .../project.pbxproj | 315 - .../project.pbxproj | 404 - .../libsecurity_cdsa_plugin/lib/cssmplugin.h | 
132 - .../project.pbxproj | 466 - .../lib/cssmpods.cpp | 179 - .../lib/handletemplates.h | 295 - .../project.pbxproj | 709 -- .../project.pbxproj | 284 - .../project.pbxproj | 399 - .../libsecurity_cms.xcodeproj/project.pbxproj | 231 - .../libsecurity_codesigning/lib/CSCommon.h | 322 - .../lib/CSCommonPriv.h | 122 - .../lib/CodeSigner.cpp | 302 - .../libsecurity_codesigning/lib/CodeSigner.h | 104 - .../lib/RequirementKeywords.h | 24 - .../lib/RequirementLexer.cpp | 1268 --- .../lib/RequirementLexer.hpp | 77 - .../lib/RequirementParser.cpp | 1303 --- .../lib/RequirementParser.hpp | 153 - .../lib/RequirementParserTokenTypes.hpp | 75 - .../lib/RequirementParserTokenTypes.txt | 55 - .../lib/SecAssessment.cpp | 525 - .../lib/SecAssessment.h | 310 - .../libsecurity_codesigning/lib/SecCode.cpp | 278 - .../libsecurity_codesigning/lib/SecCode.h | 444 - .../libsecurity_codesigning/lib/SecCodeHost.h | 241 - .../lib/SecCodeSigner.cpp | 123 - .../lib/SecCodeSigner.h | 230 - .../lib/SecRequirement.h | 140 - .../lib/SecStaticCode.cpp | 271 - .../lib/SecStaticCode.h | 165 - .../libsecurity_codesigning/lib/SecTask.c | 300 - .../libsecurity_codesigning/lib/SecTask.h | 103 - .../lib/StaticCode.cpp | 1681 --- .../libsecurity_codesigning/lib/StaticCode.h | 272 - .../lib/bundlediskrep.cpp | 691 -- .../libsecurity_codesigning/lib/cdbuilder.cpp | 252 - .../libsecurity_codesigning/lib/cdbuilder.h | 98 - .../lib/codedirectory.cpp | 311 - .../lib/codedirectory.h | 278 - .../lib/csutilities.cpp | 268 - .../libsecurity_codesigning/lib/csutilities.h | 203 - .../libsecurity_codesigning/lib/drmaker.cpp | 197 - .../libsecurity_codesigning/lib/machorep.cpp | 409 - .../lib/opaquewhitelist.cpp | 268 - .../lib/policyengine.cpp | 1108 -- .../lib/policyengine.h | 97 - .../libsecurity_codesigning/lib/reqdumper.cpp | 353 - .../libsecurity_codesigning/lib/reqinterp.cpp | 573 - .../libsecurity_codesigning/lib/reqinterp.h | 88 - .../libsecurity_codesigning/lib/reqmaker.cpp | 174 - 
.../libsecurity_codesigning/lib/reqmaker.h | 134 - .../libsecurity_codesigning/lib/reqreader.cpp | 93 - .../libsecurity_codesigning/lib/reqreader.h | 86 - .../libsecurity_codesigning/lib/requirement.h | 216 - .../libsecurity_codesigning/lib/resources.cpp | 353 - .../libsecurity_codesigning/lib/resources.h | 138 - .../libsecurity_codesigning/lib/signer.cpp | 668 -- Security/libsecurity_codesigning/lib/signer.h | 101 - .../lib/signerutils.cpp | 361 - .../lib/singlediskrep.cpp | 139 - .../project.pbxproj | 2044 ---- .../project.pbxproj | 200 - .../libsecurity_cryptkit/lib/CryptKitDER.cpp | 1150 -- .../libsecurity_cryptkit/lib/CryptKitDER.h | 179 - .../lib/feeDigitalSignature.c | 674 -- Security/libsecurity_cryptkit/lib/feeECDSA.c | 665 -- Security/libsecurity_cryptkit/lib/feeECDSA.h | 82 - .../libsecurity_cryptkit/lib/feeFEEDExp.c | 735 -- Security/libsecurity_cryptkit/lib/feeTypes.h | 168 - .../project.pbxproj | 780 -- Security/libsecurity_cssm/lib/cssmapple.h | 1160 -- .../project.pbxproj | 514 - .../lib/ReadWriteSection.cpp | 53 - .../project.pbxproj | 301 - Security/libsecurity_keychain/Security | 1 - .../libsecurity_keychain/lib/Certificate.cpp | 1471 --- .../lib/CertificateValues.cpp | 610 - Security/libsecurity_keychain/lib/KeyItem.cpp | 1403 --- Security/libsecurity_keychain/lib/Keychains.h | 267 - .../libsecurity_keychain/lib/Policies.cpp | 338 - .../libsecurity_keychain/lib/PolicyCursor.h | 92 - Security/libsecurity_keychain/lib/SecACL.h | 220 - .../libsecurity_keychain/lib/SecAccess.cpp | 715 -- Security/libsecurity_keychain/lib/SecAccess.h | 217 - Security/libsecurity_keychain/lib/SecBase.h | 648 -- Security/libsecurity_keychain/lib/SecBridge.h | 69 - .../lib/SecCertificate.cpp | 1184 -- .../libsecurity_keychain/lib/SecCertificate.h | 466 - .../lib/SecCertificateInternalP.h | 311 - .../lib/SecCertificateOIDs.h | 168 - .../lib/SecCertificateP.c | 4742 -------- .../lib/SecCertificateP.h | 114 - .../lib/SecCertificatePriv.h | 257 - 
.../lib/SecCertificatePrivP.h | 176 - .../libsecurity_keychain/lib/SecFrameworkP.c | 274 - .../libsecurity_keychain/lib/SecIdentity.cpp | 1119 -- .../libsecurity_keychain/lib/SecIdentity.h | 198 - .../lib/SecIdentitySearch.cpp | 116 - .../lib/SecIdentitySearch.h | 87 - .../lib/SecImportExport.c | 335 - .../lib/SecImportExport.h | 681 -- .../lib/SecImportExportAgg.cpp | 881 -- Security/libsecurity_keychain/lib/SecItem.cpp | 4932 -------- Security/libsecurity_keychain/lib/SecItem.h | 1113 -- .../lib/SecItemConstants.c | 233 - .../libsecurity_keychain/lib/SecItemPriv.h | 301 - Security/libsecurity_keychain/lib/SecKey.cpp | 2266 ---- Security/libsecurity_keychain/lib/SecKey.h | 604 - .../libsecurity_keychain/lib/SecKeyPriv.h | 392 - .../libsecurity_keychain/lib/SecKeychain.cpp | 1283 --- .../libsecurity_keychain/lib/SecKeychain.h | 646 -- .../lib/SecKeychainItem.cpp | 610 - .../lib/SecKeychainItem.h | 341 - .../lib/SecKeychainItemExtendedAttributes.cpp | 358 - .../lib/SecKeychainSearch.cpp | 89 - .../lib/SecKeychainSearch.h | 76 - .../libsecurity_keychain/lib/SecPolicy.cpp | 453 - Security/libsecurity_keychain/lib/SecPolicy.h | 408 - .../libsecurity_keychain/lib/SecPolicyPriv.h | 147 - .../lib/SecPolicySearch.cpp | 77 - .../lib/SecPolicySearch.h | 83 - Security/libsecurity_keychain/lib/SecRandom.h | 66 - .../libsecurity_keychain/lib/SecTrust.cpp | 901 -- Security/libsecurity_keychain/lib/SecTrust.h | 686 -- .../libsecurity_keychain/lib/SecTrustPriv.h | 175 - .../lib/SecTrustSettings.cpp | 902 -- .../lib/SecTrustSettings.h | 321 - .../lib/SecTrustedApplication.cpp | 240 - .../lib/SecTrustedApplication.h | 82 - Security/libsecurity_keychain/lib/Security.h | 103 - Security/libsecurity_keychain/lib/Trust.cpp | 915 -- .../lib/TrustAdditions.cpp | 1240 --- .../lib/TrustRevocation.cpp | 729 -- .../lib/TrustSettings.cpp | 1559 --- .../lib/TrustedApplication.cpp | 209 - .../lib/TrustedApplication.h | 98 - .../lib/security_keychain.exp | 745 -- 
.../libDER/libDER.xcodeproj/project.pbxproj | 756 -- .../libsecurity_keychain/libDER/libDER/oids.c | 576 - .../libsecurity_keychain/libDER/libDER/oids.h | 137 - .../project.pbxproj | 1323 --- .../regressions/kc-41-sececkey.c | 358 - .../regressions/kc-42-trust-revocation.c | 390 - .../project.pbxproj | 357 - .../libsecurity_mds.xcodeproj/project.pbxproj | 343 - .../libsecurity_ocspd/common/ocspdClient.h | 1 - .../project.pbxproj | 418 - .../project.pbxproj | 332 - .../project.pbxproj | 340 - Security/libsecurity_smime/lib/cert.c | 828 -- Security/libsecurity_smime/lib/cmspubkey.c | 1449 --- Security/libsecurity_smime/lib/cmsrecinfo.c | 704 -- Security/libsecurity_smime/lib/cmssigdata.c | 1192 -- Security/libsecurity_smime/lib/cmssiginfo.c | 1432 --- Security/libsecurity_smime/lib/tsaSupport.c | 1410 --- .../project.pbxproj | 648 -- Security/libsecurity_ssl/Security | 1 - Security/libsecurity_ssl/config/base.xcconfig | 16 - Security/libsecurity_ssl/lib/CipherSuite.h | 261 - Security/libsecurity_ssl/lib/ModuleAttacher.h | 49 - .../libsecurity_ssl/lib/SSLRecordInternal.c | 418 - .../libsecurity_ssl/lib/SSLRecordInternal.h | 73 - .../libsecurity_ssl/lib/SecureTransport.h | 1352 --- .../libsecurity_ssl/lib/SecureTransportPriv.h | 812 -- Security/libsecurity_ssl/lib/appleCdsa.h | 222 - Security/libsecurity_ssl/lib/cipherSpecs.c | 790 -- Security/libsecurity_ssl/lib/cryptType.h | 71 - Security/libsecurity_ssl/lib/secCrypto.c | 77 - .../libsecurity_ssl/lib/securetransport++.cpp | 307 - .../libsecurity_ssl/lib/securetransport++.h | 112 - Security/libsecurity_ssl/lib/security_ssl.exp | 93 - .../libsecurity_ssl/lib/sslAlertMessage.h | 91 - Security/libsecurity_ssl/lib/sslBER.c | 371 - Security/libsecurity_ssl/lib/sslBER.h | 100 - Security/libsecurity_ssl/lib/sslCipherSpecs.c | 529 - Security/libsecurity_ssl/lib/sslContext.c | 2576 ----- Security/libsecurity_ssl/lib/sslContext.h | 286 - Security/libsecurity_ssl/lib/sslCrypto.c | 579 - Security/libsecurity_ssl/lib/sslCrypto.h | 
83 - Security/libsecurity_ssl/lib/sslDigests.c | 88 - Security/libsecurity_ssl/lib/sslDigests.h | 54 - Security/libsecurity_ssl/lib/sslHandshake.h | 223 - Security/libsecurity_ssl/lib/sslKeychain.c | 236 - Security/libsecurity_ssl/lib/sslNullCipher.c | 73 - Security/libsecurity_ssl/lib/sslPriv.h | 58 - Security/libsecurity_ssl/lib/sslRand.c | 95 - Security/libsecurity_ssl/lib/sslRand.h | 38 - Security/libsecurity_ssl/lib/sslRecord.c | 126 - Security/libsecurity_ssl/lib/sslSession.c | 361 - Security/libsecurity_ssl/lib/sslSession.h | 60 - Security/libsecurity_ssl/lib/sslTransport.c | 450 - Security/libsecurity_ssl/lib/symCipher.c | 574 - Security/libsecurity_ssl/lib/symCipher.h | 148 - .../libsecurity_ssl/lib/symCipherParams.c | 112 - Security/libsecurity_ssl/lib/tlsCallbacks.c | 231 - Security/libsecurity_ssl/lib/tls_digest.c | 545 - Security/libsecurity_ssl/lib/tls_digest.h | 80 - Security/libsecurity_ssl/lib/tls_hashhmac.c | 56 - Security/libsecurity_ssl/lib/tls_hashhmac.h | 61 - Security/libsecurity_ssl/lib/tls_hmac.c | 363 - Security/libsecurity_ssl/lib/tls_hmac.h | 108 - .../libsecurity_ssl/lib/tls_record_internal.h | 81 - Security/libsecurity_ssl/lib/tls_ssl.h | 94 - .../libsecurity_ssl.xcodeproj/project.pbxproj | 938 -- .../libsecurity_ssl/regressions/gencerts.sh | 11 - .../regressions/ssl-42-ciphers.c | 686 -- .../libsecurity_ssl/regressions/ssl-49-sni.c | 273 - .../libsecurity_ssl/regressions/ssl-utils.c | 276 - Security/libsecurity_ssl/security_ssl | 1 - .../lib/SecEncryptTransform.cpp | 94 - .../project.pbxproj | 869 -- .../libsecurity_utilities/lib/cfmach++.cpp | 130 - .../libsecurity_utilities/lib/cfutilities.cpp | 291 - .../libsecurity_utilities/lib/cfutilities.h | 620 -- .../libsecurity_utilities/lib/dyldcache.cpp | 143 - .../libsecurity_utilities/lib/dyldcache.h | 155 - .../libsecurity_utilities/lib/hashing.cpp | 53 - Security/libsecurity_utilities/lib/hashing.h | 186 - .../libsecurity_utilities/lib/mach_notify.c | 542 - 
.../libsecurity_utilities/lib/macho++.cpp | 783 -- Security/libsecurity_utilities/lib/macho++.h | 239 - .../libsecurity_utilities/lib/powerwatch.cpp | 246 - .../libsecurity_utilities/lib/powerwatch.h | 113 - .../libsecurity_utilities/lib/sqlite++.cpp | 440 - Security/libsecurity_utilities/lib/unix++.cpp | 538 - .../project.pbxproj | 879 -- Security/libsecurityd/lib/ssclient.h | 457 - Security/libsecurityd/lib/transition.cpp | 1066 -- .../libsecurityd.xcodeproj/project.pbxproj | 768 -- .../regressions.xcodeproj/project.pbxproj | 351 - Security/regressions/test/testenv.c | 345 - Security/regressions/test/testmore.c | 350 - .../CKBridge/SOSCloudKeychainClient.c | 682 -- .../CKBridge/SOSCloudKeychainClient.h | 122 - .../CKBridge/SOSCloudKeychainConstants.c | 101 - .../CKBridge/SOSCloudKeychainConstants.h | 83 - .../Regressions/SOSCircle_regressions.h | 29 - .../sec/SOSCircle/Regressions/SOSTestDevice.c | 391 - .../SOSCircle/Regressions/sc-103-syncupdate.c | 247 - .../SOSCircle/Regressions/sc-131-transport.c | 48 - .../SOSCircle/Regressions/sc-30-peerinfo.c | 124 - .../Regressions/sc-31-peerinfo-simplefuzz.c | 83 - .../SOSCircle/Regressions/sc-41-cloudcircle.c | 64 - .../sec/SOSCircle/Regressions/sc-50-message.c | 261 - .../Regressions/sc-51-persistentEC.c | 91 - .../sec/SOSCircle/Regressions/sc-60-peer.c | 157 - .../sec/SOSCircle/Regressions/sc-70-engine.c | 391 - .../Regressions/sc-75-circle-engine.c | 296 - .../SOSCircle/Regressions/sc-90-ckdclient.c | 201 - .../SOSCircle/Regressions/sc-95-ckd2client.c | 150 - Security/sec/SOSCircle/SOSARCDefines.h | 65 - .../SOSCircle/SecureObjectSync/SOSAccount.c | 1035 -- .../SOSCircle/SecureObjectSync/SOSAccount.h | 214 - .../SecureObjectSync/SOSAccountCircles.c | 176 - .../SOSAccountCloudParameters.c | 85 - .../SecureObjectSync/SOSAccountCredentials.c | 266 - .../SecureObjectSync/SOSAccountDer.c | 153 - .../SecureObjectSync/SOSAccountFullPeerInfo.c | 186 - .../SecureObjectSync/SOSAccountPeers.c | 176 - 
.../SecureObjectSync/SOSAccountPersistence.c | 710 -- .../SecureObjectSync/SOSAccountPriv.h | 293 - .../SecureObjectSync/SOSAccountUpdate.c | 483 - .../SOSCircle/SecureObjectSync/SOSCircle.c | 1260 --- .../SOSCircle/SecureObjectSync/SOSCircle.h | 159 - .../SecureObjectSync/SOSCloudCircle.c | 556 - .../SecureObjectSync/SOSCloudCircle.h | 320 - .../SecureObjectSync/SOSCloudCircleInternal.h | 54 - .../sec/SOSCircle/SecureObjectSync/SOSCoder.c | 552 - .../sec/SOSCircle/SecureObjectSync/SOSCoder.h | 72 - .../SecureObjectSync/SOSDataSource.h | 230 - .../SecureObjectSync/SOSDigestVector.c | 379 - .../SOSCircle/SecureObjectSync/SOSEngine.c | 1074 -- .../SOSCircle/SecureObjectSync/SOSEngine.h | 102 - .../SecureObjectSync/SOSExports.exp-in | 68 - .../SecureObjectSync/SOSFullPeerInfo.c | 376 - .../SecureObjectSync/SOSFullPeerInfo.h | 76 - .../SOSCircle/SecureObjectSync/SOSInternal.c | 185 - .../SOSCircle/SecureObjectSync/SOSInternal.h | 106 - .../SOSCircle/SecureObjectSync/SOSKVSKeys.c | 233 - .../SOSCircle/SecureObjectSync/SOSKVSKeys.h | 50 - .../SOSCircle/SecureObjectSync/SOSManifest.c | 228 - .../SOSCircle/SecureObjectSync/SOSMessage.c | 1183 -- .../SOSCircle/SecureObjectSync/SOSMessage.h | 137 - .../sec/SOSCircle/SecureObjectSync/SOSPeer.c | 498 - .../sec/SOSCircle/SecureObjectSync/SOSPeer.h | 112 - .../SOSCircle/SecureObjectSync/SOSPeerCoder.c | 160 - .../SOSCircle/SecureObjectSync/SOSPeerCoder.h | 23 - .../SOSCircle/SecureObjectSync/SOSPeerInfo.c | 774 -- .../SOSCircle/SecureObjectSync/SOSPeerInfo.h | 139 - .../SecureObjectSync/SOSPeerInfoCollections.c | 245 - .../SecureObjectSync/SOSPeerInfoCollections.h | 64 - .../SecureObjectSync/SOSPeerInfoInternal.h | 33 - .../SOSCircle/SecureObjectSync/SOSTransport.c | 438 - .../SOSCircle/SecureObjectSync/SOSTransport.h | 26 - .../SecureObjectSync/SOSTransportCircle.c | 76 - .../SecureObjectSync/SOSTransportCircle.h | 45 - .../SecureObjectSync/SOSTransportCircleKVS.c | 249 - .../SecureObjectSync/SOSTransportCircleKVS.h | 19 - 
.../SecureObjectSync/SOSTransportCoder.c | 221 - .../SecureObjectSync/SOSTransportCoder.h | 19 - .../SOSTransportKeyParameter.c | 62 - .../SOSTransportKeyParameter.h | 34 - .../SOSTransportKeyParameterKVS.c | 89 - .../SOSTransportKeyParameterKVS.h | 16 - .../SecureObjectSync/SOSTransportMessage.c | 172 - .../SecureObjectSync/SOSTransportMessage.h | 51 - .../SecureObjectSync/SOSTransportMessageKVS.c | 249 - .../SecureObjectSync/SOSTransportMessageKVS.h | 28 - .../SecureObjectSync/SOSUserKeygen.c | 308 - .../SecureObjectSync/SOSUserKeygen.h | 35 - Security/sec/SOSCircle/Tool/SOSCommands.h | 52 - Security/sec/SOSCircle/Tool/keychain_sync.c | 579 - Security/sec/SOSCircle/osxshim.c | 65 - .../Regressions/secitem/si-23-sectrust-ocsp.c | 1097 -- .../secitem/si-27-sectrust-exceptions.c | 390 - .../secitem/si-81-item-acl-stress.c | 287 - .../secitem/si_77_SecAccessControl.c | 247 - Security/sec/Security/SecAccessControl.c | 313 - Security/sec/Security/SecAccessControl.h | 64 - .../Security/SecAccessControlExports.exp-in | 28 - Security/sec/Security/SecAccessControlPriv.h | 128 - Security/sec/Security/SecBase.h | 112 - Security/sec/Security/SecBasePriv.h | 126 - Security/sec/Security/SecCertificate.h | 87 - Security/sec/Security/SecCertificatePriv.h | 201 - Security/sec/Security/SecFrameworkStrings.h | 222 - Security/sec/Security/SecIdentity.h | 75 - Security/sec/Security/SecImportExport.c | 172 - Security/sec/Security/SecImportExport.h | 94 - Security/sec/Security/SecItem.c | 1057 -- Security/sec/Security/SecItem.h | 1006 -- Security/sec/Security/SecItemConstants.c | 224 - Security/sec/Security/SecItemInternal.h | 54 - Security/sec/Security/SecItemPriv.h | 349 - Security/sec/Security/SecKey.h | 296 - Security/sec/Security/SecKeyPriv.h | 341 - Security/sec/Security/SecLogging.c | 53 - Security/sec/Security/SecPolicy.c | 2161 ---- Security/sec/Security/SecPolicy.h | 391 - Security/sec/Security/SecPolicyInternal.h | 123 - Security/sec/Security/SecPolicyPriv.h | 439 - 
Security/sec/Security/SecRandom.h | 61 - Security/sec/Security/SecTrust.c | 1581 --- Security/sec/Security/SecTrust.h | 681 -- Security/sec/Security/SecTrustPriv.h | 229 - Security/sec/Security/SecTrustSettingsPriv.h | 218 - Security/sec/Security/SecuritydXPC.c | 331 - Security/sec/Security/Tool/SecurityCommands.h | 143 - Security/sec/Security/Tool/keychain_add.c | 130 - Security/sec/Security/Tool/keychain_find.c | 556 - Security/sec/Security/Tool/keychain_util.c | 341 - Security/sec/Security/Tool/log_control.c | 172 - Security/sec/Security/Tool/scep.c | 608 - .../sec/Security/Tool/show_certificates.c | 292 - Security/sec/Security/Tool/spc.c | 727 -- Security/sec/Security/cssmapple.h | 76 - Security/sec/SecurityTool/print_cert.c | 190 - Security/sec/config/lib-arc-only.xcconfig | 9 - Security/sec/config/lib.xcconfig | 34 - Security/sec/ipc/client.c | 187 - Security/sec/ipc/securityd_client.h | 252 - Security/sec/ipc/server.c | 943 -- Security/sec/sec.xcodeproj/project.pbxproj | 3022 ----- Security/sec/securityd/OTATrustUtilities.c | 1190 -- .../securityd/Regressions/SOSAccountTesting.h | 455 - .../Regressions/SOSTransportTestTransports.c | 733 -- .../Regressions/SOSTransportTestTransports.h | 41 - .../Regressions/secd-51-account-inflate.c | 163 - .../Regressions/secd-52-account-changed.c | 205 - .../securityd/Regressions/secd_regressions.h | 48 - Security/sec/securityd/SOSCloudCircleServer.c | 1206 -- Security/sec/securityd/SOSCloudCircleServer.h | 121 - Security/sec/securityd/SecDbItem.c | 1628 --- Security/sec/securityd/SecDbKeychainItem.c | 982 -- Security/sec/securityd/SecDbKeychainItem.h | 50 - Security/sec/securityd/SecItemDataSource.c | 636 -- Security/sec/securityd/SecItemSchema.c | 2 +- Security/sec/securityd/SecItemServer.c | 1885 ---- Security/sec/securityd/SecKeybagSupport.c | 277 - Security/sec/securityd/SecKeybagSupport.h | 97 - Security/sec/securityd/SecLogSettingsServer.c | 35 - Security/sec/securityd/SecOTRRemote.c | 105 - 
Security/sec/securityd/SecTrustServer.h | 94 - Security/sec/securityd/entitlements.plist | 18 - Security/sec/securityd/iCloudTrace.c | 536 - Security/sec/securityd/spi.c | 109 - Security/secdtests/main.c | 52 - Security/sectests/testlist.h | 6 - Security/tlsnke/loadkext.sh | 8 - .../xcshareddata/xcschemes/Device.xcscheme | 78 - .../xcshareddata/xcschemes/Host.xcscheme | 78 - .../xcshareddata/xcschemes/tlsnke.xcscheme | 60 - .../xcschemes/tlsnketest.xcscheme | 87 - Security/tlsnke/tlsnke/tlsnke-Info.plist | 47 - Security/tlsnke/tlsnke/tlsnke-Prefix.pch | 4 - Security/tlsnke/tlsnke/tlsnke.c | 1118 -- Security/utilities/config/lib.xcconfig | 2 - Security/utilities/src/SecAKSWrappers.c | 94 - Security/utilities/src/SecAKSWrappers.h | 121 - Security/utilities/src/SecCFError.c | 124 - Security/utilities/src/SecCFError.h | 62 - Security/utilities/src/SecCFRelease.h | 57 - Security/utilities/src/SecCFWrappers.c | 120 - Security/utilities/src/SecCFWrappers.h | 827 -- Security/utilities/src/SecCertificateTrace.c | 549 - Security/utilities/src/SecCertificateTrace.h | 53 - Security/utilities/src/SecDb.c | 1299 --- Security/utilities/src/SecDb.h | 157 - Security/utilities/src/SecFileLocations.c | 238 - Security/utilities/src/SecFileLocations.h | 47 - Security/utilities/src/SecXPCError.c | 83 - .../utilities/src/cloud_keychain_diagnose.c | 1245 --- Security/utilities/src/comparison.h | 33 - Security/utilities/src/debugging.c | 568 - Security/utilities/src/debugging.h | 148 - Security/utilities/src/der_plist.c | 147 - Security/utilities/src/der_plist.h | 53 - Security/utilities/src/der_plist_internal.h | 122 - Security/utilities/src/iCloudKeychainTrace.c | 459 - Security/utilities/src/iOSforOSX-SecAttr.c | 47 - Security/utilities/src/iOSforOSX.h | 50 - Security/utilities/src/simulate_crash.c | 53 - Security/utilities/utilities | 1 - .../utilities.xcodeproj/project.pbxproj | 572 - .../SecurityTests-Entitlements.plist | 1 + .../testSubjects/anchorAndDb/anchorAndDb.scr | 2 +- 
SecurityTests/nist-certs/Expectations.plist | 38 +- SecurityTests/testlist.h | 3 +- SecurityTool/security.1 | 2 +- .../SWCViewController.m | 4 + TODO | 1 + asl/com.apple.securityd | 3 + .../PKITrustData/AppleESCertificates.plist | Bin 2086 -> 0 bytes .../AssetData/PKITrustData/AssetVersion.plist | 8 - .../AssetData/PKITrustData/Blocked.plist | Bin 435 -> 0 bytes .../AssetData/PKITrustData/EVRoots.plist | Bin 3448 -> 0 bytes .../PKITrustData/GrayListedKeys.plist | Bin 381 -> 0 bytes .../AssetData/PKITrustData/certsIndex.data | Bin 5352 -> 0 bytes .../AssetData/PKITrustData/certsTable.data | Bin 242192 -> 0 bytes .../AssetData/PKITrustData/manifest.data | Bin 495 -> 0 bytes .../SecurityCertificatesAssets/Info.plist | 25 - .../BuildOSXRootKeychain/X509Anchors | Bin 282984 -> 0 bytes .../BuildOSXRootKeychain/buildRootKeychain.rb | 628 -- .../BuildOSXRootKeychain/certsha1hashtmp | Bin 100 -> 0 bytes .../BuildOSXRootKeychain/evroot.config | 462 - .../BuildiOSAsset/BuildAsset.rb | 222 - .../BuildiOSAsset/BuildPListFiles.rb | 63 - .../CertificateTool.xcodeproj/project.pbxproj | 2 +- .../contents.xcworkspacedata | 7 - .../AppleBaselineEscrowCertificates.h | 1 - .../CertificateTool/AssetVersion.plist | 8 - .../CertificateTool-Prefix.pch | 7 - .../CertificateTool/CertificateToolApp.h | 59 - .../CertificateTool/CertificateToolApp.m | 795 -- .../CertificateTool/DataConversion.h | 53 - .../CertificateTool/DataConversion.m | 103 - .../CertificateTool/Info.plist | 25 - .../CertificateTool/PSAssetConstants.c | 19 - .../CertificateTool/PSAssetConstants.h | 33 - .../CertificateTool/CertificateTool/PSCert.h | 30 - .../CertificateTool/CertificateTool/PSCert.m | 204 - .../CertificateTool/PSCertData.h | 25 - .../CertificateTool/PSCertData.m | 144 - .../CertificateTool/PSCertKey.h | 21 - .../CertificateTool/PSCertKey.m | 45 - .../CertificateTool/PSCertRecord.h | 20 - .../CertificateTool/PSCertRecord.m | 54 - .../CertificateTool/CertificateTool/PSCerts.h | 22 - 
.../CertificateTool/CertificateTool/PSCerts.m | 81 - .../CertificateTool/PSUtilities.h | 28 - .../CertificateTool/PSUtilities.m | 382 - .../CertificateTool/ValidateAsset.c | 409 - .../CertificateTool/ValidateAsset.h | 14 - .../CertificateTool/CertificateTool/main.m | 78 - certificates/EVRoots/evroot.config | 462 - certificates/assetData/Info.plist | 27 - certificates/certs/AppleDEVID.cer | Bin 1032 -> 0 bytes certificates/certs/DODCA_13.cer | Bin 1080 -> 0 bytes certificates/certs/DODCA_14.cer | Bin 1080 -> 0 bytes certificates/certs/DODCA_15.cer | Bin 1072 -> 0 bytes certificates/certs/DODCA_16.cer | Bin 1072 -> 0 bytes certificates/certs/DODCA_17.cer | Bin 1072 -> 0 bytes certificates/certs/DODCA_18.cer | Bin 1072 -> 0 bytes certificates/certs/DODCA_19.cer | Bin 1348 -> 0 bytes certificates/certs/DODCA_20.cer | Bin 1348 -> 0 bytes certificates/certs/DODCA_25.der | Bin 1421 -> 0 bytes certificates/certs/DODCA_26.der | Bin 1421 -> 0 bytes certificates/certs/DODCA_27.cer | Bin 1360 -> 0 bytes certificates/certs/DODCA_28.cer | Bin 1360 -> 0 bytes certificates/certs/DODCA_29.cer | Bin 1360 -> 0 bytes certificates/certs/DODCA_30.cer | Bin 1360 -> 0 bytes certificates/certs/DODEMAILCA_13.cer | Bin 1086 -> 0 bytes certificates/certs/DODEMAILCA_14.cer | Bin 1086 -> 0 bytes certificates/certs/DODEMAILCA_15.cer | Bin 1078 -> 0 bytes certificates/certs/DODEMAILCA_16.cer | Bin 1078 -> 0 bytes certificates/certs/DODEMAILCA_17.cer | Bin 1078 -> 0 bytes certificates/certs/DODEMAILCA_18.cer | Bin 1078 -> 0 bytes certificates/certs/DODEMAILCA_19.cer | Bin 1354 -> 0 bytes certificates/certs/DODEMAILCA_20.cer | Bin 1354 -> 0 bytes certificates/certs/DODEMAILCA_21.cer | Bin 1427 -> 0 bytes certificates/certs/DODEMAILCA_22.cer | Bin 1427 -> 0 bytes certificates/certs/DODEMAILCA_23.cer | Bin 1427 -> 0 bytes certificates/certs/DODEMAILCA_24.cer | Bin 1427 -> 0 bytes certificates/certs/DODEMAILCA_25.der | Bin 1427 -> 0 bytes certificates/certs/DODEMAILCA_26.der | Bin 1427 -> 0 bytes 
certificates/certs/DODEMAILCA_27.cer | Bin 1366 -> 0 bytes certificates/certs/DODEMAILCA_28.cer | Bin 1366 -> 0 bytes certificates/certs/DODEMAILCA_29.cer | Bin 1366 -> 0 bytes certificates/certs/DODEMAILCA_30.cer | Bin 1366 -> 0 bytes certificates/certs/DODINTERMEDIATECA-2.cer | Bin 1360 -> 0 bytes certificates/certs/DODINTERMEDIATECA_1.cer | Bin 1360 -> 0 bytes certificates/certs/DOD_CA-11.cer | Bin 1080 -> 0 bytes certificates/certs/DOD_CA-12.cer | Bin 1080 -> 0 bytes certificates/certs/DOD_CLASS_3_CA-10.cer | Bin 1050 -> 0 bytes certificates/certs/DOD_CLASS_3_CA-5.cer | Bin 1049 -> 0 bytes certificates/certs/DOD_CLASS_3_CA-6.cer | Bin 1049 -> 0 bytes certificates/certs/DOD_CLASS_3_CA-7.cer | Bin 1049 -> 0 bytes certificates/certs/DOD_CLASS_3_CA-8.cer | Bin 1049 -> 0 bytes certificates/certs/DOD_CLASS_3_CA-9.cer | Bin 1049 -> 0 bytes .../certs/DOD_CLASS_3_EMAIL_CA-10.cer | Bin 1056 -> 0 bytes certificates/certs/DOD_CLASS_3_EMAIL_CA-5.cer | Bin 1055 -> 0 bytes certificates/certs/DOD_CLASS_3_EMAIL_CA-6.cer | Bin 1055 -> 0 bytes certificates/certs/DOD_CLASS_3_EMAIL_CA-7.cer | Bin 1055 -> 0 bytes certificates/certs/DOD_CLASS_3_EMAIL_CA-8.cer | Bin 1055 -> 0 bytes certificates/certs/DOD_CLASS_3_EMAIL_CA-9.cer | Bin 1055 -> 0 bytes certificates/certs/DOD_EMAIL_CA-11.cer | Bin 1086 -> 0 bytes certificates/certs/DOD_EMAIL_CA-12.cer | Bin 1086 -> 0 bytes certificates/certs/DoDCA21.cer | Bin 1421 -> 0 bytes certificates/certs/DoDCA22.cer | Bin 1421 -> 0 bytes certificates/certs/DoDCA23.cer | Bin 1421 -> 0 bytes certificates/certs/DoDCA24.cer | Bin 1421 -> 0 bytes .../certs/GeoTrust_True_Credentials_CA_2.cer | Bin 699 -> 0 bytes certificates/certs/IDENTRUSTECA1.cer | Bin 1069 -> 0 bytes certificates/certs/IDENTRUSTECA2.cer | Bin 1434 -> 0 bytes certificates/certs/IDENTRUSTECA3.cer | Bin 1399 -> 0 bytes certificates/certs/ORCECA2.cer | Bin 1037 -> 0 bytes .../certs/ORCECAFOREIGNNATIONALSCA1.cer | Bin 1059 -> 0 bytes certificates/certs/ORCECAHW3.cer | Bin 1431 -> 0 bytes 
certificates/certs/ORCECAHW4.cer | Bin 1396 -> 0 bytes certificates/certs/ORCECASW3.cer | Bin 1431 -> 0 bytes certificates/certs/ORCECASW4.cer | Bin 1396 -> 0 bytes certificates/certs/ORC_ECA.cer | Bin 1074 -> 0 bytes certificates/certs/Thawte_Code_Signing_CA.cer | Bin 850 -> 0 bytes certificates/certs/Thawte_SGC_CA.der.cer | Bin 807 -> 0 bytes .../certs/Thawte_SSL_Domain_CA_der.cer | Bin 823 -> 0 bytes certificates/certs/VERISIGNCLIENTECA-G2.cer | Bin 1520 -> 0 bytes ...LIENTEXTERNALCERTIFICATIONAUTHORITY_G3.cer | Bin 1481 -> 0 bytes ...gnClientExternalCertificationAuthority.cer | Bin 1176 -> 0 bytes certificates/certs/VeriSign_TSA_CA.crt | Bin 977 -> 0 bytes certificates/certs/VisaNet.crt | Bin 1096 -> 0 bytes certificates/certs/acClasse0_0.cer | Bin 711 -> 0 bytes certificates/certs/acClasse0_1.cer | Bin 783 -> 0 bytes certificates/certs/acClasse1_0.cer | Bin 782 -> 0 bytes certificates/certs/acClasse1_1.cer | Bin 711 -> 0 bytes certificates/certs/acClasse2_0.cer | Bin 782 -> 0 bytes certificates/certs/acClasse2_1.cer | Bin 712 -> 0 bytes certificates/certs/acClasse3_0.cer | Bin 783 -> 0 bytes certificates/certs/acClasse3_1.cer | Bin 711 -> 0 bytes certificates/certs/acClasse4.cer | Bin 794 -> 0 bytes certificates/certs/acClasse5.cer | Bin 774 -> 0 bytes certificates/certs/acCps2_2.cer | Bin 685 -> 0 bytes certificates/certs/belgiumrs.crt | Bin 1023 -> 0 bytes certificates/certs/e-Visa.crt | Bin 1097 -> 0 bytes certificates/certs/gipCps0.cer | Bin 690 -> 0 bytes .../DigiNotar Extended Validation CA.cer | Bin 1542 -> 0 bytes ...iNotar PKIoverheid CA Organisatie - G2.cer | Bin 1696 -> 0 bytes .../distrusted/DigiNotar Qualified CA.cer | Bin 1541 -> 0 bytes .../distrusted/DigiNotar Services 1024 CA.cer | Bin 1403 -> 0 bytes .../distrusted/DigiNotar Services CA.cer | Bin 1541 -> 0 bytes .../distrusted/DigiNotarRootCA2007.crt | Bin 1422 -> 0 bytes certificates/distrusted/DigiNotarRootCAG2.cer | Bin 1428 -> 0 bytes .../distrusted/DigiNotar_PKIoverheid_CA.cer | Bin 1164 
-> 0 bytes certificates/distrusted/EASEE-gas CA.cer | Bin 1497 -> 0 bytes ... van Advocaten - Dutch Bar Association.cer | Bin 1560 -> 0 bytes certificates/distrusted/TRIALOrgCA.cer | Bin 1605 -> 0 bytes ...tar_PKIoverheid_Organisatie_TEST_CA_G2.cer | Bin 1734 -> 0 bytes certificates/distrusted/TU Delft CA.cer | Bin 1517 -> 0 bytes .../BuildAsset/BuildAsset-Prefix.pch | 7 - .../ota_cert_tool/BuildAsset/BuildAsset.1 | 79 - certificates/ota_cert_tool/BuildAsset/main.m | 14 - .../ota_cert_tool/Scripts/BuildAsset.rb | 39 - .../ota_cert_tool/Scripts/BuildPlistFiles.rb | 35 - certificates/ota_cert_tool/Scripts/File.rb | 141 - .../SecuritydAssertHelper/Readme.txt | 0 .../SecuritydAssertHelper.1 | 79 - .../SecuritydAssertHelper.m | 39 - .../ota_cert_tool/TestValidator/Readme.txt | 5 - .../TestValidator/Resources/EVRoots.plist | 309 - .../TestValidator/Resources/Manifest.plist | 20 - .../TestValidator/Resources/certs.plist | 97 - .../TestValidator/Resources/distrusted.plist | 22 - .../TestValidator/Resources/revoked.plist | 18 - .../TestValidator/Resources/roots.plist | 193 - .../TestValidator/TestValidator.1 | 79 - .../TestValidator/TestValidator.m | 30 - .../assertValidation-Prefix.pch | 7 - .../project.pbxproj | 904 -- .../contents.xcworkspacedata | 7 - .../ios_ota_cert_tool/CommonBaseXX.c | 9 - .../ios_ota_cert_tool/CommonBaseXX.h | 273 - .../ios_ota_cert_tool/CommonBuffering.c | 114 - .../ios_ota_cert_tool/CommonBufferingPriv.h | 63 - .../ios_ota_cert_tool/Info.plist | 27 - .../ota_cert_tool/ios_ota_cert_tool/PSCert.h | 22 - .../ota_cert_tool/ios_ota_cert_tool/PSCert.m | 37 - .../ios_ota_cert_tool/PSCertKey.h | 21 - .../ios_ota_cert_tool/PSCertKey.m | 47 - .../ota_cert_tool/ios_ota_cert_tool/PSCerts.h | 23 - .../ota_cert_tool/ios_ota_cert_tool/PSCerts.m | 86 - .../ios_ota_cert_tool/PSIOSCertToolApp.h | 51 - .../ios_ota_cert_tool/PSIOSCertToolApp.m | 503 - .../ios_ota_cert_tool/PSUtilities.h | 28 - .../ios_ota_cert_tool/PSUtilities.m | 333 - 
.../ios_ota_cert_tool/ValidateAsset.c | 508 - .../ios_ota_cert_tool/ValidateAsset.h | 16 - .../ios_ota_cert_tool/ccMemory.h | 71 - .../ios_ota_cert_tool-Prefix.pch | 7 - .../ios_ota_cert_tool/ios_ota_cert_tool.1 | 79 - .../ota_cert_tool/ios_ota_cert_tool/main.m | 71 - certificates/removed/AOLTimeWarner1.der | Bin 1002 -> 0 bytes certificates/removed/AOLTimeWarner2.der | Bin 1514 -> 0 bytes certificates/removed/EntrustRootCA1024.crt | Bin 1244 -> 0 bytes .../removed/Equifax_Secure_eBusiness_CA-2.cer | Bin 804 -> 0 bytes .../removed/JCSSecureSignRootCA11.cer | Bin 881 -> 0 bytes certificates/removed/ValiCertClass1PVA.cer | Bin 747 -> 0 bytes certificates/removed/ValiCertClass2PVA.cer | Bin 747 -> 0 bytes certificates/removed/ValiCertClass3PVA.cer | Bin 747 -> 0 bytes certificates/removed/persbasi.crt | Bin 805 -> 0 bytes certificates/removed/persprem.crt | Bin 813 -> 0 bytes certificates/revoked/*.EGO.GOV.TR.cer | Bin 1345 -> 0 bytes certificates/revoked/*.google.com.cer | Bin 1459 -> 0 bytes certificates/revoked/*.mail.me.com.cer | Bin 1314 -> 0 bytes .../revoked/DigiNotar Public CA 2025.cer | Bin 1543 -> 0 bytes certificates/revoked/DigiNotar092006.cer | Bin 1340 -> 0 bytes certificates/revoked/DigiNotar092706.cer | Bin 1340 -> 0 bytes certificates/revoked/DigiNotar100406.cer | Bin 1374 -> 0 bytes certificates/revoked/DigiNotarRootCA1.cer | Bin 1356 -> 0 bytes certificates/revoked/DigiNotarRootCA2.cer | Bin 1356 -> 0 bytes .../revoked/DigiNotarServices1024CA.cer | Bin 977 -> 0 bytes ...Digisign-Server-ID-Enrich-Entrust-Cert.cer | Bin 1234 -> 0 bytes ...igisign-Server-ID-Enrich-GTETrust-Cert.cer | Bin 975 -> 0 bytes certificates/revoked/Micros CA 2.cer | Bin 1095 -> 0 bytes ...ave Organization Issuing CA, Level 2 2.cer | Bin 1190 -> 0 bytes .../revoked/e-islem.kktcmerkezbankasi.org.cer | Bin 1012 -> 0 bytes certificates/roots/00_BCA.cer | Bin 1134 -> 0 bytes certificates/roots/2048CA.cer | Bin 1120 -> 0 bytes certificates/roots/A-Trust-Qual-01.cer | Bin 1111 -> 0 
bytes certificates/roots/A-Trust-Qual-02a.crt | Bin 975 -> 0 bytes certificates/roots/A-Trust-nQual-01.cer | Bin 865 -> 0 bytes certificates/roots/A-Trust-nQual-03.cer | Bin 979 -> 0 bytes certificates/roots/APCAroot.der | Bin 932 -> 0 bytes .../roots/Actalis Authentication Root CA.cer | Bin 1471 -> 0 bytes .../roots/AddTrust Class 1 CA Root.crt | Bin 1052 -> 0 bytes .../roots/AddTrust External CA Root.crt | Bin 1082 -> 0 bytes .../roots/AddTrust Public CA Root.crt | Bin 1049 -> 0 bytes .../roots/AddTrust Qualified CA Root.crt | Bin 1058 -> 0 bytes certificates/roots/AffirmTrust-Commercial.der | Bin 848 -> 0 bytes certificates/roots/AffirmTrust-Networking.der | Bin 848 -> 0 bytes .../roots/AffirmTrust-Premium-ECC.der | Bin 514 -> 0 bytes certificates/roots/AffirmTrust-Premium.der | Bin 1354 -> 0 bytes certificates/roots/AmericaOnline1.der | Bin 936 -> 0 bytes certificates/roots/AmericaOnline2.der | Bin 1448 -> 0 bytes certificates/roots/AppCAG2.cer | Bin 932 -> 0 bytes certificates/roots/Apple Root CA - G2.cer | Bin 1430 -> 0 bytes certificates/roots/Apple Root CA - G3.cer | Bin 583 -> 0 bytes certificates/roots/AppleDEVID.cer | Bin 1032 -> 0 bytes certificates/roots/AppleIncRoot042506.cer | Bin 1215 -> 0 bytes certificates/roots/AppleROOTCA.der | Bin 1470 -> 0 bytes ...rtificacion Raiz del Estado Venezolano.cer | Bin 2463 -> 0 bytes certificates/roots/BIT-Admin-Root-CA.crt | Bin 1369 -> 0 bytes certificates/roots/BIT-AdminCA-CD-T01.crt | Bin 1105 -> 0 bytes certificates/roots/BTCTRT.cer | Bin 891 -> 0 bytes .../roots/Buypass Class 2 Root CA.cer | Bin 1373 -> 0 bytes .../roots/Buypass Class 3 Root CA.cer | Bin 1373 -> 0 bytes certificates/roots/BuypassClass2CA1.cer | Bin 855 -> 0 bytes certificates/roots/BuypassClass3CA1.cer | Bin 855 -> 0 bytes certificates/roots/C1_PCA_G3v2.509 | Bin 1054 -> 0 bytes certificates/roots/C2_PCA_G3v2.509 | Bin 1053 -> 0 bytes certificates/roots/C3_PCA_G3v2.509 | Bin 1054 -> 0 bytes certificates/roots/C4_PCA_G3v2.509 | Bin 1054 -> 0 
bytes certificates/roots/CA Disig Root R1.cer | Bin 1389 -> 0 bytes certificates/roots/CA Disig Root R2.cer | Bin 1389 -> 0 bytes certificates/roots/CNNICEVRoot.der | Bin 1019 -> 0 bytes .../roots/COMODOCertificationAuthority.crt | Bin 1057 -> 0 bytes certificates/roots/Certigna.cer | Bin 940 -> 0 bytes certificates/roots/Certinomis - Root CA.cer | Bin 1430 -> 0 bytes certificates/roots/Certinomis-May2013.der | Bin 1440 -> 0 bytes .../roots/Certum Trusted Network CA 2.cer | Bin 1495 -> 0 bytes certificates/roots/Chunghwa-ROOTeCA.der | Bin 1460 -> 0 bytes certificates/roots/Class1_PCA_G2_v2.509 | Bin 774 -> 0 bytes certificates/roots/Class2_PCA_G2_v2.509 | Bin 775 -> 0 bytes certificates/roots/Class3_PCA_G2_v2.509 | Bin 774 -> 0 bytes certificates/roots/Class4_PCA_G2_v2.509 | Bin 774 -> 0 bytes certificates/roots/ComSign-CA.der | Bin 919 -> 0 bytes certificates/roots/ComSign-Global.der | Bin 1541 -> 0 bytes certificates/roots/ComSign-Secured.der | Bin 943 -> 0 bytes .../roots/Comodo_AAA_Certificate_Services.cer | Bin 1078 -> 0 bytes .../Comodo_Secure_Certificate_Services.cer | Bin 1091 -> 0 bytes .../Comodo_Trusted_Certificate_Services.cer | Bin 1095 -> 0 bytes .../roots/D-TRUST_Root_Class_3_CA_2_2009.cer | Bin 1079 -> 0 bytes .../D-TRUST_Root_Class_3_CA_2_EV_2009.cer | Bin 1095 -> 0 bytes certificates/roots/DST Root CA X4.cer | Bin 831 -> 0 bytes .../roots/Deutsche_Telekom_Root_CA_2.der | Bin 931 -> 0 bytes .../roots/DigiCertAssuredIDRootCA.crt | Bin 955 -> 0 bytes .../roots/DigiCertAssuredIDRootG2.der | Bin 922 -> 0 bytes .../roots/DigiCertAssuredIDRootG3.der | Bin 586 -> 0 bytes certificates/roots/DigiCertGlobalRootCA.crt | Bin 947 -> 0 bytes certificates/roots/DigiCertGlobalRootG2.der | Bin 914 -> 0 bytes certificates/roots/DigiCertGlobalRootG3.der | Bin 579 -> 0 bytes .../roots/DigiCertHighAssuranceEVRootCA.crt | Bin 969 -> 0 bytes certificates/roots/DigiCertTrustedRootG4.der | Bin 1428 -> 0 bytes certificates/roots/DoDCLASS3RootCA.cer | Bin 619 -> 0 bytes 
certificates/roots/DoDRootCA2.der | Bin 884 -> 0 bytes certificates/roots/E-Tugra.der | Bin 1615 -> 0 bytes certificates/roots/EBG_KOKSM.cer | Bin 1515 -> 0 bytes certificates/roots/ECARootCA.der | Bin 668 -> 0 bytes certificates/roots/EchoworxRootCA2.cer | Bin 1259 -> 0 bytes certificates/roots/EntrustEVRoot.crt | Bin 1173 -> 0 bytes certificates/roots/EntrustRoot-EC1.der | Bin 765 -> 0 bytes certificates/roots/EntrustRoot-G2.der | Bin 1090 -> 0 bytes .../roots/Equifax_Secure_Certificate_Auth | Bin 804 -> 0 bytes .../roots/Equifax_Secure_Global_eBusiness | Bin 660 -> 0 bytes .../roots/Equifax_Secure_eBusiness_CA-1.cer | Bin 646 -> 0 bytes certificates/roots/Estonia-Juur-SK.cer | Bin 1258 -> 0 bytes certificates/roots/FBCA-commonpolicy2.cer | Bin 933 -> 0 bytes certificates/roots/FederalCommonPolicyCA.cer | Bin 1124 -> 0 bytes .../roots/Firmaprofesional-CIF-A62634068.der | Bin 1560 -> 0 bytes certificates/roots/GD-Class2-root.crt | Bin 1028 -> 0 bytes certificates/roots/GTEGB18.cer | Bin 606 -> 0 bytes ...t Primary Certification Authority - G2.cer | Bin 690 -> 0 bytes ...t Primary Certification Authority - G3.cer | Bin 1026 -> 0 bytes certificates/roots/GeoTrust_Global_CA.cer | Bin 856 -> 0 bytes certificates/roots/GlobalSign-Root-R3.der | Bin 867 -> 0 bytes .../roots/GlobalSign-RootCA-2028exp.cer | Bin 889 -> 0 bytes certificates/roots/GlobalSignRoot-R4.cer | Bin 485 -> 0 bytes certificates/roots/GlobalSignRoot-R5.cer | Bin 546 -> 0 bytes certificates/roots/GlobalSignRootCA-R2.cer | Bin 958 -> 0 bytes .../GoDaddyRootCertificateAuthorityG2.der | Bin 969 -> 0 bytes .../roots/HKPost-smartid_rt.cacert.crt | Bin 820 -> 0 bytes certificates/roots/HaricaRootCA2011.der | Bin 1077 -> 0 bytes certificates/roots/ICA-20090901.der | Bin 1314 -> 0 bytes certificates/roots/IdenTrust_Root_X3.der | Bin 846 -> 0 bytes certificates/roots/IdenTrust_Root_X6.der | Bin 1037 -> 0 bytes certificates/roots/Izenpe-RAIZ2007.crt | Bin 1524 -> 0 bytes certificates/roots/Izenpe-ca_raiz2003.crt 
| Bin 1123 -> 0 bytes certificates/roots/Izenpe.com.cer | Bin 1525 -> 0 bytes .../roots/JapanMinistryIAC-ApplicationCA2.der | Bin 1019 -> 0 bytes certificates/roots/KIR-SZAFIR-Trusted.der | Bin 885 -> 0 bytes certificates/roots/KMD-CA-KPerson.crt | Bin 890 -> 0 bytes certificates/roots/KMD-CA-Server.crt | Bin 862 -> 0 bytes certificates/roots/MPHPT_CA.cer | Bin 952 -> 0 bytes .../roots/Microsec e-Szigno Root CA 2009.cer | Bin 1038 -> 0 bytes certificates/roots/NetLockAranyClassGoldF.cer | Bin 1049 -> 0 bytes certificates/roots/NetworkSolutionsEVRoot.crt | Bin 1002 -> 0 bytes certificates/roots/PCA1ss_v4.509 | Bin 577 -> 0 bytes certificates/roots/PCA2ss_v4.509 | Bin 576 -> 0 bytes certificates/roots/PCA3ss_v4.509 | Bin 576 -> 0 bytes certificates/roots/Poland-Certum-CTNCA.der | Bin 959 -> 0 bytes certificates/roots/ROOT-CHAMBERS.crt | Bin 1217 -> 0 bytes certificates/roots/ROOT-CHAMBERSIGN.crt | Bin 1225 -> 0 bytes certificates/roots/RSA_Root_CA.der | Bin 869 -> 0 bytes certificates/roots/SCRoot1ca.cer | Bin 862 -> 0 bytes certificates/roots/SECOM-EVRoot1ca.cer | Bin 897 -> 0 bytes certificates/roots/SECOM-RootCA2.cer | Bin 891 -> 0 bytes certificates/roots/SF-Class2-root.crt | Bin 1043 -> 0 bytes .../SKEE_Certification_Centre_Root_CA.crt | Bin 1031 -> 0 bytes certificates/roots/SoneraClass1.crt | Bin 804 -> 0 bytes certificates/roots/SoneraClass2.crt | Bin 804 -> 0 bytes .../Staat der Nederlanden EV Root CA.cer | Bin 1396 -> 0 bytes .../StarfieldRootCertificateAuthorityG2.der | Bin 993 -> 0 bytes ...ieldServicesRootCertificateAuthorityG2.der | Bin 1011 -> 0 bytes certificates/roots/StartCom May 2013 G2.der | Bin 1383 -> 0 bytes certificates/roots/SwissSign-Gold_G2.der | Bin 1470 -> 0 bytes certificates/roots/SwissSign-Platinum_G2.der | Bin 1477 -> 0 bytes certificates/roots/SwissSign-Silver_G2.der | Bin 1473 -> 0 bytes certificates/roots/Swisscom Root CA 2.cer | Bin 1501 -> 0 bytes certificates/roots/Swisscom Root EV CA 2.cer | Bin 1508 -> 0 bytes ...c Primary 
Certification Authority - G4.cer | Bin 684 -> 0 bytes ...c Primary Certification Authority - G6.cer | Bin 1018 -> 0 bytes ...c Primary Certification Authority - G4.cer | Bin 684 -> 0 bytes ...c Primary Certification Authority - G6.cer | Bin 1018 -> 0 bytes ...c Primary Certification Authority - G4.cer | Bin 683 -> 0 bytes ...c Primary Certification Authority - G6.cer | Bin 1530 -> 0 bytes .../roots/T-TeleSec GlobalRoot Class 2.cer | Bin 967 -> 0 bytes .../roots/T-TeleSec GlobalRoot Class 3.cer | Bin 967 -> 0 bytes certificates/roots/TDC_ocesca.cer | Bin 1309 -> 0 bytes certificates/roots/TDC_rootca.cer | Bin 1071 -> 0 bytes .../roots/TRUST2408 OCES Primary CA.cer | Bin 1568 -> 0 bytes certificates/roots/TWCARootCA-4096.der | Bin 1349 -> 0 bytes certificates/roots/Taiwan-GRCA2.der | Bin 1359 -> 0 bytes certificates/roots/TeliaSoneraRootCAv1.der | Bin 1340 -> 0 bytes .../roots/Thawte_Personal_Basic_CA.cer | Bin 820 -> 0 bytes .../roots/Thawte_Personal_Freemail_CA.cer | Bin 832 -> 0 bytes .../roots/Thawte_Personal_Premium_CA.cer | Bin 828 -> 0 bytes .../roots/Thawte_Premium_Server_CA.cer | Bin 826 -> 0 bytes certificates/roots/Thawte_Server_CA.cer | Bin 806 -> 0 bytes certificates/roots/Thawte_Timestamping_CA.cer | Bin 692 -> 0 bytes certificates/roots/TrustisFPSRootCA.der | Bin 875 -> 0 bytes certificates/roots/Trustwave-SGCA.der | Bin 960 -> 0 bytes certificates/roots/Trustwave-STCA.der | Bin 956 -> 0 bytes certificates/roots/TubitakSurum3.cer | Bin 1307 -> 0 bytes certificates/roots/UCAGlobalRoot.cer | Bin 1430 -> 0 bytes certificates/roots/UCARoot.cer | Bin 904 -> 0 bytes .../UTN-USERFirst-ClientAuthentication.der | Bin 1190 -> 0 bytes certificates/roots/UTN-USERFirst-Hardware.crt | Bin 1144 -> 0 bytes .../UTN-USERFirst-NetworkApplication.der | Bin 1128 -> 0 bytes certificates/roots/UTN-USERFirst-Object.crt | Bin 1130 -> 0 bytes certificates/roots/UTN_DATACorp_SGC.cer | Bin 1122 -> 0 bytes certificates/roots/Unizeto-CertumCA.cer | Bin 784 -> 0 bytes 
.../roots/VASLatvijasPasts-SSI-RCA.crt | Bin 1965 -> 0 bytes ...c Primary Certification Authority - G4.cer | Bin 904 -> 0 bytes ...Universal Root Certification Authority.cer | Bin 1213 -> 0 bytes .../roots/VeriSignC3PublicPrimaryCA-G5.cer | Bin 1239 -> 0 bytes .../roots/VerisignSHA1_1024_PCA1_G1.cer | Bin 576 -> 0 bytes .../roots/VerisignSHA1_1024_PCA2_G1.cer | Bin 576 -> 0 bytes .../roots/VerisignSHA1_1024_PCA3_G1.cer | Bin 576 -> 0 bytes .../Visa Information Delivery Root CA.cer | Bin 1021 -> 0 bytes certificates/roots/Visa eCommerce Root.cer | Bin 934 -> 0 bytes certificates/roots/WISeKey-owgrgaca.cer | Bin 1013 -> 0 bytes certificates/roots/WellsSecurePRCA.der | Bin 1217 -> 0 bytes certificates/roots/XGCA.crt | Bin 1076 -> 0 bytes certificates/roots/ac-racine.der | Bin 887 -> 0 bytes .../roots/ac_offline_raiz_certicamara.crt | Bin 1642 -> 0 bytes certificates/roots/belgiumrca.crt | Bin 920 -> 0 bytes certificates/roots/belgiumrca2.crt | Bin 914 -> 0 bytes certificates/roots/certSIGN ROOT CA.cer | Bin 828 -> 0 bytes certificates/roots/certplus_class2.der | Bin 918 -> 0 bytes certificates/roots/cisco-ca2048.der | Bin 839 -> 0 bytes certificates/roots/cnnicroot.cer | Bin 857 -> 0 bytes certificates/roots/disig-root-1.der | Bin 1043 -> 0 bytes certificates/roots/entrust2048.der | Bin 1070 -> 0 bytes certificates/roots/expressz.cer | Bin 1363 -> 0 bytes certificates/roots/geotrust-primary-ca.crt | Bin 896 -> 0 bytes certificates/roots/globalSignRoot.cer | Bin 889 -> 0 bytes certificates/roots/kisa-root-rsa-3280.der | Bin 887 -> 0 bytes certificates/roots/kisa-root-wrsa.der | Bin 1366 -> 0 bytes certificates/roots/kozjegyzoi.cer | Bin 1665 -> 0 bytes .../roots/netlockQA-01-minositett.cer | Bin 1749 -> 0 bytes certificates/roots/persfree.crt | Bin 817 -> 0 bytes certificates/roots/popFinnVrkrootc.der | Bin 1054 -> 0 bytes certificates/roots/qvrca.crt | Bin 1492 -> 0 bytes certificates/roots/qvrca2.crt | Bin 1467 -> 0 bytes certificates/roots/qvrca3.crt | Bin 1697 -> 0 
bytes certificates/roots/root_chambers-2008.der | Bin 1875 -> 0 bytes certificates/roots/root_chambersign-2008.der | Bin 1869 -> 0 bytes certificates/roots/serverbasic.crt | Bin 791 -> 0 bytes certificates/roots/serverpremium.crt | Bin 811 -> 0 bytes .../roots/staatDerNederlandenRootCA-G2.crt | Bin 1486 -> 0 bytes .../roots/staatdernederlandenrootca.cer | Bin 958 -> 0 bytes certificates/roots/startcom-sfsca.der | Bin 1997 -> 0 bytes certificates/roots/startcomSHA2.der | Bin 1931 -> 0 bytes certificates/roots/swisscom-sdcs-root.crt | Bin 1501 -> 0 bytes certificates/roots/swisssign.der | Bin 953 -> 0 bytes certificates/roots/tc_Universal_CA-I.cer | Bin 993 -> 0 bytes certificates/roots/tc_Universal_CA-II.cer | Bin 1507 -> 0 bytes certificates/roots/tc_class_2_ii.cer | Bin 1198 -> 0 bytes certificates/roots/tc_class_3_ii.cer | Bin 1198 -> 0 bytes certificates/roots/tc_class_4_ii.cer | Bin 954 -> 0 bytes .../roots/thawte Primary Root CA - G3.cer | Bin 1070 -> 0 bytes certificates/roots/thawte-primary-root-ca.crt | Bin 1060 -> 0 bytes .../roots/thawte_Primary_Root_CA_G2_ECC.cer | Bin 652 -> 0 bytes certificates/roots/trustCenter-root-5.der | Bin 997 -> 0 bytes certificates/roots/turktrust-root1.cer | Bin 1023 -> 0 bytes certificates/roots/turktrust-root2.cer | Bin 1088 -> 0 bytes certificates/roots/turktrust-root3.cer | Bin 1089 -> 0 bytes certificates/roots/twca-root-1.der | Bin 895 -> 0 bytes certificates/roots/uzleti.cer | Bin 1359 -> 0 bytes ckcdiagnose/ckcdiagnose.sh | 150 + evroots.h | 2370 ---- libsecurity_smime/Security | 1 - libsecurity_smime/Security/SecAsn1Item.c | 306 + libsecurity_smime/Security/SecAsn1Item.h | 117 + libsecurity_smime/Security/SecCmsBase.h | 469 + .../Security/SecCmsContentInfo.h | 209 + libsecurity_smime/Security/SecCmsDecoder.h | 140 + .../Security/SecCmsDigestContext.h | 79 + .../Security/SecCmsDigestedData.h | 77 + libsecurity_smime/Security/SecCmsEncoder.h | 134 + .../Security/SecCmsEncryptedData.h | 76 + 
.../Security/SecCmsEnvelopedData.h | 71 + libsecurity_smime/Security/SecCmsMessage.h | 154 + .../Security/SecCmsRecipientInfo.h | 75 + libsecurity_smime/Security/SecCmsSignedData.h | 192 + libsecurity_smime/Security/SecCmsSignerInfo.h | 197 + libsecurity_smime/Security/SecSMIME.h | 56 + libsecurity_smime/Security/SecSMIMEPriv.h | 173 + libsecurity_smime/Security/cert.c | 723 ++ libsecurity_smime/Security/cert.h | 125 + libsecurity_smime/Security/cmsarray.c | 227 + libsecurity_smime/Security/cmsasn1.c | 593 + libsecurity_smime/Security/cmsattr.c | 454 + libsecurity_smime/Security/cmscinfo.c | 394 + libsecurity_smime/Security/cmscipher.c | 1292 +++ libsecurity_smime/Security/cmsdecode.c | 728 ++ libsecurity_smime/Security/cmsdigdata.c | 237 + libsecurity_smime/Security/cmsdigest.c | 400 + libsecurity_smime/Security/cmsencdata.c | 299 + libsecurity_smime/Security/cmsencode.c | 768 ++ libsecurity_smime/Security/cmsenvdata.c | 456 + libsecurity_smime/Security/cmslocal.h | 338 + libsecurity_smime/Security/cmsmessage.c | 295 + libsecurity_smime/Security/cmspriv.h | 541 + libsecurity_smime/Security/cmspubkey.c | 575 + libsecurity_smime/Security/cmsrecinfo.c | 665 ++ libsecurity_smime/Security/cmsreclist.c | 242 + libsecurity_smime/Security/cmsreclist.h | 57 + libsecurity_smime/Security/cmssigdata.c | 1015 ++ libsecurity_smime/Security/cmssiginfo.c | 1252 +++ libsecurity_smime/Security/cmstpriv.h | 483 + libsecurity_smime/Security/cmsutil.c | 429 + libsecurity_smime/Security/crypto-embedded.c | 387 + libsecurity_smime/Security/cryptohi.c | 548 + libsecurity_smime/Security/cryptohi.h | 144 + libsecurity_smime/Security/plhash.c | 538 + libsecurity_smime/Security/plhash.h | 162 + libsecurity_smime/Security/secalgid.c | 170 + libsecurity_smime/Security/secoid.c | 1553 +++ libsecurity_smime/Security/secoid.h | 120 + libsecurity_smime/Security/secoidt.h | 61 + libsecurity_smime/Security/security_smime.exp | 114 + libsecurity_smime/Security/smimeutil.c | 815 ++ 
libsecurity_smime/Security/testcms | 43 + libsecurity_smime/lib/cert.c | 12 +- libsecurity_smime/lib/cmssigdata.c | 12 +- libsecurity_smime/lib/cmssiginfo.c | 14 +- libsecurity_smime/lib/crypto-embedded.c | 20 +- .../project.pbxproj | 22 +- libsecurity_smime/security_smime | 1 - .../security_smime/SecAsn1Item.c | 306 + .../security_smime/SecAsn1Item.h | 117 + libsecurity_smime/security_smime/SecCmsBase.h | 469 + .../security_smime/SecCmsContentInfo.h | 209 + .../security_smime/SecCmsDecoder.h | 140 + .../security_smime/SecCmsDigestContext.h | 79 + .../security_smime/SecCmsDigestedData.h | 77 + .../security_smime/SecCmsEncoder.h | 134 + .../security_smime/SecCmsEncryptedData.h | 76 + .../security_smime/SecCmsEnvelopedData.h | 71 + .../security_smime/SecCmsMessage.h | 154 + .../security_smime/SecCmsRecipientInfo.h | 75 + .../security_smime/SecCmsSignedData.h | 192 + .../security_smime/SecCmsSignerInfo.h | 197 + libsecurity_smime/security_smime/SecSMIME.h | 56 + .../security_smime/SecSMIMEPriv.h | 173 + libsecurity_smime/security_smime/cert.c | 723 ++ libsecurity_smime/security_smime/cert.h | 125 + libsecurity_smime/security_smime/cmsarray.c | 227 + libsecurity_smime/security_smime/cmsasn1.c | 593 + libsecurity_smime/security_smime/cmsattr.c | 454 + libsecurity_smime/security_smime/cmscinfo.c | 394 + libsecurity_smime/security_smime/cmscipher.c | 1292 +++ libsecurity_smime/security_smime/cmsdecode.c | 728 ++ libsecurity_smime/security_smime/cmsdigdata.c | 237 + libsecurity_smime/security_smime/cmsdigest.c | 400 + libsecurity_smime/security_smime/cmsencdata.c | 299 + libsecurity_smime/security_smime/cmsencode.c | 768 ++ libsecurity_smime/security_smime/cmsenvdata.c | 456 + libsecurity_smime/security_smime/cmslocal.h | 338 + libsecurity_smime/security_smime/cmsmessage.c | 295 + libsecurity_smime/security_smime/cmspriv.h | 541 + libsecurity_smime/security_smime/cmspubkey.c | 575 + libsecurity_smime/security_smime/cmsrecinfo.c | 665 ++ 
libsecurity_smime/security_smime/cmsreclist.c | 242 + libsecurity_smime/security_smime/cmsreclist.h | 57 + libsecurity_smime/security_smime/cmssigdata.c | 1015 ++ libsecurity_smime/security_smime/cmssiginfo.c | 1252 +++ libsecurity_smime/security_smime/cmstpriv.h | 483 + libsecurity_smime/security_smime/cmsutil.c | 429 + .../security_smime/crypto-embedded.c | 387 + libsecurity_smime/security_smime/cryptohi.c | 548 + libsecurity_smime/security_smime/cryptohi.h | 144 + libsecurity_smime/security_smime/plhash.c | 538 + libsecurity_smime/security_smime/plhash.h | 162 + libsecurity_smime/security_smime/secalgid.c | 170 + libsecurity_smime/security_smime/secoid.c | 1553 +++ libsecurity_smime/security_smime/secoid.h | 120 + libsecurity_smime/security_smime/secoidt.h | 61 + .../security_smime/security_smime.exp | 114 + libsecurity_smime/security_smime/smimeutil.c | 815 ++ libsecurity_smime/security_smime/testcms | 43 + resources/AppleESCertificates.plist | Bin 2086 -> 0 bytes resources/AssetVersion.plist | 8 - resources/Blocked.plist | Bin 435 -> 0 bytes resources/EVRoots.plist | Bin 3448 -> 0 bytes resources/English.lproj/CloudKeychain.strings | Bin 6498 -> 12608 bytes .../SharedWebCredentials.strings | Bin 4982 -> 4910 bytes resources/GrayListedKeys.plist | Bin 381 -> 0 bytes resources/TrustedLogs.plist | 24 + resources/certsIndex.data | Bin 5352 -> 0 bytes resources/certsTable.data | Bin 242192 -> 0 bytes secacltests/main.c | 24 + secacltests/sec_acl_stress.c | 344 + secacltests/secacltests-entitlements.plist | 20 + secacltests/testlist.h | 4 + secdtests/secdtests-entitlements.plist | 2 + sectask/SecTask.c | 13 +- sectask/SecTask.h | 2 +- securityd/etc/CodeEquivalenceCandidates | 74 - securityd/etc/com.apple.securityd.plist | 2 + securityd/etc/startup.mk | 4 - .../Info-security_agent_client.plist | 5 - .../Info-security_agent_server.plist | 5 - .../libsecurity_agent/lib/agentclient.cpp | 597 - securityd/libsecurity_agent/lib/agentclient.h | 220 - 
securityd/libsecurity_agent/lib/sa_types.h | 70 - .../libsecurity_agent/lib/secagent_types.h | 53 - securityd/libsecurity_agent/lib/utils.c | 26 - securityd/libsecurity_agent/lib/utils.h | 26 - .../project.pbxproj | 513 - securityd/libsecurity_agent/mig/mig.mk | 39 - securityd/libsecurity_agent/mig/sa_reply.defs | 54 - .../libsecurity_agent/mig/sa_request.defs | 70 - .../libsecurity_agent/security_agent_client | 1 - securityd/security_agent_client | 1 - securityd/security_agent_server | 1 - securityd/securityd.xcodeproj/project.pbxproj | 66 +- .../contents.xcworkspacedata | 7 - .../project.pbxproj | 5 + .../securityd_service/main.c | 97 +- .../securityd_service/securityd_service.h | 1 + .../securityd_service_client.c | 8 +- .../securityd_service_client.h | 1 + securityd/src/AuthorizationMechEval.cpp | 252 +- securityd/src/AuthorizationMechEval.h | 2 +- securityd/src/AuthorizationRule.cpp | 959 +- securityd/src/AuthorizationRule.h | 1 + securityd/src/acl_keychain.cpp | 1 + securityd/src/acl_keychain.h | 1 - securityd/src/agentclient.h | 50 + securityd/src/agentquery.cpp | 623 +- securityd/src/agentquery.h | 69 +- securityd/src/authhost.cpp | 122 +- securityd/src/authhost.h | 4 +- securityd/src/codesigdb.cpp | 351 +- securityd/src/codesigdb.h | 5 +- securityd/src/database.cpp | 1 - securityd/src/database.h | 1 - securityd/src/kcdatabase.cpp | 115 +- securityd/src/kcdatabase.h | 3 +- securityd/src/localdatabase.cpp | 1 - securityd/src/main.cpp | 14 +- securityd/src/pcscmonitor.cpp | 23 +- securityd/src/pcscmonitor.h | 2 + securityd/src/process.h | 1 - securityd/src/securityd.order | 34 - securityd/src/server.h | 3 - securityd/src/session.cpp | 7 +- securityd/src/transition.cpp | 32 +- sslViewer/SSLViewer.c | 1690 +++ sslViewer/SSLViewer.cpp | 1627 --- sslViewer/sslAppUtils.cpp | 325 +- sslViewer/sslServer.cpp | 26 - 5531 files changed, 731938 insertions(+), 216319 deletions(-) delete mode 100644 CircleJoinRequested/PersistantState.h delete mode 100644 
CircleJoinRequested/PersistantState.m create mode 100644 CircleJoinRequested/PersistentState.h create mode 100644 CircleJoinRequested/PersistentState.m create mode 100644 Forwarding Headers/SOSCloudCircle.h create mode 100644 Forwarding Headers/SOSPeerInfo.h create mode 100644 IDSKeychainSyncingProxy/IDSKeychainSyncingProxy-Info.plist create mode 100644 IDSKeychainSyncingProxy/com.apple.private.alloy.keychainsync.plist create mode 100644 IDSKeychainSyncingProxy/com.apple.security.idskeychainsyncingproxy.plist create mode 100644 IDSKeychainSyncingProxy/idksmain.m create mode 100644 IDSKeychainSyncingProxy/idskeychainsyncingproxy.entitlements.plist create mode 100644 ISACLProtectedItems/ISProtectedItems.plist create mode 100644 ISACLProtectedItems/ISProtectedItemsController.h create mode 100644 ISACLProtectedItems/ISProtectedItemsController.m create mode 100644 ISACLProtectedItems/Info.plist create mode 100755 ISACLProtectedItems/KeychainItemsAclTest.sh rename {Security => OSX}/APPLE_LICENSE (100%) rename {Security => OSX}/Breadcrumb/README (100%) rename {Security => OSX}/Breadcrumb/SecBreadcrumb.c (82%) rename {Security => OSX}/Breadcrumb/SecBreadcrumb.h (100%) rename {Security => OSX}/Breadcrumb/bc-10-knife-on-bread.c (100%) rename {Security => OSX}/Breadcrumb/breadcrumb_regressions.h (100%) rename {Security => OSX}/CloudKeychainProxy/CloudKeychainProxy-Info.plist (100%) rename {Security => OSX}/CloudKeychainProxy/cloudkeychain.entitlements.plist (100%) rename {Security => OSX}/CloudKeychainProxy/com.apple.security.cloudkeychainproxy.plist (98%) rename {Security => OSX}/CloudKeychainProxy/en.lproj/InfoPlist.strings (100%) create mode 100644 OSX/IDSKeychainSyncingProxy/IDSKeychainSyncingProxy-Info.plist create mode 100644 OSX/IDSKeychainSyncingProxy/com.apple.private.alloy.keychainsync.plist create mode 100644 OSX/IDSKeychainSyncingProxy/com.apple.security.idskeychainsyncingproxy.plist rename {Security/Keychain Circle Notification => 
OSX/IDSKeychainSyncingProxy}/en.lproj/InfoPlist.strings (100%) create mode 100644 OSX/IDSKeychainSyncingProxy/idskeychainsyncingproxy.entitlements.plist create mode 100644 OSX/Keychain Circle Notification/Base.lproj/MainMenu.xib rename {Security => OSX}/Keychain Circle Notification/KNAppDelegate.h (94%) create mode 100644 OSX/Keychain Circle Notification/KNAppDelegate.m create mode 100644 OSX/Keychain Circle Notification/KNPersistentState.h create mode 100644 OSX/Keychain Circle Notification/KNPersistentState.m rename {Security => OSX}/Keychain Circle Notification/Keychain Circle Notification-Info.plist (100%) rename {Security => OSX}/Keychain Circle Notification/Keychain Circle Notification-Prefix.pch (100%) rename {Security => OSX}/Keychain Circle Notification/NSArray+mapWithBlock.h (100%) rename {Security => OSX}/Keychain Circle Notification/NSArray+mapWithBlock.m (100%) rename {Security => OSX}/Keychain Circle Notification/NSDictionary+compactDescription.h (100%) rename {Security => OSX}/Keychain Circle Notification/NSDictionary+compactDescription.m (100%) rename {Security => OSX}/Keychain Circle Notification/NSSet+compactDescription.h (100%) rename {Security => OSX}/Keychain Circle Notification/NSSet+compactDescription.m (100%) rename {Security => OSX}/Keychain Circle Notification/NSString+compactDescription.h (100%) rename {Security => OSX}/Keychain Circle Notification/NSString+compactDescription.m (100%) rename {Security => OSX}/Keychain Circle Notification/com.apple.security.keychain-circle-notification.plist (94%) rename {Security/Keychain => OSX/Keychain Circle Notification}/en.lproj/InfoPlist.strings (100%) create mode 100644 OSX/Keychain Circle Notification/en.lproj/Localizable.strings rename {Security => OSX}/Keychain Circle Notification/entitlments.plist (100%) rename {Security => OSX}/Keychain Circle Notification/main.m (100%) create mode 100644 OSX/Keychain/Base.lproj/MainMenu.xib rename {Security => OSX}/Keychain/Icon.icns (100%) rename {Security 
=> OSX}/Keychain/KDAppDelegate.h (100%) rename {Security => OSX}/Keychain/KDAppDelegate.m (100%) rename {Security => OSX}/Keychain/KDCirclePeer.h (100%) rename {Security => OSX}/Keychain/KDCirclePeer.m (100%) rename {Security => OSX}/Keychain/KDSecCircle.h (100%) rename {Security => OSX}/Keychain/KDSecCircle.m (91%) rename {Security => OSX}/Keychain/KDSecItems.h (100%) rename {Security => OSX}/Keychain/KDSecItems.m (100%) rename {Security => OSX}/Keychain/Keychain-Info.plist (100%) rename {Security => OSX}/Keychain/Keychain-Prefix.pch (100%) rename {Security/Keychain Circle Notification => OSX/Keychain}/en.lproj/Credits.rtf (100%) rename {Security/authd => OSX/Keychain}/en.lproj/InfoPlist.strings (100%) rename {Security => OSX}/Keychain/main.m (100%) create mode 100644 OSX/OSX.xcodeproj/project.pbxproj rename {Security.xcodeproj => OSX/OSX.xcodeproj}/project.xcworkspace/xcshareddata/WorkspaceSettings.xcsettings (100%) create mode 100644 OSX/OSX.xcodeproj/xcshareddata/xcschemes/World.xcscheme create mode 100644 OSX/OSX.xcodeproj/xcshareddata/xcschemes/copyHeaders.xcscheme create mode 100644 OSX/OSX.xcodeproj/xcshareddata/xcschemes/secdtests.xcscheme create mode 100644 OSX/OSX.xcodeproj/xcshareddata/xcschemes/sectests.xcscheme rename {Security => OSX}/README (100%) rename {Security => OSX}/asl/com.apple.securityd (91%) create mode 100644 OSX/authd/Info.plist rename {Security => OSX}/authd/agent.c (83%) rename {Security => OSX}/authd/agent.h (99%) rename {Security => OSX}/authd/authd_private.h (93%) rename {Security => OSX}/authd/authdb.c (100%) rename {Security => OSX}/authd/authdb.h (100%) rename {Security => OSX}/authd/authitems.c (99%) rename {Security => OSX}/authd/authitems.h (98%) rename {Security => OSX}/authd/authorization.plist (98%) rename {Security => OSX}/authd/authtoken.c (99%) rename {Security => OSX}/authd/authtoken.h (100%) rename {Security => OSX}/authd/authtypes.h (100%) rename {Security => OSX}/authd/authutilities.c (100%) rename {Security => 
OSX}/authd/authutilities.h (100%) rename {Security => OSX}/authd/ccaudit.c (100%) rename {Security => OSX}/authd/ccaudit.h (100%) rename {Security => OSX}/authd/com.apple.authd (100%) rename {Security => OSX}/authd/com.apple.authd.sb (79%) rename {Security => OSX}/authd/connection.c (98%) rename {Security => OSX}/authd/connection.h (94%) rename {Security => OSX}/authd/crc.c (100%) rename {Security => OSX}/authd/crc.h (100%) rename {Security => OSX}/authd/credential.c (99%) rename {Security => OSX}/authd/credential.h (100%) rename {Security => OSX}/authd/debugging.c (100%) rename {Security => OSX}/authd/debugging.h (100%) rename {Security/sec/SOSCircle/CloudKeychainProxy => OSX/authd}/en.lproj/InfoPlist.strings (100%) rename {Security => OSX}/authd/engine.c (96%) rename {Security => OSX}/authd/engine.h (95%) create mode 100644 OSX/authd/main.c rename {Security => OSX}/authd/mechanism.c (99%) rename {Security => OSX}/authd/mechanism.h (100%) rename {Security => OSX}/authd/object.c (100%) rename {Security => OSX}/authd/object.h (100%) rename {Security => OSX}/authd/process.c (98%) rename {Security => OSX}/authd/process.h (100%) rename {Security => OSX}/authd/rule.c (99%) rename {Security => OSX}/authd/rule.h (100%) rename {Security => OSX}/authd/security.auth-Prefix.pch (100%) create mode 100644 OSX/authd/server.c rename {Security => OSX}/authd/server.h (100%) rename {Security => OSX}/authd/session.c (100%) rename {Security => OSX}/authd/session.h (100%) rename {Security => OSX}/cloud_keychain_diagnose/cloud_keychain_diagnose-Prefix.pch (100%) create mode 100755 OSX/codesign_tests/CaspianTests/CaspianTests create mode 100755 OSX/codesign_tests/CaspianTests/LocalCaspianTestRun.sh rename {Security => OSX}/codesign_tests/FatDynamicValidation.c (100%) create mode 100644 OSX/codesign_tests/SecTask-Entitlements.plist create mode 100644 OSX/codesign_tests/main.c create mode 100755 OSX/codesign_tests/teamid.sh rename {Security => OSX}/codesign_tests/validation.sh (82%) create 
mode 100644 OSX/config/base.xcconfig create mode 100644 OSX/config/command.xcconfig rename {Security => OSX}/config/debug.xcconfig (100%) create mode 100644 OSX/config/executable.xcconfig create mode 100644 OSX/config/lib.xcconfig rename {Security => OSX}/config/release.xcconfig (100%) rename {Security => OSX}/config/security.xcconfig (94%) rename {Security => OSX}/config/test.xcconfig (100%) rename {Security => OSX}/doc/ACLsInCDSA.cwk (100%) rename {Security => OSX}/doc/APIStrategy.cwk (100%) rename {Security => OSX}/doc/AccessControlArchitecture.cwk (100%) rename {Security => OSX}/doc/AppleCL_Spec.doc (100%) rename {Security => OSX}/doc/AppleCSP.doc (100%) rename {Security => OSX}/doc/AppleTP_Spec.doc (100%) rename {Security => OSX}/doc/Apple_OID_Assignments.rtf (100%) rename {Security => OSX}/doc/ArchitectureOverview.cwk (100%) rename {Security => OSX}/doc/C++Utilities.cwk (100%) rename {Security => OSX}/doc/DebuggingAids.cwk (100%) rename {Security => OSX}/doc/HowToWriteA_CSP.cwk (100%) rename {Security => OSX}/doc/HowToWriteA_Plugin.cwk (100%) rename {Security => OSX}/doc/SecuritySupport.doc (100%) rename {Security => OSX}/doc/Supported_CSP_Algorithms.doc (100%) rename {Security => OSX}/doc/cwk_styles (100%) create mode 100644 OSX/gk_reset_check/gk_reset_check.c create mode 100644 OSX/include/security_asn1/SecAsn1Coder.c create mode 100644 OSX/include/security_asn1/SecAsn1Coder.h rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/SecAsn1Templates.c (100%) create mode 100644 OSX/include/security_asn1/SecAsn1Templates.h create mode 100644 OSX/include/security_asn1/SecAsn1Types.h rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/SecNssCoder.cpp (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/SecNssCoder.h (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/X509Templates.c (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/X509Templates.h (100%) rename 
{Security/libsecurity_asn1/lib => OSX/include/security_asn1}/asn1Templates.h (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/certExtensionTemplates.c (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/certExtensionTemplates.h (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/csrTemplates.c (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/csrTemplates.h (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/keyTemplates.c (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/keyTemplates.h (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/nameTemplates.c (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/nameTemplates.h (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/nsprPortX.c (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/nssUtils.c (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/nssUtils.h (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/nssilckt.h (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/nssilock.h (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/nsslocks.h (100%) create mode 100644 OSX/include/security_asn1/ocspTemplates.c rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/ocspTemplates.h (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/oidsalg.c (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/oidsalg.h (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/oidsattr.c (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/oidsattr.h (100%) create mode 100644 OSX/include/security_asn1/oidsbase.h create mode 100644 OSX/include/security_asn1/oidsocsp.c create mode 100644 
OSX/include/security_asn1/oidsocsp.h rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/osKeyTemplates.c (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/osKeyTemplates.h (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/pkcs12Templates.c (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/pkcs12Templates.h (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/pkcs7Templates.c (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/pkcs7Templates.h (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/plarena.c (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/plarena.h (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/plarenas.h (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/plstr.h (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/prbit.h (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/prcpucfg.h (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/prcvar.h (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/prenv.h (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/prerr.h (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/prerror.h (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/prinit.h (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/prinrval.h (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/prlock.h (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/prlog.h (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/prlong.h (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/prmem.h (100%) rename {Security/libsecurity_asn1/lib => 
OSX/include/security_asn1}/prmon.h (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/protypes.h (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/prthread.h (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/prtime.h (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/prtypes.h (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/prvrsion.h (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/secErrorStr.c (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/secasn1.h (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/secasn1d.c (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/secasn1e.c (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/secasn1t.h (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/secasn1u.c (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/seccomon.h (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/secerr.h (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/secport.c (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/secport.h (100%) rename {Security/libsecurity_asn1/lib => OSX/include/security_asn1}/security_asn1.exp (100%) rename {Security/libsecurity_cdsa_client/lib => OSX/include/security_cdsa_client}/DLDBList.cpp (100%) rename {Security/libsecurity_cdsa_client/lib => OSX/include/security_cdsa_client}/DLDBList.h (100%) rename {Security/libsecurity_cdsa_client/lib => OSX/include/security_cdsa_client}/aclclient.cpp (100%) rename {Security/libsecurity_cdsa_client/lib => OSX/include/security_cdsa_client}/aclclient.h (100%) rename {Security/libsecurity_cdsa_client/lib => OSX/include/security_cdsa_client}/clclient.cpp (100%) rename {Security/libsecurity_cdsa_client/lib => 
OSX/include/security_cdsa_client}/clclient.h (100%) rename {Security/libsecurity_cdsa_client/lib => OSX/include/security_cdsa_client}/cryptoclient.cpp (100%) rename {Security/libsecurity_cdsa_client/lib => OSX/include/security_cdsa_client}/cryptoclient.h (100%) rename {Security/libsecurity_cdsa_client/lib => OSX/include/security_cdsa_client}/cspclient.cpp (100%) rename {Security/libsecurity_cdsa_client/lib => OSX/include/security_cdsa_client}/cspclient.h (100%) rename {Security/libsecurity_cdsa_client/lib => OSX/include/security_cdsa_client}/cssmclient.cpp (100%) rename {Security/libsecurity_cdsa_client/lib => OSX/include/security_cdsa_client}/cssmclient.h (100%) rename {Security/libsecurity_cdsa_client/lib => OSX/include/security_cdsa_client}/dl_standard.cpp (100%) rename {Security/libsecurity_cdsa_client/lib => OSX/include/security_cdsa_client}/dl_standard.h (100%) rename {Security/libsecurity_cdsa_client/lib => OSX/include/security_cdsa_client}/dlclient.cpp (100%) rename {Security/libsecurity_cdsa_client/lib => OSX/include/security_cdsa_client}/dlclient.h (100%) rename {Security/libsecurity_cdsa_client/lib => OSX/include/security_cdsa_client}/dlclientpriv.cpp (100%) rename {Security/libsecurity_cdsa_client/lib => OSX/include/security_cdsa_client}/dliterators.cpp (100%) rename {Security/libsecurity_cdsa_client/lib => OSX/include/security_cdsa_client}/dliterators.h (100%) rename {Security/libsecurity_cdsa_client/lib => OSX/include/security_cdsa_client}/dlquery.cpp (100%) rename {Security/libsecurity_cdsa_client/lib => OSX/include/security_cdsa_client}/dlquery.h (100%) rename {Security/libsecurity_cdsa_client/lib => OSX/include/security_cdsa_client}/genkey.cpp (100%) rename {Security/libsecurity_cdsa_client/lib => OSX/include/security_cdsa_client}/genkey.h (100%) rename {Security/libsecurity_cdsa_client/lib => OSX/include/security_cdsa_client}/keychainacl.cpp (100%) rename {Security/libsecurity_cdsa_client/lib => OSX/include/security_cdsa_client}/keychainacl.h 
(100%) rename {Security/libsecurity_cdsa_client/lib => OSX/include/security_cdsa_client}/keyclient.cpp (100%) rename {Security/libsecurity_cdsa_client/lib => OSX/include/security_cdsa_client}/keyclient.h (100%) rename {Security/libsecurity_cdsa_client/lib => OSX/include/security_cdsa_client}/macclient.cpp (100%) rename {Security/libsecurity_cdsa_client/lib => OSX/include/security_cdsa_client}/macclient.h (100%) rename {Security/libsecurity_cdsa_client/lib => OSX/include/security_cdsa_client}/mds_standard.cpp (100%) rename {Security/libsecurity_cdsa_client/lib => OSX/include/security_cdsa_client}/mds_standard.h (100%) rename {Security/libsecurity_cdsa_client/lib => OSX/include/security_cdsa_client}/mdsclient.cpp (100%) rename {Security/libsecurity_cdsa_client/lib => OSX/include/security_cdsa_client}/mdsclient.h (100%) rename {Security/libsecurity_cdsa_client/lib => OSX/include/security_cdsa_client}/multidldb.cpp (100%) rename {Security/libsecurity_cdsa_client/lib => OSX/include/security_cdsa_client}/multidldb.h (100%) rename {Security/libsecurity_cdsa_client/lib => OSX/include/security_cdsa_client}/securestorage.cpp (100%) rename {Security/libsecurity_cdsa_client/lib => OSX/include/security_cdsa_client}/securestorage.h (100%) rename {Security/libsecurity_cdsa_client/lib => OSX/include/security_cdsa_client}/signclient.cpp (100%) rename {Security/libsecurity_cdsa_client/lib => OSX/include/security_cdsa_client}/signclient.h (100%) rename {Security/libsecurity_cdsa_client/lib => OSX/include/security_cdsa_client}/tpclient.cpp (100%) rename {Security/libsecurity_cdsa_client/lib => OSX/include/security_cdsa_client}/tpclient.h (100%) rename {Security/libsecurity_cdsa_client/lib => OSX/include/security_cdsa_client}/wrapkey.cpp (100%) rename {Security/libsecurity_cdsa_client/lib => OSX/include/security_cdsa_client}/wrapkey.h (100%) rename {Security/libsecurity_cdsa_plugin/lib => OSX/include/security_cdsa_plugin}/ACsession.h (100%) rename {Security/libsecurity_cdsa_plugin/lib 
=> OSX/include/security_cdsa_plugin}/CLsession.h (100%) rename {Security/libsecurity_cdsa_plugin/lib => OSX/include/security_cdsa_plugin}/CSPsession.cpp (100%) rename {Security/libsecurity_cdsa_plugin/lib => OSX/include/security_cdsa_plugin}/CSPsession.h (100%) rename {Security/libsecurity_cdsa_plugin/lib => OSX/include/security_cdsa_plugin}/DLsession.cpp (100%) rename {Security/libsecurity_cdsa_plugin/lib => OSX/include/security_cdsa_plugin}/DLsession.h (100%) rename {Security/libsecurity_cdsa_plugin/lib => OSX/include/security_cdsa_plugin}/Database.cpp (100%) rename {Security/libsecurity_cdsa_plugin/lib => OSX/include/security_cdsa_plugin}/Database.h (100%) rename {Security/libsecurity_cdsa_plugin/lib => OSX/include/security_cdsa_plugin}/DatabaseSession.cpp (100%) rename {Security/libsecurity_cdsa_plugin/lib => OSX/include/security_cdsa_plugin}/DatabaseSession.h (100%) rename {Security/libsecurity_cdsa_plugin/lib => OSX/include/security_cdsa_plugin}/DbContext.cpp (100%) rename {Security/libsecurity_cdsa_plugin/lib => OSX/include/security_cdsa_plugin}/DbContext.h (100%) rename {Security/libsecurity_cdsa_plugin/lib => OSX/include/security_cdsa_plugin}/TPsession.h (100%) rename {Security/libsecurity_cdsa_plugin/lib => OSX/include/security_cdsa_plugin}/c++plugin.h (100%) rename {Security/libsecurity_cdsa_plugin/lib => OSX/include/security_cdsa_plugin}/csputilities.cpp (100%) rename {Security/libsecurity_cdsa_plugin/lib => OSX/include/security_cdsa_plugin}/cssmplugin.cpp (100%) create mode 100644 OSX/include/security_cdsa_plugin/cssmplugin.h rename {Security/libsecurity_cdsa_plugin/lib => OSX/include/security_cdsa_plugin}/generator.cfg (100%) rename {Security/libsecurity_cdsa_plugin/lib => OSX/include/security_cdsa_plugin}/generator.mk (100%) rename {Security/libsecurity_cdsa_plugin/lib => OSX/include/security_cdsa_plugin}/generator.pl (100%) rename {Security/libsecurity_cdsa_plugin/lib => OSX/include/security_cdsa_plugin}/pluginsession.cpp (100%) rename 
{Security/libsecurity_cdsa_plugin/lib => OSX/include/security_cdsa_plugin}/pluginsession.h (100%) rename {Security/libsecurity_cdsa_plugin/lib => OSX/include/security_cdsa_plugin}/pluginspi.h (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/AuthorizationData.cpp (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/AuthorizationData.h (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/AuthorizationWalkers.h (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/KeySchema.h (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/KeySchema.m4 (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/Schema.h (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/Schema.m4 (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/acl_any.cpp (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/acl_any.h (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/acl_codesigning.cpp (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/acl_codesigning.h (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/acl_comment.cpp (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/acl_comment.h (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/acl_password.cpp (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/acl_password.h (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/acl_preauth.cpp (100%) rename 
{Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/acl_preauth.h (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/acl_process.cpp (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/acl_process.h (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/acl_prompted.cpp (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/acl_prompted.h (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/acl_protectedpw.cpp (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/acl_protectedpw.h (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/acl_secret.cpp (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/acl_secret.h (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/acl_threshold.cpp (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/acl_threshold.h (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/aclsubject.cpp (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/aclsubject.h (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/callback.cpp (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/callback.h (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/constdata.cpp (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/constdata.h (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/context.cpp (100%) rename 
{Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/context.h (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/cssmacl.cpp (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/cssmacl.h (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/cssmaclpod.cpp (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/cssmaclpod.h (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/cssmalloc.cpp (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/cssmalloc.h (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/cssmbridge.h (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/cssmcert.cpp (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/cssmcert.h (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/cssmcred.cpp (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/cssmcred.h (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/cssmdata.cpp (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/cssmdata.h (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/cssmdates.cpp (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/cssmdates.h (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/cssmdb.cpp (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/cssmdb.h (100%) rename {Security/libsecurity_cdsa_utilities/lib => 
OSX/include/security_cdsa_utilities}/cssmdbname.cpp (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/cssmdbname.h (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/cssmendian.cpp (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/cssmendian.h (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/cssmerrors.cpp (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/cssmerrors.h (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/cssmkey.cpp (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/cssmkey.h (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/cssmlist.cpp (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/cssmlist.h (100%) create mode 100644 OSX/include/security_cdsa_utilities/cssmpods.cpp rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/cssmpods.h (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/cssmtrust.cpp (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/cssmtrust.h (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/cssmwalkers.cpp (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/cssmwalkers.h (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/db++.cpp (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/db++.h (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/digestobject.h (100%) rename 
{Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/generator.mk (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/generator.pl (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/handleobject.cpp (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/handleobject.h (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/handletemplates.cpp (100%) create mode 100644 OSX/include/security_cdsa_utilities/handletemplates.h rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/handletemplates_defs.h (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/objectacl.cpp (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/objectacl.h (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/osxverifier.cpp (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/osxverifier.h (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/u32handleobject.cpp (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/u32handleobject.h (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/uniformrandom.cpp (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/uniformrandom.h (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/walkers.cpp (100%) rename {Security/libsecurity_cdsa_utilities/lib => OSX/include/security_cdsa_utilities}/walkers.h (100%) rename {Security/libsecurity_cdsa_utils/lib => OSX/include/security_cdsa_utils}/cuCdsaUtils.cpp (100%) rename {Security/libsecurity_cdsa_utils/lib => 
OSX/include/security_cdsa_utils}/cuCdsaUtils.h (100%) rename {Security/libsecurity_cdsa_utils/lib => OSX/include/security_cdsa_utils}/cuDbUtils.cpp (100%) rename {Security/libsecurity_cdsa_utils/lib => OSX/include/security_cdsa_utils}/cuDbUtils.h (100%) rename {Security/libsecurity_cdsa_utils/lib => OSX/include/security_cdsa_utils}/cuEnc64.c (100%) rename {Security/libsecurity_cdsa_utils/lib => OSX/include/security_cdsa_utils}/cuEnc64.h (100%) rename {Security/libsecurity_cdsa_utils/lib => OSX/include/security_cdsa_utils}/cuFileIo.c (100%) rename {Security/libsecurity_cdsa_utils/lib => OSX/include/security_cdsa_utils}/cuFileIo.h (100%) rename {Security/libsecurity_cdsa_utils/lib => OSX/include/security_cdsa_utils}/cuOidParser.cpp (100%) rename {Security/libsecurity_cdsa_utils/lib => OSX/include/security_cdsa_utils}/cuOidParser.h (100%) rename {Security/libsecurity_cdsa_utils/lib => OSX/include/security_cdsa_utils}/cuPem.cpp (100%) rename {Security/libsecurity_cdsa_utils/lib => OSX/include/security_cdsa_utils}/cuPem.h (100%) rename {Security/libsecurity_cdsa_utils/lib => OSX/include/security_cdsa_utils}/cuPrintCert.cpp (100%) rename {Security/libsecurity_cdsa_utils/lib => OSX/include/security_cdsa_utils}/cuPrintCert.h (100%) rename {Security/libsecurity_cdsa_utils/lib => OSX/include/security_cdsa_utils}/cuTimeStr.cpp (100%) rename {Security/libsecurity_cdsa_utils/lib => OSX/include/security_cdsa_utils}/cuTimeStr.h (100%) create mode 100644 OSX/include/security_codesigning/CSCommon.h create mode 100644 OSX/include/security_codesigning/CSCommonPriv.h rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/Code.cpp (100%) rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/Code.h (100%) create mode 100644 OSX/include/security_codesigning/CodeSigner.cpp create mode 100644 OSX/include/security_codesigning/CodeSigner.h rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/CodeSigning.h 
(100%) create mode 100644 OSX/include/security_codesigning/RequirementKeywords.h create mode 100644 OSX/include/security_codesigning/RequirementLexer.cpp create mode 100644 OSX/include/security_codesigning/RequirementLexer.hpp create mode 100644 OSX/include/security_codesigning/RequirementParser.cpp create mode 100644 OSX/include/security_codesigning/RequirementParser.hpp create mode 100644 OSX/include/security_codesigning/RequirementParserTokenTypes.hpp create mode 100644 OSX/include/security_codesigning/RequirementParserTokenTypes.txt rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/Requirements.cpp (100%) rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/Requirements.h (100%) create mode 100644 OSX/include/security_codesigning/SecAssessment.cpp create mode 100644 OSX/include/security_codesigning/SecAssessment.h create mode 100644 OSX/include/security_codesigning/SecCode.cpp create mode 100644 OSX/include/security_codesigning/SecCode.h rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/SecCodeHost.cpp (100%) create mode 100644 OSX/include/security_codesigning/SecCodeHost.h rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/SecCodeHostLib.c (100%) rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/SecCodeHostLib.h (100%) rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/SecCodePriv.h (100%) create mode 100644 OSX/include/security_codesigning/SecCodeSigner.cpp create mode 100644 OSX/include/security_codesigning/SecCodeSigner.h rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/SecIntegrity.cpp (100%) rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/SecIntegrity.h (100%) rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/SecIntegrityLib.c (100%) rename 
{Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/SecIntegrityLib.h (100%) rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/SecRequirement.cpp (100%) create mode 100644 OSX/include/security_codesigning/SecRequirement.h rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/SecRequirementPriv.h (100%) create mode 100644 OSX/include/security_codesigning/SecStaticCode.cpp create mode 100644 OSX/include/security_codesigning/SecStaticCode.h rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/SecStaticCodePriv.h (100%) create mode 100644 OSX/include/security_codesigning/SecTask.c create mode 100644 OSX/include/security_codesigning/SecTask.h rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/SecTaskPriv.h (100%) create mode 100644 OSX/include/security_codesigning/StaticCode.cpp create mode 100644 OSX/include/security_codesigning/StaticCode.h rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/antlrplugin.cpp (100%) rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/antlrplugin.h (100%) create mode 100644 OSX/include/security_codesigning/bundlediskrep.cpp rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/bundlediskrep.h (100%) create mode 100644 OSX/include/security_codesigning/cdbuilder.cpp create mode 100644 OSX/include/security_codesigning/cdbuilder.h create mode 100644 OSX/include/security_codesigning/codedirectory.cpp create mode 100644 OSX/include/security_codesigning/codedirectory.h rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/cs.cpp (100%) rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/cs.h (100%) rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/cscdefs.c (100%) rename {Security/libsecurity_codesigning/lib => 
OSX/include/security_codesigning}/cscdefs.h (100%) rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/csdatabase.cpp (100%) rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/csdatabase.h (100%) rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/cserror.cpp (100%) rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/cserror.h (100%) rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/csgeneric.cpp (100%) rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/csgeneric.h (100%) rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/cskernel.cpp (100%) rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/cskernel.h (100%) rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/csprocess.cpp (100%) rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/csprocess.h (100%) create mode 100644 OSX/include/security_codesigning/csutilities.cpp create mode 100644 OSX/include/security_codesigning/csutilities.h rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/detachedrep.cpp (100%) rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/detachedrep.h (100%) rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/dirscanner.cpp (100%) rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/dirscanner.h (100%) rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/diskrep.cpp (100%) rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/diskrep.h (100%) create mode 100644 OSX/include/security_codesigning/drmaker.cpp rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/drmaker.h (100%) create mode 100644 
OSX/include/security_codesigning/evaluationmanager.cpp create mode 100644 OSX/include/security_codesigning/evaluationmanager.h rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/filediskrep.cpp (100%) rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/filediskrep.h (100%) rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/kerneldiskrep.cpp (100%) rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/kerneldiskrep.h (100%) create mode 100644 OSX/include/security_codesigning/machorep.cpp rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/machorep.h (100%) create mode 100644 OSX/include/security_codesigning/opaquewhitelist.cpp rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/opaquewhitelist.h (100%) rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/piddiskrep.cpp (100%) rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/piddiskrep.h (100%) rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/policydb.cpp (100%) rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/policydb.h (100%) create mode 100644 OSX/include/security_codesigning/policyengine.cpp create mode 100644 OSX/include/security_codesigning/policyengine.h rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/quarantine++.cpp (100%) rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/quarantine++.h (100%) create mode 100644 OSX/include/security_codesigning/reqdumper.cpp rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/reqdumper.h (100%) create mode 100644 OSX/include/security_codesigning/reqinterp.cpp create mode 100644 OSX/include/security_codesigning/reqinterp.h create mode 100644 
OSX/include/security_codesigning/reqmaker.cpp create mode 100644 OSX/include/security_codesigning/reqmaker.h rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/reqparser.cpp (100%) rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/reqparser.h (100%) create mode 100644 OSX/include/security_codesigning/reqreader.cpp create mode 100644 OSX/include/security_codesigning/reqreader.h rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/requirement.cpp (100%) create mode 100644 OSX/include/security_codesigning/requirement.h create mode 100644 OSX/include/security_codesigning/resources.cpp create mode 100644 OSX/include/security_codesigning/resources.h rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/security_codesigning.d (100%) rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/security_codesigning.exp (100%) rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/sigblob.cpp (100%) rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/sigblob.h (100%) create mode 100644 OSX/include/security_codesigning/signer.cpp create mode 100644 OSX/include/security_codesigning/signer.h create mode 100644 OSX/include/security_codesigning/signerutils.cpp rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/signerutils.h (100%) create mode 100644 OSX/include/security_codesigning/singlediskrep.cpp rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/singlediskrep.h (100%) rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/slcrep.cpp (100%) rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/slcrep.h (100%) rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/syspolicy.sql (100%) rename {Security/libsecurity_codesigning/lib => 
OSX/include/security_codesigning}/xar++.cpp (100%) rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/xar++.h (100%) rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/xpcengine.cpp (100%) rename {Security/libsecurity_codesigning/lib => OSX/include/security_codesigning}/xpcengine.h (100%) rename {Security/libsecurity_comcryption/lib => OSX/include/security_comcryption}/comDebug.h (100%) rename {Security/libsecurity_comcryption/lib => OSX/include/security_comcryption}/comcryptPriv.c (100%) rename {Security/libsecurity_comcryption/lib => OSX/include/security_comcryption}/comcryptPriv.h (100%) rename {Security/libsecurity_comcryption/lib => OSX/include/security_comcryption}/comcryption.c (100%) rename {Security/libsecurity_comcryption/lib => OSX/include/security_comcryption}/comcryption.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/ByteRep.txt (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/CipherFileDES.c (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/CipherFileDES.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/CipherFileFEED.c (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/CipherFileFEED.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/CipherFileTypes.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/Crypt.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/CryptKit.def (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/CryptKit.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/CryptKitAsn1.cpp (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/CryptKitAsn1.h (100%) create mode 100644 
OSX/include/security_cryptkit/CryptKitDER.cpp create mode 100644 OSX/include/security_cryptkit/CryptKitDER.h rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/CryptKitSA.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/CurveParamDocs/FEEDaffine.nb (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/CurveParamDocs/FEEDsansY.nb (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/CurveParamDocs/README (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/CurveParamDocs/curvegen.c (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/CurveParamDocs/curverecords.nb (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/CurveParamDocs/disc.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/CurveParamDocs/ellproj.c (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/CurveParamDocs/ellproj.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/CurveParamDocs/factor.c (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/CurveParamDocs/fmodule.c (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/CurveParamDocs/fmodule.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/CurveParamDocs/giants.c (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/CurveParamDocs/giants.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/CurveParamDocs/schoof.c (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/CurveParamDocs/schoofs.c (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/CurveParamDocs/tools.c (100%) rename {Security/libsecurity_cryptkit/lib => 
OSX/include/security_cryptkit}/CurveParamDocs/tools.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/ECDSA_Profile.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/ECDSA_Verify_Prefix.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/HmacSha1Legacy.c (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/HmacSha1Legacy.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/Mathematica.FEE (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/NSCipherFile.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/NSCipherFile.m (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/NSCryptors.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/NSDESCryptor.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/NSDESCryptor.m (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/NSFEEPublicKey.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/NSFEEPublicKey.m (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/NSFEEPublicKeyPrivate.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/NSMD5Hash.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/NSMD5Hash.m (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/NSRandomNumberGenerator.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/NSRandomNumberGenerator.m (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/README (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/TOP_README (100%) rename {Security/libsecurity_cryptkit/lib => 
OSX/include/security_cryptkit}/buildSrcTree (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/byteRep.c (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/byteRep.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/changes (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/ckDES.c (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/ckDES.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/ckMD5.c (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/ckMD5.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/ckSHA1.c (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/ckSHA1.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/ckSHA1_priv.c (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/ckSHA1_priv.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/ckconfig.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/ckutilities.c (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/ckutilities.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/curveParamData.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/curveParamDataOld.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/curveParams.c (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/curveParams.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/elliptic.c (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/elliptic.h (100%) rename {Security/libsecurity_cryptkit/lib => 
OSX/include/security_cryptkit}/ellipticMeasure.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/ellipticProj.c (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/ellipticProj.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/enc64.c (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/enc64.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/engineNSA127.c (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/falloc.c (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/falloc.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/feeCipherFile.c (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/feeCipherFile.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/feeCipherFileAtom.c (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/feeDES.c (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/feeDES.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/feeDebug.h (100%) create mode 100644 OSX/include/security_cryptkit/feeDigitalSignature.c rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/feeDigitalSignature.h (100%) create mode 100644 OSX/include/security_cryptkit/feeECDSA.c create mode 100644 OSX/include/security_cryptkit/feeECDSA.h rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/feeFEED.c (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/feeFEED.h (100%) create mode 100644 OSX/include/security_cryptkit/feeFEEDExp.c rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/feeFEEDExp.h (100%) rename {Security/libsecurity_cryptkit/lib => 
OSX/include/security_cryptkit}/feeFunctions.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/feeHash.c (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/feeHash.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/feePublicKey.c (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/feePublicKey.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/feePublicKeyPrivate.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/feeRandom.c (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/feeRandom.h (100%) create mode 100644 OSX/include/security_cryptkit/feeTypes.h rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/giantFFT.c (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/giantIntegers.c (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/giantIntegers.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/giantPortCommon.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/giantPort_Generic.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/giantPort_PPC.c (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/giantPort_PPC.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/giantPort_PPC_Gnu.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/giantPort_PPC_Gnu.s (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/giantPort_i486.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/giantPort_i486.s (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/mutils.h (100%) rename 
{Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/mutils.m (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/platform.c (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/platform.h (100%) rename {Security/libsecurity_cryptkit/lib => OSX/include/security_cryptkit}/unixMakefile (100%) rename {Security/libsecurity_filedb/lib => OSX/include/security_filedb}/AppleDatabase.cpp (100%) rename {Security/libsecurity_filedb/lib => OSX/include/security_filedb}/AppleDatabase.h (100%) rename {Security/libsecurity_filedb/lib => OSX/include/security_filedb}/AtomicFile.cpp (100%) rename {Security/libsecurity_filedb/lib => OSX/include/security_filedb}/AtomicFile.h (100%) rename {Security/libsecurity_filedb/lib => OSX/include/security_filedb}/DbIndex.cpp (100%) rename {Security/libsecurity_filedb/lib => OSX/include/security_filedb}/DbIndex.h (100%) rename {Security/libsecurity_filedb/lib => OSX/include/security_filedb}/DbQuery.cpp (100%) rename {Security/libsecurity_filedb/lib => OSX/include/security_filedb}/DbQuery.h (100%) rename {Security/libsecurity_filedb/lib => OSX/include/security_filedb}/DbValue.cpp (100%) rename {Security/libsecurity_filedb/lib => OSX/include/security_filedb}/DbValue.h (100%) rename {Security/libsecurity_filedb/lib => OSX/include/security_filedb}/MetaAttribute.cpp (100%) rename {Security/libsecurity_filedb/lib => OSX/include/security_filedb}/MetaAttribute.h (100%) rename {Security/libsecurity_filedb/lib => OSX/include/security_filedb}/MetaRecord.cpp (100%) rename {Security/libsecurity_filedb/lib => OSX/include/security_filedb}/MetaRecord.h (100%) rename {Security/libsecurity_filedb/lib => OSX/include/security_filedb}/OverUnderflowCheck.h (100%) create mode 100644 OSX/include/security_filedb/ReadWriteSection.cpp rename {Security/libsecurity_filedb/lib => OSX/include/security_filedb}/ReadWriteSection.h (100%) rename {Security/libsecurity_filedb/lib => 
OSX/include/security_filedb}/SelectionPredicate.cpp (100%) rename {Security/libsecurity_filedb/lib => OSX/include/security_filedb}/SelectionPredicate.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/ACL.cpp (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/ACL.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/Access.cpp (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/Access.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/AppleBaselineEscrowCertificates.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/CCallbackMgr.cp (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/CCallbackMgr.h (100%) create mode 100644 OSX/include/security_keychain/Certificate.cpp rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/Certificate.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/CertificateRequest.cpp (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/CertificateRequest.h (100%) create mode 100644 OSX/include/security_keychain/CertificateValues.cpp rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/CertificateValues.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/DLDBListCFPref.cpp (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/DLDBListCFPref.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/DynamicDLDBList.cpp (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/DynamicDLDBList.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/ExtendedAttribute.cpp (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/ExtendedAttribute.h (100%) 
rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/Globals.cpp (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/Globals.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/Identity.cpp (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/Identity.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/IdentityCursor.cpp (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/IdentityCursor.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/Item.cpp (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/Item.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/KCCursor.cpp (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/KCCursor.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/KCEventNotifier.cpp (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/KCEventNotifier.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/KCExceptions.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/KCUtilities.cpp (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/KCUtilities.h (100%) create mode 100644 OSX/include/security_keychain/KeyItem.cpp rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/KeyItem.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/Keychains.cpp (100%) create mode 100644 OSX/include/security_keychain/Keychains.h rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/MacOSErrorStrings.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/Password.cpp (100%) rename 
{Security/libsecurity_keychain/lib => OSX/include/security_keychain}/Password.h (100%) create mode 100644 OSX/include/security_keychain/Policies.cpp rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/Policies.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/PolicyCursor.cpp (100%) create mode 100644 OSX/include/security_keychain/PolicyCursor.h rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/PrimaryKey.cpp (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/PrimaryKey.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecACL.cpp (100%) create mode 100644 OSX/include/security_keychain/SecACL.h create mode 100644 OSX/include/security_keychain/SecAccess.cpp create mode 100644 OSX/include/security_keychain/SecAccess.h rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecAccessPriv.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecAsn1TypesP.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecBase.cpp (100%) create mode 100644 OSX/include/security_keychain/SecBase.h rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecBase64P.c (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecBase64P.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecBaseP.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecBasePriv.h (100%) create mode 100644 OSX/include/security_keychain/SecBridge.h rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecCFTypes.cpp (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecCFTypes.h (100%) create mode 100644 OSX/include/security_keychain/SecCertificate.cpp create mode 100644 
OSX/include/security_keychain/SecCertificate.h rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecCertificateBundle.cpp (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecCertificateBundle.h (100%) create mode 100644 OSX/include/security_keychain/SecCertificateInternalP.h create mode 100644 OSX/include/security_keychain/SecCertificateOIDs.h create mode 100644 OSX/include/security_keychain/SecCertificateP.c create mode 100644 OSX/include/security_keychain/SecCertificateP.h create mode 100644 OSX/include/security_keychain/SecCertificatePriv.h create mode 100644 OSX/include/security_keychain/SecCertificatePrivP.h rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecCertificateRequest.cpp (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecCertificateRequest.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecExport.cpp (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecExternalRep.cpp (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecExternalRep.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecFDERecoveryAsymmetricCrypto.cpp (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecFDERecoveryAsymmetricCrypto.h (100%) create mode 100644 OSX/include/security_keychain/SecFrameworkP.c rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecFrameworkP.h (100%) create mode 100644 OSX/include/security_keychain/SecIdentity.cpp create mode 100644 OSX/include/security_keychain/SecIdentity.h rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecIdentityPriv.h (100%) create mode 100644 OSX/include/security_keychain/SecIdentitySearch.cpp create mode 100644 OSX/include/security_keychain/SecIdentitySearch.h rename 
{Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecIdentitySearchPriv.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecImport.cpp (100%) create mode 100644 OSX/include/security_keychain/SecImportExport.c create mode 100644 OSX/include/security_keychain/SecImportExport.h create mode 100644 OSX/include/security_keychain/SecImportExportAgg.cpp rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecImportExportAgg.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecImportExportCrypto.cpp (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecImportExportCrypto.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecImportExportOpenSSH.cpp (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecImportExportOpenSSH.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecImportExportPem.cpp (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecImportExportPem.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecImportExportPkcs8.cpp (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecImportExportPkcs8.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecImportExportUtils.cpp (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecImportExportUtils.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecInternal.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecInternalP.h (100%) create mode 100644 OSX/include/security_keychain/SecItem.cpp create mode 100644 OSX/include/security_keychain/SecItem.h create mode 100644 OSX/include/security_keychain/SecItemConstants.c create mode 100644 
OSX/include/security_keychain/SecItemPriv.h create mode 100644 OSX/include/security_keychain/SecKey.cpp create mode 100644 OSX/include/security_keychain/SecKey.h create mode 100644 OSX/include/security_keychain/SecKeyPriv.h create mode 100644 OSX/include/security_keychain/SecKeychain.cpp create mode 100644 OSX/include/security_keychain/SecKeychain.h rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecKeychainAddIToolsPassword.cpp (100%) create mode 100644 OSX/include/security_keychain/SecKeychainItem.cpp create mode 100644 OSX/include/security_keychain/SecKeychainItem.h create mode 100644 OSX/include/security_keychain/SecKeychainItemExtendedAttributes.cpp rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecKeychainItemExtendedAttributes.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecKeychainItemPriv.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecKeychainPriv.h (100%) create mode 100644 OSX/include/security_keychain/SecKeychainSearch.cpp create mode 100644 OSX/include/security_keychain/SecKeychainSearch.h rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecKeychainSearchPriv.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecNetscapeTemplates.cpp (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecNetscapeTemplates.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecPassword.cpp (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecPassword.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecPkcs8Templates.cpp (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecPkcs8Templates.h (100%) create mode 100644 OSX/include/security_keychain/SecPolicy.cpp create mode 100644 
OSX/include/security_keychain/SecPolicy.h create mode 100644 OSX/include/security_keychain/SecPolicyPriv.h create mode 100644 OSX/include/security_keychain/SecPolicySearch.cpp create mode 100644 OSX/include/security_keychain/SecPolicySearch.h rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecRSAKeyP.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecRandom.c (100%) create mode 100644 OSX/include/security_keychain/SecRandom.h rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecRandomP.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecRecoveryPassword.c (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecRecoveryPassword.h (100%) create mode 100644 OSX/include/security_keychain/SecTrust.cpp create mode 100644 OSX/include/security_keychain/SecTrust.h create mode 100644 OSX/include/security_keychain/SecTrustPriv.h create mode 100644 OSX/include/security_keychain/SecTrustSettings.cpp create mode 100644 OSX/include/security_keychain/SecTrustSettings.h create mode 100644 OSX/include/security_keychain/SecTrustSettingsCertificates.h rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecTrustSettingsPriv.h (100%) create mode 100644 OSX/include/security_keychain/SecTrustedApplication.cpp create mode 100644 OSX/include/security_keychain/SecTrustedApplication.h rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecTrustedApplicationPriv.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/SecWrappedKeys.cpp (100%) create mode 100644 OSX/include/security_keychain/Security.h rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/StorageManager.cpp (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/StorageManager.h (100%) create mode 100644 OSX/include/security_keychain/Trust.cpp rename 
{Security/libsecurity_keychain/lib => OSX/include/security_keychain}/Trust.h (100%) create mode 100644 OSX/include/security_keychain/TrustAdditions.cpp rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/TrustAdditions.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/TrustItem.cpp (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/TrustItem.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/TrustKeychains.h (100%) create mode 100644 OSX/include/security_keychain/TrustRevocation.cpp create mode 100644 OSX/include/security_keychain/TrustSettings.cpp rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/TrustSettings.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/TrustSettingsSchema.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/TrustSettingsUtils.cpp (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/TrustSettingsUtils.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/TrustStore.cpp (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/TrustStore.h (100%) create mode 100644 OSX/include/security_keychain/TrustedApplication.cpp create mode 100644 OSX/include/security_keychain/TrustedApplication.h rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/UnlockReferralItem.cpp (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/UnlockReferralItem.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/certextensionsP.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/cssmdatetime.cpp (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/cssmdatetime.h (100%) rename {Security/libsecurity_keychain/lib => 
OSX/include/security_keychain}/defaultcreds.cpp (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/defaultcreds.h (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/generateErrStrings.pl (100%) create mode 100644 OSX/include/security_keychain/security_keychain.exp rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/tsaDERUtilities.c (100%) rename {Security/libsecurity_keychain/lib => OSX/include/security_keychain}/tsaDERUtilities.h (100%) rename {Security/libsecurity_ocspd/common => OSX/include/security_ocspd}/ocspExtensions.cpp (100%) rename {Security/libsecurity_ocspd/common => OSX/include/security_ocspd}/ocspExtensions.h (100%) rename {Security/libsecurity_ocspd/common => OSX/include/security_ocspd}/ocspResponse.cpp (100%) rename {Security/libsecurity_ocspd/common => OSX/include/security_ocspd}/ocspResponse.h (100%) rename {Security/libsecurity_ocspd/client => OSX/include/security_ocspd}/ocspdClient.h (100%) rename {Security/libsecurity_ocspd/common => OSX/include/security_ocspd}/ocspdDbSchema.cpp (100%) rename {Security/libsecurity_ocspd/common => OSX/include/security_ocspd}/ocspdDbSchema.h (100%) rename {Security/libsecurity_ocspd/common => OSX/include/security_ocspd}/ocspdDebug.h (100%) rename {Security/libsecurity_ocspd/common => OSX/include/security_ocspd}/ocspdTypes.h (100%) rename {Security/libsecurity_ocspd/common => OSX/include/security_ocspd}/ocspdUtils.cpp (100%) rename {Security/libsecurity_ocspd/common => OSX/include/security_ocspd}/ocspdUtils.h (100%) rename {Security/libsecurity_pkcs12/lib => OSX/include/security_pkcs12}/SecPkcs12.cpp (100%) rename {Security/libsecurity_pkcs12/lib => OSX/include/security_pkcs12}/SecPkcs12.h (100%) rename {Security/libsecurity_pkcs12/lib => OSX/include/security_pkcs12}/pkcs12BagAttrs.cpp (100%) rename {Security/libsecurity_pkcs12/lib => OSX/include/security_pkcs12}/pkcs12BagAttrs.h (100%) rename {Security/libsecurity_pkcs12/lib 
=> OSX/include/security_pkcs12}/pkcs12Coder.cpp (100%) rename {Security/libsecurity_pkcs12/lib => OSX/include/security_pkcs12}/pkcs12Coder.h (100%) rename {Security/libsecurity_pkcs12/lib => OSX/include/security_pkcs12}/pkcs12Crypto.cpp (100%) rename {Security/libsecurity_pkcs12/lib => OSX/include/security_pkcs12}/pkcs12Crypto.h (100%) rename {Security/libsecurity_pkcs12/lib => OSX/include/security_pkcs12}/pkcs12Debug.h (100%) rename {Security/libsecurity_pkcs12/lib => OSX/include/security_pkcs12}/pkcs12Decode.cpp (100%) rename {Security/libsecurity_pkcs12/lib => OSX/include/security_pkcs12}/pkcs12Encode.cpp (100%) rename {Security/libsecurity_pkcs12/lib => OSX/include/security_pkcs12}/pkcs12Keychain.cpp (100%) rename {Security/libsecurity_pkcs12/lib => OSX/include/security_pkcs12}/pkcs12SafeBag.cpp (100%) rename {Security/libsecurity_pkcs12/lib => OSX/include/security_pkcs12}/pkcs12SafeBag.h (100%) rename {Security/libsecurity_pkcs12/lib => OSX/include/security_pkcs12}/pkcs12Templates.cpp (100%) rename {Security/libsecurity_pkcs12/lib => OSX/include/security_pkcs12}/pkcs12Templates.h (100%) rename {Security/libsecurity_pkcs12/lib => OSX/include/security_pkcs12}/pkcs12Utils.cpp (100%) rename {Security/libsecurity_pkcs12/lib => OSX/include/security_pkcs12}/pkcs12Utils.h (100%) rename {Security/libsecurity_pkcs12/lib => OSX/include/security_pkcs12}/pkcs7Templates.cpp (100%) rename {Security/libsecurity_pkcs12/lib => OSX/include/security_pkcs12}/pkcs7Templates.h (100%) rename {Security/libsecurity_pkcs12/lib => OSX/include/security_pkcs12}/pkcsoids.cpp (100%) rename {Security/libsecurity_pkcs12/lib => OSX/include/security_pkcs12}/pkcsoids.h (100%) rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/SecCMS.c (100%) rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/SecCMS.h (100%) rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/SecCmsBase.h (100%) rename {Security/libsecurity_smime/lib => 
OSX/include/security_smime}/SecCmsContentInfo.h (100%) rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/SecCmsDecoder.h (100%) rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/SecCmsDigestContext.h (100%) rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/SecCmsDigestedData.h (100%) rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/SecCmsEncoder.h (100%) rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/SecCmsEncryptedData.h (100%) rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/SecCmsEnvelopedData.h (100%) rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/SecCmsMessage.h (100%) rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/SecCmsRecipientInfo.h (100%) rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/SecCmsSignedData.h (100%) rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/SecCmsSignerInfo.h (100%) rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/SecSMIME.h (100%) rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/SecSMIMEPriv.h (100%) create mode 100644 OSX/include/security_smime/cert.c rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/cert.h (100%) rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/cmsarray.c (100%) rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/cmsasn1.c (100%) rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/cmsattr.c (100%) rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/cmscinfo.c (100%) rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/cmscipher.c (100%) rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/cmsdecode.c (100%) rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/cmsdigdata.c (100%) rename {Security/libsecurity_smime/lib => 
OSX/include/security_smime}/cmsdigest.c (100%) rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/cmsencdata.c (100%) rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/cmsencode.c (100%) rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/cmsenvdata.c (100%) rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/cmslocal.h (100%) rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/cmsmessage.c (100%) rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/cmspriv.h (100%) create mode 100644 OSX/include/security_smime/cmspubkey.c create mode 100644 OSX/include/security_smime/cmsrecinfo.c rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/cmsreclist.c (100%) rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/cmsreclist.h (100%) create mode 100644 OSX/include/security_smime/cmssigdata.c create mode 100644 OSX/include/security_smime/cmssiginfo.c rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/cmstpriv.h (100%) rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/cmsutil.c (100%) rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/cryptohi.c (100%) rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/cryptohi.h (100%) rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/plhash.c (100%) rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/plhash.h (100%) rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/secalgid.c (100%) rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/secitem.c (100%) rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/secitem.h (100%) rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/secoid.c (100%) rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/secoid.h (100%) rename {Security/libsecurity_smime/lib => 
OSX/include/security_smime}/secoidt.h (100%) rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/security_smime.exp (100%) rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/siginfoUtils.cpp (100%) rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/smimeutil.c (100%) rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/testcms (100%) create mode 100644 OSX/include/security_smime/tsaSupport.c rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/tsaSupport.h (100%) rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/tsaSupportPriv.h (100%) rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/tsaTemplates.c (100%) rename {Security/libsecurity_smime/lib => OSX/include/security_smime}/tsaTemplates.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/adornments.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/adornments.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/alloc.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/alloc.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/blob.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/blob.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/bufferfifo.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/bufferfifo.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/buffers.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/buffers.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/ccaudit.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/ccaudit.h (100%) rename 
{Security/libsecurity_utilities/lib => OSX/include/security_utilities}/cfclass.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/cfclass.h (100%) create mode 100644 OSX/include/security_utilities/cfmach++.cpp rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/cfmach++.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/cfmunge.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/cfmunge.h (100%) create mode 100644 OSX/include/security_utilities/cfutilities.cpp create mode 100644 OSX/include/security_utilities/cfutilities.h rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/coderepository.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/coderepository.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/crc.c (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/crc.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/daemon.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/daemon.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/debugging.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/debugging.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/debugging_internal.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/debugging_internal.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/debugsupport.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/devrandom.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/devrandom.h (100%) rename {Security/libsecurity_utilities/lib => 
OSX/include/security_utilities}/dispatch.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/dispatch.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/dtrace.mk (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/dyld_cache_format.h (100%) create mode 100644 OSX/include/security_utilities/dyldcache.cpp create mode 100644 OSX/include/security_utilities/dyldcache.h rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/endian.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/endian.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/errors.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/errors.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/exports (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/fdmover.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/fdmover.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/fdsel.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/fdsel.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/globalizer.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/globalizer.h (100%) create mode 100644 OSX/include/security_utilities/hashing.cpp create mode 100644 OSX/include/security_utilities/hashing.h rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/headermap.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/headermap.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/hosts.cpp (100%) rename {Security/libsecurity_utilities/lib => 
OSX/include/security_utilities}/hosts.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/inetreply.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/inetreply.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/iodevices.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/iodevices.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/ip++.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/ip++.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/kq++.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/kq++.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/ktracecodes.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/logging.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/logging.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/mach++.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/mach++.h (100%) create mode 100644 OSX/include/security_utilities/mach_notify.c rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/mach_notify.h (100%) create mode 100644 OSX/include/security_utilities/macho++.cpp create mode 100644 OSX/include/security_utilities/macho++.h rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/machrunloopserver.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/machrunloopserver.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/machserver.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/machserver.h (100%) rename 
{Security/libsecurity_utilities/lib => OSX/include/security_utilities}/memstreams.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/memutils.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/muscle++.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/muscle++.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/osxcode.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/osxcode.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/pcsc++.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/pcsc++.h (100%) create mode 100644 OSX/include/security_utilities/powerwatch.cpp create mode 100644 OSX/include/security_utilities/powerwatch.h rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/refcount.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/seccfobject.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/seccfobject.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/security_utilities.d (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/security_utilities.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/selector.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/selector.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/simpleprefs.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/simpleprefs.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/socks++.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/socks++.h (100%) rename 
{Security/libsecurity_utilities/lib => OSX/include/security_utilities}/socks++4.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/socks++4.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/socks++5.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/socks++5.h (100%) create mode 100644 OSX/include/security_utilities/sqlite++.cpp rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/sqlite++.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/streams.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/streams.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/superblob.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/superblob.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/threading.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/threading.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/threading_internal.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/timeflow.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/timeflow.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/tqueue.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/tqueue.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/trackingallocator.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/trackingallocator.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/transactions.cpp (100%) rename {Security/libsecurity_utilities/lib => 
OSX/include/security_utilities}/transactions.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/typedvalue.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/typedvalue.h (100%) create mode 100644 OSX/include/security_utilities/unix++.cpp rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/unix++.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/unixchild.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/unixchild.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/url.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/url.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/utilities.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/utilities.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/utility_config.h (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/vproc++.cpp (100%) rename {Security/libsecurity_utilities/lib => OSX/include/security_utilities}/vproc++.h (100%) rename {Security/libsecurityd/lib => OSX/include/securityd_client}/SharedMemoryClient.cpp (100%) rename {Security/libsecurityd/lib => OSX/include/securityd_client}/SharedMemoryClient.h (100%) rename {Security/libsecurityd/lib => OSX/include/securityd_client}/SharedMemoryCommon.h (100%) rename {Security/libsecurityd/lib => OSX/include/securityd_client}/dictionary.cpp (100%) rename {Security/libsecurityd/lib => OSX/include/securityd_client}/dictionary.h (100%) rename {Security/libsecurityd/lib => OSX/include/securityd_client}/eventlistener.cpp (100%) rename {Security/libsecurityd/lib => OSX/include/securityd_client}/eventlistener.h (100%) rename {Security/libsecurityd/lib => 
OSX/include/securityd_client}/handletypes.h (100%) rename {Security/libsecurityd/lib => OSX/include/securityd_client}/sec_xdr.c (100%) rename {Security/libsecurityd/lib => OSX/include/securityd_client}/sec_xdr.h (100%) rename {Security/libsecurityd/lib => OSX/include/securityd_client}/sec_xdr_array.c (100%) rename {Security/libsecurityd/lib => OSX/include/securityd_client}/sec_xdr_reference.c (100%) rename {Security/libsecurityd/lib => OSX/include/securityd_client}/sec_xdr_sizeof.c (100%) rename {Security/libsecurityd/lib => OSX/include/securityd_client}/sec_xdrmem.c (100%) rename {Security/libsecurityd/lib => OSX/include/securityd_client}/ss_types.h (100%) rename {Security/libsecurityd/lib => OSX/include/securityd_client}/ssblob.cpp (100%) rename {Security/libsecurityd/lib => OSX/include/securityd_client}/ssblob.h (100%) rename {Security/libsecurityd/lib => OSX/include/securityd_client}/ssclient.cpp (100%) create mode 100644 OSX/include/securityd_client/ssclient.h rename {Security/libsecurityd/lib => OSX/include/securityd_client}/sscommon.h (100%) rename {Security/libsecurityd/lib => OSX/include/securityd_client}/ssnotify.h (100%) rename {Security/libsecurityd/lib => OSX/include/securityd_client}/sstransit.cpp (100%) rename {Security/libsecurityd/lib => OSX/include/securityd_client}/sstransit.h (100%) create mode 100644 OSX/include/securityd_client/transition.cpp rename {Security/libsecurityd/lib => OSX/include/securityd_client}/ucsp_types.h (100%) rename {Security/libsecurityd/lib => OSX/include/securityd_client}/xdr_auth.c (100%) rename {Security/libsecurityd/lib => OSX/include/securityd_client}/xdr_auth.h (100%) rename {Security/libsecurityd/lib => OSX/include/securityd_client}/xdr_cssm.c (100%) rename {Security/libsecurityd/lib => OSX/include/securityd_client}/xdr_cssm.h (100%) rename {Security/libsecurityd/lib => OSX/include/securityd_client}/xdr_dldb.cpp (100%) rename {Security/libsecurityd/lib => OSX/include/securityd_client}/xdr_dldb.h (100%) create mode 
100644 OSX/lib/AppWorkaround.plist rename {Security => OSX}/lib/FDEPrefs.plist (100%) rename {Security => OSX}/lib/Info-Security.plist (100%) rename {Security => OSX}/lib/Security.order (100%) rename {Security => OSX}/lib/TimeStampingPrefs.plist (100%) rename {Security => OSX}/lib/copy_pieces.mk (100%) rename {Security => OSX}/lib/dummy.cpp (100%) rename {Security => OSX}/lib/en.lproj/FDELocalizable.strings (100%) rename {Security => OSX}/lib/en.lproj/InfoPlist.strings (100%) rename {Security => OSX}/lib/en.lproj/authorization.buttons.strings (98%) rename {Security => OSX}/lib/en.lproj/authorization.prompts.strings (94%) create mode 100644 OSX/lib/framework.sb create mode 100644 OSX/lib/generateErrStrings.pl rename {Security => OSX}/lib/plugins/csparser-Info.plist (100%) rename {Security => OSX}/lib/plugins/csparser.cpp (100%) rename {Security => OSX}/lib/plugins/csparser.exp (100%) rename {Security => OSX}/lib/security.exp-in (94%) rename {Security => OSX}/libsecurity_apple_csp/Info-security_apple_csp.plist (100%) rename {Security => OSX}/libsecurity_apple_csp/README (100%) rename {Security => OSX}/libsecurity_apple_csp/TODO (100%) rename {Security => OSX}/libsecurity_apple_csp/docs/libsecurity_apple_csp.plist (100%) rename {Security => OSX}/libsecurity_apple_csp/docs/libsecurity_apple_csp.txt (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/AppleCSP.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/AppleCSP.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/AppleCSPBuiltin.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/AppleCSPContext.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/AppleCSPContext.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/AppleCSPKeys.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/AppleCSPKeys.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/AppleCSPPlugin.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/AppleCSPSession.h (100%) 
rename {Security => OSX}/libsecurity_apple_csp/lib/AppleCSPUtils.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/AppleCSPUtils.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/BinaryKey.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/BlockCryptor.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/BlockCryptor.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/CryptKitSpace.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/DH_csp.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/DH_csp.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/DH_exchange.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/DH_exchange.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/DH_keys.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/DH_keys.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/DH_utils.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/DH_utils.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/DigestContext.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/DigestContext.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/FEEAsymmetricContext.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/FEEAsymmetricContext.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/FEECSPUtils.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/FEECSPUtils.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/FEEKeys.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/FEEKeys.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/FEESignatureObject.cpp (91%) rename {Security => OSX}/libsecurity_apple_csp/lib/FEESignatureObject.h (94%) rename {Security => OSX}/libsecurity_apple_csp/lib/HMACSHA1.c (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/HMACSHA1.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/MD2Object.cpp (100%) rename {Security => 
OSX}/libsecurity_apple_csp/lib/MD2Object.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/MacContext.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/MacContext.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/NullCryptor.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/RSA_DSA_csp.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/RSA_DSA_csp.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/RSA_DSA_keys.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/RSA_DSA_keys.h (99%) rename {Security => OSX}/libsecurity_apple_csp/lib/RSA_DSA_signature.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/RSA_DSA_signature.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/RSA_DSA_utils.cpp (99%) rename {Security => OSX}/libsecurity_apple_csp/lib/RSA_DSA_utils.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/RSA_asymmetric.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/RSA_asymmetric.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/RawSigner.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/SHA1_MD5_Object.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/SHA1_MD5_Object.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/SHA2_Object.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/SHA2_Object.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/SignatureContext.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/SignatureContext.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/YarrowConnection.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/YarrowConnection.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/aesCommon.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/aescsp.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/aescspi.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/algmaker.cpp (100%) rename {Security => 
OSX}/libsecurity_apple_csp/lib/ascContext.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/ascContext.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/ascFactory.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/bfContext.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/bfContext.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/boxes-ref.c (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/boxes-ref.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/bsafeAsymmetric.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/bsafeContext.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/bsafeKeyGen.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/bsafePKCS1.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/bsafePKCS1.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/bsafeSymmetric.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/bsafecsp.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/bsafecspi.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/bsobjects.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/castContext.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/castContext.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/cryptkitcsp.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/cryptkitcsp.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/cspdebugging.c (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/cspdebugging.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/cssmplugin.exp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/deriveKey.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/desContext.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/desContext.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/gladmanContext.cpp (100%) rename {Security => 
OSX}/libsecurity_apple_csp/lib/gladmanContext.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/memory.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/miscAlgFactory.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/miscAlgFactory.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/miscalgorithms.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/opensshCoding.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/opensshCoding.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/opensshWrap.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/pbkdDigest.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/pbkdDigest.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/pbkdf2.c (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/pbkdf2.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/pkcs12Derive.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/pkcs12Derive.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/pkcs8.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/pkcs8.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/rc2Context.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/rc2Context.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/rc4Context.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/rc4Context.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/rc5Context.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/rc5Context.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/rijndael-alg-ref.c (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/rijndael-alg-ref.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/rijndaelApi.c (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/rijndaelApi.h (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/vRijndael-alg-ref.c (100%) rename {Security => 
OSX}/libsecurity_apple_csp/lib/wrapKey.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/lib/wrapKeyCms.cpp (100%) create mode 100644 OSX/libsecurity_apple_csp/libsecurity_apple_csp.xcodeproj/project.pbxproj rename {Security => OSX}/libsecurity_apple_csp/mds/csp_capabilities.mdsinfo (100%) rename {Security => OSX}/libsecurity_apple_csp/mds/csp_capabilities_common.mds (100%) rename {Security => OSX}/libsecurity_apple_csp/mds/csp_common.mdsinfo (100%) rename {Security => OSX}/libsecurity_apple_csp/mds/csp_primary.mdsinfo (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/LICENSE (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/bf/COPYRIGHT (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/bf/README (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/bf/bf_ecb.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/bf/bf_enc.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/bf/bf_locl.h (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/bf/bf_pi.h (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/bf/bf_skey.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/bio/bio_lib.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/bio/bss_file.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/bn/bn_add.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/bn/bn_asm.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/bn/bn_blind.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/bn/bn_ctx.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/bn/bn_div.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/bn/bn_err.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/bn/bn_exp.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/bn/bn_exp2.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/bn/bn_gcd.c (100%) rename {Security => 
OSX}/libsecurity_apple_csp/open_ssl/bn/bn_lcl.h (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/bn/bn_lib.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/bn/bn_mont.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/bn/bn_mpi.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/bn/bn_mul.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/bn/bn_prime.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/bn/bn_prime.h (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/bn/bn_print.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/bn/bn_rand.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/bn/bn_recp.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/bn/bn_shift.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/bn/bn_sqr.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/bn/bn_word.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/bn/bnspeed.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/bn/bntest.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/bn/divtest.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/bn/exp.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/bn/expspeed.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/bn/exptest.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/bn/vms-helper.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/buffer/buf_err.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/buffer/buffer.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/cryptlib.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/cryptlib.h (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/dh/dh_check.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/dh/dh_err.c (100%) rename {Security => 
OSX}/libsecurity_apple_csp/open_ssl/dh/dh_gen.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/dh/dh_key.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/dh/dh_lib.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/dsa/dsa_asn1.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/dsa/dsa_err.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/dsa/dsa_gen.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/dsa/dsa_key.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/dsa/dsa_lib.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/dsa/dsa_ossl.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/dsa/dsa_sign.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/dsa/dsa_vrf.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/err/err.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/err/err_prn.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/ex_data.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/lhash/lhash.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/mem.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/misc/rc2_cbc.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/misc/rc2_locl.h (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/misc/rc2_skey.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/misc/rc5_enc.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/misc/rc5_locl.h (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/misc/rc5_skey.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/openssl/asn1.h (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/openssl/bio.h (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/openssl/blowfish.h (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/openssl/bn.h (100%) rename {Security => 
OSX}/libsecurity_apple_csp/open_ssl/openssl/buffer.h (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/openssl/cast.h (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/openssl/crypto.h (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/openssl/dh.h (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/openssl/dsa.h (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/openssl/e_os.h (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/openssl/e_os2.h (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/openssl/err.h (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/openssl/evp.h (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/openssl/lhash.h (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/openssl/objects.h (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/openssl/openssl_pkcs7.h (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/openssl/opensslconf.h (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/openssl/opensslv.h (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/openssl/rand.h (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/openssl/rc2.h (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/openssl/rc5.h (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/openssl/rsa.h (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/openssl/safestack.h (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/openssl/stack.h (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/openssl/x509.h (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/openssl/x509_vfy.h (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/opensslUtils/opensslAsn1.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/opensslUtils/opensslAsn1.h (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/opensslUtils/opensslUtils.cpp 
(100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/opensslUtils/opensslUtils.h (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/rsa/rsa_chk.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/rsa/rsa_eay.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/rsa/rsa_err.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/rsa/rsa_gen.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/rsa/rsa_lib.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/rsa/rsa_none.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/rsa/rsa_null.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/rsa/rsa_pk1.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/rsa/rsa_saos.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/rsa/rsa_sign.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/rsa/rsa_ssl.c (100%) rename {Security => OSX}/libsecurity_apple_csp/open_ssl/stack/stack.c (100%) rename {Security => OSX}/libsecurity_apple_csp/tests/t-dsa.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/tests/t-rsa.cpp (100%) rename {Security => OSX}/libsecurity_apple_csp/tests/t.cpp (100%) rename {Security => OSX}/libsecurity_apple_cspdl/Info-security_apple_cspdl.plist (100%) rename {Security => OSX}/libsecurity_apple_cspdl/lib/AppleCSPDLBuiltin.cpp (100%) rename {Security => OSX}/libsecurity_apple_cspdl/lib/AppleCSPDLPlugin.cpp (100%) rename {Security => OSX}/libsecurity_apple_cspdl/lib/CSPDLDatabase.cpp (100%) rename {Security => OSX}/libsecurity_apple_cspdl/lib/CSPDLDatabase.h (100%) rename {Security => OSX}/libsecurity_apple_cspdl/lib/CSPDLPlugin.cpp (100%) rename {Security => OSX}/libsecurity_apple_cspdl/lib/CSPDLPlugin.h (100%) rename {Security => OSX}/libsecurity_apple_cspdl/lib/SSCSPDLSession.cpp (100%) rename {Security => OSX}/libsecurity_apple_cspdl/lib/SSCSPDLSession.h (100%) rename {Security => 
OSX}/libsecurity_apple_cspdl/lib/SSCSPSession.cpp (99%) rename {Security => OSX}/libsecurity_apple_cspdl/lib/SSCSPSession.h (100%) rename {Security => OSX}/libsecurity_apple_cspdl/lib/SSContext.cpp (100%) rename {Security => OSX}/libsecurity_apple_cspdl/lib/SSContext.h (100%) rename {Security => OSX}/libsecurity_apple_cspdl/lib/SSDLSession.cpp (100%) rename {Security => OSX}/libsecurity_apple_cspdl/lib/SSDLSession.h (100%) rename {Security => OSX}/libsecurity_apple_cspdl/lib/SSDatabase.cpp (100%) rename {Security => OSX}/libsecurity_apple_cspdl/lib/SSDatabase.h (100%) rename {Security => OSX}/libsecurity_apple_cspdl/lib/SSFactory.cpp (100%) rename {Security => OSX}/libsecurity_apple_cspdl/lib/SSFactory.h (100%) rename {Security => OSX}/libsecurity_apple_cspdl/lib/SSKey.cpp (100%) rename {Security => OSX}/libsecurity_apple_cspdl/lib/SSKey.h (97%) create mode 100644 OSX/libsecurity_apple_cspdl/libsecurity_apple_cspdl.xcodeproj/project.pbxproj rename {Security => OSX}/libsecurity_apple_cspdl/mds/cspdl_common.mdsinfo (100%) rename {Security => OSX}/libsecurity_apple_cspdl/mds/cspdl_csp_capabilities.mdsinfo (100%) rename {Security => OSX}/libsecurity_apple_cspdl/mds/cspdl_csp_primary.mdsinfo (100%) rename {Security => OSX}/libsecurity_apple_cspdl/mds/cspdl_dl_primary.mdsinfo (100%) rename {Security => OSX}/libsecurity_apple_file_dl/Info-security_apple_file_dl.plist (100%) rename {Security => OSX}/libsecurity_apple_file_dl/TODO (100%) rename {Security => OSX}/libsecurity_apple_file_dl/doc/FORMAT (100%) rename {Security => OSX}/libsecurity_apple_file_dl/doc/ISSUES (100%) rename {Security => OSX}/libsecurity_apple_file_dl/lib/AppleDLBuiltin.cpp (100%) rename {Security => OSX}/libsecurity_apple_file_dl/lib/AppleDLPlugin.cpp (100%) rename {Security => OSX}/libsecurity_apple_file_dl/lib/AppleFileDL.cpp (100%) rename {Security => OSX}/libsecurity_apple_file_dl/lib/AppleFileDL.h (100%) create mode 100644 
OSX/libsecurity_apple_file_dl/libsecurity_apple_file_dl.xcodeproj/project.pbxproj rename {Security => OSX}/libsecurity_apple_file_dl/mds/dl_common.mdsinfo (100%) rename {Security => OSX}/libsecurity_apple_file_dl/mds/dl_primary.mdsinfo (100%) rename {Security => OSX}/libsecurity_apple_x509_cl/Info-plugin_apple_x509_cl.plist (100%) rename {Security => OSX}/libsecurity_apple_x509_cl/Info-security_apple_x509_cl.plist (100%) rename {Security => OSX}/libsecurity_apple_x509_cl/TODO (100%) rename {Security => OSX}/libsecurity_apple_x509_cl/lib/AppleX509CL.cpp (100%) rename {Security => OSX}/libsecurity_apple_x509_cl/lib/AppleX509CL.h (100%) rename {Security => OSX}/libsecurity_apple_x509_cl/lib/AppleX509CLBuiltin.cpp (100%) rename {Security => OSX}/libsecurity_apple_x509_cl/lib/AppleX509CLPlugin.cpp (100%) rename {Security => OSX}/libsecurity_apple_x509_cl/lib/AppleX509CLSession.cpp (100%) rename {Security => OSX}/libsecurity_apple_x509_cl/lib/AppleX509CLSession.h (100%) rename {Security => OSX}/libsecurity_apple_x509_cl/lib/CLCachedEntry.cpp (100%) rename {Security => OSX}/libsecurity_apple_x509_cl/lib/CLCachedEntry.h (100%) rename {Security => OSX}/libsecurity_apple_x509_cl/lib/CLCertExtensions.cpp (100%) rename {Security => OSX}/libsecurity_apple_x509_cl/lib/CLCertExtensions.h (100%) rename {Security => OSX}/libsecurity_apple_x509_cl/lib/CLCrlExtensions.cpp (100%) rename {Security => OSX}/libsecurity_apple_x509_cl/lib/CLCrlExtensions.h (100%) rename {Security => OSX}/libsecurity_apple_x509_cl/lib/CLFieldsCommon.cpp (100%) rename {Security => OSX}/libsecurity_apple_x509_cl/lib/CLFieldsCommon.h (100%) rename {Security => OSX}/libsecurity_apple_x509_cl/lib/CSPAttacher.cpp (100%) rename {Security => OSX}/libsecurity_apple_x509_cl/lib/CSPAttacher.h (100%) rename {Security => OSX}/libsecurity_apple_x509_cl/lib/CertFields.cpp (100%) rename {Security => OSX}/libsecurity_apple_x509_cl/lib/CrlFields.cpp (100%) rename {Security => 
OSX}/libsecurity_apple_x509_cl/lib/DecodedCert.cpp (100%) rename {Security => OSX}/libsecurity_apple_x509_cl/lib/DecodedCert.h (100%) rename {Security => OSX}/libsecurity_apple_x509_cl/lib/DecodedCrl.cpp (100%) rename {Security => OSX}/libsecurity_apple_x509_cl/lib/DecodedCrl.h (100%) rename {Security => OSX}/libsecurity_apple_x509_cl/lib/DecodedExtensions.cpp (100%) rename {Security => OSX}/libsecurity_apple_x509_cl/lib/DecodedExtensions.h (100%) rename {Security => OSX}/libsecurity_apple_x509_cl/lib/DecodedItem.cpp (100%) rename {Security => OSX}/libsecurity_apple_x509_cl/lib/DecodedItem.h (100%) rename {Security => OSX}/libsecurity_apple_x509_cl/lib/LockedMap.h (100%) rename {Security => OSX}/libsecurity_apple_x509_cl/lib/Session_CRL.cpp (100%) rename {Security => OSX}/libsecurity_apple_x509_cl/lib/Session_CSR.cpp (100%) rename {Security => OSX}/libsecurity_apple_x509_cl/lib/Session_Cert.cpp (100%) rename {Security => OSX}/libsecurity_apple_x509_cl/lib/Session_Crypto.cpp (100%) rename {Security => OSX}/libsecurity_apple_x509_cl/lib/clNameUtils.cpp (100%) rename {Security => OSX}/libsecurity_apple_x509_cl/lib/clNameUtils.h (100%) rename {Security => OSX}/libsecurity_apple_x509_cl/lib/clNssUtils.cpp (100%) rename {Security => OSX}/libsecurity_apple_x509_cl/lib/clNssUtils.h (100%) rename {Security => OSX}/libsecurity_apple_x509_cl/lib/cldebugging.h (100%) create mode 100644 OSX/libsecurity_apple_x509_cl/libsecurity_apple_x509_cl.xcodeproj/project.pbxproj rename {Security => OSX}/libsecurity_apple_x509_cl/mds/cl_common.mdsinfo (100%) rename {Security => OSX}/libsecurity_apple_x509_cl/mds/cl_primary.mdsinfo (100%) rename {Security => OSX}/libsecurity_apple_x509_tp/Info-security_apple_x509_tp.plist (100%) rename {Security => OSX}/libsecurity_apple_x509_tp/lib/AppleTP.cpp (100%) rename {Security => OSX}/libsecurity_apple_x509_tp/lib/AppleTP.h (100%) rename {Security => OSX}/libsecurity_apple_x509_tp/lib/AppleTPSession.cpp (100%) rename {Security => 
OSX}/libsecurity_apple_x509_tp/lib/AppleTPSession.h (100%) rename {Security => OSX}/libsecurity_apple_x509_tp/lib/AppleX509TPBuiltin.cpp (100%) rename {Security => OSX}/libsecurity_apple_x509_tp/lib/AppleX509TPPlugin.cpp (100%) rename {Security => OSX}/libsecurity_apple_x509_tp/lib/TPCertInfo.cpp (99%) rename {Security => OSX}/libsecurity_apple_x509_tp/lib/TPCertInfo.h (99%) rename {Security => OSX}/libsecurity_apple_x509_tp/lib/TPCrlInfo.cpp (92%) rename {Security => OSX}/libsecurity_apple_x509_tp/lib/TPCrlInfo.h (100%) rename {Security => OSX}/libsecurity_apple_x509_tp/lib/TPDatabase.cpp (100%) rename {Security => OSX}/libsecurity_apple_x509_tp/lib/TPDatabase.h (100%) rename {Security => OSX}/libsecurity_apple_x509_tp/lib/TPNetwork.cpp (100%) rename {Security => OSX}/libsecurity_apple_x509_tp/lib/TPNetwork.h (100%) rename {Security => OSX}/libsecurity_apple_x509_tp/lib/certGroupUtils.cpp (100%) rename {Security => OSX}/libsecurity_apple_x509_tp/lib/certGroupUtils.h (100%) rename {Security => OSX}/libsecurity_apple_x509_tp/lib/cuEnc64.c (100%) rename {Security => OSX}/libsecurity_apple_x509_tp/lib/cuEnc64.h (100%) rename {Security => OSX}/libsecurity_apple_x509_tp/lib/ocspRequest.cpp (100%) rename {Security => OSX}/libsecurity_apple_x509_tp/lib/ocspRequest.h (100%) create mode 100644 OSX/libsecurity_apple_x509_tp/lib/tpCertAllowList.c rename {Security => OSX}/libsecurity_apple_x509_tp/lib/tpCertAllowList.h (100%) rename {Security => OSX}/libsecurity_apple_x509_tp/lib/tpCertGroup.cpp (100%) rename {Security => OSX}/libsecurity_apple_x509_tp/lib/tpCredRequest.cpp (100%) rename {Security => OSX}/libsecurity_apple_x509_tp/lib/tpCrlVerify.cpp (100%) rename {Security => OSX}/libsecurity_apple_x509_tp/lib/tpCrlVerify.h (100%) rename {Security => OSX}/libsecurity_apple_x509_tp/lib/tpOcspCache.cpp (100%) rename {Security => OSX}/libsecurity_apple_x509_tp/lib/tpOcspCache.h (100%) rename {Security => OSX}/libsecurity_apple_x509_tp/lib/tpOcspCertVfy.cpp (91%) rename {Security 
=> OSX}/libsecurity_apple_x509_tp/lib/tpOcspCertVfy.h (100%) rename {Security => OSX}/libsecurity_apple_x509_tp/lib/tpOcspVerify.cpp (99%) rename {Security => OSX}/libsecurity_apple_x509_tp/lib/tpOcspVerify.h (100%) rename {Security => OSX}/libsecurity_apple_x509_tp/lib/tpPolicies.cpp (100%) rename {Security => OSX}/libsecurity_apple_x509_tp/lib/tpPolicies.h (100%) rename {Security => OSX}/libsecurity_apple_x509_tp/lib/tpTime.c (100%) rename {Security => OSX}/libsecurity_apple_x509_tp/lib/tpTime.h (100%) rename {Security => OSX}/libsecurity_apple_x509_tp/lib/tpdebugging.h (100%) create mode 100644 OSX/libsecurity_apple_x509_tp/libsecurity_apple_x509_tp.xcodeproj/project.pbxproj rename {Security => OSX}/libsecurity_apple_x509_tp/mds/tp_common.mdsinfo (100%) rename {Security => OSX}/libsecurity_apple_x509_tp/mds/tp_policyOids.mdsinfo (100%) rename {Security => OSX}/libsecurity_apple_x509_tp/mds/tp_primary.mdsinfo (100%) rename {Security => OSX}/libsecurity_asn1/APPLE_LICENSE (100%) rename {Security => OSX}/libsecurity_asn1/CHANGES.Apple (100%) rename {Security => OSX}/libsecurity_asn1/Info-security_asn1.plist (100%) rename {Security => OSX}/libsecurity_asn1/Makefile (100%) rename {Security => OSX}/libsecurity_asn1/MozillaPublicLicense1.1.html (100%) create mode 100644 OSX/libsecurity_asn1/Security/SecAsn1Coder.c create mode 100644 OSX/libsecurity_asn1/Security/SecAsn1Coder.h create mode 100644 OSX/libsecurity_asn1/Security/SecAsn1Templates.c create mode 100644 OSX/libsecurity_asn1/Security/SecAsn1Templates.h create mode 100644 OSX/libsecurity_asn1/Security/SecAsn1Types.h create mode 100644 OSX/libsecurity_asn1/Security/SecNssCoder.cpp create mode 100644 OSX/libsecurity_asn1/Security/SecNssCoder.h create mode 100644 OSX/libsecurity_asn1/Security/X509Templates.c create mode 100644 OSX/libsecurity_asn1/Security/X509Templates.h create mode 100644 OSX/libsecurity_asn1/Security/asn1Templates.h create mode 100644 OSX/libsecurity_asn1/Security/certExtensionTemplates.c create 
mode 100644 OSX/libsecurity_asn1/Security/certExtensionTemplates.h create mode 100644 OSX/libsecurity_asn1/Security/csrTemplates.c create mode 100644 OSX/libsecurity_asn1/Security/csrTemplates.h create mode 100644 OSX/libsecurity_asn1/Security/keyTemplates.c create mode 100644 OSX/libsecurity_asn1/Security/keyTemplates.h create mode 100644 OSX/libsecurity_asn1/Security/nameTemplates.c create mode 100644 OSX/libsecurity_asn1/Security/nameTemplates.h create mode 100644 OSX/libsecurity_asn1/Security/nsprPortX.c create mode 100644 OSX/libsecurity_asn1/Security/nssUtils.c create mode 100644 OSX/libsecurity_asn1/Security/nssUtils.h create mode 100644 OSX/libsecurity_asn1/Security/nssilckt.h create mode 100644 OSX/libsecurity_asn1/Security/nssilock.h create mode 100644 OSX/libsecurity_asn1/Security/nsslocks.h create mode 100644 OSX/libsecurity_asn1/Security/ocspTemplates.c create mode 100644 OSX/libsecurity_asn1/Security/ocspTemplates.h create mode 100644 OSX/libsecurity_asn1/Security/oidsalg.c create mode 100644 OSX/libsecurity_asn1/Security/oidsalg.h create mode 100644 OSX/libsecurity_asn1/Security/oidsattr.c create mode 100644 OSX/libsecurity_asn1/Security/oidsattr.h create mode 100644 OSX/libsecurity_asn1/Security/oidsbase.h create mode 100644 OSX/libsecurity_asn1/Security/oidsocsp.c create mode 100644 OSX/libsecurity_asn1/Security/oidsocsp.h create mode 100644 OSX/libsecurity_asn1/Security/osKeyTemplates.c create mode 100644 OSX/libsecurity_asn1/Security/osKeyTemplates.h create mode 100644 OSX/libsecurity_asn1/Security/pkcs12Templates.c create mode 100644 OSX/libsecurity_asn1/Security/pkcs12Templates.h create mode 100644 OSX/libsecurity_asn1/Security/pkcs7Templates.c create mode 100644 OSX/libsecurity_asn1/Security/pkcs7Templates.h create mode 100644 OSX/libsecurity_asn1/Security/plarena.c create mode 100644 OSX/libsecurity_asn1/Security/plarena.h create mode 100644 OSX/libsecurity_asn1/Security/plarenas.h create mode 100644 OSX/libsecurity_asn1/Security/plstr.h 
create mode 100644 OSX/libsecurity_asn1/Security/prbit.h create mode 100644 OSX/libsecurity_asn1/Security/prcpucfg.h create mode 100644 OSX/libsecurity_asn1/Security/prcvar.h create mode 100644 OSX/libsecurity_asn1/Security/prenv.h create mode 100644 OSX/libsecurity_asn1/Security/prerr.h create mode 100644 OSX/libsecurity_asn1/Security/prerror.h create mode 100644 OSX/libsecurity_asn1/Security/prinit.h create mode 100644 OSX/libsecurity_asn1/Security/prinrval.h create mode 100644 OSX/libsecurity_asn1/Security/prlock.h create mode 100644 OSX/libsecurity_asn1/Security/prlog.h create mode 100644 OSX/libsecurity_asn1/Security/prlong.h create mode 100644 OSX/libsecurity_asn1/Security/prmem.h create mode 100644 OSX/libsecurity_asn1/Security/prmon.h create mode 100644 OSX/libsecurity_asn1/Security/protypes.h create mode 100644 OSX/libsecurity_asn1/Security/prthread.h create mode 100644 OSX/libsecurity_asn1/Security/prtime.h create mode 100644 OSX/libsecurity_asn1/Security/prtypes.h create mode 100644 OSX/libsecurity_asn1/Security/prvrsion.h create mode 100644 OSX/libsecurity_asn1/Security/secErrorStr.c create mode 100644 OSX/libsecurity_asn1/Security/secasn1.h create mode 100644 OSX/libsecurity_asn1/Security/secasn1d.c create mode 100644 OSX/libsecurity_asn1/Security/secasn1e.c create mode 100644 OSX/libsecurity_asn1/Security/secasn1t.h create mode 100644 OSX/libsecurity_asn1/Security/secasn1u.c create mode 100644 OSX/libsecurity_asn1/Security/seccomon.h create mode 100644 OSX/libsecurity_asn1/Security/secerr.h create mode 100644 OSX/libsecurity_asn1/Security/secport.c create mode 100644 OSX/libsecurity_asn1/Security/secport.h create mode 100644 OSX/libsecurity_asn1/Security/security_asn1.exp rename {Security => OSX}/libsecurity_asn1/asn1/README (100%) rename {Security => OSX}/libsecurity_asn1/asn1/appleoids.asn (100%) rename {Security => OSX}/libsecurity_asn1/asn1/asn-useful.asn1 (100%) rename {Security => OSX}/libsecurity_asn1/asn1/pkcs1.asn1 (100%) rename {Security => 
OSX}/libsecurity_asn1/asn1/pkcs10.asn (100%) rename {Security => OSX}/libsecurity_asn1/asn1/pkcs1oids.asn (100%) rename {Security => OSX}/libsecurity_asn1/asn1/pkcs5.asn1 (100%) rename {Security => OSX}/libsecurity_asn1/asn1/pkcs7.asn (100%) rename {Security => OSX}/libsecurity_asn1/asn1/pkcs8.asn (100%) rename {Security => OSX}/libsecurity_asn1/asn1/pkcs9oids.asn (100%) rename {Security => OSX}/libsecurity_asn1/asn1/rfc3161.asn1 (100%) rename {Security => OSX}/libsecurity_asn1/asn1/sm_cms.asn (100%) rename {Security => OSX}/libsecurity_asn1/asn1/sm_ess.asn (100%) rename {Security => OSX}/libsecurity_asn1/asn1/sm_vdatypes.asn (100%) rename {Security => OSX}/libsecurity_asn1/asn1/sm_x411mtsas.asn (100%) rename {Security => OSX}/libsecurity_asn1/asn1/sm_x411ub.asn (100%) rename {Security => OSX}/libsecurity_asn1/asn1/sm_x501if.asn (100%) rename {Security => OSX}/libsecurity_asn1/asn1/sm_x501ud.asn (100%) rename {Security => OSX}/libsecurity_asn1/asn1/sm_x509af.asn (100%) rename {Security => OSX}/libsecurity_asn1/asn1/sm_x509ce.asn (100%) rename {Security => OSX}/libsecurity_asn1/asn1/sm_x509cmn.asn (100%) rename {Security => OSX}/libsecurity_asn1/asn1/sm_x520sa.asn (100%) create mode 100644 OSX/libsecurity_asn1/config/base.xcconfig rename {Security => OSX}/libsecurity_asn1/config/debug.xcconfig (100%) rename {Security => OSX}/libsecurity_asn1/config/lib.xcconfig (100%) rename {Security => OSX}/libsecurity_asn1/config/release.xcconfig (100%) rename {Security => OSX}/libsecurity_asn1/docs/libsecurity_asn1.plist (100%) rename {Security => OSX}/libsecurity_asn1/docs/libsecurity_asn1.txt (100%) create mode 100644 OSX/libsecurity_asn1/lib/SecAsn1Coder.c create mode 100644 OSX/libsecurity_asn1/lib/SecAsn1Coder.h create mode 100644 OSX/libsecurity_asn1/lib/SecAsn1Templates.c create mode 100644 OSX/libsecurity_asn1/lib/SecAsn1Templates.h create mode 100644 OSX/libsecurity_asn1/lib/SecAsn1Types.h create mode 100644 OSX/libsecurity_asn1/lib/SecNssCoder.cpp create mode 100644 
OSX/libsecurity_asn1/lib/SecNssCoder.h create mode 100644 OSX/libsecurity_asn1/lib/X509Templates.c create mode 100644 OSX/libsecurity_asn1/lib/X509Templates.h create mode 100644 OSX/libsecurity_asn1/lib/asn1Templates.h create mode 100644 OSX/libsecurity_asn1/lib/certExtensionTemplates.c create mode 100644 OSX/libsecurity_asn1/lib/certExtensionTemplates.h create mode 100644 OSX/libsecurity_asn1/lib/csrTemplates.c create mode 100644 OSX/libsecurity_asn1/lib/csrTemplates.h create mode 100644 OSX/libsecurity_asn1/lib/keyTemplates.c create mode 100644 OSX/libsecurity_asn1/lib/keyTemplates.h create mode 100644 OSX/libsecurity_asn1/lib/nameTemplates.c create mode 100644 OSX/libsecurity_asn1/lib/nameTemplates.h create mode 100644 OSX/libsecurity_asn1/lib/nsprPortX.c create mode 100644 OSX/libsecurity_asn1/lib/nssUtils.c create mode 100644 OSX/libsecurity_asn1/lib/nssUtils.h create mode 100644 OSX/libsecurity_asn1/lib/nssilckt.h create mode 100644 OSX/libsecurity_asn1/lib/nssilock.h create mode 100644 OSX/libsecurity_asn1/lib/nsslocks.h create mode 100644 OSX/libsecurity_asn1/lib/ocspTemplates.c create mode 100644 OSX/libsecurity_asn1/lib/ocspTemplates.h create mode 100644 OSX/libsecurity_asn1/lib/oidsalg.c create mode 100644 OSX/libsecurity_asn1/lib/oidsalg.h create mode 100644 OSX/libsecurity_asn1/lib/oidsattr.c create mode 100644 OSX/libsecurity_asn1/lib/oidsattr.h create mode 100644 OSX/libsecurity_asn1/lib/oidsbase.h create mode 100644 OSX/libsecurity_asn1/lib/oidsocsp.c create mode 100644 OSX/libsecurity_asn1/lib/oidsocsp.h create mode 100644 OSX/libsecurity_asn1/lib/osKeyTemplates.c create mode 100644 OSX/libsecurity_asn1/lib/osKeyTemplates.h create mode 100644 OSX/libsecurity_asn1/lib/pkcs12Templates.c create mode 100644 OSX/libsecurity_asn1/lib/pkcs12Templates.h create mode 100644 OSX/libsecurity_asn1/lib/pkcs7Templates.c create mode 100644 OSX/libsecurity_asn1/lib/pkcs7Templates.h create mode 100644 OSX/libsecurity_asn1/lib/plarena.c create mode 100644 
OSX/libsecurity_asn1/lib/plarena.h create mode 100644 OSX/libsecurity_asn1/lib/plarenas.h create mode 100644 OSX/libsecurity_asn1/lib/plstr.h create mode 100644 OSX/libsecurity_asn1/lib/prbit.h create mode 100644 OSX/libsecurity_asn1/lib/prcpucfg.h create mode 100644 OSX/libsecurity_asn1/lib/prcvar.h create mode 100644 OSX/libsecurity_asn1/lib/prenv.h create mode 100644 OSX/libsecurity_asn1/lib/prerr.h create mode 100644 OSX/libsecurity_asn1/lib/prerror.h create mode 100644 OSX/libsecurity_asn1/lib/prinit.h create mode 100644 OSX/libsecurity_asn1/lib/prinrval.h create mode 100644 OSX/libsecurity_asn1/lib/prlock.h create mode 100644 OSX/libsecurity_asn1/lib/prlog.h create mode 100644 OSX/libsecurity_asn1/lib/prlong.h create mode 100644 OSX/libsecurity_asn1/lib/prmem.h create mode 100644 OSX/libsecurity_asn1/lib/prmon.h create mode 100644 OSX/libsecurity_asn1/lib/protypes.h create mode 100644 OSX/libsecurity_asn1/lib/prthread.h create mode 100644 OSX/libsecurity_asn1/lib/prtime.h create mode 100644 OSX/libsecurity_asn1/lib/prtypes.h create mode 100644 OSX/libsecurity_asn1/lib/prvrsion.h create mode 100644 OSX/libsecurity_asn1/lib/secErrorStr.c create mode 100644 OSX/libsecurity_asn1/lib/secasn1.h create mode 100644 OSX/libsecurity_asn1/lib/secasn1d.c create mode 100644 OSX/libsecurity_asn1/lib/secasn1e.c create mode 100644 OSX/libsecurity_asn1/lib/secasn1t.h create mode 100644 OSX/libsecurity_asn1/lib/secasn1u.c create mode 100644 OSX/libsecurity_asn1/lib/seccomon.h create mode 100644 OSX/libsecurity_asn1/lib/secerr.h create mode 100644 OSX/libsecurity_asn1/lib/secport.c create mode 100644 OSX/libsecurity_asn1/lib/secport.h create mode 100644 OSX/libsecurity_asn1/lib/security_asn1.exp create mode 100644 OSX/libsecurity_asn1/libsecurity_asn1.xcodeproj/project.pbxproj create mode 100644 OSX/libsecurity_asn1/security_asn1/SecAsn1Coder.c create mode 100644 OSX/libsecurity_asn1/security_asn1/SecAsn1Coder.h create mode 100644 
OSX/libsecurity_asn1/security_asn1/SecAsn1Templates.c create mode 100644 OSX/libsecurity_asn1/security_asn1/SecAsn1Templates.h create mode 100644 OSX/libsecurity_asn1/security_asn1/SecAsn1Types.h create mode 100644 OSX/libsecurity_asn1/security_asn1/SecNssCoder.cpp create mode 100644 OSX/libsecurity_asn1/security_asn1/SecNssCoder.h create mode 100644 OSX/libsecurity_asn1/security_asn1/X509Templates.c create mode 100644 OSX/libsecurity_asn1/security_asn1/X509Templates.h create mode 100644 OSX/libsecurity_asn1/security_asn1/asn1Templates.h create mode 100644 OSX/libsecurity_asn1/security_asn1/certExtensionTemplates.c create mode 100644 OSX/libsecurity_asn1/security_asn1/certExtensionTemplates.h create mode 100644 OSX/libsecurity_asn1/security_asn1/csrTemplates.c create mode 100644 OSX/libsecurity_asn1/security_asn1/csrTemplates.h create mode 100644 OSX/libsecurity_asn1/security_asn1/keyTemplates.c create mode 100644 OSX/libsecurity_asn1/security_asn1/keyTemplates.h create mode 100644 OSX/libsecurity_asn1/security_asn1/nameTemplates.c create mode 100644 OSX/libsecurity_asn1/security_asn1/nameTemplates.h create mode 100644 OSX/libsecurity_asn1/security_asn1/nsprPortX.c create mode 100644 OSX/libsecurity_asn1/security_asn1/nssUtils.c create mode 100644 OSX/libsecurity_asn1/security_asn1/nssUtils.h create mode 100644 OSX/libsecurity_asn1/security_asn1/nssilckt.h create mode 100644 OSX/libsecurity_asn1/security_asn1/nssilock.h create mode 100644 OSX/libsecurity_asn1/security_asn1/nsslocks.h create mode 100644 OSX/libsecurity_asn1/security_asn1/ocspTemplates.c create mode 100644 OSX/libsecurity_asn1/security_asn1/ocspTemplates.h create mode 100644 OSX/libsecurity_asn1/security_asn1/oidsalg.c create mode 100644 OSX/libsecurity_asn1/security_asn1/oidsalg.h create mode 100644 OSX/libsecurity_asn1/security_asn1/oidsattr.c create mode 100644 OSX/libsecurity_asn1/security_asn1/oidsattr.h create mode 100644 OSX/libsecurity_asn1/security_asn1/oidsbase.h create mode 100644 
OSX/libsecurity_asn1/security_asn1/oidsocsp.c create mode 100644 OSX/libsecurity_asn1/security_asn1/oidsocsp.h create mode 100644 OSX/libsecurity_asn1/security_asn1/osKeyTemplates.c create mode 100644 OSX/libsecurity_asn1/security_asn1/osKeyTemplates.h create mode 100644 OSX/libsecurity_asn1/security_asn1/pkcs12Templates.c create mode 100644 OSX/libsecurity_asn1/security_asn1/pkcs12Templates.h create mode 100644 OSX/libsecurity_asn1/security_asn1/pkcs7Templates.c create mode 100644 OSX/libsecurity_asn1/security_asn1/pkcs7Templates.h create mode 100644 OSX/libsecurity_asn1/security_asn1/plarena.c create mode 100644 OSX/libsecurity_asn1/security_asn1/plarena.h create mode 100644 OSX/libsecurity_asn1/security_asn1/plarenas.h create mode 100644 OSX/libsecurity_asn1/security_asn1/plstr.h create mode 100644 OSX/libsecurity_asn1/security_asn1/prbit.h create mode 100644 OSX/libsecurity_asn1/security_asn1/prcpucfg.h create mode 100644 OSX/libsecurity_asn1/security_asn1/prcvar.h create mode 100644 OSX/libsecurity_asn1/security_asn1/prenv.h create mode 100644 OSX/libsecurity_asn1/security_asn1/prerr.h create mode 100644 OSX/libsecurity_asn1/security_asn1/prerror.h create mode 100644 OSX/libsecurity_asn1/security_asn1/prinit.h create mode 100644 OSX/libsecurity_asn1/security_asn1/prinrval.h create mode 100644 OSX/libsecurity_asn1/security_asn1/prlock.h create mode 100644 OSX/libsecurity_asn1/security_asn1/prlog.h create mode 100644 OSX/libsecurity_asn1/security_asn1/prlong.h create mode 100644 OSX/libsecurity_asn1/security_asn1/prmem.h create mode 100644 OSX/libsecurity_asn1/security_asn1/prmon.h create mode 100644 OSX/libsecurity_asn1/security_asn1/protypes.h create mode 100644 OSX/libsecurity_asn1/security_asn1/prthread.h create mode 100644 OSX/libsecurity_asn1/security_asn1/prtime.h create mode 100644 OSX/libsecurity_asn1/security_asn1/prtypes.h create mode 100644 OSX/libsecurity_asn1/security_asn1/prvrsion.h create mode 100644 
OSX/libsecurity_asn1/security_asn1/secErrorStr.c create mode 100644 OSX/libsecurity_asn1/security_asn1/secasn1.h create mode 100644 OSX/libsecurity_asn1/security_asn1/secasn1d.c create mode 100644 OSX/libsecurity_asn1/security_asn1/secasn1e.c create mode 100644 OSX/libsecurity_asn1/security_asn1/secasn1t.h create mode 100644 OSX/libsecurity_asn1/security_asn1/secasn1u.c create mode 100644 OSX/libsecurity_asn1/security_asn1/seccomon.h create mode 100644 OSX/libsecurity_asn1/security_asn1/secerr.h create mode 100644 OSX/libsecurity_asn1/security_asn1/secport.c create mode 100644 OSX/libsecurity_asn1/security_asn1/secport.h create mode 100644 OSX/libsecurity_asn1/security_asn1/security_asn1.exp rename {Security => OSX}/libsecurity_authorization/APPLE_LICENSE (100%) rename {Security => OSX}/libsecurity_authorization/Info-security_authorization.plist (100%) rename {Security => OSX}/libsecurity_authorization/lib/AuthSession.h (96%) rename {Security => OSX}/libsecurity_authorization/lib/Authorization.c (99%) rename {Security => OSX}/libsecurity_authorization/lib/Authorization.cpp (100%) rename {Security => OSX}/libsecurity_authorization/lib/Authorization.h (93%) rename {Security => OSX}/libsecurity_authorization/lib/AuthorizationDB.h (96%) rename {Security => OSX}/libsecurity_authorization/lib/AuthorizationPlugin.h (94%) rename {Security => OSX}/libsecurity_authorization/lib/AuthorizationPriv.h (98%) rename {Security => OSX}/libsecurity_authorization/lib/AuthorizationTags.h (100%) rename {Security => OSX}/libsecurity_authorization/lib/AuthorizationTagsPriv.h (100%) rename {Security => OSX}/libsecurity_authorization/lib/privPort.h (100%) rename {Security => OSX}/libsecurity_authorization/lib/security_authorization.exp (100%) rename {Security => OSX}/libsecurity_authorization/lib/trampolineClient.cpp (100%) rename {Security => OSX}/libsecurity_authorization/lib/trampolineServer.cpp (100%) create mode 100644 
OSX/libsecurity_authorization/libsecurity_authorization.xcodeproj/project.pbxproj rename {Security => OSX}/libsecurity_cdsa_client/Info-security_cdsa_client.plist (100%) create mode 100644 OSX/libsecurity_cdsa_client/lib/DLDBList.cpp create mode 100644 OSX/libsecurity_cdsa_client/lib/DLDBList.h create mode 100644 OSX/libsecurity_cdsa_client/lib/aclclient.cpp create mode 100644 OSX/libsecurity_cdsa_client/lib/aclclient.h create mode 100644 OSX/libsecurity_cdsa_client/lib/clclient.cpp create mode 100644 OSX/libsecurity_cdsa_client/lib/clclient.h create mode 100644 OSX/libsecurity_cdsa_client/lib/cryptoclient.cpp create mode 100644 OSX/libsecurity_cdsa_client/lib/cryptoclient.h create mode 100644 OSX/libsecurity_cdsa_client/lib/cspclient.cpp create mode 100644 OSX/libsecurity_cdsa_client/lib/cspclient.h create mode 100644 OSX/libsecurity_cdsa_client/lib/cssmclient.cpp create mode 100644 OSX/libsecurity_cdsa_client/lib/cssmclient.h create mode 100644 OSX/libsecurity_cdsa_client/lib/dl_standard.cpp create mode 100644 OSX/libsecurity_cdsa_client/lib/dl_standard.h create mode 100644 OSX/libsecurity_cdsa_client/lib/dlclient.cpp create mode 100644 OSX/libsecurity_cdsa_client/lib/dlclient.h create mode 100644 OSX/libsecurity_cdsa_client/lib/dlclientpriv.cpp create mode 100644 OSX/libsecurity_cdsa_client/lib/dliterators.cpp create mode 100644 OSX/libsecurity_cdsa_client/lib/dliterators.h create mode 100644 OSX/libsecurity_cdsa_client/lib/dlquery.cpp create mode 100644 OSX/libsecurity_cdsa_client/lib/dlquery.h create mode 100644 OSX/libsecurity_cdsa_client/lib/genkey.cpp create mode 100644 OSX/libsecurity_cdsa_client/lib/genkey.h create mode 100644 OSX/libsecurity_cdsa_client/lib/keychainacl.cpp create mode 100644 OSX/libsecurity_cdsa_client/lib/keychainacl.h create mode 100644 OSX/libsecurity_cdsa_client/lib/keyclient.cpp create mode 100644 OSX/libsecurity_cdsa_client/lib/keyclient.h create mode 100644 OSX/libsecurity_cdsa_client/lib/macclient.cpp create mode 100644 
OSX/libsecurity_cdsa_client/lib/macclient.h create mode 100644 OSX/libsecurity_cdsa_client/lib/mds_standard.cpp create mode 100644 OSX/libsecurity_cdsa_client/lib/mds_standard.h create mode 100644 OSX/libsecurity_cdsa_client/lib/mdsclient.cpp create mode 100644 OSX/libsecurity_cdsa_client/lib/mdsclient.h create mode 100644 OSX/libsecurity_cdsa_client/lib/multidldb.cpp create mode 100644 OSX/libsecurity_cdsa_client/lib/multidldb.h create mode 100644 OSX/libsecurity_cdsa_client/lib/securestorage.cpp create mode 100644 OSX/libsecurity_cdsa_client/lib/securestorage.h create mode 100644 OSX/libsecurity_cdsa_client/lib/signclient.cpp create mode 100644 OSX/libsecurity_cdsa_client/lib/signclient.h create mode 100644 OSX/libsecurity_cdsa_client/lib/tpclient.cpp create mode 100644 OSX/libsecurity_cdsa_client/lib/tpclient.h create mode 100644 OSX/libsecurity_cdsa_client/lib/wrapkey.cpp create mode 100644 OSX/libsecurity_cdsa_client/lib/wrapkey.h create mode 100644 OSX/libsecurity_cdsa_client/libsecurity_cdsa_client.xcodeproj/project.pbxproj rename {Security => OSX}/libsecurity_cdsa_plugin/Info-security_cdsa_plugin.plist (100%) create mode 100644 OSX/libsecurity_cdsa_plugin/lib/ACsession.h create mode 100644 OSX/libsecurity_cdsa_plugin/lib/CLsession.h create mode 100644 OSX/libsecurity_cdsa_plugin/lib/CSPsession.cpp create mode 100644 OSX/libsecurity_cdsa_plugin/lib/CSPsession.h create mode 100644 OSX/libsecurity_cdsa_plugin/lib/DLsession.cpp create mode 100644 OSX/libsecurity_cdsa_plugin/lib/DLsession.h create mode 100644 OSX/libsecurity_cdsa_plugin/lib/Database.cpp create mode 100644 OSX/libsecurity_cdsa_plugin/lib/Database.h create mode 100644 OSX/libsecurity_cdsa_plugin/lib/DatabaseSession.cpp create mode 100644 OSX/libsecurity_cdsa_plugin/lib/DatabaseSession.h create mode 100644 OSX/libsecurity_cdsa_plugin/lib/DbContext.cpp create mode 100644 OSX/libsecurity_cdsa_plugin/lib/DbContext.h create mode 100644 OSX/libsecurity_cdsa_plugin/lib/TPsession.h create mode 100644 
OSX/libsecurity_cdsa_plugin/lib/c++plugin.h create mode 100644 OSX/libsecurity_cdsa_plugin/lib/csputilities.cpp create mode 100644 OSX/libsecurity_cdsa_plugin/lib/cssmplugin.cpp create mode 100644 OSX/libsecurity_cdsa_plugin/lib/cssmplugin.h create mode 100644 OSX/libsecurity_cdsa_plugin/lib/generator.cfg create mode 100644 OSX/libsecurity_cdsa_plugin/lib/generator.mk create mode 100644 OSX/libsecurity_cdsa_plugin/lib/generator.pl create mode 100644 OSX/libsecurity_cdsa_plugin/lib/pluginsession.cpp create mode 100644 OSX/libsecurity_cdsa_plugin/lib/pluginsession.h create mode 100644 OSX/libsecurity_cdsa_plugin/lib/pluginspi.h create mode 100644 OSX/libsecurity_cdsa_plugin/libsecurity_cdsa_plugin.xcodeproj/project.pbxproj rename {Security => OSX}/libsecurity_cdsa_utilities/APPLE_LICENSE (100%) rename {Security => OSX}/libsecurity_cdsa_utilities/Info-security_cdsa_utilities.plist (100%) create mode 100644 OSX/libsecurity_cdsa_utilities/lib/AuthorizationData.cpp create mode 100644 OSX/libsecurity_cdsa_utilities/lib/AuthorizationData.h create mode 100644 OSX/libsecurity_cdsa_utilities/lib/AuthorizationWalkers.h create mode 100644 OSX/libsecurity_cdsa_utilities/lib/KeySchema.h create mode 100644 OSX/libsecurity_cdsa_utilities/lib/KeySchema.m4 create mode 100644 OSX/libsecurity_cdsa_utilities/lib/Schema.h create mode 100644 OSX/libsecurity_cdsa_utilities/lib/Schema.m4 create mode 100644 OSX/libsecurity_cdsa_utilities/lib/acl_any.cpp create mode 100644 OSX/libsecurity_cdsa_utilities/lib/acl_any.h create mode 100644 OSX/libsecurity_cdsa_utilities/lib/acl_codesigning.cpp create mode 100644 OSX/libsecurity_cdsa_utilities/lib/acl_codesigning.h create mode 100644 OSX/libsecurity_cdsa_utilities/lib/acl_comment.cpp create mode 100644 OSX/libsecurity_cdsa_utilities/lib/acl_comment.h create mode 100644 OSX/libsecurity_cdsa_utilities/lib/acl_password.cpp create mode 100644 OSX/libsecurity_cdsa_utilities/lib/acl_password.h create mode 100644 
OSX/libsecurity_cdsa_utilities/lib/acl_preauth.cpp create mode 100644 OSX/libsecurity_cdsa_utilities/lib/acl_preauth.h create mode 100644 OSX/libsecurity_cdsa_utilities/lib/acl_process.cpp create mode 100644 OSX/libsecurity_cdsa_utilities/lib/acl_process.h create mode 100644 OSX/libsecurity_cdsa_utilities/lib/acl_prompted.cpp create mode 100644 OSX/libsecurity_cdsa_utilities/lib/acl_prompted.h create mode 100644 OSX/libsecurity_cdsa_utilities/lib/acl_protectedpw.cpp create mode 100644 OSX/libsecurity_cdsa_utilities/lib/acl_protectedpw.h create mode 100644 OSX/libsecurity_cdsa_utilities/lib/acl_secret.cpp create mode 100644 OSX/libsecurity_cdsa_utilities/lib/acl_secret.h create mode 100644 OSX/libsecurity_cdsa_utilities/lib/acl_threshold.cpp create mode 100644 OSX/libsecurity_cdsa_utilities/lib/acl_threshold.h create mode 100644 OSX/libsecurity_cdsa_utilities/lib/aclsubject.cpp create mode 100644 OSX/libsecurity_cdsa_utilities/lib/aclsubject.h create mode 100644 OSX/libsecurity_cdsa_utilities/lib/callback.cpp create mode 100644 OSX/libsecurity_cdsa_utilities/lib/callback.h create mode 100644 OSX/libsecurity_cdsa_utilities/lib/constdata.cpp create mode 100644 OSX/libsecurity_cdsa_utilities/lib/constdata.h create mode 100644 OSX/libsecurity_cdsa_utilities/lib/context.cpp create mode 100644 OSX/libsecurity_cdsa_utilities/lib/context.h create mode 100644 OSX/libsecurity_cdsa_utilities/lib/cssmacl.cpp create mode 100644 OSX/libsecurity_cdsa_utilities/lib/cssmacl.h create mode 100644 OSX/libsecurity_cdsa_utilities/lib/cssmaclpod.cpp create mode 100644 OSX/libsecurity_cdsa_utilities/lib/cssmaclpod.h create mode 100644 OSX/libsecurity_cdsa_utilities/lib/cssmalloc.cpp create mode 100644 OSX/libsecurity_cdsa_utilities/lib/cssmalloc.h create mode 100644 OSX/libsecurity_cdsa_utilities/lib/cssmbridge.h create mode 100644 OSX/libsecurity_cdsa_utilities/lib/cssmcert.cpp create mode 100644 OSX/libsecurity_cdsa_utilities/lib/cssmcert.h create mode 100644 
OSX/libsecurity_cdsa_utilities/lib/cssmcred.cpp create mode 100644 OSX/libsecurity_cdsa_utilities/lib/cssmcred.h create mode 100644 OSX/libsecurity_cdsa_utilities/lib/cssmdata.cpp create mode 100644 OSX/libsecurity_cdsa_utilities/lib/cssmdata.h create mode 100644 OSX/libsecurity_cdsa_utilities/lib/cssmdates.cpp create mode 100644 OSX/libsecurity_cdsa_utilities/lib/cssmdates.h create mode 100644 OSX/libsecurity_cdsa_utilities/lib/cssmdb.cpp create mode 100644 OSX/libsecurity_cdsa_utilities/lib/cssmdb.h create mode 100644 OSX/libsecurity_cdsa_utilities/lib/cssmdbname.cpp create mode 100644 OSX/libsecurity_cdsa_utilities/lib/cssmdbname.h create mode 100644 OSX/libsecurity_cdsa_utilities/lib/cssmendian.cpp create mode 100644 OSX/libsecurity_cdsa_utilities/lib/cssmendian.h create mode 100644 OSX/libsecurity_cdsa_utilities/lib/cssmerrors.cpp create mode 100644 OSX/libsecurity_cdsa_utilities/lib/cssmerrors.h create mode 100644 OSX/libsecurity_cdsa_utilities/lib/cssmkey.cpp create mode 100644 OSX/libsecurity_cdsa_utilities/lib/cssmkey.h create mode 100644 OSX/libsecurity_cdsa_utilities/lib/cssmlist.cpp create mode 100644 OSX/libsecurity_cdsa_utilities/lib/cssmlist.h create mode 100644 OSX/libsecurity_cdsa_utilities/lib/cssmpods.cpp create mode 100644 OSX/libsecurity_cdsa_utilities/lib/cssmpods.h create mode 100644 OSX/libsecurity_cdsa_utilities/lib/cssmtrust.cpp create mode 100644 OSX/libsecurity_cdsa_utilities/lib/cssmtrust.h create mode 100644 OSX/libsecurity_cdsa_utilities/lib/cssmwalkers.cpp create mode 100644 OSX/libsecurity_cdsa_utilities/lib/cssmwalkers.h create mode 100644 OSX/libsecurity_cdsa_utilities/lib/db++.cpp create mode 100644 OSX/libsecurity_cdsa_utilities/lib/db++.h create mode 100644 OSX/libsecurity_cdsa_utilities/lib/digestobject.h create mode 100644 OSX/libsecurity_cdsa_utilities/lib/generator.mk create mode 100644 OSX/libsecurity_cdsa_utilities/lib/generator.pl create mode 100644 OSX/libsecurity_cdsa_utilities/lib/handleobject.cpp create mode 100644 
OSX/libsecurity_cdsa_utilities/lib/handleobject.h create mode 100644 OSX/libsecurity_cdsa_utilities/lib/handletemplates.cpp create mode 100644 OSX/libsecurity_cdsa_utilities/lib/handletemplates.h create mode 100644 OSX/libsecurity_cdsa_utilities/lib/handletemplates_defs.h create mode 100644 OSX/libsecurity_cdsa_utilities/lib/objectacl.cpp create mode 100644 OSX/libsecurity_cdsa_utilities/lib/objectacl.h create mode 100644 OSX/libsecurity_cdsa_utilities/lib/osxverifier.cpp create mode 100644 OSX/libsecurity_cdsa_utilities/lib/osxverifier.h create mode 100644 OSX/libsecurity_cdsa_utilities/lib/u32handleobject.cpp create mode 100644 OSX/libsecurity_cdsa_utilities/lib/u32handleobject.h create mode 100644 OSX/libsecurity_cdsa_utilities/lib/uniformrandom.cpp create mode 100644 OSX/libsecurity_cdsa_utilities/lib/uniformrandom.h create mode 100644 OSX/libsecurity_cdsa_utilities/lib/walkers.cpp create mode 100644 OSX/libsecurity_cdsa_utilities/lib/walkers.h create mode 100644 OSX/libsecurity_cdsa_utilities/libsecurity_cdsa_utilities.xcodeproj/project.pbxproj rename {Security => OSX}/libsecurity_cdsa_utils/Info-security_cdsa_utils.plist (100%) create mode 100644 OSX/libsecurity_cdsa_utils/lib/cuCdsaUtils.cpp create mode 100644 OSX/libsecurity_cdsa_utils/lib/cuCdsaUtils.h create mode 100644 OSX/libsecurity_cdsa_utils/lib/cuDbUtils.cpp create mode 100644 OSX/libsecurity_cdsa_utils/lib/cuDbUtils.h create mode 100644 OSX/libsecurity_cdsa_utils/lib/cuEnc64.c create mode 100644 OSX/libsecurity_cdsa_utils/lib/cuEnc64.h create mode 100644 OSX/libsecurity_cdsa_utils/lib/cuFileIo.c create mode 100644 OSX/libsecurity_cdsa_utils/lib/cuFileIo.h create mode 100644 OSX/libsecurity_cdsa_utils/lib/cuOidParser.cpp create mode 100644 OSX/libsecurity_cdsa_utils/lib/cuOidParser.h create mode 100644 OSX/libsecurity_cdsa_utils/lib/cuPem.cpp create mode 100644 OSX/libsecurity_cdsa_utils/lib/cuPem.h create mode 100644 OSX/libsecurity_cdsa_utils/lib/cuPrintCert.cpp create mode 100644 
OSX/libsecurity_cdsa_utils/lib/cuPrintCert.h create mode 100644 OSX/libsecurity_cdsa_utils/lib/cuTimeStr.cpp create mode 100644 OSX/libsecurity_cdsa_utils/lib/cuTimeStr.h create mode 100644 OSX/libsecurity_cdsa_utils/libsecurity_cdsa_utils.xcodeproj/project.pbxproj rename {Security => OSX}/libsecurity_checkpw/APPLE_LICENSE (100%) rename {Security => OSX}/libsecurity_checkpw/Info-security_checkpw.plist (100%) rename {Security => OSX}/libsecurity_checkpw/checkpw.pam (100%) rename {Security => OSX}/libsecurity_checkpw/lib/checkpw.c (98%) rename {Security => OSX}/libsecurity_checkpw/lib/checkpw.h (100%) rename {Security => OSX}/libsecurity_checkpw/lib/security_checkpw.exp (100%) create mode 100644 OSX/libsecurity_checkpw/libsecurity_checkpw.xcodeproj/project.pbxproj rename {Security => OSX}/libsecurity_checkpw/test/perf-checkpw.c (100%) rename {Security => OSX}/libsecurity_checkpw/test/test-checkpw.c (100%) rename {Security => OSX}/libsecurity_cms/APPLE_LICENSE (100%) rename {Security => OSX}/libsecurity_cms/Info-security_cms.plist (100%) rename {Security => OSX}/libsecurity_cms/lib/CMSDecoder.cpp (99%) rename {Security => OSX}/libsecurity_cms/lib/CMSDecoder.h (91%) rename {Security => OSX}/libsecurity_cms/lib/CMSEncoder.cpp (98%) rename {Security => OSX}/libsecurity_cms/lib/CMSEncoder.h (88%) rename {Security => OSX}/libsecurity_cms/lib/CMSPrivate.h (100%) rename {Security => OSX}/libsecurity_cms/lib/CMSUtils.cpp (100%) rename {Security => OSX}/libsecurity_cms/lib/CMSUtils.h (100%) rename {Security => OSX}/libsecurity_cms/lib/security_cms.exp (100%) create mode 100644 OSX/libsecurity_cms/libsecurity_cms.xcodeproj/project.pbxproj rename {Security => OSX}/libsecurity_codesigning/APPLE_LICENSE (100%) rename {Security => OSX}/libsecurity_codesigning/CodeSigningHelper/CodeSigningHelper-Info.plist (100%) rename {Security => OSX}/libsecurity_codesigning/CodeSigningHelper/com.apple.CodeSigningHelper.sb (100%) rename {Security => 
OSX}/libsecurity_codesigning/CodeSigningHelper/main.c (100%) rename {Security => OSX}/libsecurity_codesigning/Info-security_codesigning.plist (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/AUTHORS (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/ChangeLog (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/LICENSE.txt (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/Makefile.in (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/README (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/TODO (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr.jar (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/ANTLRException.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/ANTLRUtil.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/AST.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/ASTArray.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/ASTFactory.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/ASTNULLType.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/ASTPair.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/ASTRefCount.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/BaseAST.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/BitSet.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/CharBuffer.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/CharInputBuffer.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/CharScanner.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/CharStreamException.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/CharStreamIOException.hpp (100%) rename {Security => 
OSX}/libsecurity_codesigning/antlr2/antlr/CircularQueue.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/CommonAST.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/CommonASTWithHiddenTokens.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/CommonHiddenStreamToken.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/CommonToken.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/IOException.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/InputBuffer.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/LLkParser.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/LexerSharedInputState.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/Makefile.in (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/MismatchedCharException.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/MismatchedTokenException.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/NoViableAltException.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/NoViableAltForCharException.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/Parser.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/ParserSharedInputState.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/RecognitionException.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/RefCount.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/SemanticException.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/String.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/Token.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/TokenBuffer.hpp (100%) rename {Security => 
OSX}/libsecurity_codesigning/antlr2/antlr/TokenRefCount.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/TokenStream.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/TokenStreamBasicFilter.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/TokenStreamException.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/TokenStreamHiddenTokenFilter.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/TokenStreamIOException.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/TokenStreamRecognitionException.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/TokenStreamRetryException.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/TokenStreamRewriteEngine.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/TokenStreamSelector.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/TokenWithIndex.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/TreeParser.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/TreeParserSharedInputState.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/antlr/config.hpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/contrib/bcb4/README (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/contrib/bcb4/antlr.bpr (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/contrib/bcb4/antlr.cpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/doxygen.cfg (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/libsecurity_codesigning.plist (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/libsecurity_codesigning.txt (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/scripts/cr_stripper.sh (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/scripts/make_change_log.tcl (100%) rename {Security => 
OSX}/libsecurity_codesigning/antlr2/src/ANTLRUtil.cpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/src/ASTFactory.cpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/src/ASTNULLType.cpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/src/ASTRefCount.cpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/src/BaseAST.cpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/src/BitSet.cpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/src/CharBuffer.cpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/src/CharScanner.cpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/src/CommonAST.cpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/src/CommonASTWithHiddenTokens.cpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/src/CommonHiddenStreamToken.cpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/src/CommonToken.cpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/src/InputBuffer.cpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/src/LLkParser.cpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/src/Makefile.in (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/src/MismatchedCharException.cpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/src/MismatchedTokenException.cpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/src/NoViableAltException.cpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/src/NoViableAltForCharException.cpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/src/Parser.cpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/src/RecognitionException.cpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/src/String.cpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/src/Token.cpp (100%) rename {Security => 
OSX}/libsecurity_codesigning/antlr2/src/TokenBuffer.cpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/src/TokenRefCount.cpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/src/TokenStreamBasicFilter.cpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/src/TokenStreamHiddenTokenFilter.cpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/src/TokenStreamRewriteEngine.cpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/src/TokenStreamSelector.cpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/src/TreeParser.cpp (100%) rename {Security => OSX}/libsecurity_codesigning/antlr2/src/dll.cpp (100%) rename {Security => OSX}/libsecurity_codesigning/dtrace/codesign-watch.d (100%) rename {Security => OSX}/libsecurity_codesigning/dtrace/reqint.d (100%) rename {Security => OSX}/libsecurity_codesigning/dtrace/sp-watch.d (100%) rename {Security => OSX}/libsecurity_codesigning/gke/com.apple.gkreport.plist (100%) rename {Security => OSX}/libsecurity_codesigning/gke/gkclear (100%) rename {Security => OSX}/libsecurity_codesigning/gke/gkgenerate (100%) rename {Security => OSX}/libsecurity_codesigning/gke/gkhandmake (100%) rename {Security => OSX}/libsecurity_codesigning/gke/gklist (100%) rename {Security => OSX}/libsecurity_codesigning/gke/gkmerge (100%) rename {Security => OSX}/libsecurity_codesigning/gke/gkrecord (100%) rename {Security => OSX}/libsecurity_codesigning/gke/gkreport (100%) rename {Security => OSX}/libsecurity_codesigning/gke/gkunpack.cpp (100%) create mode 100644 OSX/libsecurity_codesigning/lib/CSCommon.h create mode 100644 OSX/libsecurity_codesigning/lib/CSCommonPriv.h create mode 100644 OSX/libsecurity_codesigning/lib/Code.cpp create mode 100644 OSX/libsecurity_codesigning/lib/Code.h create mode 100644 OSX/libsecurity_codesigning/lib/CodeSigner.cpp create mode 100644 OSX/libsecurity_codesigning/lib/CodeSigner.h create mode 100644 OSX/libsecurity_codesigning/lib/CodeSigning.h 
create mode 100644 OSX/libsecurity_codesigning/lib/RequirementKeywords.h create mode 100644 OSX/libsecurity_codesigning/lib/RequirementLexer.cpp create mode 100644 OSX/libsecurity_codesigning/lib/RequirementLexer.hpp create mode 100644 OSX/libsecurity_codesigning/lib/RequirementParser.cpp create mode 100644 OSX/libsecurity_codesigning/lib/RequirementParser.hpp create mode 100644 OSX/libsecurity_codesigning/lib/RequirementParserTokenTypes.hpp create mode 100644 OSX/libsecurity_codesigning/lib/RequirementParserTokenTypes.txt create mode 100644 OSX/libsecurity_codesigning/lib/Requirements.cpp create mode 100644 OSX/libsecurity_codesigning/lib/Requirements.h create mode 100644 OSX/libsecurity_codesigning/lib/SecAssessment.cpp create mode 100644 OSX/libsecurity_codesigning/lib/SecAssessment.h create mode 100644 OSX/libsecurity_codesigning/lib/SecCode.cpp create mode 100644 OSX/libsecurity_codesigning/lib/SecCode.h create mode 100644 OSX/libsecurity_codesigning/lib/SecCodeHost.cpp create mode 100644 OSX/libsecurity_codesigning/lib/SecCodeHost.h create mode 100644 OSX/libsecurity_codesigning/lib/SecCodeHostLib.c create mode 100644 OSX/libsecurity_codesigning/lib/SecCodeHostLib.h create mode 100644 OSX/libsecurity_codesigning/lib/SecCodePriv.h create mode 100644 OSX/libsecurity_codesigning/lib/SecCodeSigner.cpp create mode 100644 OSX/libsecurity_codesigning/lib/SecCodeSigner.h create mode 100644 OSX/libsecurity_codesigning/lib/SecIntegrity.cpp create mode 100644 OSX/libsecurity_codesigning/lib/SecIntegrity.h create mode 100644 OSX/libsecurity_codesigning/lib/SecIntegrityLib.c create mode 100644 OSX/libsecurity_codesigning/lib/SecIntegrityLib.h create mode 100644 OSX/libsecurity_codesigning/lib/SecRequirement.cpp create mode 100644 OSX/libsecurity_codesigning/lib/SecRequirement.h create mode 100644 OSX/libsecurity_codesigning/lib/SecRequirementPriv.h create mode 100644 OSX/libsecurity_codesigning/lib/SecStaticCode.cpp create mode 100644 
OSX/libsecurity_codesigning/lib/SecStaticCode.h create mode 100644 OSX/libsecurity_codesigning/lib/SecStaticCodePriv.h create mode 100644 OSX/libsecurity_codesigning/lib/SecTask.c create mode 100644 OSX/libsecurity_codesigning/lib/SecTask.h create mode 100644 OSX/libsecurity_codesigning/lib/SecTaskPriv.h create mode 100644 OSX/libsecurity_codesigning/lib/StaticCode.cpp create mode 100644 OSX/libsecurity_codesigning/lib/StaticCode.h create mode 100644 OSX/libsecurity_codesigning/lib/antlrplugin.cpp create mode 100644 OSX/libsecurity_codesigning/lib/antlrplugin.h create mode 100644 OSX/libsecurity_codesigning/lib/bundlediskrep.cpp create mode 100644 OSX/libsecurity_codesigning/lib/bundlediskrep.h create mode 100644 OSX/libsecurity_codesigning/lib/cdbuilder.cpp create mode 100644 OSX/libsecurity_codesigning/lib/cdbuilder.h create mode 100644 OSX/libsecurity_codesigning/lib/codedirectory.cpp create mode 100644 OSX/libsecurity_codesigning/lib/codedirectory.h create mode 100644 OSX/libsecurity_codesigning/lib/cs.cpp create mode 100644 OSX/libsecurity_codesigning/lib/cs.h create mode 100644 OSX/libsecurity_codesigning/lib/cscdefs.c create mode 100644 OSX/libsecurity_codesigning/lib/cscdefs.h create mode 100644 OSX/libsecurity_codesigning/lib/csdatabase.cpp create mode 100644 OSX/libsecurity_codesigning/lib/csdatabase.h create mode 100644 OSX/libsecurity_codesigning/lib/cserror.cpp create mode 100644 OSX/libsecurity_codesigning/lib/cserror.h create mode 100644 OSX/libsecurity_codesigning/lib/csgeneric.cpp create mode 100644 OSX/libsecurity_codesigning/lib/csgeneric.h create mode 100644 OSX/libsecurity_codesigning/lib/cskernel.cpp create mode 100644 OSX/libsecurity_codesigning/lib/cskernel.h create mode 100644 OSX/libsecurity_codesigning/lib/csprocess.cpp create mode 100644 OSX/libsecurity_codesigning/lib/csprocess.h create mode 100644 OSX/libsecurity_codesigning/lib/csutilities.cpp create mode 100644 OSX/libsecurity_codesigning/lib/csutilities.h create mode 100644 
OSX/libsecurity_codesigning/lib/detachedrep.cpp create mode 100644 OSX/libsecurity_codesigning/lib/detachedrep.h create mode 100644 OSX/libsecurity_codesigning/lib/dirscanner.cpp create mode 100644 OSX/libsecurity_codesigning/lib/dirscanner.h create mode 100644 OSX/libsecurity_codesigning/lib/diskrep.cpp create mode 100644 OSX/libsecurity_codesigning/lib/diskrep.h create mode 100644 OSX/libsecurity_codesigning/lib/drmaker.cpp create mode 100644 OSX/libsecurity_codesigning/lib/drmaker.h create mode 100644 OSX/libsecurity_codesigning/lib/evaluationmanager.cpp create mode 100644 OSX/libsecurity_codesigning/lib/evaluationmanager.h create mode 100644 OSX/libsecurity_codesigning/lib/filediskrep.cpp create mode 100644 OSX/libsecurity_codesigning/lib/filediskrep.h create mode 100644 OSX/libsecurity_codesigning/lib/kerneldiskrep.cpp create mode 100644 OSX/libsecurity_codesigning/lib/kerneldiskrep.h create mode 100644 OSX/libsecurity_codesigning/lib/machorep.cpp create mode 100644 OSX/libsecurity_codesigning/lib/machorep.h create mode 100644 OSX/libsecurity_codesigning/lib/opaquewhitelist.cpp create mode 100644 OSX/libsecurity_codesigning/lib/opaquewhitelist.h create mode 100644 OSX/libsecurity_codesigning/lib/piddiskrep.cpp create mode 100644 OSX/libsecurity_codesigning/lib/piddiskrep.h create mode 100644 OSX/libsecurity_codesigning/lib/policydb.cpp create mode 100644 OSX/libsecurity_codesigning/lib/policydb.h create mode 100644 OSX/libsecurity_codesigning/lib/policyengine.cpp create mode 100644 OSX/libsecurity_codesigning/lib/policyengine.h create mode 100644 OSX/libsecurity_codesigning/lib/quarantine++.cpp create mode 100644 OSX/libsecurity_codesigning/lib/quarantine++.h create mode 100644 OSX/libsecurity_codesigning/lib/reqdumper.cpp create mode 100644 OSX/libsecurity_codesigning/lib/reqdumper.h create mode 100644 OSX/libsecurity_codesigning/lib/reqinterp.cpp create mode 100644 OSX/libsecurity_codesigning/lib/reqinterp.h create mode 100644 
OSX/libsecurity_codesigning/lib/reqmaker.cpp create mode 100644 OSX/libsecurity_codesigning/lib/reqmaker.h create mode 100644 OSX/libsecurity_codesigning/lib/reqparser.cpp create mode 100644 OSX/libsecurity_codesigning/lib/reqparser.h create mode 100644 OSX/libsecurity_codesigning/lib/reqreader.cpp create mode 100644 OSX/libsecurity_codesigning/lib/reqreader.h create mode 100644 OSX/libsecurity_codesigning/lib/requirement.cpp create mode 100644 OSX/libsecurity_codesigning/lib/requirement.h create mode 100644 OSX/libsecurity_codesigning/lib/resources.cpp create mode 100644 OSX/libsecurity_codesigning/lib/resources.h create mode 100644 OSX/libsecurity_codesigning/lib/security_codesigning.d create mode 100644 OSX/libsecurity_codesigning/lib/security_codesigning.exp create mode 100644 OSX/libsecurity_codesigning/lib/sigblob.cpp create mode 100644 OSX/libsecurity_codesigning/lib/sigblob.h create mode 100644 OSX/libsecurity_codesigning/lib/signer.cpp create mode 100644 OSX/libsecurity_codesigning/lib/signer.h create mode 100644 OSX/libsecurity_codesigning/lib/signerutils.cpp create mode 100644 OSX/libsecurity_codesigning/lib/signerutils.h create mode 100644 OSX/libsecurity_codesigning/lib/singlediskrep.cpp create mode 100644 OSX/libsecurity_codesigning/lib/singlediskrep.h create mode 100644 OSX/libsecurity_codesigning/lib/slcrep.cpp create mode 100644 OSX/libsecurity_codesigning/lib/slcrep.h create mode 100644 OSX/libsecurity_codesigning/lib/syspolicy.sql create mode 100644 OSX/libsecurity_codesigning/lib/xar++.cpp create mode 100644 OSX/libsecurity_codesigning/lib/xar++.h create mode 100644 OSX/libsecurity_codesigning/lib/xpcengine.cpp create mode 100644 OSX/libsecurity_codesigning/lib/xpcengine.h create mode 100644 OSX/libsecurity_codesigning/libsecurity_codesigning.xcodeproj/project.pbxproj rename {Security => OSX}/libsecurity_codesigning/req/cfm.ireqs (100%) rename {Security => OSX}/libsecurity_codesigning/req/ppc-host.ireq (100%) rename {Security => 
OSX}/libsecurity_codesigning/requirements.grammar (97%) create mode 100755 OSX/libsecurity_codesigning/update_requirement_syntax rename {Security => OSX}/libsecurity_comcryption/Info-security_comcryption.plist (100%) create mode 100644 OSX/libsecurity_comcryption/lib/comDebug.h create mode 100644 OSX/libsecurity_comcryption/lib/comcryptPriv.c create mode 100644 OSX/libsecurity_comcryption/lib/comcryptPriv.h create mode 100644 OSX/libsecurity_comcryption/lib/comcryption.c create mode 100644 OSX/libsecurity_comcryption/lib/comcryption.h create mode 100644 OSX/libsecurity_comcryption/libsecurity_comcryption.xcodeproj/project.pbxproj rename {Security => OSX}/libsecurity_cryptkit/Info-security_cryptkit.plist (100%) rename {Security => OSX}/libsecurity_cryptkit/ckutils/Makefile (100%) rename {Security => OSX}/libsecurity_cryptkit/ckutils/Makefile.common (100%) rename {Security => OSX}/libsecurity_cryptkit/ckutils/atomTime/Makefile (100%) rename {Security => OSX}/libsecurity_cryptkit/ckutils/atomTime/atomTime.c (100%) rename {Security => OSX}/libsecurity_cryptkit/ckutils/badsig/Makefile (100%) rename {Security => OSX}/libsecurity_cryptkit/ckutils/badsig/badsig.c (100%) rename {Security => OSX}/libsecurity_cryptkit/ckutils/blobtest/Makefile (100%) rename {Security => OSX}/libsecurity_cryptkit/ckutils/blobtest/blobtest.c (100%) rename {Security => OSX}/libsecurity_cryptkit/ckutils/cfileTest/Makefile (100%) rename {Security => OSX}/libsecurity_cryptkit/ckutils/cfileTest/cfileTest.c (100%) rename {Security => OSX}/libsecurity_cryptkit/ckutils/ckutilsPlatform.h (100%) rename {Security => OSX}/libsecurity_cryptkit/ckutils/giantAsmBench/Makefile (100%) rename {Security => OSX}/libsecurity_cryptkit/ckutils/giantAsmBench/giantAsmBench.c (100%) rename {Security => OSX}/libsecurity_cryptkit/ckutils/giantBench/Makefile (100%) rename {Security => OSX}/libsecurity_cryptkit/ckutils/giantBench/giantBench.c (100%) rename {Security => OSX}/libsecurity_cryptkit/ckutils/giantDvt/Makefile 
(100%) rename {Security => OSX}/libsecurity_cryptkit/ckutils/giantDvt/giantDvt.c (100%) rename {Security => OSX}/libsecurity_cryptkit/ckutils/sigTime/Makefile (100%) rename {Security => OSX}/libsecurity_cryptkit/ckutils/sigTime/sigTime.cpp (100%) create mode 100644 OSX/libsecurity_cryptkit/lib/ByteRep.txt create mode 100644 OSX/libsecurity_cryptkit/lib/CipherFileDES.c create mode 100644 OSX/libsecurity_cryptkit/lib/CipherFileDES.h create mode 100644 OSX/libsecurity_cryptkit/lib/CipherFileFEED.c create mode 100644 OSX/libsecurity_cryptkit/lib/CipherFileFEED.h create mode 100644 OSX/libsecurity_cryptkit/lib/CipherFileTypes.h create mode 100644 OSX/libsecurity_cryptkit/lib/Crypt.h create mode 100644 OSX/libsecurity_cryptkit/lib/CryptKit.def create mode 100644 OSX/libsecurity_cryptkit/lib/CryptKit.h create mode 100644 OSX/libsecurity_cryptkit/lib/CryptKitAsn1.cpp create mode 100644 OSX/libsecurity_cryptkit/lib/CryptKitAsn1.h create mode 100644 OSX/libsecurity_cryptkit/lib/CryptKitDER.cpp create mode 100644 OSX/libsecurity_cryptkit/lib/CryptKitDER.h create mode 100644 OSX/libsecurity_cryptkit/lib/CryptKitSA.h create mode 100644 OSX/libsecurity_cryptkit/lib/CurveParamDocs/FEEDaffine.nb create mode 100644 OSX/libsecurity_cryptkit/lib/CurveParamDocs/FEEDsansY.nb create mode 100644 OSX/libsecurity_cryptkit/lib/CurveParamDocs/README create mode 100644 OSX/libsecurity_cryptkit/lib/CurveParamDocs/curvegen.c create mode 100644 OSX/libsecurity_cryptkit/lib/CurveParamDocs/curverecords.nb create mode 100644 OSX/libsecurity_cryptkit/lib/CurveParamDocs/disc.h create mode 100644 OSX/libsecurity_cryptkit/lib/CurveParamDocs/ellproj.c create mode 100644 OSX/libsecurity_cryptkit/lib/CurveParamDocs/ellproj.h create mode 100644 OSX/libsecurity_cryptkit/lib/CurveParamDocs/factor.c create mode 100644 OSX/libsecurity_cryptkit/lib/CurveParamDocs/fmodule.c create mode 100644 OSX/libsecurity_cryptkit/lib/CurveParamDocs/fmodule.h create mode 100644 
OSX/libsecurity_cryptkit/lib/CurveParamDocs/giants.c create mode 100644 OSX/libsecurity_cryptkit/lib/CurveParamDocs/giants.h create mode 100644 OSX/libsecurity_cryptkit/lib/CurveParamDocs/schoof.c create mode 100644 OSX/libsecurity_cryptkit/lib/CurveParamDocs/schoofs.c create mode 100644 OSX/libsecurity_cryptkit/lib/CurveParamDocs/tools.c create mode 100644 OSX/libsecurity_cryptkit/lib/CurveParamDocs/tools.h create mode 100644 OSX/libsecurity_cryptkit/lib/ECDSA_Profile.h create mode 100644 OSX/libsecurity_cryptkit/lib/ECDSA_Verify_Prefix.h create mode 100644 OSX/libsecurity_cryptkit/lib/HmacSha1Legacy.c create mode 100644 OSX/libsecurity_cryptkit/lib/HmacSha1Legacy.h create mode 100644 OSX/libsecurity_cryptkit/lib/Mathematica.FEE create mode 100644 OSX/libsecurity_cryptkit/lib/NSCipherFile.h create mode 100644 OSX/libsecurity_cryptkit/lib/NSCipherFile.m create mode 100644 OSX/libsecurity_cryptkit/lib/NSCryptors.h create mode 100644 OSX/libsecurity_cryptkit/lib/NSDESCryptor.h create mode 100644 OSX/libsecurity_cryptkit/lib/NSDESCryptor.m create mode 100644 OSX/libsecurity_cryptkit/lib/NSFEEPublicKey.h create mode 100644 OSX/libsecurity_cryptkit/lib/NSFEEPublicKey.m create mode 100644 OSX/libsecurity_cryptkit/lib/NSFEEPublicKeyPrivate.h create mode 100644 OSX/libsecurity_cryptkit/lib/NSMD5Hash.h create mode 100644 OSX/libsecurity_cryptkit/lib/NSMD5Hash.m create mode 100644 OSX/libsecurity_cryptkit/lib/NSRandomNumberGenerator.h create mode 100644 OSX/libsecurity_cryptkit/lib/NSRandomNumberGenerator.m create mode 100644 OSX/libsecurity_cryptkit/lib/README create mode 100644 OSX/libsecurity_cryptkit/lib/TOP_README create mode 100644 OSX/libsecurity_cryptkit/lib/buildSrcTree create mode 100644 OSX/libsecurity_cryptkit/lib/byteRep.c create mode 100644 OSX/libsecurity_cryptkit/lib/byteRep.h create mode 100644 OSX/libsecurity_cryptkit/lib/changes create mode 100644 OSX/libsecurity_cryptkit/lib/ckDES.c create mode 100644 OSX/libsecurity_cryptkit/lib/ckDES.h create mode 
100644 OSX/libsecurity_cryptkit/lib/ckMD5.c create mode 100644 OSX/libsecurity_cryptkit/lib/ckMD5.h create mode 100644 OSX/libsecurity_cryptkit/lib/ckSHA1.c create mode 100644 OSX/libsecurity_cryptkit/lib/ckSHA1.h create mode 100644 OSX/libsecurity_cryptkit/lib/ckSHA1_priv.c create mode 100644 OSX/libsecurity_cryptkit/lib/ckSHA1_priv.h create mode 100644 OSX/libsecurity_cryptkit/lib/ckconfig.h create mode 100644 OSX/libsecurity_cryptkit/lib/ckutilities.c create mode 100644 OSX/libsecurity_cryptkit/lib/ckutilities.h create mode 100644 OSX/libsecurity_cryptkit/lib/curveParamData.h create mode 100644 OSX/libsecurity_cryptkit/lib/curveParamDataOld.h create mode 100644 OSX/libsecurity_cryptkit/lib/curveParams.c create mode 100644 OSX/libsecurity_cryptkit/lib/curveParams.h create mode 100644 OSX/libsecurity_cryptkit/lib/elliptic.c create mode 100644 OSX/libsecurity_cryptkit/lib/elliptic.h create mode 100644 OSX/libsecurity_cryptkit/lib/ellipticMeasure.h create mode 100644 OSX/libsecurity_cryptkit/lib/ellipticProj.c create mode 100644 OSX/libsecurity_cryptkit/lib/ellipticProj.h create mode 100644 OSX/libsecurity_cryptkit/lib/enc64.c create mode 100644 OSX/libsecurity_cryptkit/lib/enc64.h create mode 100644 OSX/libsecurity_cryptkit/lib/engineNSA127.c create mode 100644 OSX/libsecurity_cryptkit/lib/falloc.c create mode 100644 OSX/libsecurity_cryptkit/lib/falloc.h create mode 100644 OSX/libsecurity_cryptkit/lib/feeCipherFile.c create mode 100644 OSX/libsecurity_cryptkit/lib/feeCipherFile.h create mode 100644 OSX/libsecurity_cryptkit/lib/feeCipherFileAtom.c create mode 100644 OSX/libsecurity_cryptkit/lib/feeDES.c create mode 100644 OSX/libsecurity_cryptkit/lib/feeDES.h create mode 100644 OSX/libsecurity_cryptkit/lib/feeDebug.h create mode 100644 OSX/libsecurity_cryptkit/lib/feeDigitalSignature.c create mode 100644 OSX/libsecurity_cryptkit/lib/feeDigitalSignature.h create mode 100644 OSX/libsecurity_cryptkit/lib/feeECDSA.c create mode 100644 
OSX/libsecurity_cryptkit/lib/feeECDSA.h create mode 100644 OSX/libsecurity_cryptkit/lib/feeFEED.c create mode 100644 OSX/libsecurity_cryptkit/lib/feeFEED.h create mode 100644 OSX/libsecurity_cryptkit/lib/feeFEEDExp.c create mode 100644 OSX/libsecurity_cryptkit/lib/feeFEEDExp.h create mode 100644 OSX/libsecurity_cryptkit/lib/feeFunctions.h create mode 100644 OSX/libsecurity_cryptkit/lib/feeHash.c create mode 100644 OSX/libsecurity_cryptkit/lib/feeHash.h create mode 100644 OSX/libsecurity_cryptkit/lib/feePublicKey.c create mode 100644 OSX/libsecurity_cryptkit/lib/feePublicKey.h create mode 100644 OSX/libsecurity_cryptkit/lib/feePublicKeyPrivate.h create mode 100644 OSX/libsecurity_cryptkit/lib/feeRandom.c create mode 100644 OSX/libsecurity_cryptkit/lib/feeRandom.h create mode 100644 OSX/libsecurity_cryptkit/lib/feeTypes.h create mode 100644 OSX/libsecurity_cryptkit/lib/giantFFT.c create mode 100644 OSX/libsecurity_cryptkit/lib/giantIntegers.c create mode 100644 OSX/libsecurity_cryptkit/lib/giantIntegers.h create mode 100644 OSX/libsecurity_cryptkit/lib/giantPortCommon.h create mode 100644 OSX/libsecurity_cryptkit/lib/giantPort_Generic.h create mode 100644 OSX/libsecurity_cryptkit/lib/giantPort_PPC.c create mode 100644 OSX/libsecurity_cryptkit/lib/giantPort_PPC.h create mode 100644 OSX/libsecurity_cryptkit/lib/giantPort_PPC_Gnu.h create mode 100644 OSX/libsecurity_cryptkit/lib/giantPort_PPC_Gnu.s create mode 100644 OSX/libsecurity_cryptkit/lib/giantPort_i486.h create mode 100644 OSX/libsecurity_cryptkit/lib/giantPort_i486.s create mode 100644 OSX/libsecurity_cryptkit/lib/mutils.h create mode 100644 OSX/libsecurity_cryptkit/lib/mutils.m create mode 100644 OSX/libsecurity_cryptkit/lib/platform.c create mode 100644 OSX/libsecurity_cryptkit/lib/platform.h create mode 100644 OSX/libsecurity_cryptkit/lib/unixMakefile create mode 100644 OSX/libsecurity_cryptkit/libsecurity_cryptkit.xcodeproj/project.pbxproj rename {Security => OSX}/libsecurity_cssm/APPLE_LICENSE (100%) 
rename {Security => OSX}/libsecurity_cssm/Info-security_cssm.plist (100%) rename {Security => OSX}/libsecurity_cssm/lib/attachfactory.cpp (100%) rename {Security => OSX}/libsecurity_cssm/lib/attachfactory.h (100%) rename {Security => OSX}/libsecurity_cssm/lib/attachment.cpp (100%) rename {Security => OSX}/libsecurity_cssm/lib/attachment.h (100%) rename {Security => OSX}/libsecurity_cssm/lib/certextensions.h (100%) rename {Security => OSX}/libsecurity_cssm/lib/cspattachment.cpp (100%) rename {Security => OSX}/libsecurity_cssm/lib/cspattachment.h (100%) rename {Security => OSX}/libsecurity_cssm/lib/cssm.cpp (100%) rename {Security => OSX}/libsecurity_cssm/lib/cssm.h (100%) rename {Security => OSX}/libsecurity_cssm/lib/cssmaci.h (100%) rename {Security => OSX}/libsecurity_cssm/lib/cssmapi.h (100%) create mode 100644 OSX/libsecurity_cssm/lib/cssmapple.h rename {Security => OSX}/libsecurity_cssm/lib/cssmapplePriv.h (100%) rename {Security => OSX}/libsecurity_cssm/lib/cssmcli.h (100%) rename {Security => OSX}/libsecurity_cssm/lib/cssmconfig.h (100%) rename {Security => OSX}/libsecurity_cssm/lib/cssmcontext.cpp (100%) rename {Security => OSX}/libsecurity_cssm/lib/cssmcontext.h (100%) rename {Security => OSX}/libsecurity_cssm/lib/cssmcspi.h (100%) rename {Security => OSX}/libsecurity_cssm/lib/cssmdli.h (100%) rename {Security => OSX}/libsecurity_cssm/lib/cssmerr.h (100%) rename {Security => OSX}/libsecurity_cssm/lib/cssmint.h (100%) rename {Security => OSX}/libsecurity_cssm/lib/cssmkrapi.h (100%) rename {Security => OSX}/libsecurity_cssm/lib/cssmkrspi.h (100%) rename {Security => OSX}/libsecurity_cssm/lib/cssmmds.cpp (100%) rename {Security => OSX}/libsecurity_cssm/lib/cssmmds.h (100%) rename {Security => OSX}/libsecurity_cssm/lib/cssmspi.h (100%) rename {Security => OSX}/libsecurity_cssm/lib/cssmtpi.h (100%) rename {Security => OSX}/libsecurity_cssm/lib/cssmtype.h (99%) rename {Security => OSX}/libsecurity_cssm/lib/eisl.h (100%) rename {Security => 
OSX}/libsecurity_cssm/lib/emmspi.h (100%) rename {Security => OSX}/libsecurity_cssm/lib/emmtype.h (100%) rename {Security => OSX}/libsecurity_cssm/lib/generator.cfg (100%) rename {Security => OSX}/libsecurity_cssm/lib/generator.mk (100%) rename {Security => OSX}/libsecurity_cssm/lib/generator.pl (100%) rename {Security => OSX}/libsecurity_cssm/lib/guids.cpp (100%) rename {Security => OSX}/libsecurity_cssm/lib/manager.cpp (100%) rename {Security => OSX}/libsecurity_cssm/lib/manager.h (100%) rename {Security => OSX}/libsecurity_cssm/lib/modload_plugin.cpp (100%) rename {Security => OSX}/libsecurity_cssm/lib/modload_plugin.h (100%) rename {Security => OSX}/libsecurity_cssm/lib/modload_static.cpp (100%) rename {Security => OSX}/libsecurity_cssm/lib/modload_static.h (100%) rename {Security => OSX}/libsecurity_cssm/lib/modloader.cpp (100%) rename {Security => OSX}/libsecurity_cssm/lib/modloader.h (100%) rename {Security => OSX}/libsecurity_cssm/lib/module.cpp (100%) rename {Security => OSX}/libsecurity_cssm/lib/module.h (95%) rename {Security => OSX}/libsecurity_cssm/lib/oidsalg.c (100%) rename {Security => OSX}/libsecurity_cssm/lib/oidsbase.h (100%) rename {Security => OSX}/libsecurity_cssm/lib/oidscert.cpp (100%) rename {Security => OSX}/libsecurity_cssm/lib/oidscert.h (100%) rename {Security => OSX}/libsecurity_cssm/lib/oidscrl.cpp (100%) rename {Security => OSX}/libsecurity_cssm/lib/oidscrl.h (100%) rename {Security => OSX}/libsecurity_cssm/lib/security_cssm.exp (100%) rename {Security => OSX}/libsecurity_cssm/lib/transition.cpp (100%) rename {Security => OSX}/libsecurity_cssm/lib/x509defs.h (100%) create mode 100644 OSX/libsecurity_cssm/libsecurity_cssm.xcodeproj/project.pbxproj rename {Security => OSX}/libsecurity_cssm/mds/cssm.mdsinfo (100%) rename {Security => OSX}/libsecurity_filedb/Info-security_filedb.plist (100%) create mode 100644 OSX/libsecurity_filedb/lib/AppleDatabase.cpp create mode 100644 OSX/libsecurity_filedb/lib/AppleDatabase.h create mode 100644 
OSX/libsecurity_filedb/lib/AtomicFile.cpp create mode 100644 OSX/libsecurity_filedb/lib/AtomicFile.h create mode 100644 OSX/libsecurity_filedb/lib/DbIndex.cpp create mode 100644 OSX/libsecurity_filedb/lib/DbIndex.h create mode 100644 OSX/libsecurity_filedb/lib/DbQuery.cpp create mode 100644 OSX/libsecurity_filedb/lib/DbQuery.h create mode 100644 OSX/libsecurity_filedb/lib/DbValue.cpp create mode 100644 OSX/libsecurity_filedb/lib/DbValue.h create mode 100644 OSX/libsecurity_filedb/lib/MetaAttribute.cpp create mode 100644 OSX/libsecurity_filedb/lib/MetaAttribute.h create mode 100644 OSX/libsecurity_filedb/lib/MetaRecord.cpp create mode 100644 OSX/libsecurity_filedb/lib/MetaRecord.h create mode 100644 OSX/libsecurity_filedb/lib/OverUnderflowCheck.h create mode 100644 OSX/libsecurity_filedb/lib/ReadWriteSection.cpp create mode 100644 OSX/libsecurity_filedb/lib/ReadWriteSection.h create mode 100644 OSX/libsecurity_filedb/lib/SelectionPredicate.cpp create mode 100644 OSX/libsecurity_filedb/lib/SelectionPredicate.h create mode 100644 OSX/libsecurity_filedb/libsecurity_filedb.xcodeproj/project.pbxproj rename {Security => OSX}/libsecurity_keychain/APPLE_LICENSE (100%) rename {Security => OSX}/libsecurity_keychain/Info-security_keychain.plist (100%) create mode 100644 OSX/libsecurity_keychain/Security/ACL.cpp create mode 100644 OSX/libsecurity_keychain/Security/ACL.h create mode 100644 OSX/libsecurity_keychain/Security/Access.cpp create mode 100644 OSX/libsecurity_keychain/Security/Access.h rename {Security/sec => OSX/libsecurity_keychain}/Security/AppleBaselineEscrowCertificates.h (100%) create mode 100644 OSX/libsecurity_keychain/Security/CCallbackMgr.cp create mode 100644 OSX/libsecurity_keychain/Security/CCallbackMgr.h create mode 100644 OSX/libsecurity_keychain/Security/Certificate.cpp create mode 100644 OSX/libsecurity_keychain/Security/Certificate.h create mode 100644 OSX/libsecurity_keychain/Security/CertificateRequest.cpp create mode 100644 
OSX/libsecurity_keychain/Security/CertificateRequest.h create mode 100644 OSX/libsecurity_keychain/Security/CertificateValues.cpp create mode 100644 OSX/libsecurity_keychain/Security/CertificateValues.h create mode 100644 OSX/libsecurity_keychain/Security/DLDBListCFPref.cpp create mode 100644 OSX/libsecurity_keychain/Security/DLDBListCFPref.h create mode 100644 OSX/libsecurity_keychain/Security/DynamicDLDBList.cpp create mode 100644 OSX/libsecurity_keychain/Security/DynamicDLDBList.h create mode 100644 OSX/libsecurity_keychain/Security/ExtendedAttribute.cpp create mode 100644 OSX/libsecurity_keychain/Security/ExtendedAttribute.h create mode 100644 OSX/libsecurity_keychain/Security/Globals.cpp create mode 100644 OSX/libsecurity_keychain/Security/Globals.h create mode 100644 OSX/libsecurity_keychain/Security/Identity.cpp create mode 100644 OSX/libsecurity_keychain/Security/Identity.h create mode 100644 OSX/libsecurity_keychain/Security/IdentityCursor.cpp create mode 100644 OSX/libsecurity_keychain/Security/IdentityCursor.h create mode 100644 OSX/libsecurity_keychain/Security/Item.cpp create mode 100644 OSX/libsecurity_keychain/Security/Item.h create mode 100644 OSX/libsecurity_keychain/Security/KCCursor.cpp create mode 100644 OSX/libsecurity_keychain/Security/KCCursor.h create mode 100644 OSX/libsecurity_keychain/Security/KCEventNotifier.cpp create mode 100644 OSX/libsecurity_keychain/Security/KCEventNotifier.h create mode 100644 OSX/libsecurity_keychain/Security/KCExceptions.h create mode 100644 OSX/libsecurity_keychain/Security/KCUtilities.cpp create mode 100644 OSX/libsecurity_keychain/Security/KCUtilities.h create mode 100644 OSX/libsecurity_keychain/Security/KeyItem.cpp create mode 100644 OSX/libsecurity_keychain/Security/KeyItem.h create mode 100644 OSX/libsecurity_keychain/Security/Keychains.cpp create mode 100644 OSX/libsecurity_keychain/Security/Keychains.h create mode 100644 OSX/libsecurity_keychain/Security/MacOSErrorStrings.h create mode 100644 
OSX/libsecurity_keychain/Security/Password.cpp create mode 100644 OSX/libsecurity_keychain/Security/Password.h create mode 100644 OSX/libsecurity_keychain/Security/Policies.cpp create mode 100644 OSX/libsecurity_keychain/Security/Policies.h create mode 100644 OSX/libsecurity_keychain/Security/PolicyCursor.cpp create mode 100644 OSX/libsecurity_keychain/Security/PolicyCursor.h create mode 100644 OSX/libsecurity_keychain/Security/PrimaryKey.cpp create mode 100644 OSX/libsecurity_keychain/Security/PrimaryKey.h create mode 100644 OSX/libsecurity_keychain/Security/SecACL.cpp create mode 100644 OSX/libsecurity_keychain/Security/SecACL.h create mode 100644 OSX/libsecurity_keychain/Security/SecAccess.cpp create mode 100644 OSX/libsecurity_keychain/Security/SecAccess.h create mode 100644 OSX/libsecurity_keychain/Security/SecAccessPriv.h create mode 100644 OSX/libsecurity_keychain/Security/SecAsn1TypesP.h create mode 100644 OSX/libsecurity_keychain/Security/SecBase.cpp create mode 100644 OSX/libsecurity_keychain/Security/SecBase.h create mode 100644 OSX/libsecurity_keychain/Security/SecBase64P.c rename Security/sec/Security/SecBase64.h => OSX/libsecurity_keychain/Security/SecBase64P.h (100%) create mode 100644 OSX/libsecurity_keychain/Security/SecBaseP.h create mode 100644 OSX/libsecurity_keychain/Security/SecBasePriv.h create mode 100644 OSX/libsecurity_keychain/Security/SecBridge.h create mode 100644 OSX/libsecurity_keychain/Security/SecCFTypes.cpp create mode 100644 OSX/libsecurity_keychain/Security/SecCFTypes.h create mode 100644 OSX/libsecurity_keychain/Security/SecCertificate.cpp create mode 100644 OSX/libsecurity_keychain/Security/SecCertificate.h create mode 100644 OSX/libsecurity_keychain/Security/SecCertificateBundle.cpp create mode 100644 OSX/libsecurity_keychain/Security/SecCertificateBundle.h create mode 100644 OSX/libsecurity_keychain/Security/SecCertificateInternalP.h create mode 100644 OSX/libsecurity_keychain/Security/SecCertificateOIDs.h create mode 100644 
OSX/libsecurity_keychain/Security/SecCertificateP.c create mode 100644 OSX/libsecurity_keychain/Security/SecCertificateP.h create mode 100644 OSX/libsecurity_keychain/Security/SecCertificatePriv.h create mode 100644 OSX/libsecurity_keychain/Security/SecCertificatePrivP.h create mode 100644 OSX/libsecurity_keychain/Security/SecCertificateRequest.cpp create mode 100644 OSX/libsecurity_keychain/Security/SecCertificateRequest.h create mode 100644 OSX/libsecurity_keychain/Security/SecExport.cpp create mode 100644 OSX/libsecurity_keychain/Security/SecExternalRep.cpp create mode 100644 OSX/libsecurity_keychain/Security/SecExternalRep.h create mode 100644 OSX/libsecurity_keychain/Security/SecFDERecoveryAsymmetricCrypto.cpp create mode 100644 OSX/libsecurity_keychain/Security/SecFDERecoveryAsymmetricCrypto.h create mode 100644 OSX/libsecurity_keychain/Security/SecFrameworkP.c create mode 100644 OSX/libsecurity_keychain/Security/SecFrameworkP.h create mode 100644 OSX/libsecurity_keychain/Security/SecIdentity.cpp create mode 100644 OSX/libsecurity_keychain/Security/SecIdentity.h create mode 100644 OSX/libsecurity_keychain/Security/SecIdentityPriv.h create mode 100644 OSX/libsecurity_keychain/Security/SecIdentitySearch.cpp create mode 100644 OSX/libsecurity_keychain/Security/SecIdentitySearch.h create mode 100644 OSX/libsecurity_keychain/Security/SecIdentitySearchPriv.h create mode 100644 OSX/libsecurity_keychain/Security/SecImport.cpp create mode 100644 OSX/libsecurity_keychain/Security/SecImportExport.c create mode 100644 OSX/libsecurity_keychain/Security/SecImportExport.h create mode 100644 OSX/libsecurity_keychain/Security/SecImportExportAgg.cpp create mode 100644 OSX/libsecurity_keychain/Security/SecImportExportAgg.h create mode 100644 OSX/libsecurity_keychain/Security/SecImportExportCrypto.cpp create mode 100644 OSX/libsecurity_keychain/Security/SecImportExportCrypto.h create mode 100644 OSX/libsecurity_keychain/Security/SecImportExportOpenSSH.cpp create mode 100644 
OSX/libsecurity_keychain/Security/SecImportExportOpenSSH.h create mode 100644 OSX/libsecurity_keychain/Security/SecImportExportPem.cpp create mode 100644 OSX/libsecurity_keychain/Security/SecImportExportPem.h create mode 100644 OSX/libsecurity_keychain/Security/SecImportExportPkcs8.cpp create mode 100644 OSX/libsecurity_keychain/Security/SecImportExportPkcs8.h create mode 100644 OSX/libsecurity_keychain/Security/SecImportExportUtils.cpp create mode 100644 OSX/libsecurity_keychain/Security/SecImportExportUtils.h create mode 100644 OSX/libsecurity_keychain/Security/SecInternal.h create mode 100644 OSX/libsecurity_keychain/Security/SecInternalP.h create mode 100644 OSX/libsecurity_keychain/Security/SecItem.cpp create mode 100644 OSX/libsecurity_keychain/Security/SecItem.h create mode 100644 OSX/libsecurity_keychain/Security/SecItemConstants.c create mode 100644 OSX/libsecurity_keychain/Security/SecItemPriv.h create mode 100644 OSX/libsecurity_keychain/Security/SecKey.cpp create mode 100644 OSX/libsecurity_keychain/Security/SecKey.h create mode 100644 OSX/libsecurity_keychain/Security/SecKeyPriv.h create mode 100644 OSX/libsecurity_keychain/Security/SecKeychain.cpp create mode 100644 OSX/libsecurity_keychain/Security/SecKeychain.h create mode 100644 OSX/libsecurity_keychain/Security/SecKeychainAddIToolsPassword.cpp create mode 100644 OSX/libsecurity_keychain/Security/SecKeychainItem.cpp create mode 100644 OSX/libsecurity_keychain/Security/SecKeychainItem.h create mode 100644 OSX/libsecurity_keychain/Security/SecKeychainItemExtendedAttributes.cpp create mode 100644 OSX/libsecurity_keychain/Security/SecKeychainItemExtendedAttributes.h create mode 100644 OSX/libsecurity_keychain/Security/SecKeychainItemPriv.h create mode 100644 OSX/libsecurity_keychain/Security/SecKeychainPriv.h create mode 100644 OSX/libsecurity_keychain/Security/SecKeychainSearch.cpp create mode 100644 OSX/libsecurity_keychain/Security/SecKeychainSearch.h create mode 100644 
OSX/libsecurity_keychain/Security/SecKeychainSearchPriv.h create mode 100644 OSX/libsecurity_keychain/Security/SecNetscapeTemplates.cpp create mode 100644 OSX/libsecurity_keychain/Security/SecNetscapeTemplates.h create mode 100644 OSX/libsecurity_keychain/Security/SecPassword.cpp create mode 100644 OSX/libsecurity_keychain/Security/SecPassword.h create mode 100644 OSX/libsecurity_keychain/Security/SecPkcs8Templates.cpp create mode 100644 OSX/libsecurity_keychain/Security/SecPkcs8Templates.h create mode 100644 OSX/libsecurity_keychain/Security/SecPolicy.cpp create mode 100644 OSX/libsecurity_keychain/Security/SecPolicy.h create mode 100644 OSX/libsecurity_keychain/Security/SecPolicyPriv.h create mode 100644 OSX/libsecurity_keychain/Security/SecPolicySearch.cpp create mode 100644 OSX/libsecurity_keychain/Security/SecPolicySearch.h create mode 100644 OSX/libsecurity_keychain/Security/SecRSAKeyP.h create mode 100644 OSX/libsecurity_keychain/Security/SecRandom.c create mode 100644 OSX/libsecurity_keychain/Security/SecRandom.h create mode 100644 OSX/libsecurity_keychain/Security/SecRandomP.h create mode 100644 OSX/libsecurity_keychain/Security/SecRecoveryPassword.c create mode 100644 OSX/libsecurity_keychain/Security/SecRecoveryPassword.h create mode 100644 OSX/libsecurity_keychain/Security/SecTrust.cpp create mode 100644 OSX/libsecurity_keychain/Security/SecTrust.h create mode 100644 OSX/libsecurity_keychain/Security/SecTrustPriv.h create mode 100644 OSX/libsecurity_keychain/Security/SecTrustSettings.cpp create mode 100644 OSX/libsecurity_keychain/Security/SecTrustSettings.h create mode 100644 OSX/libsecurity_keychain/Security/SecTrustSettingsCertificates.h create mode 100644 OSX/libsecurity_keychain/Security/SecTrustSettingsPriv.h create mode 100644 OSX/libsecurity_keychain/Security/SecTrustedApplication.cpp create mode 100644 OSX/libsecurity_keychain/Security/SecTrustedApplication.h create mode 100644 OSX/libsecurity_keychain/Security/SecTrustedApplicationPriv.h 
create mode 100644 OSX/libsecurity_keychain/Security/SecWrappedKeys.cpp create mode 100644 OSX/libsecurity_keychain/Security/Security.h create mode 100644 OSX/libsecurity_keychain/Security/StorageManager.cpp create mode 100644 OSX/libsecurity_keychain/Security/StorageManager.h create mode 100644 OSX/libsecurity_keychain/Security/Trust.cpp create mode 100644 OSX/libsecurity_keychain/Security/Trust.h create mode 100644 OSX/libsecurity_keychain/Security/TrustAdditions.cpp create mode 100644 OSX/libsecurity_keychain/Security/TrustAdditions.h create mode 100644 OSX/libsecurity_keychain/Security/TrustItem.cpp create mode 100644 OSX/libsecurity_keychain/Security/TrustItem.h create mode 100644 OSX/libsecurity_keychain/Security/TrustKeychains.h create mode 100644 OSX/libsecurity_keychain/Security/TrustRevocation.cpp create mode 100644 OSX/libsecurity_keychain/Security/TrustSettings.cpp create mode 100644 OSX/libsecurity_keychain/Security/TrustSettings.h create mode 100644 OSX/libsecurity_keychain/Security/TrustSettingsSchema.h create mode 100644 OSX/libsecurity_keychain/Security/TrustSettingsUtils.cpp create mode 100644 OSX/libsecurity_keychain/Security/TrustSettingsUtils.h create mode 100644 OSX/libsecurity_keychain/Security/TrustStore.cpp create mode 100644 OSX/libsecurity_keychain/Security/TrustStore.h create mode 100644 OSX/libsecurity_keychain/Security/TrustedApplication.cpp create mode 100644 OSX/libsecurity_keychain/Security/TrustedApplication.h create mode 100644 OSX/libsecurity_keychain/Security/UnlockReferralItem.cpp create mode 100644 OSX/libsecurity_keychain/Security/UnlockReferralItem.h create mode 100644 OSX/libsecurity_keychain/Security/certextensionsP.h create mode 100644 OSX/libsecurity_keychain/Security/cssmdatetime.cpp create mode 100644 OSX/libsecurity_keychain/Security/cssmdatetime.h create mode 100644 OSX/libsecurity_keychain/Security/defaultcreds.cpp create mode 100644 OSX/libsecurity_keychain/Security/defaultcreds.h create mode 100644 
OSX/libsecurity_keychain/Security/generateErrStrings.pl create mode 100644 OSX/libsecurity_keychain/Security/security_keychain.exp create mode 100644 OSX/libsecurity_keychain/Security/tsaDERUtilities.c create mode 100644 OSX/libsecurity_keychain/Security/tsaDERUtilities.h create mode 100644 OSX/libsecurity_keychain/lib/ACL.cpp create mode 100644 OSX/libsecurity_keychain/lib/ACL.h create mode 100644 OSX/libsecurity_keychain/lib/Access.cpp create mode 100644 OSX/libsecurity_keychain/lib/Access.h create mode 100644 OSX/libsecurity_keychain/lib/AppleBaselineEscrowCertificates.h create mode 100644 OSX/libsecurity_keychain/lib/CCallbackMgr.cp create mode 100644 OSX/libsecurity_keychain/lib/CCallbackMgr.h create mode 100644 OSX/libsecurity_keychain/lib/Certificate.cpp create mode 100644 OSX/libsecurity_keychain/lib/Certificate.h create mode 100644 OSX/libsecurity_keychain/lib/CertificateRequest.cpp create mode 100644 OSX/libsecurity_keychain/lib/CertificateRequest.h create mode 100644 OSX/libsecurity_keychain/lib/CertificateValues.cpp create mode 100644 OSX/libsecurity_keychain/lib/CertificateValues.h create mode 100644 OSX/libsecurity_keychain/lib/DLDBListCFPref.cpp create mode 100644 OSX/libsecurity_keychain/lib/DLDBListCFPref.h create mode 100644 OSX/libsecurity_keychain/lib/DynamicDLDBList.cpp create mode 100644 OSX/libsecurity_keychain/lib/DynamicDLDBList.h create mode 100644 OSX/libsecurity_keychain/lib/ExtendedAttribute.cpp create mode 100644 OSX/libsecurity_keychain/lib/ExtendedAttribute.h create mode 100644 OSX/libsecurity_keychain/lib/Globals.cpp create mode 100644 OSX/libsecurity_keychain/lib/Globals.h create mode 100644 OSX/libsecurity_keychain/lib/Identity.cpp create mode 100644 OSX/libsecurity_keychain/lib/Identity.h create mode 100644 OSX/libsecurity_keychain/lib/IdentityCursor.cpp create mode 100644 OSX/libsecurity_keychain/lib/IdentityCursor.h create mode 100644 OSX/libsecurity_keychain/lib/Item.cpp create mode 100644 OSX/libsecurity_keychain/lib/Item.h 
create mode 100644 OSX/libsecurity_keychain/lib/KCCursor.cpp create mode 100644 OSX/libsecurity_keychain/lib/KCCursor.h create mode 100644 OSX/libsecurity_keychain/lib/KCEventNotifier.cpp create mode 100644 OSX/libsecurity_keychain/lib/KCEventNotifier.h create mode 100644 OSX/libsecurity_keychain/lib/KCExceptions.h create mode 100644 OSX/libsecurity_keychain/lib/KCUtilities.cpp create mode 100644 OSX/libsecurity_keychain/lib/KCUtilities.h create mode 100644 OSX/libsecurity_keychain/lib/KeyItem.cpp create mode 100644 OSX/libsecurity_keychain/lib/KeyItem.h create mode 100644 OSX/libsecurity_keychain/lib/Keychains.cpp create mode 100644 OSX/libsecurity_keychain/lib/Keychains.h create mode 100644 OSX/libsecurity_keychain/lib/MacOSErrorStrings.h create mode 100644 OSX/libsecurity_keychain/lib/Password.cpp create mode 100644 OSX/libsecurity_keychain/lib/Password.h create mode 100644 OSX/libsecurity_keychain/lib/Policies.cpp create mode 100644 OSX/libsecurity_keychain/lib/Policies.h create mode 100644 OSX/libsecurity_keychain/lib/PolicyCursor.cpp create mode 100644 OSX/libsecurity_keychain/lib/PolicyCursor.h create mode 100644 OSX/libsecurity_keychain/lib/PrimaryKey.cpp create mode 100644 OSX/libsecurity_keychain/lib/PrimaryKey.h create mode 100644 OSX/libsecurity_keychain/lib/SecACL.cpp create mode 100644 OSX/libsecurity_keychain/lib/SecACL.h create mode 100644 OSX/libsecurity_keychain/lib/SecAccess.cpp create mode 100644 OSX/libsecurity_keychain/lib/SecAccess.h create mode 100644 OSX/libsecurity_keychain/lib/SecAccessPriv.h create mode 100644 OSX/libsecurity_keychain/lib/SecAsn1TypesP.h create mode 100644 OSX/libsecurity_keychain/lib/SecBase.cpp create mode 100644 OSX/libsecurity_keychain/lib/SecBase.h create mode 100644 OSX/libsecurity_keychain/lib/SecBase64P.c create mode 100644 OSX/libsecurity_keychain/lib/SecBase64P.h create mode 100644 OSX/libsecurity_keychain/lib/SecBaseP.h create mode 100644 OSX/libsecurity_keychain/lib/SecBasePriv.h create mode 100644 
OSX/libsecurity_keychain/lib/SecBridge.h create mode 100644 OSX/libsecurity_keychain/lib/SecCFTypes.cpp create mode 100644 OSX/libsecurity_keychain/lib/SecCFTypes.h create mode 100644 OSX/libsecurity_keychain/lib/SecCertificate.cpp create mode 100644 OSX/libsecurity_keychain/lib/SecCertificate.h create mode 100644 OSX/libsecurity_keychain/lib/SecCertificateBundle.cpp create mode 100644 OSX/libsecurity_keychain/lib/SecCertificateBundle.h create mode 100644 OSX/libsecurity_keychain/lib/SecCertificateInternalP.h create mode 100644 OSX/libsecurity_keychain/lib/SecCertificateOIDs.h create mode 100644 OSX/libsecurity_keychain/lib/SecCertificateP.c create mode 100644 OSX/libsecurity_keychain/lib/SecCertificateP.h create mode 100644 OSX/libsecurity_keychain/lib/SecCertificatePriv.h create mode 100644 OSX/libsecurity_keychain/lib/SecCertificatePrivP.h create mode 100644 OSX/libsecurity_keychain/lib/SecCertificateRequest.cpp create mode 100644 OSX/libsecurity_keychain/lib/SecCertificateRequest.h create mode 100644 OSX/libsecurity_keychain/lib/SecExport.cpp create mode 100644 OSX/libsecurity_keychain/lib/SecExternalRep.cpp create mode 100644 OSX/libsecurity_keychain/lib/SecExternalRep.h create mode 100644 OSX/libsecurity_keychain/lib/SecFDERecoveryAsymmetricCrypto.cpp create mode 100644 OSX/libsecurity_keychain/lib/SecFDERecoveryAsymmetricCrypto.h create mode 100644 OSX/libsecurity_keychain/lib/SecFrameworkP.c create mode 100644 OSX/libsecurity_keychain/lib/SecFrameworkP.h create mode 100644 OSX/libsecurity_keychain/lib/SecIdentity.cpp create mode 100644 OSX/libsecurity_keychain/lib/SecIdentity.h create mode 100644 OSX/libsecurity_keychain/lib/SecIdentityPriv.h create mode 100644 OSX/libsecurity_keychain/lib/SecIdentitySearch.cpp create mode 100644 OSX/libsecurity_keychain/lib/SecIdentitySearch.h create mode 100644 OSX/libsecurity_keychain/lib/SecIdentitySearchPriv.h create mode 100644 OSX/libsecurity_keychain/lib/SecImport.cpp create mode 100644 
OSX/libsecurity_keychain/lib/SecImportExport.c create mode 100644 OSX/libsecurity_keychain/lib/SecImportExport.h create mode 100644 OSX/libsecurity_keychain/lib/SecImportExportAgg.cpp create mode 100644 OSX/libsecurity_keychain/lib/SecImportExportAgg.h create mode 100644 OSX/libsecurity_keychain/lib/SecImportExportCrypto.cpp create mode 100644 OSX/libsecurity_keychain/lib/SecImportExportCrypto.h create mode 100644 OSX/libsecurity_keychain/lib/SecImportExportOpenSSH.cpp create mode 100644 OSX/libsecurity_keychain/lib/SecImportExportOpenSSH.h create mode 100644 OSX/libsecurity_keychain/lib/SecImportExportPem.cpp create mode 100644 OSX/libsecurity_keychain/lib/SecImportExportPem.h create mode 100644 OSX/libsecurity_keychain/lib/SecImportExportPkcs8.cpp create mode 100644 OSX/libsecurity_keychain/lib/SecImportExportPkcs8.h create mode 100644 OSX/libsecurity_keychain/lib/SecImportExportUtils.cpp create mode 100644 OSX/libsecurity_keychain/lib/SecImportExportUtils.h create mode 100644 OSX/libsecurity_keychain/lib/SecInternal.h create mode 100644 OSX/libsecurity_keychain/lib/SecInternalP.h create mode 100644 OSX/libsecurity_keychain/lib/SecItem.cpp create mode 100644 OSX/libsecurity_keychain/lib/SecItem.h create mode 100644 OSX/libsecurity_keychain/lib/SecItemConstants.c create mode 100644 OSX/libsecurity_keychain/lib/SecItemPriv.h create mode 100644 OSX/libsecurity_keychain/lib/SecKey.cpp create mode 100644 OSX/libsecurity_keychain/lib/SecKey.h create mode 100644 OSX/libsecurity_keychain/lib/SecKeyPriv.h create mode 100644 OSX/libsecurity_keychain/lib/SecKeychain.cpp create mode 100644 OSX/libsecurity_keychain/lib/SecKeychain.h create mode 100644 OSX/libsecurity_keychain/lib/SecKeychainAddIToolsPassword.cpp create mode 100644 OSX/libsecurity_keychain/lib/SecKeychainItem.cpp create mode 100644 OSX/libsecurity_keychain/lib/SecKeychainItem.h create mode 100644 OSX/libsecurity_keychain/lib/SecKeychainItemExtendedAttributes.cpp create mode 100644 
OSX/libsecurity_keychain/lib/SecKeychainItemExtendedAttributes.h create mode 100644 OSX/libsecurity_keychain/lib/SecKeychainItemPriv.h create mode 100644 OSX/libsecurity_keychain/lib/SecKeychainPriv.h create mode 100644 OSX/libsecurity_keychain/lib/SecKeychainSearch.cpp create mode 100644 OSX/libsecurity_keychain/lib/SecKeychainSearch.h create mode 100644 OSX/libsecurity_keychain/lib/SecKeychainSearchPriv.h create mode 100644 OSX/libsecurity_keychain/lib/SecNetscapeTemplates.cpp create mode 100644 OSX/libsecurity_keychain/lib/SecNetscapeTemplates.h create mode 100644 OSX/libsecurity_keychain/lib/SecPassword.cpp create mode 100644 OSX/libsecurity_keychain/lib/SecPassword.h create mode 100644 OSX/libsecurity_keychain/lib/SecPkcs8Templates.cpp create mode 100644 OSX/libsecurity_keychain/lib/SecPkcs8Templates.h create mode 100644 OSX/libsecurity_keychain/lib/SecPolicy.cpp create mode 100644 OSX/libsecurity_keychain/lib/SecPolicy.h create mode 100644 OSX/libsecurity_keychain/lib/SecPolicyPriv.h create mode 100644 OSX/libsecurity_keychain/lib/SecPolicySearch.cpp create mode 100644 OSX/libsecurity_keychain/lib/SecPolicySearch.h create mode 100644 OSX/libsecurity_keychain/lib/SecRSAKeyP.h create mode 100644 OSX/libsecurity_keychain/lib/SecRandom.c create mode 100644 OSX/libsecurity_keychain/lib/SecRandom.h create mode 100644 OSX/libsecurity_keychain/lib/SecRandomP.h create mode 100644 OSX/libsecurity_keychain/lib/SecRecoveryPassword.c create mode 100644 OSX/libsecurity_keychain/lib/SecRecoveryPassword.h create mode 100644 OSX/libsecurity_keychain/lib/SecTrust.cpp create mode 100644 OSX/libsecurity_keychain/lib/SecTrust.h create mode 100644 OSX/libsecurity_keychain/lib/SecTrustPriv.h create mode 100644 OSX/libsecurity_keychain/lib/SecTrustSettings.cpp create mode 100644 OSX/libsecurity_keychain/lib/SecTrustSettings.h create mode 100644 OSX/libsecurity_keychain/lib/SecTrustSettingsCertificates.h create mode 100644 OSX/libsecurity_keychain/lib/SecTrustSettingsPriv.h create 
mode 100644 OSX/libsecurity_keychain/lib/SecTrustedApplication.cpp create mode 100644 OSX/libsecurity_keychain/lib/SecTrustedApplication.h create mode 100644 OSX/libsecurity_keychain/lib/SecTrustedApplicationPriv.h create mode 100644 OSX/libsecurity_keychain/lib/SecWrappedKeys.cpp create mode 100644 OSX/libsecurity_keychain/lib/Security.h create mode 100644 OSX/libsecurity_keychain/lib/StorageManager.cpp create mode 100644 OSX/libsecurity_keychain/lib/StorageManager.h create mode 100644 OSX/libsecurity_keychain/lib/Trust.cpp create mode 100644 OSX/libsecurity_keychain/lib/Trust.h create mode 100644 OSX/libsecurity_keychain/lib/TrustAdditions.cpp create mode 100644 OSX/libsecurity_keychain/lib/TrustAdditions.h create mode 100644 OSX/libsecurity_keychain/lib/TrustItem.cpp create mode 100644 OSX/libsecurity_keychain/lib/TrustItem.h create mode 100644 OSX/libsecurity_keychain/lib/TrustKeychains.h create mode 100644 OSX/libsecurity_keychain/lib/TrustRevocation.cpp create mode 100644 OSX/libsecurity_keychain/lib/TrustSettings.cpp create mode 100644 OSX/libsecurity_keychain/lib/TrustSettings.h create mode 100644 OSX/libsecurity_keychain/lib/TrustSettingsSchema.h create mode 100644 OSX/libsecurity_keychain/lib/TrustSettingsUtils.cpp create mode 100644 OSX/libsecurity_keychain/lib/TrustSettingsUtils.h create mode 100644 OSX/libsecurity_keychain/lib/TrustStore.cpp create mode 100644 OSX/libsecurity_keychain/lib/TrustStore.h create mode 100644 OSX/libsecurity_keychain/lib/TrustedApplication.cpp create mode 100644 OSX/libsecurity_keychain/lib/TrustedApplication.h create mode 100644 OSX/libsecurity_keychain/lib/UnlockReferralItem.cpp create mode 100644 OSX/libsecurity_keychain/lib/UnlockReferralItem.h create mode 100644 OSX/libsecurity_keychain/lib/certextensionsP.h create mode 100644 OSX/libsecurity_keychain/lib/cssmdatetime.cpp create mode 100644 OSX/libsecurity_keychain/lib/cssmdatetime.h create mode 100644 OSX/libsecurity_keychain/lib/defaultcreds.cpp create mode 100644 
OSX/libsecurity_keychain/lib/defaultcreds.h create mode 100644 OSX/libsecurity_keychain/lib/generateErrStrings.pl create mode 100644 OSX/libsecurity_keychain/lib/security_keychain.exp create mode 100644 OSX/libsecurity_keychain/lib/tsaDERUtilities.c create mode 100644 OSX/libsecurity_keychain/lib/tsaDERUtilities.h rename {Security => OSX}/libsecurity_keychain/libDER/README.txt (100%) rename {Security => OSX}/libsecurity_keychain/libDER/Tests/AppleMobilePersonalizedTicket.h (100%) rename {Security => OSX}/libsecurity_keychain/libDER/Tests/DER_Ticket.c (100%) rename {Security => OSX}/libsecurity_keychain/libDER/Tests/DER_Ticket.h (100%) rename {Security => OSX}/libsecurity_keychain/libDER/Tests/certsCrls/EndCertificateCP.01.01.crt (100%) rename {Security => OSX}/libsecurity_keychain/libDER/Tests/certsCrls/Test_CRL_CA1.crl (100%) rename {Security => OSX}/libsecurity_keychain/libDER/Tests/certsCrls/Test_CRL_CA1.crl.pem (100%) rename {Security => OSX}/libsecurity_keychain/libDER/Tests/certsCrls/TrustAnchorCP.01.01.crt (100%) rename {Security => OSX}/libsecurity_keychain/libDER/Tests/certsCrls/TrustAnchorCRLCP.01.01.crl (100%) rename {Security => OSX}/libsecurity_keychain/libDER/Tests/certsCrls/apple_v3.000.cer (100%) rename {Security => OSX}/libsecurity_keychain/libDER/Tests/certsCrls/apple_v3.001.cer (100%) rename {Security => OSX}/libsecurity_keychain/libDER/Tests/certsCrls/entrust_v3.100.cer (100%) rename {Security => OSX}/libsecurity_keychain/libDER/Tests/certsCrls/entrust_v3.101.cer (100%) rename {Security => OSX}/libsecurity_keychain/libDER/Tests/certsCrls/keybank_v3.100.cer (100%) rename {Security => OSX}/libsecurity_keychain/libDER/Tests/certsCrls/keybank_v3.101.cer (100%) rename {Security => OSX}/libsecurity_keychain/libDER/Tests/certsCrls/keybank_v3.102.cer (100%) rename {Security => OSX}/libsecurity_keychain/libDER/Tests/parseCert.c (100%) rename {Security => OSX}/libsecurity_keychain/libDER/Tests/parseCrl.c (100%) rename {Security => 
OSX}/libsecurity_keychain/libDER/Tests/parseTicket.c (100%) rename {Security => OSX}/libsecurity_keychain/libDER/config/base.xcconfig (100%) rename {Security => OSX}/libsecurity_keychain/libDER/config/debug.xcconfig (100%) rename {Security => OSX}/libsecurity_keychain/libDER/config/lib.xcconfig (100%) rename {Security => OSX}/libsecurity_keychain/libDER/config/release.xcconfig (100%) create mode 100644 OSX/libsecurity_keychain/libDER/libDER.xcodeproj/project.pbxproj rename {Security => OSX}/libsecurity_keychain/libDER/libDER/DER_CertCrl.c (90%) rename {Security => OSX}/libsecurity_keychain/libDER/libDER/DER_CertCrl.h (92%) rename {Security => OSX}/libsecurity_keychain/libDER/libDER/DER_Decode.c (100%) rename {Security => OSX}/libsecurity_keychain/libDER/libDER/DER_Decode.h (100%) rename {Security => OSX}/libsecurity_keychain/libDER/libDER/DER_Digest.c (100%) rename {Security => OSX}/libsecurity_keychain/libDER/libDER/DER_Digest.h (100%) rename {Security => OSX}/libsecurity_keychain/libDER/libDER/DER_Encode.c (100%) rename {Security => OSX}/libsecurity_keychain/libDER/libDER/DER_Encode.h (100%) rename {Security => OSX}/libsecurity_keychain/libDER/libDER/DER_Keys.c (100%) rename {Security => OSX}/libsecurity_keychain/libDER/libDER/DER_Keys.h (100%) rename {Security => OSX}/libsecurity_keychain/libDER/libDER/asn1Types.h (100%) rename {Security => OSX}/libsecurity_keychain/libDER/libDER/libDER.h (95%) rename {Security => OSX}/libsecurity_keychain/libDER/libDER/libDER_config.h (97%) create mode 100644 OSX/libsecurity_keychain/libDER/libDER/oids.c create mode 100644 OSX/libsecurity_keychain/libDER/libDER/oids.h create mode 100644 OSX/libsecurity_keychain/libDER/libDER/oidsPriv.h rename {Security => OSX}/libsecurity_keychain/libDER/libDERUtils/fileIo.c (100%) rename {Security => OSX}/libsecurity_keychain/libDER/libDERUtils/fileIo.h (100%) rename {Security => OSX}/libsecurity_keychain/libDER/libDERUtils/libDERUtils.c (100%) rename {Security => 
OSX}/libsecurity_keychain/libDER/libDERUtils/libDERUtils.h (100%) rename {Security => OSX}/libsecurity_keychain/libDER/libDERUtils/printFields.c (99%) rename {Security => OSX}/libsecurity_keychain/libDER/libDERUtils/printFields.h (100%) create mode 100644 OSX/libsecurity_keychain/libsecurity_keychain.xcodeproj/project.pbxproj rename {Security => OSX}/libsecurity_keychain/plist/iToolsTrustedApps.plist (100%) rename {Security => OSX}/libsecurity_keychain/regressions/kc-40-seckey.c (99%) create mode 100644 OSX/libsecurity_keychain/regressions/kc-41-sececkey.c create mode 100644 OSX/libsecurity_keychain/regressions/kc-42-trust-revocation.c rename {Security => OSX}/libsecurity_keychain/regressions/keychain_regressions.h (88%) rename {Security => OSX}/libsecurity_keychain/regressions/si-33-keychain-backup.c (100%) create mode 100644 OSX/libsecurity_keychain/regressions/si-34-one-true-keychain.c rename {Security => OSX}/libsecurity_keychain/xpc-tsa/XPCTimeStampingService-Info.plist (100%) rename {Security => OSX}/libsecurity_keychain/xpc-tsa/main-tsa.m (100%) rename {Security => OSX}/libsecurity_keychain/xpc-tsa/timestampclient.h (100%) rename {Security => OSX}/libsecurity_keychain/xpc-tsa/timestampclient.m (100%) rename {Security => OSX}/libsecurity_keychain/xpc/XPCKeychainSandboxCheck-Info.plist (100%) rename {Security => OSX}/libsecurity_keychain/xpc/main.c (100%) rename {Security => OSX}/libsecurity_manifest/APPLE_LICENSE (100%) rename {Security => OSX}/libsecurity_manifest/Info-security_manifest.plist (100%) rename {Security => OSX}/libsecurity_manifest/lib/AppleManifest.cpp (100%) rename {Security => OSX}/libsecurity_manifest/lib/AppleManifest.h (100%) rename {Security => OSX}/libsecurity_manifest/lib/Download.cpp (100%) rename {Security => OSX}/libsecurity_manifest/lib/Download.h (100%) rename {Security => OSX}/libsecurity_manifest/lib/Manifest.cpp (100%) rename {Security => OSX}/libsecurity_manifest/lib/Manifest.h (100%) rename {Security => 
OSX}/libsecurity_manifest/lib/ManifestInternal.cpp (100%) rename {Security => OSX}/libsecurity_manifest/lib/ManifestInternal.h (100%) rename {Security => OSX}/libsecurity_manifest/lib/ManifestSigner.cpp (100%) rename {Security => OSX}/libsecurity_manifest/lib/ManifestSigner.h (100%) rename {Security => OSX}/libsecurity_manifest/lib/SecManifest.cpp (100%) rename {Security => OSX}/libsecurity_manifest/lib/SecManifest.h (100%) rename {Security => OSX}/libsecurity_manifest/lib/SecureDownload.cpp (100%) rename {Security => OSX}/libsecurity_manifest/lib/SecureDownload.h (100%) rename {Security => OSX}/libsecurity_manifest/lib/SecureDownloadInternal.c (100%) rename {Security => OSX}/libsecurity_manifest/lib/SecureDownloadInternal.h (100%) rename {Security => OSX}/libsecurity_manifest/lib/security_manifest.exp (100%) create mode 100644 OSX/libsecurity_manifest/libsecurity_manifest.xcodeproj/project.pbxproj rename {Security => OSX}/libsecurity_mds/Info-security_mds.plist (100%) rename {Security => OSX}/libsecurity_mds/README (100%) rename {Security => OSX}/libsecurity_mds/lib/MDSAttrParser.cpp (100%) rename {Security => OSX}/libsecurity_mds/lib/MDSAttrParser.h (100%) rename {Security => OSX}/libsecurity_mds/lib/MDSAttrStrings.cpp (100%) rename {Security => OSX}/libsecurity_mds/lib/MDSAttrStrings.h (100%) rename {Security => OSX}/libsecurity_mds/lib/MDSAttrUtils.cpp (100%) rename {Security => OSX}/libsecurity_mds/lib/MDSAttrUtils.h (100%) rename {Security => OSX}/libsecurity_mds/lib/MDSDatabase.cpp (100%) rename {Security => OSX}/libsecurity_mds/lib/MDSDatabase.h (100%) rename {Security => OSX}/libsecurity_mds/lib/MDSDictionary.cpp (100%) rename {Security => OSX}/libsecurity_mds/lib/MDSDictionary.h (100%) rename {Security => OSX}/libsecurity_mds/lib/MDSModule.cpp (100%) rename {Security => OSX}/libsecurity_mds/lib/MDSModule.h (100%) rename {Security => OSX}/libsecurity_mds/lib/MDSPrefs.cpp (100%) rename {Security => OSX}/libsecurity_mds/lib/MDSPrefs.h (100%) rename {Security 
=> OSX}/libsecurity_mds/lib/MDSSchema.cpp (100%) rename {Security => OSX}/libsecurity_mds/lib/MDSSchema.h (100%) rename {Security => OSX}/libsecurity_mds/lib/MDSSession.cpp (98%) rename {Security => OSX}/libsecurity_mds/lib/MDSSession.h (100%) rename {Security => OSX}/libsecurity_mds/lib/mds.h (100%) rename {Security => OSX}/libsecurity_mds/lib/mds_schema.h (100%) rename {Security => OSX}/libsecurity_mds/lib/mdsapi.cpp (100%) rename {Security => OSX}/libsecurity_mds/lib/mdspriv.h (100%) rename {Security => OSX}/libsecurity_mds/lib/security_mds.exp (100%) create mode 100644 OSX/libsecurity_mds/libsecurity_mds.xcodeproj/project.pbxproj rename {Security => OSX}/libsecurity_ocspd/Info-security_ocspd.plist (100%) rename {Security => OSX}/libsecurity_ocspd/client/ocspdClient.cpp (100%) create mode 100644 OSX/libsecurity_ocspd/client/ocspdClient.h create mode 100644 OSX/libsecurity_ocspd/common/ocspExtensions.cpp create mode 100644 OSX/libsecurity_ocspd/common/ocspExtensions.h create mode 100644 OSX/libsecurity_ocspd/common/ocspResponse.cpp create mode 100644 OSX/libsecurity_ocspd/common/ocspResponse.h create mode 100644 OSX/libsecurity_ocspd/common/ocspdClient.h create mode 100644 OSX/libsecurity_ocspd/common/ocspdDbSchema.cpp create mode 100644 OSX/libsecurity_ocspd/common/ocspdDbSchema.h create mode 100644 OSX/libsecurity_ocspd/common/ocspdDebug.h create mode 100644 OSX/libsecurity_ocspd/common/ocspdTypes.h create mode 100644 OSX/libsecurity_ocspd/common/ocspdUtils.cpp create mode 100644 OSX/libsecurity_ocspd/common/ocspdUtils.h create mode 100644 OSX/libsecurity_ocspd/libsecurity_ocspd.xcodeproj/project.pbxproj rename {Security => OSX}/libsecurity_ocspd/mig/mig.mk (100%) rename {Security => OSX}/libsecurity_ocspd/mig/ocspd.defs (100%) rename {Security => OSX}/libsecurity_pkcs12/APPLE_LICENSE (100%) rename {Security => OSX}/libsecurity_pkcs12/Info-security_pkcs12.plist (100%) create mode 100644 OSX/libsecurity_pkcs12/lib/SecPkcs12.cpp create mode 100644 
OSX/libsecurity_pkcs12/lib/SecPkcs12.h create mode 100644 OSX/libsecurity_pkcs12/lib/pkcs12BagAttrs.cpp create mode 100644 OSX/libsecurity_pkcs12/lib/pkcs12BagAttrs.h create mode 100644 OSX/libsecurity_pkcs12/lib/pkcs12Coder.cpp create mode 100644 OSX/libsecurity_pkcs12/lib/pkcs12Coder.h create mode 100644 OSX/libsecurity_pkcs12/lib/pkcs12Crypto.cpp create mode 100644 OSX/libsecurity_pkcs12/lib/pkcs12Crypto.h create mode 100644 OSX/libsecurity_pkcs12/lib/pkcs12Debug.h create mode 100644 OSX/libsecurity_pkcs12/lib/pkcs12Decode.cpp create mode 100644 OSX/libsecurity_pkcs12/lib/pkcs12Encode.cpp create mode 100644 OSX/libsecurity_pkcs12/lib/pkcs12Keychain.cpp create mode 100644 OSX/libsecurity_pkcs12/lib/pkcs12SafeBag.cpp create mode 100644 OSX/libsecurity_pkcs12/lib/pkcs12SafeBag.h create mode 100644 OSX/libsecurity_pkcs12/lib/pkcs12Templates.cpp create mode 100644 OSX/libsecurity_pkcs12/lib/pkcs12Templates.h create mode 100644 OSX/libsecurity_pkcs12/lib/pkcs12Utils.cpp create mode 100644 OSX/libsecurity_pkcs12/lib/pkcs12Utils.h create mode 100644 OSX/libsecurity_pkcs12/lib/pkcs7Templates.cpp create mode 100644 OSX/libsecurity_pkcs12/lib/pkcs7Templates.h create mode 100644 OSX/libsecurity_pkcs12/lib/pkcsoids.cpp create mode 100644 OSX/libsecurity_pkcs12/lib/pkcsoids.h create mode 100644 OSX/libsecurity_pkcs12/libsecurity_pkcs12.xcodeproj/project.pbxproj rename {Security => OSX}/libsecurity_sd_cspdl/APPLE_LICENSE (100%) rename {Security => OSX}/libsecurity_sd_cspdl/Info-security_sd_cspdl.plist (100%) rename {Security => OSX}/libsecurity_sd_cspdl/lib/SDCSPDLBuiltin.cpp (100%) rename {Security => OSX}/libsecurity_sd_cspdl/lib/SDCSPDLDatabase.cpp (100%) rename {Security => OSX}/libsecurity_sd_cspdl/lib/SDCSPDLDatabase.h (100%) rename {Security => OSX}/libsecurity_sd_cspdl/lib/SDCSPDLPlugin.cpp (100%) rename {Security => OSX}/libsecurity_sd_cspdl/lib/SDCSPDLPlugin.h (100%) rename {Security => OSX}/libsecurity_sd_cspdl/lib/SDCSPDLSession.cpp (100%) rename {Security => 
OSX}/libsecurity_sd_cspdl/lib/SDCSPDLSession.h (100%) rename {Security => OSX}/libsecurity_sd_cspdl/lib/SDCSPSession.cpp (99%) rename {Security => OSX}/libsecurity_sd_cspdl/lib/SDCSPSession.h (100%) rename {Security => OSX}/libsecurity_sd_cspdl/lib/SDContext.cpp (100%) rename {Security => OSX}/libsecurity_sd_cspdl/lib/SDContext.h (100%) rename {Security => OSX}/libsecurity_sd_cspdl/lib/SDDLSession.cpp (100%) rename {Security => OSX}/libsecurity_sd_cspdl/lib/SDDLSession.h (100%) rename {Security => OSX}/libsecurity_sd_cspdl/lib/SDFactory.cpp (100%) rename {Security => OSX}/libsecurity_sd_cspdl/lib/SDFactory.h (100%) rename {Security => OSX}/libsecurity_sd_cspdl/lib/SDKey.cpp (100%) rename {Security => OSX}/libsecurity_sd_cspdl/lib/SDKey.h (100%) create mode 100644 OSX/libsecurity_sd_cspdl/libsecurity_sd_cspdl.xcodeproj/project.pbxproj rename {Security => OSX}/libsecurity_sd_cspdl/mds/sd_cspdl_common.mdsinfo (100%) rename {Security => OSX}/libsecurity_smime/APPLE_LICENSE (100%) rename {Security => OSX}/libsecurity_smime/Info-security_smime.plist (100%) rename {Security => OSX}/libsecurity_smime/TODO (100%) rename {Security => OSX}/libsecurity_smime/docs/libsecurity_smime.plist (100%) rename {Security => OSX}/libsecurity_smime/docs/libsecurity_smime.txt (100%) create mode 100644 OSX/libsecurity_smime/lib/SecCMS.c create mode 100644 OSX/libsecurity_smime/lib/SecCMS.h create mode 100644 OSX/libsecurity_smime/lib/SecCmsBase.h create mode 100644 OSX/libsecurity_smime/lib/SecCmsContentInfo.h create mode 100644 OSX/libsecurity_smime/lib/SecCmsDecoder.h create mode 100644 OSX/libsecurity_smime/lib/SecCmsDigestContext.h create mode 100644 OSX/libsecurity_smime/lib/SecCmsDigestedData.h create mode 100644 OSX/libsecurity_smime/lib/SecCmsEncoder.h create mode 100644 OSX/libsecurity_smime/lib/SecCmsEncryptedData.h create mode 100644 OSX/libsecurity_smime/lib/SecCmsEnvelopedData.h create mode 100644 OSX/libsecurity_smime/lib/SecCmsMessage.h create mode 100644 
OSX/libsecurity_smime/lib/SecCmsRecipientInfo.h create mode 100644 OSX/libsecurity_smime/lib/SecCmsSignedData.h create mode 100644 OSX/libsecurity_smime/lib/SecCmsSignerInfo.h create mode 100644 OSX/libsecurity_smime/lib/SecSMIME.h create mode 100644 OSX/libsecurity_smime/lib/SecSMIMEPriv.h create mode 100644 OSX/libsecurity_smime/lib/cert.c create mode 100644 OSX/libsecurity_smime/lib/cert.h create mode 100644 OSX/libsecurity_smime/lib/cmsarray.c create mode 100644 OSX/libsecurity_smime/lib/cmsasn1.c create mode 100644 OSX/libsecurity_smime/lib/cmsattr.c create mode 100644 OSX/libsecurity_smime/lib/cmscinfo.c create mode 100644 OSX/libsecurity_smime/lib/cmscipher.c create mode 100644 OSX/libsecurity_smime/lib/cmsdecode.c create mode 100644 OSX/libsecurity_smime/lib/cmsdigdata.c create mode 100644 OSX/libsecurity_smime/lib/cmsdigest.c create mode 100644 OSX/libsecurity_smime/lib/cmsencdata.c create mode 100644 OSX/libsecurity_smime/lib/cmsencode.c create mode 100644 OSX/libsecurity_smime/lib/cmsenvdata.c create mode 100644 OSX/libsecurity_smime/lib/cmslocal.h create mode 100644 OSX/libsecurity_smime/lib/cmsmessage.c create mode 100644 OSX/libsecurity_smime/lib/cmspriv.h create mode 100644 OSX/libsecurity_smime/lib/cmspubkey.c create mode 100644 OSX/libsecurity_smime/lib/cmsrecinfo.c create mode 100644 OSX/libsecurity_smime/lib/cmsreclist.c create mode 100644 OSX/libsecurity_smime/lib/cmsreclist.h create mode 100644 OSX/libsecurity_smime/lib/cmssigdata.c create mode 100644 OSX/libsecurity_smime/lib/cmssiginfo.c create mode 100644 OSX/libsecurity_smime/lib/cmstpriv.h create mode 100644 OSX/libsecurity_smime/lib/cmsutil.c create mode 100644 OSX/libsecurity_smime/lib/cryptohi.c create mode 100644 OSX/libsecurity_smime/lib/cryptohi.h create mode 100644 OSX/libsecurity_smime/lib/plhash.c create mode 100644 OSX/libsecurity_smime/lib/plhash.h create mode 100644 OSX/libsecurity_smime/lib/secalgid.c create mode 100644 OSX/libsecurity_smime/lib/secitem.c create mode 100644 
OSX/libsecurity_smime/lib/secitem.h create mode 100644 OSX/libsecurity_smime/lib/secoid.c create mode 100644 OSX/libsecurity_smime/lib/secoid.h create mode 100644 OSX/libsecurity_smime/lib/secoidt.h create mode 100644 OSX/libsecurity_smime/lib/security_smime.exp create mode 100644 OSX/libsecurity_smime/lib/siginfoUtils.cpp create mode 100644 OSX/libsecurity_smime/lib/smimeutil.c create mode 100755 OSX/libsecurity_smime/lib/testcms create mode 100644 OSX/libsecurity_smime/lib/tsaSupport.c create mode 100644 OSX/libsecurity_smime/lib/tsaSupport.h create mode 100644 OSX/libsecurity_smime/lib/tsaSupportPriv.h create mode 100644 OSX/libsecurity_smime/lib/tsaTemplates.c create mode 100644 OSX/libsecurity_smime/lib/tsaTemplates.h create mode 100644 OSX/libsecurity_smime/libsecurity_smime.xcodeproj/project.pbxproj rename {Security => OSX}/libsecurity_smime/regressions/smime-cms-test.c (99%) rename {Security => OSX}/libsecurity_smime/regressions/smime_regressions.h (100%) rename {Security => OSX}/libsecurity_ssl/Info-security_ssl.plist (100%) rename {Security => OSX}/libsecurity_ssl/README (100%) create mode 100644 OSX/libsecurity_ssl/Security/CipherSuite.h create mode 100644 OSX/libsecurity_ssl/Security/SSLRecordInternal.c create mode 100644 OSX/libsecurity_ssl/Security/SSLRecordInternal.h create mode 100644 OSX/libsecurity_ssl/Security/SecureTransport.h create mode 100644 OSX/libsecurity_ssl/Security/SecureTransportPriv.h rename {Security/libsecurity_ssl/lib => OSX/libsecurity_ssl/Security}/appleSession.c (100%) rename {Security/libsecurity_ssl/lib => OSX/libsecurity_ssl/Security}/appleSession.h (100%) rename {Security/libsecurity_ssl/lib => OSX/libsecurity_ssl/Security}/cipherSpecs.h (100%) create mode 100644 OSX/libsecurity_ssl/Security/security_ssl.exp rename {Security/libsecurity_ssl/lib => OSX/libsecurity_ssl/Security}/ssl.h (100%) rename {Security/libsecurity_ssl/lib => OSX/libsecurity_ssl/Security}/sslBuildFlags.h (100%) create mode 100644 
OSX/libsecurity_ssl/Security/sslCipherSpecs.c rename {Security/libsecurity_ssl/lib => OSX/libsecurity_ssl/Security}/sslCipherSpecs.h (100%) create mode 100644 OSX/libsecurity_ssl/Security/sslContext.c create mode 100644 OSX/libsecurity_ssl/Security/sslContext.h create mode 100644 OSX/libsecurity_ssl/Security/sslCrypto.c create mode 100644 OSX/libsecurity_ssl/Security/sslCrypto.h rename {Security/libsecurity_ssl/lib => OSX/libsecurity_ssl/Security}/sslDebug.h (100%) create mode 100644 OSX/libsecurity_ssl/Security/sslKeychain.c rename {Security/libsecurity_ssl/lib => OSX/libsecurity_ssl/Security}/sslKeychain.h (100%) rename {Security/libsecurity_ssl/lib => OSX/libsecurity_ssl/Security}/sslMemory.c (100%) rename {Security/libsecurity_ssl/lib => OSX/libsecurity_ssl/Security}/sslMemory.h (100%) create mode 100644 OSX/libsecurity_ssl/Security/sslPriv.h create mode 100644 OSX/libsecurity_ssl/Security/sslRecord.c rename {Security/libsecurity_ssl/lib => OSX/libsecurity_ssl/Security}/sslRecord.h (100%) create mode 100644 OSX/libsecurity_ssl/Security/sslTransport.c rename {Security/libsecurity_ssl/lib => OSX/libsecurity_ssl/Security}/sslTypes.h (100%) rename {Security/libsecurity_ssl/lib => OSX/libsecurity_ssl/Security}/sslUtils.c (100%) rename {Security/libsecurity_ssl/lib => OSX/libsecurity_ssl/Security}/sslUtils.h (100%) create mode 100644 OSX/libsecurity_ssl/Security/tlsCallbacks.c rename {Security/libsecurity_ssl/lib => OSX/libsecurity_ssl/Security}/tlsCallbacks.h (100%) create mode 100644 OSX/libsecurity_ssl/Security/tls_record_internal.h create mode 100644 OSX/libsecurity_ssl/config/base.xcconfig rename {Security => OSX}/libsecurity_ssl/config/debug.xcconfig (100%) rename {Security => OSX}/libsecurity_ssl/config/kext.xcconfig (100%) rename {Security => OSX}/libsecurity_ssl/config/lib.xcconfig (100%) rename {Security => OSX}/libsecurity_ssl/config/release.xcconfig (100%) rename {Security => OSX}/libsecurity_ssl/config/tests.xcconfig (100%) rename {Security => 
OSX}/libsecurity_ssl/dtlsEcho/README (100%) rename {Security => OSX}/libsecurity_ssl/dtlsEcho/dtlsEchoClient.c (100%) rename {Security => OSX}/libsecurity_ssl/dtlsEcho/dtlsEchoServer.c (100%) create mode 100644 OSX/libsecurity_ssl/lib/CipherSuite.h create mode 100644 OSX/libsecurity_ssl/lib/SSLRecordInternal.c create mode 100644 OSX/libsecurity_ssl/lib/SSLRecordInternal.h create mode 100644 OSX/libsecurity_ssl/lib/SecureTransport.h create mode 100644 OSX/libsecurity_ssl/lib/SecureTransportPriv.h create mode 100644 OSX/libsecurity_ssl/lib/appleSession.c create mode 100644 OSX/libsecurity_ssl/lib/appleSession.h create mode 100644 OSX/libsecurity_ssl/lib/cipherSpecs.h create mode 100644 OSX/libsecurity_ssl/lib/security_ssl.exp create mode 100644 OSX/libsecurity_ssl/lib/ssl.h create mode 100644 OSX/libsecurity_ssl/lib/sslBuildFlags.h create mode 100644 OSX/libsecurity_ssl/lib/sslCipherSpecs.c create mode 100644 OSX/libsecurity_ssl/lib/sslCipherSpecs.h create mode 100644 OSX/libsecurity_ssl/lib/sslContext.c create mode 100644 OSX/libsecurity_ssl/lib/sslContext.h create mode 100644 OSX/libsecurity_ssl/lib/sslCrypto.c create mode 100644 OSX/libsecurity_ssl/lib/sslCrypto.h create mode 100644 OSX/libsecurity_ssl/lib/sslDebug.h create mode 100644 OSX/libsecurity_ssl/lib/sslKeychain.c create mode 100644 OSX/libsecurity_ssl/lib/sslKeychain.h create mode 100644 OSX/libsecurity_ssl/lib/sslMemory.c create mode 100644 OSX/libsecurity_ssl/lib/sslMemory.h create mode 100644 OSX/libsecurity_ssl/lib/sslPriv.h create mode 100644 OSX/libsecurity_ssl/lib/sslRecord.c create mode 100644 OSX/libsecurity_ssl/lib/sslRecord.h create mode 100644 OSX/libsecurity_ssl/lib/sslTransport.c create mode 100644 OSX/libsecurity_ssl/lib/sslTypes.h create mode 100644 OSX/libsecurity_ssl/lib/sslUtils.c create mode 100644 OSX/libsecurity_ssl/lib/sslUtils.h create mode 100644 OSX/libsecurity_ssl/lib/tlsCallbacks.c create mode 100644 OSX/libsecurity_ssl/lib/tlsCallbacks.h create mode 100644 
OSX/libsecurity_ssl/lib/tls_record_internal.h create mode 100644 OSX/libsecurity_ssl/libsecurity_ssl.xcodeproj/project.pbxproj rename {Security => OSX}/libsecurity_ssl/regressions/ClientCert_ecc_ecc.h (100%) rename {Security => OSX}/libsecurity_ssl/regressions/ClientCert_ecc_rsa.h (100%) rename {Security => OSX}/libsecurity_ssl/regressions/ClientCert_rsa_ecc.h (100%) rename {Security => OSX}/libsecurity_ssl/regressions/ClientCert_rsa_rsa.h (100%) rename {Security => OSX}/libsecurity_ssl/regressions/ClientKey_ecc.h (100%) rename {Security => OSX}/libsecurity_ssl/regressions/ClientKey_rsa.h (100%) create mode 100755 OSX/libsecurity_ssl/regressions/CreateCerts.sh rename {Security => OSX}/libsecurity_ssl/regressions/SECG_ecc-secp256r1-client_cert.h (100%) rename {Security => OSX}/libsecurity_ssl/regressions/SECG_ecc-secp256r1-client_key.h (100%) rename {Security => OSX}/libsecurity_ssl/regressions/SECG_ecc_rsa-secp256r1-client_cert.h (100%) rename {Security => OSX}/libsecurity_ssl/regressions/SECG_ecc_rsa-secp256r1-client_key.h (100%) rename {Security => OSX}/libsecurity_ssl/regressions/cert-1.h (100%) create mode 100755 OSX/libsecurity_ssl/regressions/gencerts.sh rename {Security => OSX}/libsecurity_ssl/regressions/identity-1.h (100%) rename {Security => OSX}/libsecurity_ssl/regressions/privkey-1.h (100%) rename {Security => OSX}/libsecurity_ssl/regressions/ssl-39-echo.c (100%) rename {Security => OSX}/libsecurity_ssl/regressions/ssl-40-clientauth.c (100%) rename {Security => OSX}/libsecurity_ssl/regressions/ssl-41-clientauth.c (100%) create mode 100644 OSX/libsecurity_ssl/regressions/ssl-42-ciphers.c rename {Security => OSX}/libsecurity_ssl/regressions/ssl-43-ciphers.c (93%) rename {Security => OSX}/libsecurity_ssl/regressions/ssl-44-crashes.c (86%) rename {Security => OSX}/libsecurity_ssl/regressions/ssl-45-tls12.c (80%) rename {Security => OSX}/libsecurity_ssl/regressions/ssl-46-SSLGetSupportedCiphers.c (77%) rename {Security => 
OSX}/libsecurity_ssl/regressions/ssl-47-falsestart.c (100%) rename {Security => OSX}/libsecurity_ssl/regressions/ssl-48-split.c (96%) create mode 100644 OSX/libsecurity_ssl/regressions/ssl-49-sni.c rename {Security => OSX}/libsecurity_ssl/regressions/ssl-50-server.c (100%) rename {Security => OSX}/libsecurity_ssl/regressions/ssl-51-state.c (98%) create mode 100644 OSX/libsecurity_ssl/regressions/ssl-52-noconn.c create mode 100644 OSX/libsecurity_ssl/regressions/ssl-53-clientauth.c create mode 100644 OSX/libsecurity_ssl/regressions/ssl-54-dhe.c create mode 100644 OSX/libsecurity_ssl/regressions/ssl-55-sessioncache.c create mode 100644 OSX/libsecurity_ssl/regressions/ssl-utils.c rename {Security => OSX}/libsecurity_ssl/regressions/ssl-utils.h (85%) rename {Security => OSX}/libsecurity_ssl/regressions/ssl_regressions.h (85%) create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/CA-ECC.Cert.der create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/CA-ECC.Cert.pem create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/CA-ECC.Key.der create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/CA-ECC.Key.pem create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/CA-ECC_Cert.h create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/CA-ECC_Key.h create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/CA-RSA.Cert.der create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/CA-RSA.Cert.pem create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/CA-RSA.Key.der create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/CA-RSA.Key.pem create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/CA-RSA_Cert.h create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/CA-RSA_Key.h create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/ClientECC.Cert.CA-ECC.der create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/ClientECC.Cert.CA-ECC.pem create mode 100644 
OSX/libsecurity_ssl/regressions/test-certs/ClientECC.Cert.CA-RSA.der create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/ClientECC.Cert.CA-RSA.pem create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/ClientECC.Key.der create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/ClientECC.Key.pem create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/ClientECC.Req.pem create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/ClientECC_Cert_CA-ECC.h create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/ClientECC_Cert_CA-RSA.h create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/ClientECC_Key.h create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/ClientRSA.Cert.CA-ECC.der create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/ClientRSA.Cert.CA-ECC.pem create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/ClientRSA.Cert.CA-RSA.der create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/ClientRSA.Cert.CA-RSA.pem create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/ClientRSA.Key.der create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/ClientRSA.Key.pem create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/ClientRSA.Req.pem create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/ClientRSA_Cert_CA-ECC.h create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/ClientRSA_Cert_CA-RSA.h create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/ClientRSA_Key.h create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/ServerECC.Cert.CA-ECC.der create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/ServerECC.Cert.CA-ECC.pem create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/ServerECC.Cert.CA-RSA.der create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/ServerECC.Cert.CA-RSA.pem create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/ServerECC.Key.der create mode 100644 
OSX/libsecurity_ssl/regressions/test-certs/ServerECC.Key.pem create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/ServerECC.Req.pem create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/ServerECC_Cert_CA-ECC.h create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/ServerECC_Cert_CA-RSA.h create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/ServerECC_Key.h create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/ServerRSA.Cert.CA-ECC.der create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/ServerRSA.Cert.CA-ECC.pem create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/ServerRSA.Cert.CA-RSA.der create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/ServerRSA.Cert.CA-RSA.pem create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/ServerRSA.Key.der create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/ServerRSA.Key.pem create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/ServerRSA.Req.pem create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/ServerRSA_Cert_CA-ECC.h create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/ServerRSA_Cert_CA-RSA.h create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/ServerRSA_Key.h create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/Untrusted-CA-RSA.Cert.der create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/Untrusted-CA-RSA.Cert.pem create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/Untrusted-CA-RSA.Key.der create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/Untrusted-CA-RSA.Key.pem create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/Untrusted-CA-RSA_Cert.h create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/Untrusted-CA-RSA_Key.h create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/UntrustedClientRSA.Cert.Untrusted-CA-RSA.der create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/UntrustedClientRSA.Cert.Untrusted-CA-RSA.pem create mode 100644 
OSX/libsecurity_ssl/regressions/test-certs/UntrustedClientRSA.Key.der create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/UntrustedClientRSA.Key.pem create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/UntrustedClientRSA.Req.pem create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/UntrustedClientRSA_Cert_Untrusted-CA-RSA.h create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/UntrustedClientRSA_Key.h create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/eccert.h create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/ecclientcert.h create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/ecclientkey.h create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/ecidentity.h create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/eckey.h create mode 100644 OSX/libsecurity_ssl/regressions/test-certs/ecparam.pem create mode 100644 OSX/libsecurity_ssl/security_ssl/CipherSuite.h create mode 100644 OSX/libsecurity_ssl/security_ssl/SSLRecordInternal.c create mode 100644 OSX/libsecurity_ssl/security_ssl/SSLRecordInternal.h create mode 100644 OSX/libsecurity_ssl/security_ssl/SecureTransport.h create mode 100644 OSX/libsecurity_ssl/security_ssl/SecureTransportPriv.h create mode 100644 OSX/libsecurity_ssl/security_ssl/appleSession.c create mode 100644 OSX/libsecurity_ssl/security_ssl/appleSession.h create mode 100644 OSX/libsecurity_ssl/security_ssl/cipherSpecs.h create mode 100644 OSX/libsecurity_ssl/security_ssl/security_ssl.exp create mode 100644 OSX/libsecurity_ssl/security_ssl/ssl.h create mode 100644 OSX/libsecurity_ssl/security_ssl/sslBuildFlags.h create mode 100644 OSX/libsecurity_ssl/security_ssl/sslCipherSpecs.c create mode 100644 OSX/libsecurity_ssl/security_ssl/sslCipherSpecs.h create mode 100644 OSX/libsecurity_ssl/security_ssl/sslContext.c create mode 100644 OSX/libsecurity_ssl/security_ssl/sslContext.h create mode 100644 OSX/libsecurity_ssl/security_ssl/sslCrypto.c create mode 100644 
OSX/libsecurity_ssl/security_ssl/sslCrypto.h create mode 100644 OSX/libsecurity_ssl/security_ssl/sslDebug.h create mode 100644 OSX/libsecurity_ssl/security_ssl/sslKeychain.c create mode 100644 OSX/libsecurity_ssl/security_ssl/sslKeychain.h create mode 100644 OSX/libsecurity_ssl/security_ssl/sslMemory.c create mode 100644 OSX/libsecurity_ssl/security_ssl/sslMemory.h create mode 100644 OSX/libsecurity_ssl/security_ssl/sslPriv.h create mode 100644 OSX/libsecurity_ssl/security_ssl/sslRecord.c create mode 100644 OSX/libsecurity_ssl/security_ssl/sslRecord.h create mode 100644 OSX/libsecurity_ssl/security_ssl/sslTransport.c create mode 100644 OSX/libsecurity_ssl/security_ssl/sslTypes.h create mode 100644 OSX/libsecurity_ssl/security_ssl/sslUtils.c create mode 100644 OSX/libsecurity_ssl/security_ssl/sslUtils.h create mode 100644 OSX/libsecurity_ssl/security_ssl/tlsCallbacks.c create mode 100644 OSX/libsecurity_ssl/security_ssl/tlsCallbacks.h create mode 100644 OSX/libsecurity_ssl/security_ssl/tls_record_internal.h rename {Security => OSX}/libsecurity_ssl/sslViewer/fileIo.c (100%) rename {Security => OSX}/libsecurity_ssl/sslViewer/fileIo.h (100%) rename {Security => OSX}/libsecurity_ssl/sslViewer/ioSock.c (100%) rename {Security => OSX}/libsecurity_ssl/sslViewer/ioSock.h (100%) rename {Security => OSX}/libsecurity_ssl/sslViewer/printCert.c (100%) rename {Security => OSX}/libsecurity_ssl/sslViewer/printCert.h (100%) rename {Security => OSX}/libsecurity_ssl/sslViewer/sslAppUtils.cpp (97%) rename {Security => OSX}/libsecurity_ssl/sslViewer/sslAppUtils.h (100%) rename {Security => OSX}/libsecurity_ssl/sslViewer/sslServer.1 (100%) rename {Security => OSX}/libsecurity_ssl/sslViewer/sslServer.cpp (100%) rename {Security => OSX}/libsecurity_ssl/sslViewer/sslViewer.1 (100%) rename {Security => OSX}/libsecurity_ssl/sslViewer/sslViewer.cpp (100%) rename {Security => OSX}/libsecurity_ssl/sslViewer/sslViewer.xcodeproj/project.pbxproj (100%) rename {Security => 
OSX}/libsecurity_transform/100-sha2.m (100%) rename {Security => OSX}/libsecurity_transform/Configurations/libsecurity_transform.Default.xcconfig (100%) rename {Security => OSX}/libsecurity_transform/Configurations/libsecurity_transform_Deployment.xcconfig (100%) rename {Security => OSX}/libsecurity_transform/Configurations/libsecurity_transform_Development.xcconfig (100%) rename {Security => OSX}/libsecurity_transform/Configurations/libsecurity_transform_core.xcconfig (100%) rename {Security => OSX}/libsecurity_transform/Configurations/security_transform_Default.xcconfig (100%) rename {Security => OSX}/libsecurity_transform/Configurations/security_transform_Deployment.xcconfig (100%) rename {Security => OSX}/libsecurity_transform/Configurations/security_transform_Development.xcconfig (100%) rename {Security => OSX}/libsecurity_transform/Info-security_transform.plist (100%) rename {Security => OSX}/libsecurity_transform/NSData+HexString.h (100%) rename {Security => OSX}/libsecurity_transform/NSData+HexString.m (100%) rename {Security => OSX}/libsecurity_transform/custom.h (100%) rename {Security => OSX}/libsecurity_transform/custom.mm (100%) rename {Security => OSX}/libsecurity_transform/lib/CEncryptDecrypt.c (96%) rename {Security => OSX}/libsecurity_transform/lib/CoreFoundationBasics.cpp (100%) rename {Security => OSX}/libsecurity_transform/lib/CoreFoundationBasics.h (100%) rename {Security => OSX}/libsecurity_transform/lib/Digest.cpp (100%) rename {Security => OSX}/libsecurity_transform/lib/Digest.h (100%) rename {Security => OSX}/libsecurity_transform/lib/Digest_block.c (100%) rename {Security => OSX}/libsecurity_transform/lib/Digest_block.h (100%) rename {Security => OSX}/libsecurity_transform/lib/EncodeDecodeTransforms.c (100%) rename {Security => OSX}/libsecurity_transform/lib/EncryptTransform.cpp (99%) rename {Security => OSX}/libsecurity_transform/lib/EncryptTransform.h (100%) rename {Security => OSX}/libsecurity_transform/lib/EncryptTransformUtilities.cpp 
(100%) rename {Security => OSX}/libsecurity_transform/lib/EncryptTransformUtilities.h (100%) rename {Security => OSX}/libsecurity_transform/lib/GroupTransform.cpp (100%) rename {Security => OSX}/libsecurity_transform/lib/GroupTransform.h (100%) rename {Security => OSX}/libsecurity_transform/lib/LinkedList.cpp (100%) rename {Security => OSX}/libsecurity_transform/lib/LinkedList.h (100%) rename {Security => OSX}/libsecurity_transform/lib/Monitor.cpp (100%) rename {Security => OSX}/libsecurity_transform/lib/Monitor.h (100%) rename {Security => OSX}/libsecurity_transform/lib/NullTransform.cpp (100%) rename {Security => OSX}/libsecurity_transform/lib/NullTransform.h (100%) rename {Security => OSX}/libsecurity_transform/lib/SecCollectTransform.cpp (100%) rename {Security => OSX}/libsecurity_transform/lib/SecCollectTransform.h (100%) rename {Security => OSX}/libsecurity_transform/lib/SecCustomTransform.cpp (100%) rename {Security => OSX}/libsecurity_transform/lib/SecCustomTransform.h (98%) rename {Security => OSX}/libsecurity_transform/lib/SecDecodeTransform.h (94%) rename {Security => OSX}/libsecurity_transform/lib/SecDigestTransform.cpp (100%) rename {Security => OSX}/libsecurity_transform/lib/SecDigestTransform.h (95%) rename {Security => OSX}/libsecurity_transform/lib/SecEncodeTransform.h (96%) create mode 100644 OSX/libsecurity_transform/lib/SecEncryptTransform.cpp rename {Security => OSX}/libsecurity_transform/lib/SecEncryptTransform.h (86%) rename {Security => OSX}/libsecurity_transform/lib/SecExternalSourceTransform.cpp (100%) rename {Security => OSX}/libsecurity_transform/lib/SecExternalSourceTransform.h (100%) rename {Security => OSX}/libsecurity_transform/lib/SecGroupTransform.cpp (100%) rename {Security => OSX}/libsecurity_transform/lib/SecGroupTransform.h (100%) rename {Security => OSX}/libsecurity_transform/lib/SecMaskGenerationFunctionTransform.c (100%) rename {Security => OSX}/libsecurity_transform/lib/SecMaskGenerationFunctionTransform.h (100%) rename 
{Security => OSX}/libsecurity_transform/lib/SecNullTransform.cpp (100%) rename {Security => OSX}/libsecurity_transform/lib/SecNullTransform.h (100%) rename {Security => OSX}/libsecurity_transform/lib/SecReadTransform.h (100%) rename {Security => OSX}/libsecurity_transform/lib/SecSignVerifyTransform.c (98%) rename {Security => OSX}/libsecurity_transform/lib/SecSignVerifyTransform.h (90%) rename {Security => OSX}/libsecurity_transform/lib/SecTransform.cpp (100%) rename {Security => OSX}/libsecurity_transform/lib/SecTransform.h (98%) rename {Security => OSX}/libsecurity_transform/lib/SecTransformInternal.h (100%) rename {Security => OSX}/libsecurity_transform/lib/SecTransformReadTransform.cpp (100%) rename {Security => OSX}/libsecurity_transform/lib/SecTransformReadTransform.h (95%) rename {Security => OSX}/libsecurity_transform/lib/SecTransformValidator.h (100%) rename {Security => OSX}/libsecurity_transform/lib/SingleShotSource.cpp (100%) rename {Security => OSX}/libsecurity_transform/lib/SingleShotSource.h (100%) rename {Security => OSX}/libsecurity_transform/lib/Source.cpp (100%) rename {Security => OSX}/libsecurity_transform/lib/Source.h (100%) rename {Security => OSX}/libsecurity_transform/lib/StreamSource.cpp (100%) rename {Security => OSX}/libsecurity_transform/lib/StreamSource.h (100%) rename {Security => OSX}/libsecurity_transform/lib/Transform.cpp (100%) rename {Security => OSX}/libsecurity_transform/lib/Transform.h (100%) rename {Security => OSX}/libsecurity_transform/lib/TransformFactory.cpp (100%) rename {Security => OSX}/libsecurity_transform/lib/TransformFactory.h (100%) rename {Security => OSX}/libsecurity_transform/lib/Utilities.cpp (100%) rename {Security => OSX}/libsecurity_transform/lib/Utilities.h (100%) rename {Security => OSX}/libsecurity_transform/lib/c++utils.cpp (100%) rename {Security => OSX}/libsecurity_transform/lib/c++utils.h (100%) rename {Security => OSX}/libsecurity_transform/lib/misc.c (100%) rename {Security => 
OSX}/libsecurity_transform/lib/misc.h (100%) rename {Security => OSX}/libsecurity_transform/lib/security_transform.exp (100%) create mode 100644 OSX/libsecurity_transform/libsecurity_transform.xcodeproj/project.pbxproj rename {Security => OSX}/libsecurity_transform/misc/base32alpha2vals (100%) rename {Security => OSX}/libsecurity_transform/misc/speed-test.h (100%) rename {Security => OSX}/libsecurity_transform/misc/speed-test.mm (100%) rename {Security => OSX}/libsecurity_transform/unit-tests-Info.plist (100%) rename {Security => OSX}/libsecurity_utilities/APPLE_LICENSE (100%) rename {Security => OSX}/libsecurity_utilities/Info-security_utilities.plist (100%) create mode 100644 OSX/libsecurity_utilities/lib/adornments.cpp create mode 100644 OSX/libsecurity_utilities/lib/adornments.h create mode 100644 OSX/libsecurity_utilities/lib/alloc.cpp create mode 100644 OSX/libsecurity_utilities/lib/alloc.h create mode 100644 OSX/libsecurity_utilities/lib/blob.cpp create mode 100644 OSX/libsecurity_utilities/lib/blob.h create mode 100644 OSX/libsecurity_utilities/lib/bufferfifo.cpp create mode 100644 OSX/libsecurity_utilities/lib/bufferfifo.h create mode 100644 OSX/libsecurity_utilities/lib/buffers.cpp create mode 100644 OSX/libsecurity_utilities/lib/buffers.h create mode 100644 OSX/libsecurity_utilities/lib/ccaudit.cpp create mode 100644 OSX/libsecurity_utilities/lib/ccaudit.h create mode 100644 OSX/libsecurity_utilities/lib/cfclass.cpp create mode 100644 OSX/libsecurity_utilities/lib/cfclass.h create mode 100644 OSX/libsecurity_utilities/lib/cfmach++.cpp create mode 100644 OSX/libsecurity_utilities/lib/cfmach++.h create mode 100644 OSX/libsecurity_utilities/lib/cfmunge.cpp create mode 100644 OSX/libsecurity_utilities/lib/cfmunge.h create mode 100644 OSX/libsecurity_utilities/lib/cfutilities.cpp create mode 100644 OSX/libsecurity_utilities/lib/cfutilities.h create mode 100644 OSX/libsecurity_utilities/lib/coderepository.cpp create mode 100644 
OSX/libsecurity_utilities/lib/coderepository.h create mode 100644 OSX/libsecurity_utilities/lib/crc.c create mode 100644 OSX/libsecurity_utilities/lib/crc.h create mode 100644 OSX/libsecurity_utilities/lib/daemon.cpp create mode 100644 OSX/libsecurity_utilities/lib/daemon.h create mode 100644 OSX/libsecurity_utilities/lib/debugging.cpp create mode 100644 OSX/libsecurity_utilities/lib/debugging.h create mode 100644 OSX/libsecurity_utilities/lib/debugging_internal.cpp create mode 100644 OSX/libsecurity_utilities/lib/debugging_internal.h create mode 100644 OSX/libsecurity_utilities/lib/debugsupport.h create mode 100644 OSX/libsecurity_utilities/lib/devrandom.cpp create mode 100644 OSX/libsecurity_utilities/lib/devrandom.h create mode 100644 OSX/libsecurity_utilities/lib/dispatch.cpp create mode 100644 OSX/libsecurity_utilities/lib/dispatch.h create mode 100644 OSX/libsecurity_utilities/lib/dtrace.mk create mode 100644 OSX/libsecurity_utilities/lib/dyld_cache_format.h create mode 100644 OSX/libsecurity_utilities/lib/dyldcache.cpp create mode 100644 OSX/libsecurity_utilities/lib/dyldcache.h create mode 100644 OSX/libsecurity_utilities/lib/endian.cpp create mode 100644 OSX/libsecurity_utilities/lib/endian.h create mode 100644 OSX/libsecurity_utilities/lib/errors.cpp create mode 100644 OSX/libsecurity_utilities/lib/errors.h create mode 100644 OSX/libsecurity_utilities/lib/exports create mode 100644 OSX/libsecurity_utilities/lib/fdmover.cpp create mode 100644 OSX/libsecurity_utilities/lib/fdmover.h create mode 100644 OSX/libsecurity_utilities/lib/fdsel.cpp create mode 100644 OSX/libsecurity_utilities/lib/fdsel.h create mode 100644 OSX/libsecurity_utilities/lib/globalizer.cpp create mode 100644 OSX/libsecurity_utilities/lib/globalizer.h create mode 100644 OSX/libsecurity_utilities/lib/hashing.cpp create mode 100644 OSX/libsecurity_utilities/lib/hashing.h create mode 100644 OSX/libsecurity_utilities/lib/headermap.cpp create mode 100644 
OSX/libsecurity_utilities/lib/headermap.h create mode 100644 OSX/libsecurity_utilities/lib/hosts.cpp create mode 100644 OSX/libsecurity_utilities/lib/hosts.h create mode 100644 OSX/libsecurity_utilities/lib/inetreply.cpp create mode 100644 OSX/libsecurity_utilities/lib/inetreply.h create mode 100644 OSX/libsecurity_utilities/lib/iodevices.cpp create mode 100644 OSX/libsecurity_utilities/lib/iodevices.h create mode 100644 OSX/libsecurity_utilities/lib/ip++.cpp create mode 100644 OSX/libsecurity_utilities/lib/ip++.h create mode 100644 OSX/libsecurity_utilities/lib/kq++.cpp create mode 100644 OSX/libsecurity_utilities/lib/kq++.h create mode 100644 OSX/libsecurity_utilities/lib/ktracecodes.h create mode 100644 OSX/libsecurity_utilities/lib/logging.cpp create mode 100644 OSX/libsecurity_utilities/lib/logging.h create mode 100644 OSX/libsecurity_utilities/lib/mach++.cpp create mode 100644 OSX/libsecurity_utilities/lib/mach++.h create mode 100644 OSX/libsecurity_utilities/lib/mach_notify.c create mode 100644 OSX/libsecurity_utilities/lib/mach_notify.h create mode 100644 OSX/libsecurity_utilities/lib/macho++.cpp create mode 100644 OSX/libsecurity_utilities/lib/macho++.h create mode 100644 OSX/libsecurity_utilities/lib/machrunloopserver.cpp create mode 100644 OSX/libsecurity_utilities/lib/machrunloopserver.h create mode 100644 OSX/libsecurity_utilities/lib/machserver.cpp create mode 100644 OSX/libsecurity_utilities/lib/machserver.h create mode 100644 OSX/libsecurity_utilities/lib/memstreams.h create mode 100644 OSX/libsecurity_utilities/lib/memutils.h create mode 100644 OSX/libsecurity_utilities/lib/muscle++.cpp create mode 100644 OSX/libsecurity_utilities/lib/muscle++.h create mode 100644 OSX/libsecurity_utilities/lib/osxcode.cpp create mode 100644 OSX/libsecurity_utilities/lib/osxcode.h create mode 100644 OSX/libsecurity_utilities/lib/pcsc++.cpp create mode 100644 OSX/libsecurity_utilities/lib/pcsc++.h create mode 100644 OSX/libsecurity_utilities/lib/powerwatch.cpp create 
mode 100644 OSX/libsecurity_utilities/lib/powerwatch.h create mode 100644 OSX/libsecurity_utilities/lib/refcount.h create mode 100644 OSX/libsecurity_utilities/lib/seccfobject.cpp create mode 100644 OSX/libsecurity_utilities/lib/seccfobject.h create mode 100644 OSX/libsecurity_utilities/lib/security_utilities.d create mode 100644 OSX/libsecurity_utilities/lib/security_utilities.h create mode 100644 OSX/libsecurity_utilities/lib/selector.cpp create mode 100644 OSX/libsecurity_utilities/lib/selector.h create mode 100644 OSX/libsecurity_utilities/lib/simpleprefs.cpp create mode 100644 OSX/libsecurity_utilities/lib/simpleprefs.h create mode 100644 OSX/libsecurity_utilities/lib/socks++.cpp create mode 100644 OSX/libsecurity_utilities/lib/socks++.h create mode 100644 OSX/libsecurity_utilities/lib/socks++4.cpp create mode 100644 OSX/libsecurity_utilities/lib/socks++4.h create mode 100644 OSX/libsecurity_utilities/lib/socks++5.cpp create mode 100644 OSX/libsecurity_utilities/lib/socks++5.h create mode 100644 OSX/libsecurity_utilities/lib/sqlite++.cpp create mode 100644 OSX/libsecurity_utilities/lib/sqlite++.h create mode 100644 OSX/libsecurity_utilities/lib/streams.cpp create mode 100644 OSX/libsecurity_utilities/lib/streams.h create mode 100644 OSX/libsecurity_utilities/lib/superblob.cpp create mode 100644 OSX/libsecurity_utilities/lib/superblob.h create mode 100644 OSX/libsecurity_utilities/lib/threading.cpp create mode 100644 OSX/libsecurity_utilities/lib/threading.h create mode 100644 OSX/libsecurity_utilities/lib/threading_internal.h create mode 100644 OSX/libsecurity_utilities/lib/timeflow.cpp create mode 100644 OSX/libsecurity_utilities/lib/timeflow.h create mode 100644 OSX/libsecurity_utilities/lib/tqueue.cpp create mode 100644 OSX/libsecurity_utilities/lib/tqueue.h create mode 100644 OSX/libsecurity_utilities/lib/trackingallocator.cpp create mode 100644 OSX/libsecurity_utilities/lib/trackingallocator.h create mode 100644 
OSX/libsecurity_utilities/lib/transactions.cpp create mode 100644 OSX/libsecurity_utilities/lib/transactions.h create mode 100644 OSX/libsecurity_utilities/lib/typedvalue.cpp create mode 100644 OSX/libsecurity_utilities/lib/typedvalue.h create mode 100644 OSX/libsecurity_utilities/lib/unix++.cpp create mode 100644 OSX/libsecurity_utilities/lib/unix++.h create mode 100644 OSX/libsecurity_utilities/lib/unixchild.cpp create mode 100644 OSX/libsecurity_utilities/lib/unixchild.h create mode 100644 OSX/libsecurity_utilities/lib/url.cpp create mode 100644 OSX/libsecurity_utilities/lib/url.h create mode 100644 OSX/libsecurity_utilities/lib/utilities.cpp create mode 100644 OSX/libsecurity_utilities/lib/utilities.h create mode 100644 OSX/libsecurity_utilities/lib/utility_config.h create mode 100644 OSX/libsecurity_utilities/lib/vproc++.cpp create mode 100644 OSX/libsecurity_utilities/lib/vproc++.h create mode 100644 OSX/libsecurity_utilities/libsecurity_utilities.xcodeproj/project.pbxproj rename {Security => OSX}/libsecurityd/APPLE_LICENSE (100%) rename {Security => OSX}/libsecurityd/Info-securityd_client.plist (100%) rename {Security => OSX}/libsecurityd/Info-securityd_server.plist (100%) create mode 100644 OSX/libsecurityd/lib/SharedMemoryClient.cpp create mode 100644 OSX/libsecurityd/lib/SharedMemoryClient.h create mode 100644 OSX/libsecurityd/lib/SharedMemoryCommon.h create mode 100644 OSX/libsecurityd/lib/dictionary.cpp create mode 100644 OSX/libsecurityd/lib/dictionary.h create mode 100644 OSX/libsecurityd/lib/eventlistener.cpp create mode 100644 OSX/libsecurityd/lib/eventlistener.h create mode 100644 OSX/libsecurityd/lib/handletypes.h create mode 100644 OSX/libsecurityd/lib/sec_xdr.c create mode 100644 OSX/libsecurityd/lib/sec_xdr.h create mode 100644 OSX/libsecurityd/lib/sec_xdr_array.c create mode 100644 OSX/libsecurityd/lib/sec_xdr_reference.c create mode 100644 OSX/libsecurityd/lib/sec_xdr_sizeof.c create mode 100644 OSX/libsecurityd/lib/sec_xdrmem.c create mode 
100644 OSX/libsecurityd/lib/ss_types.h create mode 100644 OSX/libsecurityd/lib/ssblob.cpp create mode 100644 OSX/libsecurityd/lib/ssblob.h create mode 100644 OSX/libsecurityd/lib/ssclient.cpp create mode 100644 OSX/libsecurityd/lib/ssclient.h create mode 100644 OSX/libsecurityd/lib/sscommon.h create mode 100644 OSX/libsecurityd/lib/ssnotify.h create mode 100644 OSX/libsecurityd/lib/sstransit.cpp create mode 100644 OSX/libsecurityd/lib/sstransit.h create mode 100644 OSX/libsecurityd/lib/transition.cpp create mode 100644 OSX/libsecurityd/lib/ucsp_types.h create mode 100644 OSX/libsecurityd/lib/xdr_auth.c create mode 100644 OSX/libsecurityd/lib/xdr_auth.h create mode 100644 OSX/libsecurityd/lib/xdr_cssm.c create mode 100644 OSX/libsecurityd/lib/xdr_cssm.h create mode 100644 OSX/libsecurityd/lib/xdr_dldb.cpp create mode 100644 OSX/libsecurityd/lib/xdr_dldb.h create mode 100644 OSX/libsecurityd/libsecurityd.xcodeproj/project.pbxproj rename {Security => OSX}/libsecurityd/mig/cshosting.defs (100%) rename {Security => OSX}/libsecurityd/mig/mig.mk (100%) rename {Security => OSX}/libsecurityd/mig/ss_types.defs (100%) rename {Security => OSX}/libsecurityd/mig/ucsp.defs (97%) rename {Security => OSX}/libsecurityd/mig/ucspNotify.defs (100%) rename {Security => OSX}/regressions/README (100%) rename {Security => OSX}/regressions/inc/IPC/Run3.pm (100%) rename {Security => OSX}/regressions/inc/MyHarness.pm (100%) create mode 100644 OSX/regressions/regressions.xcodeproj/project.pbxproj rename {Security => OSX}/regressions/t/security.pl (100%) rename {Security => OSX}/regressions/test/test-00-test.c (100%) rename {Security => OSX}/regressions/test/test_regressions.h (100%) rename {Security => OSX}/regressions/test/testcert.c (100%) rename {Security => OSX}/regressions/test/testcert.h (100%) rename {Security => OSX}/regressions/test/testcpp.h (100%) create mode 100644 OSX/regressions/test/testenv.c rename {Security => OSX}/regressions/test/testenv.h (100%) rename {Security => 
OSX}/regressions/test/testlist_begin.h (100%) rename {Security => OSX}/regressions/test/testlist_end.h (100%) create mode 100644 OSX/regressions/test/testmore.c rename {Security => OSX}/regressions/test/testmore.h (87%) rename {Security => OSX}/regressions/test/testpolicy.h (100%) rename {Security => OSX}/regressions/test/testpolicy.m (100%) rename {Security => OSX}/sec/CloudKeychainProxy/CloudKeychainProxy.1 (100%) create mode 100644 OSX/sec/IDSKeychainSyncingProxy/IDSKeychainSyncingProxy.1 create mode 100644 OSX/sec/ProjectHeaders/SOSCircle/Tool/SOSCommands.h create mode 100644 OSX/sec/ProjectHeaders/SOSCircle/Tool/keychain_sync.c rename {Security/sec/SOSCircle => OSX/sec/ProjectHeaders/Security}/CKBridge/CKClient.c (100%) rename {Security/sec/SOSCircle => OSX/sec/ProjectHeaders/Security}/CKBridge/CKClient.h (100%) create mode 100644 OSX/sec/ProjectHeaders/Security/CKBridge/SOSCloudKeychainClient.c create mode 100644 OSX/sec/ProjectHeaders/Security/CKBridge/SOSCloudKeychainClient.h create mode 100644 OSX/sec/ProjectHeaders/Security/CKBridge/SOSCloudKeychainConstants.c create mode 100644 OSX/sec/ProjectHeaders/Security/CKBridge/SOSCloudKeychainConstants.h rename {Security/sec/SOSCircle => OSX/sec/ProjectHeaders/Security}/CKBridge/SOSCloudTransport.c (100%) rename {Security/sec/SOSCircle => OSX/sec/ProjectHeaders/Security}/CKBridge/SOSCloudTransport.h (100%) create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSARCDefines.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSAccount.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSAccount.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSAccountBackup.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSAccountCircles.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSAccountCloudParameters.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSAccountCredentials.c create 
mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSAccountDer.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSAccountFullPeerInfo.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSAccountHSAJoin.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSAccountHSAJoin.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSAccountPeers.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSAccountPersistence.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSAccountPriv.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSAccountRingUpdate.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSAccountRings.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSAccountUpdate.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSBackupEvent.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSBackupEvent.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSBackupSliceKeyBag.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSBackupSliceKeyBag.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSChangeTracker.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSChangeTracker.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSCircle.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSCircle.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSCircleDer.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSCircleDer.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSCirclePriv.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSCircleRings.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSCircleV2.c create mode 100644 
OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSCircleV2.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSCloudCircle.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSCloudCircle.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSCloudCircleInternal.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSCoder.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSCoder.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSConcordanceTrust.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSDataSource.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSDigestVector.c rename {Security/sec/SOSCircle => OSX/sec/ProjectHeaders/Security}/SecureObjectSync/SOSDigestVector.h (100%) create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSECWrapUnwrap.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSEngine.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSEngine.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSExports.exp-in create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSForerunnerSession.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSForerunnerSession.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSFullPeerInfo.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSFullPeerInfo.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSGenCount.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSGenCount.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSInternal.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSInternal.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSKVSKeys.c create mode 100644 
OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSKVSKeys.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSManifest.c rename {Security/sec/SOSCircle => OSX/sec/ProjectHeaders/Security}/SecureObjectSync/SOSManifest.h (100%) create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSMessage.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSMessage.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSPeer.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSPeer.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSPeerCoder.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSPeerCoder.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSPeerInfo.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSPeerInfo.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSPeerInfoCollections.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSPeerInfoCollections.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSPeerInfoDER.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSPeerInfoDER.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSPeerInfoInternal.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSPeerInfoPriv.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSPeerInfoRingState.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSPeerInfoRingState.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSPeerInfoSecurityProperties.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSPeerInfoSecurityProperties.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSPeerInfoV2.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSPeerInfoV2.h create mode 100644 
OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSPlatform.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSRing.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSRingBackup.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSRingBackup.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSRingBasic.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSRingBasic.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSRingConcordanceTrust.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSRingConcordanceTrust.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSRingDER.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSRingDER.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSRingPeerInfoUtils.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSRingPeerInfoUtils.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSRingTypes.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSRingTypes.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSRingUtils.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSRingUtils.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSRingV0.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSRingV0.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSTransport.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSTransport.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSTransportBackupPeer.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSTransportBackupPeer.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSTransportCircle.c create mode 100644 
OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSTransportCircle.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSTransportCircleKVS.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSTransportCircleKVS.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSTransportCoder.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSTransportCoder.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSTransportKeyParameter.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSTransportKeyParameter.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSTransportKeyParameterKVS.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSTransportKeyParameterKVS.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSTransportMessage.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSTransportMessage.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSTransportMessageIDS.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSTransportMessageIDS.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSTransportMessageKVS.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSTransportMessageKVS.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSTypes.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSUserKeygen.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSUserKeygen.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSViewManager.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSViewManager.h create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSViewQueries.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSViewQueries.h create mode 100644 
OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSViews.c create mode 100644 OSX/sec/ProjectHeaders/Security/SecureObjectSync/SOSViews.h create mode 100644 OSX/sec/ProjectHeaders/Security/Tool/SecurityCommands.h rename {Security/sec => OSX/sec/ProjectHeaders}/Security/Tool/add_internet_password.c (100%) rename {Security/sec => OSX/sec/ProjectHeaders}/Security/Tool/codesign.c (100%) create mode 100644 OSX/sec/ProjectHeaders/Security/Tool/keychain_add.c rename {Security/sec => OSX/sec/ProjectHeaders}/Security/Tool/keychain_backup.c (100%) create mode 100644 OSX/sec/ProjectHeaders/Security/Tool/keychain_find.c create mode 100644 OSX/sec/ProjectHeaders/Security/Tool/keychain_util.c rename {Security/sec => OSX/sec/ProjectHeaders}/Security/Tool/keychain_util.h (100%) create mode 100644 OSX/sec/ProjectHeaders/Security/Tool/log_control.c rename {Security/sec => OSX/sec/ProjectHeaders}/Security/Tool/pkcs12_util.c (100%) create mode 100644 OSX/sec/ProjectHeaders/Security/Tool/scep.c create mode 100644 OSX/sec/ProjectHeaders/Security/Tool/show_certificates.c create mode 100644 OSX/sec/ProjectHeaders/Security/Tool/spc.c rename {Security/sec => OSX/sec/ProjectHeaders}/SecurityTool/SecurityTool.c (100%) rename {Security/sec => OSX/sec/ProjectHeaders}/SecurityTool/SecurityTool.h (100%) rename {Security/sec => OSX/sec/ProjectHeaders}/SecurityTool/builtin_commands.h (100%) rename {Security/sec => OSX/sec/ProjectHeaders}/SecurityTool/digest_calc.c (100%) rename {Security/sec => OSX/sec/ProjectHeaders}/SecurityTool/entitlements.plist (100%) rename {Security/sec => OSX/sec/ProjectHeaders}/SecurityTool/leaks.c (100%) rename {Security/sec => OSX/sec/ProjectHeaders}/SecurityTool/leaks.h (100%) create mode 100644 OSX/sec/ProjectHeaders/SecurityTool/print_cert.c rename {Security/sec => OSX/sec/ProjectHeaders}/SecurityTool/print_cert.h (100%) rename {Security/sec => OSX/sec/ProjectHeaders}/SecurityTool/security.1 (100%) rename {Security/sec => 
OSX/sec/ProjectHeaders}/SecurityTool/tool_errors.h (100%) create mode 100644 OSX/sec/SOSCircle/CKBridge/CKClient.c create mode 100644 OSX/sec/SOSCircle/CKBridge/CKClient.h create mode 100644 OSX/sec/SOSCircle/CKBridge/SOSCloudKeychainClient.c create mode 100644 OSX/sec/SOSCircle/CKBridge/SOSCloudKeychainClient.h create mode 100644 OSX/sec/SOSCircle/CKBridge/SOSCloudKeychainConstants.c create mode 100644 OSX/sec/SOSCircle/CKBridge/SOSCloudKeychainConstants.h create mode 100644 OSX/sec/SOSCircle/CKBridge/SOSCloudTransport.c create mode 100644 OSX/sec/SOSCircle/CKBridge/SOSCloudTransport.h rename {Security => OSX}/sec/SOSCircle/CloudKeychainProxy/CKDKVSProxy.h (97%) rename {Security => OSX}/sec/SOSCircle/CloudKeychainProxy/CKDKVSProxy.m (79%) rename {Security => OSX}/sec/SOSCircle/CloudKeychainProxy/CKDPersistentState.h (95%) rename {Security => OSX}/sec/SOSCircle/CloudKeychainProxy/CKDPersistentState.m (79%) rename {Security => OSX}/sec/SOSCircle/CloudKeychainProxy/CKDUserInteraction.h (100%) rename {Security => OSX}/sec/SOSCircle/CloudKeychainProxy/CKDUserInteraction.m (99%) rename {Security => OSX}/sec/SOSCircle/CloudKeychainProxy/ckdmain.m (100%) rename {Security => OSX}/sec/SOSCircle/CloudKeychainProxy/cloudkeychain.entitlements.plist (100%) rename {Security => OSX}/sec/SOSCircle/CloudKeychainProxy/cloudkeychainproxy.m (99%) rename {Security/tlsnke/tlsnke => OSX/sec/SOSCircle/CloudKeychainProxy}/en.lproj/InfoPlist.strings (100%) rename {Security => OSX}/sec/SOSCircle/CloudKeychainProxy/scripts/PhoneTerms2.applescript (100%) rename {Security => OSX}/sec/SOSCircle/CloudKeychainProxy/scripts/PhoneTerms2.scpt (100%) rename {Security => OSX}/sec/SOSCircle/CloudKeychainProxy/scripts/install_on_devices (100%) rename {Security => OSX}/sec/SOSCircle/CloudKeychainProxy/scripts/kcstatus (100%) rename {Security => OSX}/sec/SOSCircle/CloudKeychainProxy/scripts/sosbuildroot (100%) rename {Security => OSX}/sec/SOSCircle/CloudKeychainProxy/scripts/soscopy (100%) rename {Security 
=> OSX}/sec/SOSCircle/CloudKeychainProxy/scripts/soscopysshkeys (100%) rename {Security => OSX}/sec/SOSCircle/CloudKeychainProxy/scripts/sosinstallroot (100%) rename {Security => OSX}/sec/SOSCircle/CloudKeychainProxy/scripts/sosreset (100%) rename {Security => OSX}/sec/SOSCircle/CloudKeychainProxy/scripts/tweak (100%) rename {Security => OSX}/sec/SOSCircle/Empty.c (100%) create mode 100644 OSX/sec/SOSCircle/IDSKeychainSyncingProxy/IDSPersistentState.h create mode 100644 OSX/sec/SOSCircle/IDSKeychainSyncingProxy/IDSPersistentState.m create mode 100644 OSX/sec/SOSCircle/IDSKeychainSyncingProxy/IDSProxy.h create mode 100644 OSX/sec/SOSCircle/IDSKeychainSyncingProxy/IDSProxy.m create mode 100644 OSX/sec/SOSCircle/IDSKeychainSyncingProxy/idksmain.m create mode 100644 OSX/sec/SOSCircle/IDSKeychainSyncingProxy/idskeychainsyncingproxy.entitlements.plist create mode 100644 OSX/sec/SOSCircle/IDSKeychainSyncingProxy/idskeychainsyncingproxy.m rename {Security => OSX}/sec/SOSCircle/Regressions/CKDKeyValueStore.h (100%) rename {Security => OSX}/sec/SOSCircle/Regressions/CKDKeyValueStore.m (100%) create mode 100644 OSX/sec/SOSCircle/Regressions/SOSCircle_regressions.h rename {Security => OSX}/sec/SOSCircle/Regressions/SOSRegressionUtilities.c (90%) rename {Security => OSX}/sec/SOSCircle/Regressions/SOSRegressionUtilities.h (96%) rename {Security => OSX}/sec/SOSCircle/Regressions/SOSTestDataSource.c (88%) rename {Security => OSX}/sec/SOSCircle/Regressions/SOSTestDataSource.h (94%) create mode 100644 OSX/sec/SOSCircle/Regressions/SOSTestDevice.c rename {Security => OSX}/sec/SOSCircle/Regressions/SOSTestDevice.h (87%) rename {Security => OSX}/sec/SOSCircle/Regressions/sc-130-resignationticket.c (82%) create mode 100644 OSX/sec/SOSCircle/Regressions/sc-140-hsa2.c create mode 100644 OSX/sec/SOSCircle/Regressions/sc-150-backupkeyderivation.c create mode 100644 OSX/sec/SOSCircle/Regressions/sc-150-ring.c create mode 100644 OSX/sec/SOSCircle/Regressions/sc-153-backupslicekeybag.c rename 
{Security => OSX}/sec/SOSCircle/Regressions/sc-20-keynames.c (86%) create mode 100644 OSX/sec/SOSCircle/Regressions/sc-25-soskeygen.c create mode 100644 OSX/sec/SOSCircle/Regressions/sc-30-peerinfo.c create mode 100644 OSX/sec/SOSCircle/Regressions/sc-31-peerinfo-simplefuzz.c rename {Security => OSX}/sec/SOSCircle/Regressions/sc-40-circle.c (93%) rename {Security => OSX}/sec/SOSCircle/Regressions/sc-42-circlegencount.c (83%) rename {Security => OSX}/sec/SOSCircle/Regressions/sc-45-digestvector.c (99%) rename {Security => OSX}/sec/SOSCircle/Regressions/sc-kvstool.m (100%) create mode 100644 OSX/sec/SOSCircle/SOSPeerInfoDER.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSARCDefines.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSAccount.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSAccount.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSAccountBackup.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSAccountCircles.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSAccountCloudParameters.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSAccountCredentials.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSAccountDer.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSAccountFullPeerInfo.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSAccountHSAJoin.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSAccountHSAJoin.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSAccountPeers.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSAccountPersistence.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSAccountPriv.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSAccountRingUpdate.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSAccountRings.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSAccountUpdate.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSBackupEvent.c create mode 100644 
OSX/sec/SOSCircle/SecureObjectSync/SOSBackupEvent.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSBackupSliceKeyBag.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSBackupSliceKeyBag.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSChangeTracker.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSChangeTracker.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSCircle.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSCircle.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSCircleDer.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSCircleDer.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSCirclePriv.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSCircleRings.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSCircleV2.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSCircleV2.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSCloudCircle.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSCloudCircle.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSCloudCircleInternal.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSCoder.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSCoder.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSConcordanceTrust.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSDataSource.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSDigestVector.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSDigestVector.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSECWrapUnwrap.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSEngine.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSEngine.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSExports.exp-in create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSForerunnerSession.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSForerunnerSession.h create mode 100644 
OSX/sec/SOSCircle/SecureObjectSync/SOSFullPeerInfo.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSFullPeerInfo.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSGenCount.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSGenCount.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSInternal.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSInternal.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSKVSKeys.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSKVSKeys.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSManifest.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSManifest.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSMessage.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSMessage.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSPeer.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSPeer.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSPeerCoder.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSPeerCoder.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfo.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfo.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfoCollections.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfoCollections.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfoDER.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfoDER.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfoInternal.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfoPriv.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfoRingState.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfoRingState.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfoSecurityProperties.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfoSecurityProperties.h create mode 100644 
OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfoV2.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfoV2.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSPlatform.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSRing.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSRingBackup.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSRingBackup.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSRingBasic.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSRingBasic.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSRingConcordanceTrust.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSRingConcordanceTrust.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSRingDER.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSRingDER.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSRingPeerInfoUtils.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSRingPeerInfoUtils.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSRingTypes.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSRingTypes.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSRingUtils.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSRingUtils.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSRingV0.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSRingV0.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSTransport.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSTransport.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSTransportBackupPeer.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSTransportBackupPeer.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSTransportCircle.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSTransportCircle.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSTransportCircleKVS.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSTransportCircleKVS.h create 
mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSTransportCoder.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSTransportCoder.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSTransportKeyParameter.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSTransportKeyParameter.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSTransportKeyParameterKVS.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSTransportKeyParameterKVS.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSTransportMessage.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSTransportMessage.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSTransportMessageIDS.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSTransportMessageIDS.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSTransportMessageKVS.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSTransportMessageKVS.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSTypes.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSUserKeygen.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSUserKeygen.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSViewManager.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSViewManager.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSViewQueries.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSViewQueries.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSViews.c create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSViews.h create mode 100644 OSX/sec/SOSCircle/Tool/SOSCommands.h create mode 100644 OSX/sec/SOSCircle/Tool/keychain_sync.c create mode 100644 OSX/sec/SOSCircle/osxshim.c create mode 100644 OSX/sec/Security/AppleBaselineEscrowCertificates.h rename {Security => OSX}/sec/Security/AuthorizationStatus.h (100%) rename {Security => OSX}/sec/Security/Regressions/Security_regressions.h (92%) rename {Security => 
OSX}/sec/Security/Regressions/crypto/pbkdf2-00-hmac-sha1.c (100%) rename {Security => OSX}/sec/Security/Regressions/crypto/spbkdf-00-hmac-sha1.c (100%) rename {Security => OSX}/sec/Security/Regressions/otr/otr-00-identity.c (91%) rename {Security => OSX}/sec/Security/Regressions/otr/otr-30-negotiation.c (99%) rename {Security => OSX}/sec/Security/Regressions/otr/otr-40-edgecases.c (100%) rename {Security => OSX}/sec/Security/Regressions/otr/otr-50-roll.c (96%) rename {Security => OSX}/sec/Security/Regressions/otr/otr-60-slowroll.c (96%) rename {Security => OSX}/sec/Security/Regressions/otr/otr-otrdh.c (100%) rename {Security => OSX}/sec/Security/Regressions/otr/otr-packetdata.c (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-00-find-nothing.c (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-05-add.c (98%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-10-find-internet.c (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-11-update-data.c (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-12-item-stress.c (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-14-dateparse.c (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-15-certificate.c (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-16-ec-certificate.c (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-20-sectrust-activation.c (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-20-sectrust.c (99%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-21-sectrust-asr.c (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-22-sectrust-iap.c (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-23-sectrust-ocsp-wwdr.c (100%) create mode 100644 OSX/sec/Security/Regressions/secitem/si-23-sectrust-ocsp.c rename {Security => OSX}/sec/Security/Regressions/secitem/si-24-sectrust-appleid.c (100%) rename {Security => 
OSX}/sec/Security/Regressions/secitem/si-24-sectrust-digicert-malaysia.c (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-24-sectrust-diginotar.c (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-24-sectrust-itms.c (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-24-sectrust-mobileasset.c (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-24-sectrust-nist.c (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-24-sectrust-otatasking.c (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-24-sectrust-shoebox.c (99%) create mode 100644 OSX/sec/Security/Regressions/secitem/si-25-sectrust-apple-authentication.c rename {Security => OSX}/sec/Security/Regressions/secitem/si-25-sectrust-ipsec-eap.c (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-26-applicationsigning.c (100%) create mode 100644 OSX/sec/Security/Regressions/secitem/si-27-sectrust-exceptions.c rename {Security => OSX}/sec/Security/Regressions/secitem/si-28-sectrustsettings.c (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-29-sectrust-codesigning.c (97%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-30-keychain-upgrade.c (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-31-keychain-bad.c (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-31-keychain-unreadable.c (94%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-33-keychain-backup.c (99%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-40-seckey-custom.c (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-40-seckey.c (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-41-sececkey.c (76%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-42-identity.c (99%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-43-persistent.c (98%) rename {Security => 
OSX}/sec/Security/Regressions/secitem/si-50-secrandom.c (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-60-cms.c (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-61-pkcs12.c (80%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-62-csr.c (95%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-63-scep.c (99%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-63-scep.h (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-63-scep/getcacert-mdes.h (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-63-scep/getcacert-mdesqa.h (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-64-ossl-cms.c (98%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-64-ossl-cms/attached_no_data_signed_data.h (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-64-ossl-cms/attached_signed_data.h (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-64-ossl-cms/detached_content.h (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-64-ossl-cms/detached_signed_data.h (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-64-ossl-cms/privkey.h (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-64-ossl-cms/signer.h (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-65-cms-cert-policy.c (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-66-smime.c (97%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-66-smime/signed-receipt.h (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-67-sectrust-blacklist.c (91%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-67-sectrust-blacklist/Global Trustee.cer.h (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-67-sectrust-blacklist/UTN-USERFirst-Hardware.cer.h (100%) rename {Security => 
OSX}/sec/Security/Regressions/secitem/si-67-sectrust-blacklist/addons.mozilla.org.cer.h (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-67-sectrust-blacklist/login.live.com.cer.h (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-67-sectrust-blacklist/login.skype.com.cer.h (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-67-sectrust-blacklist/login.yahoo.com.1.cer.h (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-67-sectrust-blacklist/login.yahoo.com.2.cer.h (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-67-sectrust-blacklist/login.yahoo.com.cer.h (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-67-sectrust-blacklist/mail.google.com.cer.h (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-67-sectrust-blacklist/www.google.com.cer.h (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-68-secmatchissuer.c (97%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-69-keydesc.c (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-70-sectrust-unified.c (98%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-71-mobile-store-policy.c (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-72-syncableitems.c (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-73-secpasswordgenerate.c (98%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-74-OTAPKISigner.c (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-75-AppleIDRecordSigning.c (93%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-76-shared-credentials.c (98%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-78-query-attrs.c (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-79-smp-cert-policy.c (100%) rename {Security => OSX}/sec/Security/Regressions/secitem/si-80-empty-data.c (100%) create mode 100644 
OSX/sec/Security/Regressions/secitem/si-81-sectrust-appletv.c rename {Security => OSX}/sec/Security/Regressions/secitem/si-81-sectrust-server-auth.c (100%) create mode 100644 OSX/sec/Security/Regressions/secitem/si-83-seccertificate-sighashalg.c create mode 100644 OSX/sec/Security/Regressions/secitem/si-84-sectrust-atv-appsigning.c create mode 100644 OSX/sec/Security/Regressions/secitem/si_77_SecAccessControl.c rename {Security => OSX}/sec/Security/Regressions/vmdh/vmdh-40.c (100%) rename {Security => OSX}/sec/Security/Regressions/vmdh/vmdh-41-example.c (100%) rename {Security => OSX}/sec/Security/Regressions/vmdh/vmdh-42-example2.c (100%) create mode 100644 OSX/sec/Security/SecAccessControl.c create mode 100644 OSX/sec/Security/SecAccessControl.h create mode 100644 OSX/sec/Security/SecAccessControlExports.exp-in create mode 100644 OSX/sec/Security/SecAccessControlPriv.h create mode 100644 OSX/sec/Security/SecBase.h rename {Security => OSX}/sec/Security/SecBase64.c (100%) create mode 100644 OSX/sec/Security/SecBase64.h create mode 100644 OSX/sec/Security/SecBasePriv.h rename {Security => OSX}/sec/Security/SecCMS.c (100%) rename {Security => OSX}/sec/Security/SecCMS.h (100%) create mode 100644 OSX/sec/Security/SecCTKKey.c create mode 100644 OSX/sec/Security/SecCTKKeyPriv.h rename {Security => OSX}/sec/Security/SecCertificate.c (90%) create mode 100644 OSX/sec/Security/SecCertificate.h rename {Security => OSX}/sec/Security/SecCertificateInternal.h (88%) rename {Security => OSX}/sec/Security/SecCertificatePath.c (99%) rename {Security => OSX}/sec/Security/SecCertificatePath.h (100%) create mode 100644 OSX/sec/Security/SecCertificatePriv.h rename {Security => OSX}/sec/Security/SecCertificateRequest.c (99%) rename {Security => OSX}/sec/Security/SecCertificateRequest.h (100%) rename {Security => OSX}/sec/Security/SecDH.c (100%) rename {Security => OSX}/sec/Security/SecDH.h (100%) rename {Security => OSX}/sec/Security/SecECKey.c (93%) rename {Security => 
OSX}/sec/Security/SecECKey.h (100%) rename {Security => OSX}/sec/Security/SecECKeyPriv.h (100%) rename {Security => OSX}/sec/Security/SecExports.exp-in (87%) rename {Security => OSX}/sec/Security/SecFramework.c (88%) rename {Security => OSX}/sec/Security/SecFramework.h (90%) create mode 100644 OSX/sec/Security/SecFrameworkStrings.h rename {Security => OSX}/sec/Security/SecIdentity.c (100%) create mode 100644 OSX/sec/Security/SecIdentity.h rename {Security => OSX}/sec/Security/SecIdentityPriv.h (100%) create mode 100644 OSX/sec/Security/SecImportExport.c create mode 100644 OSX/sec/Security/SecImportExport.h rename {Security => OSX}/sec/Security/SecInternal.h (100%) create mode 100644 OSX/sec/Security/SecItem.c create mode 100644 OSX/sec/Security/SecItem.h create mode 100644 OSX/sec/Security/SecItemBackup.c create mode 100644 OSX/sec/Security/SecItemBackup.h create mode 100644 OSX/sec/Security/SecItemConstants.c create mode 100644 OSX/sec/Security/SecItemInternal.h create mode 100644 OSX/sec/Security/SecItemPriv.h rename {Security => OSX}/sec/Security/SecKey.c (89%) create mode 100644 OSX/sec/Security/SecKey.h rename {Security => OSX}/sec/Security/SecKeyInternal.h (91%) create mode 100644 OSX/sec/Security/SecKeyPriv.h create mode 100644 OSX/sec/Security/SecLogging.c rename {Security => OSX}/sec/Security/SecLogging.h (76%) rename {Security => OSX}/sec/Security/SecOTR.h (100%) rename {Security => OSX}/sec/Security/SecOTRDHKey.c (100%) rename {Security => OSX}/sec/Security/SecOTRDHKey.h (100%) rename {Security => OSX}/sec/Security/SecOTRErrors.h (100%) rename {Security => OSX}/sec/Security/SecOTRFullIdentity.c (75%) rename {Security => OSX}/sec/Security/SecOTRIdentityPriv.h (99%) rename {Security => OSX}/sec/Security/SecOTRMath.c (99%) rename {Security => OSX}/sec/Security/SecOTRMath.h (100%) rename {Security => OSX}/sec/Security/SecOTRPacketData.c (100%) rename {Security => OSX}/sec/Security/SecOTRPacketData.h (98%) rename {Security => OSX}/sec/Security/SecOTRPackets.c 
(99%) rename {Security => OSX}/sec/Security/SecOTRPackets.h (100%) rename {Security => OSX}/sec/Security/SecOTRPublicIdentity.c (100%) rename {Security => OSX}/sec/Security/SecOTRSession.c (94%) rename {Security => OSX}/sec/Security/SecOTRSession.h (100%) rename {Security => OSX}/sec/Security/SecOTRSessionAKE.c (99%) rename {Security => OSX}/sec/Security/SecOTRSessionPriv.h (99%) rename {Security => OSX}/sec/Security/SecOTRUtils.c (100%) rename {Security => OSX}/sec/Security/SecOnOSX.h (100%) rename {Security => OSX}/sec/Security/SecPBKDF.c (100%) rename {Security => OSX}/sec/Security/SecPBKDF.h (100%) rename {Security => OSX}/sec/Security/SecPasswordGenerate.c (93%) rename {Security => OSX}/sec/Security/SecPasswordGenerate.h (93%) create mode 100644 OSX/sec/Security/SecPolicy.c create mode 100644 OSX/sec/Security/SecPolicy.h rename {Security => OSX}/sec/Security/SecPolicyCerts.h (100%) create mode 100644 OSX/sec/Security/SecPolicyInternal.h create mode 100644 OSX/sec/Security/SecPolicyPriv.h rename {Security => OSX}/sec/Security/SecRSAKey.c (82%) rename {Security => OSX}/sec/Security/SecRSAKey.h (100%) rename {Security => OSX}/sec/Security/SecRSAKeyPriv.h (100%) create mode 100644 OSX/sec/Security/SecRandom.h rename {Security => OSX}/sec/Security/SecSCEP.c (99%) rename {Security => OSX}/sec/Security/SecSCEP.h (100%) rename {Security => OSX}/sec/Security/SecServerEncryptionSupport.c (100%) rename {Security => OSX}/sec/Security/SecServerEncryptionSupport.h (100%) rename {Security => OSX}/sec/Security/SecSharedCredential.c (99%) rename {Security => OSX}/sec/Security/SecSharedCredential.h (89%) create mode 100644 OSX/sec/Security/SecTrust.c create mode 100644 OSX/sec/Security/SecTrust.h create mode 100644 OSX/sec/Security/SecTrustInternal.h create mode 100644 OSX/sec/Security/SecTrustPriv.h rename {Security => OSX}/sec/Security/SecTrustSettings.c (94%) rename {Security => OSX}/sec/Security/SecTrustSettings.h (100%) create mode 100644 
OSX/sec/Security/SecTrustSettingsPriv.h rename {Security => OSX}/sec/Security/SecTrustStore.c (86%) rename {Security => OSX}/sec/Security/SecTrustStore.h (100%) rename {Security => OSX}/sec/Security/Security.h (100%) create mode 100644 OSX/sec/Security/SecuritydXPC.c rename {Security => OSX}/sec/Security/SecuritydXPC.h (82%) create mode 100644 OSX/sec/Security/Tool/SecurityCommands.h create mode 100644 OSX/sec/Security/Tool/add_internet_password.c create mode 100644 OSX/sec/Security/Tool/codesign.c create mode 100644 OSX/sec/Security/Tool/keychain_add.c create mode 100644 OSX/sec/Security/Tool/keychain_backup.c create mode 100644 OSX/sec/Security/Tool/keychain_find.c create mode 100644 OSX/sec/Security/Tool/keychain_util.c create mode 100644 OSX/sec/Security/Tool/keychain_util.h create mode 100644 OSX/sec/Security/Tool/log_control.c create mode 100644 OSX/sec/Security/Tool/pkcs12_util.c create mode 100644 OSX/sec/Security/Tool/scep.c create mode 100644 OSX/sec/Security/Tool/show_certificates.c create mode 100644 OSX/sec/Security/Tool/spc.c rename {Security => OSX}/sec/Security/certextensions.h (100%) create mode 100644 OSX/sec/Security/cssmapple.h rename {Security => OSX}/sec/Security/keychain_find.h (100%) rename {Security => OSX}/sec/Security/p12import.c (99%) rename {Security => OSX}/sec/Security/p12import.h (100%) rename {Security => OSX}/sec/Security/p12pbegen.c (100%) rename {Security => OSX}/sec/Security/p12pbegen.h (100%) rename {Security => OSX}/sec/Security/pbkdf2.c (100%) rename {Security => OSX}/sec/Security/pbkdf2.h (100%) rename {Security => OSX}/sec/Security/so_01_serverencryption.c (97%) rename {Security => OSX}/sec/Security/vmdh.c (100%) rename {Security => OSX}/sec/Security/vmdh.h (100%) create mode 100644 OSX/sec/SecurityTool/SecurityTool.c create mode 100644 OSX/sec/SecurityTool/SecurityTool.h create mode 100644 OSX/sec/SecurityTool/builtin_commands.h create mode 100644 OSX/sec/SecurityTool/digest_calc.c create mode 100644 
OSX/sec/SecurityTool/entitlements.plist create mode 100644 OSX/sec/SecurityTool/leaks.c create mode 100644 OSX/sec/SecurityTool/leaks.h create mode 100644 OSX/sec/SecurityTool/print_cert.c create mode 100644 OSX/sec/SecurityTool/print_cert.h create mode 100644 OSX/sec/SecurityTool/security.1 create mode 100644 OSX/sec/SecurityTool/tool_errors.h rename {Security => OSX}/sec/SharedWebCredential/com.apple.security.swcagent.plist (100%) rename {Security => OSX}/sec/SharedWebCredential/swcagent.m (96%) rename {Security => OSX}/sec/SharedWebCredential/swcagent_client.c (100%) rename {Security => OSX}/sec/SharedWebCredential/swcagent_client.h (95%) rename {Security => OSX}/sec/config/base.xcconfig (100%) rename {Security => OSX}/sec/config/debug.xcconfig (100%) create mode 100644 OSX/sec/config/lib-arc-only.xcconfig create mode 100644 OSX/sec/config/lib.xcconfig rename {Security => OSX}/sec/config/release.xcconfig (100%) create mode 100644 OSX/sec/ipc/client.c rename {Security => OSX}/sec/ipc/com.apple.secd.plist (86%) rename {Security => OSX}/sec/ipc/com.apple.securityd.plist (84%) create mode 100644 OSX/sec/ipc/securityd_client.h create mode 100644 OSX/sec/ipc/server.c create mode 100644 OSX/sec/sec.xcodeproj/project.pbxproj create mode 100644 OSX/sec/securityd/OTATrustUtilities.c rename {Security => OSX}/sec/securityd/OTATrustUtilities.h (88%) create mode 100644 OSX/sec/securityd/Regressions/SOSAccountTesting.h create mode 100644 OSX/sec/securityd/Regressions/SOSTransportTestTransports.c create mode 100644 OSX/sec/securityd/Regressions/SOSTransportTestTransports.h rename {Security => OSX}/sec/securityd/Regressions/SecdTestKeychainUtilities.c (96%) rename {Security => OSX}/sec/securityd/Regressions/SecdTestKeychainUtilities.h (100%) rename {Security => OSX}/sec/securityd/Regressions/ios6_1_keychain_2_db.h (100%) create mode 100644 OSX/sec/securityd/Regressions/ios8-inet-keychain-2.h rename {Security => OSX}/sec/securityd/Regressions/sd-10-policytree.c (99%) rename 
{Security => OSX}/sec/securityd/Regressions/secd-01-items.c (97%) rename {Security => OSX}/sec/securityd/Regressions/secd-02-upgrade-while-locked.c (87%) rename {Security => OSX}/sec/securityd/Regressions/secd-03-corrupted-items.c (96%) rename {Security => OSX}/sec/securityd/Regressions/secd-04-corrupted-items.c (100%) rename {Security => OSX}/sec/securityd/Regressions/secd-05-corrupted-items.c (97%) rename {Security => OSX}/sec/securityd/Regressions/secd-30-keychain-upgrade.c (100%) rename {Security => OSX}/sec/securityd/Regressions/secd-31-keychain-bad.c (95%) rename {Security => OSX}/sec/securityd/Regressions/secd-31-keychain-unreadable.c (85%) create mode 100644 OSX/sec/securityd/Regressions/secd-32-restore-bad-backup.c create mode 100644 OSX/sec/securityd/Regressions/secd-33-keychain-ctk.c create mode 100644 OSX/sec/securityd/Regressions/secd-34-backup-der-parse.c create mode 100644 OSX/sec/securityd/Regressions/secd-35-keychain-migrate-inet.c create mode 100644 OSX/sec/securityd/Regressions/secd-40-cc-gestalt.c create mode 100644 OSX/sec/securityd/Regressions/secd-49-manifests.c rename {Security => OSX}/sec/securityd/Regressions/secd-50-account.c (80%) create mode 100644 OSX/sec/securityd/Regressions/secd-50-message.c create mode 100644 OSX/sec/securityd/Regressions/secd-51-account-inflate.c create mode 100644 OSX/sec/securityd/Regressions/secd-52-account-changed.c create mode 100644 OSX/sec/securityd/Regressions/secd-52-offering-gencount-reset.c rename {Security => OSX}/sec/securityd/Regressions/secd-55-account-circle.c (90%) rename {Security => OSX}/sec/securityd/Regressions/secd-55-account-incompatibility.c (91%) rename {Security => OSX}/sec/securityd/Regressions/secd-56-account-apply.c (93%) rename {Security => OSX}/sec/securityd/Regressions/secd-57-account-leave.c (84%) rename {Security => OSX}/sec/securityd/Regressions/secd-58-password-change.c (87%) rename {Security => OSX}/sec/securityd/Regressions/secd-59-account-cleanup.c (86%) rename {Security => 
OSX}/sec/securityd/Regressions/secd-60-account-cloud-identity.c (86%) rename {Security => OSX}/sec/securityd/Regressions/secd-61-account-leave-not-in-kansas-anymore.c (80%) create mode 100644 OSX/sec/securityd/Regressions/secd-62-account-backup.c create mode 100644 OSX/sec/securityd/Regressions/secd-62-account-hsa-join.c create mode 100644 OSX/sec/securityd/Regressions/secd-63-account-resurrection.c create mode 100644 OSX/sec/securityd/Regressions/secd-64-circlereset.c rename {Security => OSX}/sec/securityd/Regressions/secd-70-engine-corrupt.c (83%) create mode 100644 OSX/sec/securityd/Regressions/secd-70-engine-smash.c rename {Security => OSX}/sec/securityd/Regressions/secd-70-engine.c (94%) rename {Security => OSX}/sec/securityd/Regressions/secd-70-otr-remote.c (87%) create mode 100644 OSX/sec/securityd/Regressions/secd-74-engine-beer-servers.c create mode 100644 OSX/sec/securityd/Regressions/secd-75-engine-views.c create mode 100644 OSX/sec/securityd/Regressions/secd-80-views-basic.c create mode 100644 OSX/sec/securityd/Regressions/secd-81-item-acl-stress.c create mode 100644 OSX/sec/securityd/Regressions/secd-81-item-acl.c create mode 100644 OSX/sec/securityd/Regressions/secd-82-persistent-ref.c create mode 100644 OSX/sec/securityd/Regressions/secd-82-secproperties-basic.c create mode 100644 OSX/sec/securityd/Regressions/secd-90-hsa2.c create mode 100644 OSX/sec/securityd/Regressions/secd_regressions.h rename {Security => OSX}/sec/securityd/Regressions/securityd_regressions.h (100%) create mode 100644 OSX/sec/securityd/SOSCloudCircleServer.c create mode 100644 OSX/sec/securityd/SOSCloudCircleServer.h rename {Security => OSX}/sec/securityd/SecCAIssuerCache.c (100%) rename {Security => OSX}/sec/securityd/SecCAIssuerCache.h (100%) rename {Security => OSX}/sec/securityd/SecCAIssuerRequest.c (98%) rename {Security => OSX}/sec/securityd/SecCAIssuerRequest.h (100%) create mode 100644 OSX/sec/securityd/SecDbItem.c rename {Security => OSX}/sec/securityd/SecDbItem.h 
(79%) create mode 100644 OSX/sec/securityd/SecDbKeychainItem.c create mode 100644 OSX/sec/securityd/SecDbKeychainItem.h rename {Security => OSX}/sec/securityd/SecDbQuery.c (79%) rename {Security => OSX}/sec/securityd/SecDbQuery.h (83%) create mode 100644 OSX/sec/securityd/SecItemBackupServer.c create mode 100644 OSX/sec/securityd/SecItemBackupServer.h create mode 100644 OSX/sec/securityd/SecItemDataSource.c rename {Security => OSX}/sec/securityd/SecItemDataSource.h (97%) rename {Security => OSX}/sec/securityd/SecItemDb.c (77%) rename {Security => OSX}/sec/securityd/SecItemDb.h (94%) create mode 100644 OSX/sec/securityd/SecItemSchema.c rename {Security => OSX}/sec/securityd/SecItemSchema.h (78%) create mode 100644 OSX/sec/securityd/SecItemServer.c rename {Security => OSX}/sec/securityd/SecItemServer.h (93%) create mode 100644 OSX/sec/securityd/SecKeybagSupport.c create mode 100644 OSX/sec/securityd/SecKeybagSupport.h create mode 100644 OSX/sec/securityd/SecLogSettingsServer.c rename {Security => OSX}/sec/securityd/SecLogSettingsServer.h (80%) rename {Security => OSX}/sec/securityd/SecOCSPCache.c (81%) rename {Security => OSX}/sec/securityd/SecOCSPCache.h (97%) rename {Security => OSX}/sec/securityd/SecOCSPRequest.c (97%) rename {Security => OSX}/sec/securityd/SecOCSPRequest.h (100%) rename {Security => OSX}/sec/securityd/SecOCSPResponse.c (83%) rename {Security => OSX}/sec/securityd/SecOCSPResponse.h (84%) create mode 100644 OSX/sec/securityd/SecOTRRemote.c rename {Security => OSX}/sec/securityd/SecOTRRemote.h (100%) rename {Security => OSX}/sec/securityd/SecPolicyServer.c (75%) rename {Security => OSX}/sec/securityd/SecPolicyServer.h (92%) rename {Security => OSX}/sec/securityd/SecTrustServer.c (87%) create mode 100644 OSX/sec/securityd/SecTrustServer.h rename {Security => OSX}/sec/securityd/SecTrustStoreServer.c (99%) rename {Security => OSX}/sec/securityd/SecTrustStoreServer.h (100%) rename {Security => OSX}/sec/securityd/asynchttp.c (96%) rename {Security => 
OSX}/sec/securityd/asynchttp.h (95%) create mode 100644 OSX/sec/securityd/entitlements.plist create mode 100644 OSX/sec/securityd/iCloudTrace.c rename {Security => OSX}/sec/securityd/iCloudTrace.h (94%) create mode 100644 OSX/sec/securityd/nameconstraints.c create mode 100644 OSX/sec/securityd/nameconstraints.h rename {Security => OSX}/sec/securityd/policytree.c (99%) rename {Security => OSX}/sec/securityd/policytree.h (100%) create mode 100644 OSX/sec/securityd/spi.c rename {Security => OSX}/sec/securityd/spi.h (100%) create mode 100644 OSX/secdtests/main.c rename {Security => OSX}/secdtests/testlist.h (100%) rename {Security => OSX}/sectests/SecurityTests-Entitlements.plist (96%) rename {Security => OSX}/sectests/main.c (100%) rename {Security => OSX}/sectests/test/testenv.c (100%) create mode 100644 OSX/sectests/testlist.h rename {Security => OSX}/security2/security2.1 (100%) rename {Security => OSX}/security2/security_tool_commands.c (100%) rename {Security => OSX}/security2/sub_commands.h (100%) create mode 100755 OSX/shared_regressions/append_log_to_plist.py create mode 100644 OSX/shared_regressions/shared_regressions.h create mode 100644 OSX/shared_regressions/si-82-seccertificate-ct.c create mode 100644 OSX/shared_regressions/si-82-sectrust-ct-certs.h create mode 100644 OSX/shared_regressions/si-82-sectrust-ct-logs.plist create mode 100644 OSX/shared_regressions/si-82-sectrust-ct.c create mode 100644 OSX/tlsnke/README.tlsnke rename {Security => OSX}/tlsnke/tlsnke.xcodeproj/project.pbxproj (100%) rename {Security => OSX}/tlsnke/tlsnke.xcodeproj/project.xcworkspace/contents.xcworkspacedata (100%) rename {Security => OSX}/tlsnke/tlsnke/tlsnke.h (100%) rename {Security => OSX}/tlsnke/tlsnketest/cert-1.h (100%) rename {Security => OSX}/tlsnke/tlsnketest/dtls_client.c (100%) rename {Security => OSX}/tlsnke/tlsnketest/identity-1.h (100%) rename {Security => OSX}/tlsnke/tlsnketest/main.c (100%) rename {Security => OSX}/tlsnke/tlsnketest/privkey-1.h (100%) rename 
{Security => OSX}/tlsnke/tlsnketest/ssl-utils.c (100%) rename {Security => OSX}/tlsnke/tlsnketest/ssl-utils.h (100%) rename {Security => OSX}/tlsnke/tlsnketest/st_test.c (100%) rename {Security => OSX}/tlsnke/tlsnketest/tlssocket.c (100%) rename {Security => OSX}/tlsnke/tlsnketest/tlssocket.h (100%) create mode 100644 OSX/trustd/com.apple.trustd.agent.plist create mode 100644 OSX/trustd/com.apple.trustd.asl create mode 100644 OSX/trustd/com.apple.trustd.plist create mode 100644 OSX/trustd/com.apple.trustd.sb create mode 100644 OSX/trustd/trustd-Info.plist create mode 100644 OSX/trustd/trustd-Prefix.pch rename {Security => OSX}/utilities/Regressions/su-05-cfwrappers.c (100%) rename {Security => OSX}/utilities/Regressions/su-07-debugging.c (100%) create mode 100644 OSX/utilities/Regressions/su-08-secbuffer.c rename {Security => OSX}/utilities/Regressions/su-10-cfstring-der.c (100%) rename {Security => OSX}/utilities/Regressions/su-11-cfdata-der.c (100%) rename {Security => OSX}/utilities/Regressions/su-12-cfboolean-der.c (100%) rename {Security => OSX}/utilities/Regressions/su-13-cfnumber-der.c (100%) rename {Security => OSX}/utilities/Regressions/su-14-cfarray-der.c (100%) rename {Security => OSX}/utilities/Regressions/su-15-cfdictionary-der.c (100%) rename {Security => OSX}/utilities/Regressions/su-16-cfdate-der.c (100%) create mode 100644 OSX/utilities/Regressions/su-17-cfset-der.c rename {Security => OSX}/utilities/Regressions/su-40-secdb.c (100%) rename {Security => OSX}/utilities/Regressions/su-41-secdb-stress.c (97%) rename {Security => OSX}/utilities/Regressions/utilities_regressions.h (89%) rename {Security => OSX}/utilities/SecLogging.mobileconfig (100%) rename {Security => OSX}/utilities/SecurityTool/not_on_this_platorm.c (100%) rename {Security => OSX}/utilities/SecurityTool/readline.c (100%) rename {Security => OSX}/utilities/SecurityTool/readline.h (100%) rename {Security => OSX}/utilities/SecurityTool/security_tool_commands.h (100%) rename {Security => 
OSX}/utilities/SecurityTool/security_tool_commands_table.h (100%) create mode 100644 OSX/utilities/config/lib.xcconfig create mode 100644 OSX/utilities/src/SecAKSWrappers.c create mode 100644 OSX/utilities/src/SecAKSWrappers.h create mode 100644 OSX/utilities/src/SecAppleAnchor.c create mode 100644 OSX/utilities/src/SecAppleAnchorPriv.h create mode 100644 OSX/utilities/src/SecBuffer.c create mode 100644 OSX/utilities/src/SecBuffer.h create mode 100644 OSX/utilities/src/SecCFCCWrappers.c create mode 100644 OSX/utilities/src/SecCFCCWrappers.h create mode 100644 OSX/utilities/src/SecCFError.c create mode 100644 OSX/utilities/src/SecCFError.h create mode 100644 OSX/utilities/src/SecCFRelease.h create mode 100644 OSX/utilities/src/SecCFWrappers.c create mode 100644 OSX/utilities/src/SecCFWrappers.h create mode 100644 OSX/utilities/src/SecCertificateTrace.c create mode 100644 OSX/utilities/src/SecCertificateTrace.h create mode 100644 OSX/utilities/src/SecCoreCrypto.c create mode 100644 OSX/utilities/src/SecCoreCrypto.h create mode 100644 OSX/utilities/src/SecDb.c create mode 100644 OSX/utilities/src/SecDb.h rename {Security => OSX}/utilities/src/SecDispatchRelease.h (100%) create mode 100644 OSX/utilities/src/SecFileLocations.c create mode 100644 OSX/utilities/src/SecFileLocations.h rename {Security => OSX}/utilities/src/SecIOFormat.h (100%) create mode 100644 OSX/utilities/src/SecInternalRelease.c create mode 100644 OSX/utilities/src/SecInternalReleasePriv.h rename {Security => OSX}/utilities/src/SecMeta.h (100%) create mode 100644 OSX/utilities/src/SecSCTUtils.c create mode 100644 OSX/utilities/src/SecSCTUtils.h create mode 100644 OSX/utilities/src/SecXPCError.c rename {Security => OSX}/utilities/src/SecXPCError.h (100%) rename {Security => OSX}/utilities/src/array_size.h (100%) create mode 100644 OSX/utilities/src/cloud_keychain_diagnose.c rename {Security => OSX}/utilities/src/comparison.c (100%) create mode 100644 OSX/utilities/src/comparison.h create mode 100644 
OSX/utilities/src/debugging.c create mode 100644 OSX/utilities/src/debugging.h rename {Security => OSX}/utilities/src/debugging_test.h (100%) rename {Security => OSX}/utilities/src/der_array.c (100%) rename {Security => OSX}/utilities/src/der_boolean.c (100%) rename {Security => OSX}/utilities/src/der_data.c (100%) rename {Security => OSX}/utilities/src/der_date.c (100%) rename {Security => OSX}/utilities/src/der_date.h (100%) rename {Security => OSX}/utilities/src/der_dictionary.c (100%) rename {Security => OSX}/utilities/src/der_null.c (100%) rename {Security => OSX}/utilities/src/der_number.c (100%) create mode 100644 OSX/utilities/src/der_plist.c create mode 100644 OSX/utilities/src/der_plist.h rename {Security => OSX}/utilities/src/der_plist_internal.c (100%) create mode 100644 OSX/utilities/src/der_plist_internal.h create mode 100644 OSX/utilities/src/der_set.c create mode 100644 OSX/utilities/src/der_set.h rename {Security => OSX}/utilities/src/der_string.c (100%) rename {Security => OSX}/utilities/src/fileIo.c (100%) rename {Security => OSX}/utilities/src/fileIo.h (100%) create mode 100644 OSX/utilities/src/iCloudKeychainTrace.c rename {Security => OSX}/utilities/src/iCloudKeychainTrace.h (100%) create mode 100644 OSX/utilities/src/iOSforOSX-SecAttr.c rename {Security => OSX}/utilities/src/iOSforOSX-SecRandom.c (100%) rename {Security => OSX}/utilities/src/iOSforOSX.c (100%) create mode 100644 OSX/utilities/src/iOSforOSX.h create mode 100644 OSX/utilities/src/simulate_crash.c rename {Security => OSX}/utilities/src/sqlutils.h (100%) create mode 100644 OSX/utilities/utilities.xcodeproj/project.pbxproj create mode 100644 OSX/utilities/utilities/SecAKSWrappers.c create mode 100644 OSX/utilities/utilities/SecAKSWrappers.h create mode 100644 OSX/utilities/utilities/SecAppleAnchor.c create mode 100644 OSX/utilities/utilities/SecAppleAnchorPriv.h create mode 100644 OSX/utilities/utilities/SecBuffer.c create mode 100644 OSX/utilities/utilities/SecBuffer.h create 
mode 100644 OSX/utilities/utilities/SecCFCCWrappers.c create mode 100644 OSX/utilities/utilities/SecCFCCWrappers.h create mode 100644 OSX/utilities/utilities/SecCFError.c create mode 100644 OSX/utilities/utilities/SecCFError.h create mode 100644 OSX/utilities/utilities/SecCFRelease.h create mode 100644 OSX/utilities/utilities/SecCFWrappers.c create mode 100644 OSX/utilities/utilities/SecCFWrappers.h create mode 100644 OSX/utilities/utilities/SecCertificateTrace.c create mode 100644 OSX/utilities/utilities/SecCertificateTrace.h create mode 100644 OSX/utilities/utilities/SecCoreCrypto.c create mode 100644 OSX/utilities/utilities/SecCoreCrypto.h create mode 100644 OSX/utilities/utilities/SecDb.c create mode 100644 OSX/utilities/utilities/SecDb.h create mode 100644 OSX/utilities/utilities/SecDispatchRelease.h create mode 100644 OSX/utilities/utilities/SecFileLocations.c create mode 100644 OSX/utilities/utilities/SecFileLocations.h create mode 100644 OSX/utilities/utilities/SecIOFormat.h create mode 100644 OSX/utilities/utilities/SecInternalRelease.c create mode 100644 OSX/utilities/utilities/SecInternalReleasePriv.h create mode 100644 OSX/utilities/utilities/SecMeta.h create mode 100644 OSX/utilities/utilities/SecSCTUtils.c create mode 100644 OSX/utilities/utilities/SecSCTUtils.h create mode 100644 OSX/utilities/utilities/SecXPCError.c create mode 100644 OSX/utilities/utilities/SecXPCError.h create mode 100644 OSX/utilities/utilities/array_size.h create mode 100644 OSX/utilities/utilities/cloud_keychain_diagnose.c create mode 100644 OSX/utilities/utilities/comparison.c create mode 100644 OSX/utilities/utilities/comparison.h create mode 100644 OSX/utilities/utilities/debugging.c create mode 100644 OSX/utilities/utilities/debugging.h create mode 100644 OSX/utilities/utilities/debugging_test.h create mode 100644 OSX/utilities/utilities/der_array.c create mode 100644 OSX/utilities/utilities/der_boolean.c create mode 100644 OSX/utilities/utilities/der_data.c create mode 
100644 OSX/utilities/utilities/der_date.c create mode 100644 OSX/utilities/utilities/der_date.h create mode 100644 OSX/utilities/utilities/der_dictionary.c create mode 100644 OSX/utilities/utilities/der_null.c create mode 100644 OSX/utilities/utilities/der_number.c create mode 100644 OSX/utilities/utilities/der_plist.c create mode 100644 OSX/utilities/utilities/der_plist.h create mode 100644 OSX/utilities/utilities/der_plist_internal.c create mode 100644 OSX/utilities/utilities/der_plist_internal.h create mode 100644 OSX/utilities/utilities/der_set.c create mode 100644 OSX/utilities/utilities/der_set.h create mode 100644 OSX/utilities/utilities/der_string.c create mode 100644 OSX/utilities/utilities/fileIo.c create mode 100644 OSX/utilities/utilities/fileIo.h create mode 100644 OSX/utilities/utilities/iCloudKeychainTrace.c create mode 100644 OSX/utilities/utilities/iCloudKeychainTrace.h create mode 100644 OSX/utilities/utilities/iOSforOSX-SecAttr.c create mode 100644 OSX/utilities/utilities/iOSforOSX-SecRandom.c create mode 100644 OSX/utilities/utilities/iOSforOSX.c create mode 100644 OSX/utilities/utilities/iOSforOSX.h create mode 100644 OSX/utilities/utilities/simulate_crash.c create mode 100644 OSX/utilities/utilities/sqlutils.h create mode 100644 OTAPKIAssetTool/OTAPKIAssetTool.xcconfig delete mode 100644 README.genanchors create mode 100644 SOSCCAuthPlugin/Info.plist create mode 100644 SOSCCAuthPlugin/SOSCCAuthPlugin.h create mode 100644 SOSCCAuthPlugin/SOSCCAuthPlugin.m delete mode 100644 Security.xcodeproj/project.xcworkspace/contents.xcworkspacedata delete mode 100644 Security.xcodeproj/xcshareddata/xcschemes/ProtectedCloudStorage.xcscheme create mode 100644 Security.xcodeproj/xcshareddata/xcschemes/Security_executables.xcscheme create mode 100644 Security.xcodeproj/xcshareddata/xcschemes/Security_frameworks.xcscheme create mode 100644 Security.xcodeproj/xcshareddata/xcschemes/Security_temporary_UI.xcscheme delete mode 100644 
Security.xcodeproj/xcshareddata/xcschemes/SyncTest.xcscheme delete mode 100644 Security.xcodeproj/xcshareddata/xcschemes/SyncTest2.xcscheme delete mode 100644 Security.xcodeproj/xcshareddata/xcschemes/codesigntester.xcscheme delete mode 100644 Security.xcodeproj/xcshareddata/xcschemes/libsecurityd.xcscheme create mode 100644 Security.xcodeproj/xcshareddata/xcschemes/phase1.xcscheme create mode 100644 Security.xcodeproj/xcshareddata/xcschemes/phase2.xcscheme delete mode 100644 Security.xcodeproj/xcshareddata/xcschemes/security.xcscheme delete mode 100644 Security.xcodeproj/xcshareddata/xcschemes/securityd.xcscheme delete mode 100644 Security.xcodeproj/xcshareddata/xcschemes/sslEcdsa.xcscheme delete mode 100644 Security.xcodeproj/xcshareddata/xcschemes/sslServer.xcscheme delete mode 100644 Security.xcodeproj/xcshareddata/xcschemes/sslViewer.xcscheme delete mode 100644 Security/Keychain Circle Notification/KNAppDelegate.m delete mode 100644 Security/Keychain Circle Notification/KNPersistantState.h delete mode 100644 Security/Keychain Circle Notification/KNPersistantState.m delete mode 100644 Security/Keychain Circle Notification/en.lproj/Localizable.strings delete mode 100644 Security/Keychain Circle Notification/en.lproj/MainMenu.xib delete mode 100644 Security/Keychain/en.lproj/Credits.rtf delete mode 100644 Security/Keychain/en.lproj/MainMenu.xib delete mode 100644 Security/Security.xcodeproj/project.pbxproj delete mode 100644 Security/Security.xcodeproj/project.xcworkspace/contents.xcworkspacedata delete mode 100644 Security/Security.xcodeproj/project.xcworkspace/xcshareddata/WorkspaceSettings.xcsettings delete mode 100644 Security/Security.xcodeproj/xcshareddata/xcschemes/Security.xcscheme delete mode 100644 Security/Security.xcodeproj/xcshareddata/xcschemes/Security_executables.xcscheme delete mode 100644 Security/Security.xcodeproj/xcshareddata/xcschemes/Security_frameworks.xcscheme delete mode 100644 
Security/Security.xcodeproj/xcshareddata/xcschemes/World.xcscheme delete mode 100644 Security/Security.xcodeproj/xcshareddata/xcschemes/authd.xcscheme delete mode 100644 Security/Security.xcodeproj/xcshareddata/xcschemes/copyHeaders.xcscheme delete mode 100644 Security/Security.xcodeproj/xcshareddata/xcschemes/secd.xcscheme delete mode 100644 Security/Security.xcodeproj/xcshareddata/xcschemes/secdtests.xcscheme delete mode 100644 Security/authd/Info.plist delete mode 100644 Security/authd/main.c delete mode 100644 Security/authd/server.c delete mode 100644 Security/config/base.xcconfig delete mode 100644 Security/config/command.xcconfig delete mode 100644 Security/config/executable.xcconfig delete mode 100644 Security/config/lib.xcconfig delete mode 120000 Security/include/security_asn1 delete mode 120000 Security/include/security_cdsa_client delete mode 120000 Security/include/security_cdsa_plugin delete mode 120000 Security/include/security_cdsa_utilities delete mode 120000 Security/include/security_cdsa_utils delete mode 120000 Security/include/security_codesigning delete mode 120000 Security/include/security_comcryption delete mode 120000 Security/include/security_cryptkit delete mode 120000 Security/include/security_filedb delete mode 120000 Security/include/security_keychain delete mode 120000 Security/include/security_ocspd delete mode 120000 Security/include/security_pkcs12 delete mode 120000 Security/include/security_smime delete mode 120000 Security/include/security_utilities delete mode 120000 Security/include/securityd_client delete mode 100644 Security/lib/framework.sb delete mode 100644 Security/lib/generateErrStrings.pl delete mode 100644 Security/libsecurity_apple_csp/libsecurity_apple_csp.xcodeproj/project.pbxproj delete mode 100644 Security/libsecurity_apple_cspdl/libsecurity_apple_cspdl.xcodeproj/project.pbxproj delete mode 100644 Security/libsecurity_apple_file_dl/libsecurity_apple_file_dl.xcodeproj/project.pbxproj delete mode 100644 
Security/libsecurity_apple_x509_cl/libsecurity_apple_x509_cl.xcodeproj/project.pbxproj delete mode 100644 Security/libsecurity_apple_x509_tp/lib/tpCertAllowList.c delete mode 100644 Security/libsecurity_apple_x509_tp/libsecurity_apple_x509_tp.xcodeproj/project.pbxproj delete mode 120000 Security/libsecurity_asn1/Security delete mode 100644 Security/libsecurity_asn1/config/base.xcconfig delete mode 100644 Security/libsecurity_asn1/lib/SecAsn1Coder.c delete mode 100644 Security/libsecurity_asn1/lib/SecAsn1Coder.h delete mode 100644 Security/libsecurity_asn1/lib/SecAsn1Templates.h delete mode 100644 Security/libsecurity_asn1/lib/SecAsn1Types.h delete mode 100644 Security/libsecurity_asn1/lib/ocspTemplates.c delete mode 100644 Security/libsecurity_asn1/lib/oidsbase.h delete mode 100644 Security/libsecurity_asn1/lib/oidsocsp.c delete mode 100644 Security/libsecurity_asn1/lib/oidsocsp.h delete mode 100644 Security/libsecurity_asn1/libsecurity_asn1.xcodeproj/project.pbxproj delete mode 120000 Security/libsecurity_asn1/security_asn1 delete mode 100644 Security/libsecurity_authorization/libsecurity_authorization.xcodeproj/project.pbxproj delete mode 100644 Security/libsecurity_cdsa_client/libsecurity_cdsa_client.xcodeproj/project.pbxproj delete mode 100644 Security/libsecurity_cdsa_plugin/lib/cssmplugin.h delete mode 100644 Security/libsecurity_cdsa_plugin/libsecurity_cdsa_plugin.xcodeproj/project.pbxproj delete mode 100644 Security/libsecurity_cdsa_utilities/lib/cssmpods.cpp delete mode 100644 Security/libsecurity_cdsa_utilities/lib/handletemplates.h delete mode 100644 Security/libsecurity_cdsa_utilities/libsecurity_cdsa_utilities.xcodeproj/project.pbxproj delete mode 100644 Security/libsecurity_cdsa_utils/libsecurity_cdsa_utils.xcodeproj/project.pbxproj delete mode 100644 Security/libsecurity_checkpw/libsecurity_checkpw.xcodeproj/project.pbxproj delete mode 100644 Security/libsecurity_cms/libsecurity_cms.xcodeproj/project.pbxproj delete mode 100644 
Security/libsecurity_codesigning/lib/CSCommon.h delete mode 100644 Security/libsecurity_codesigning/lib/CSCommonPriv.h delete mode 100644 Security/libsecurity_codesigning/lib/CodeSigner.cpp delete mode 100644 Security/libsecurity_codesigning/lib/CodeSigner.h delete mode 100644 Security/libsecurity_codesigning/lib/RequirementKeywords.h delete mode 100644 Security/libsecurity_codesigning/lib/RequirementLexer.cpp delete mode 100644 Security/libsecurity_codesigning/lib/RequirementLexer.hpp delete mode 100644 Security/libsecurity_codesigning/lib/RequirementParser.cpp delete mode 100644 Security/libsecurity_codesigning/lib/RequirementParser.hpp delete mode 100644 Security/libsecurity_codesigning/lib/RequirementParserTokenTypes.hpp delete mode 100644 Security/libsecurity_codesigning/lib/RequirementParserTokenTypes.txt delete mode 100644 Security/libsecurity_codesigning/lib/SecAssessment.cpp delete mode 100644 Security/libsecurity_codesigning/lib/SecAssessment.h delete mode 100644 Security/libsecurity_codesigning/lib/SecCode.cpp delete mode 100644 Security/libsecurity_codesigning/lib/SecCode.h delete mode 100644 Security/libsecurity_codesigning/lib/SecCodeHost.h delete mode 100644 Security/libsecurity_codesigning/lib/SecCodeSigner.cpp delete mode 100644 Security/libsecurity_codesigning/lib/SecCodeSigner.h delete mode 100644 Security/libsecurity_codesigning/lib/SecRequirement.h delete mode 100644 Security/libsecurity_codesigning/lib/SecStaticCode.cpp delete mode 100644 Security/libsecurity_codesigning/lib/SecStaticCode.h delete mode 100644 Security/libsecurity_codesigning/lib/SecTask.c delete mode 100644 Security/libsecurity_codesigning/lib/SecTask.h delete mode 100644 Security/libsecurity_codesigning/lib/StaticCode.cpp delete mode 100644 Security/libsecurity_codesigning/lib/StaticCode.h delete mode 100644 Security/libsecurity_codesigning/lib/bundlediskrep.cpp delete mode 100644 Security/libsecurity_codesigning/lib/cdbuilder.cpp delete mode 100644 
Security/libsecurity_codesigning/lib/cdbuilder.h delete mode 100644 Security/libsecurity_codesigning/lib/codedirectory.cpp delete mode 100644 Security/libsecurity_codesigning/lib/codedirectory.h delete mode 100644 Security/libsecurity_codesigning/lib/csutilities.cpp delete mode 100644 Security/libsecurity_codesigning/lib/csutilities.h delete mode 100644 Security/libsecurity_codesigning/lib/drmaker.cpp delete mode 100644 Security/libsecurity_codesigning/lib/machorep.cpp delete mode 100644 Security/libsecurity_codesigning/lib/opaquewhitelist.cpp delete mode 100644 Security/libsecurity_codesigning/lib/policyengine.cpp delete mode 100644 Security/libsecurity_codesigning/lib/policyengine.h delete mode 100644 Security/libsecurity_codesigning/lib/reqdumper.cpp delete mode 100644 Security/libsecurity_codesigning/lib/reqinterp.cpp delete mode 100644 Security/libsecurity_codesigning/lib/reqinterp.h delete mode 100644 Security/libsecurity_codesigning/lib/reqmaker.cpp delete mode 100644 Security/libsecurity_codesigning/lib/reqmaker.h delete mode 100644 Security/libsecurity_codesigning/lib/reqreader.cpp delete mode 100644 Security/libsecurity_codesigning/lib/reqreader.h delete mode 100644 Security/libsecurity_codesigning/lib/requirement.h delete mode 100644 Security/libsecurity_codesigning/lib/resources.cpp delete mode 100644 Security/libsecurity_codesigning/lib/resources.h delete mode 100644 Security/libsecurity_codesigning/lib/signer.cpp delete mode 100644 Security/libsecurity_codesigning/lib/signer.h delete mode 100644 Security/libsecurity_codesigning/lib/signerutils.cpp delete mode 100644 Security/libsecurity_codesigning/lib/singlediskrep.cpp delete mode 100644 Security/libsecurity_codesigning/libsecurity_codesigning.xcodeproj/project.pbxproj delete mode 100644 Security/libsecurity_comcryption/libsecurity_comcryption.xcodeproj/project.pbxproj delete mode 100644 Security/libsecurity_cryptkit/lib/CryptKitDER.cpp delete mode 100644 
Security/libsecurity_cryptkit/lib/CryptKitDER.h delete mode 100644 Security/libsecurity_cryptkit/lib/feeDigitalSignature.c delete mode 100644 Security/libsecurity_cryptkit/lib/feeECDSA.c delete mode 100644 Security/libsecurity_cryptkit/lib/feeECDSA.h delete mode 100644 Security/libsecurity_cryptkit/lib/feeFEEDExp.c delete mode 100644 Security/libsecurity_cryptkit/lib/feeTypes.h delete mode 100644 Security/libsecurity_cryptkit/libsecurity_cryptkit.xcodeproj/project.pbxproj delete mode 100644 Security/libsecurity_cssm/lib/cssmapple.h delete mode 100644 Security/libsecurity_cssm/libsecurity_cssm.xcodeproj/project.pbxproj delete mode 100644 Security/libsecurity_filedb/lib/ReadWriteSection.cpp delete mode 100644 Security/libsecurity_filedb/libsecurity_filedb.xcodeproj/project.pbxproj delete mode 120000 Security/libsecurity_keychain/Security delete mode 100644 Security/libsecurity_keychain/lib/Certificate.cpp delete mode 100644 Security/libsecurity_keychain/lib/CertificateValues.cpp delete mode 100644 Security/libsecurity_keychain/lib/KeyItem.cpp delete mode 100644 Security/libsecurity_keychain/lib/Keychains.h delete mode 100644 Security/libsecurity_keychain/lib/Policies.cpp delete mode 100644 Security/libsecurity_keychain/lib/PolicyCursor.h delete mode 100644 Security/libsecurity_keychain/lib/SecACL.h delete mode 100644 Security/libsecurity_keychain/lib/SecAccess.cpp delete mode 100644 Security/libsecurity_keychain/lib/SecAccess.h delete mode 100644 Security/libsecurity_keychain/lib/SecBase.h delete mode 100644 Security/libsecurity_keychain/lib/SecBridge.h delete mode 100644 Security/libsecurity_keychain/lib/SecCertificate.cpp delete mode 100644 Security/libsecurity_keychain/lib/SecCertificate.h delete mode 100644 Security/libsecurity_keychain/lib/SecCertificateInternalP.h delete mode 100644 Security/libsecurity_keychain/lib/SecCertificateOIDs.h delete mode 100644 Security/libsecurity_keychain/lib/SecCertificateP.c delete mode 100644 
Security/libsecurity_keychain/lib/SecCertificateP.h delete mode 100644 Security/libsecurity_keychain/lib/SecCertificatePriv.h delete mode 100644 Security/libsecurity_keychain/lib/SecCertificatePrivP.h delete mode 100644 Security/libsecurity_keychain/lib/SecFrameworkP.c delete mode 100644 Security/libsecurity_keychain/lib/SecIdentity.cpp delete mode 100644 Security/libsecurity_keychain/lib/SecIdentity.h delete mode 100644 Security/libsecurity_keychain/lib/SecIdentitySearch.cpp delete mode 100644 Security/libsecurity_keychain/lib/SecIdentitySearch.h delete mode 100644 Security/libsecurity_keychain/lib/SecImportExport.c delete mode 100644 Security/libsecurity_keychain/lib/SecImportExport.h delete mode 100644 Security/libsecurity_keychain/lib/SecImportExportAgg.cpp delete mode 100644 Security/libsecurity_keychain/lib/SecItem.cpp delete mode 100644 Security/libsecurity_keychain/lib/SecItem.h delete mode 100644 Security/libsecurity_keychain/lib/SecItemConstants.c delete mode 100644 Security/libsecurity_keychain/lib/SecItemPriv.h delete mode 100644 Security/libsecurity_keychain/lib/SecKey.cpp delete mode 100644 Security/libsecurity_keychain/lib/SecKey.h delete mode 100644 Security/libsecurity_keychain/lib/SecKeyPriv.h delete mode 100644 Security/libsecurity_keychain/lib/SecKeychain.cpp delete mode 100644 Security/libsecurity_keychain/lib/SecKeychain.h delete mode 100644 Security/libsecurity_keychain/lib/SecKeychainItem.cpp delete mode 100644 Security/libsecurity_keychain/lib/SecKeychainItem.h delete mode 100644 Security/libsecurity_keychain/lib/SecKeychainItemExtendedAttributes.cpp delete mode 100644 Security/libsecurity_keychain/lib/SecKeychainSearch.cpp delete mode 100644 Security/libsecurity_keychain/lib/SecKeychainSearch.h delete mode 100644 Security/libsecurity_keychain/lib/SecPolicy.cpp delete mode 100644 Security/libsecurity_keychain/lib/SecPolicy.h delete mode 100644 Security/libsecurity_keychain/lib/SecPolicyPriv.h delete mode 100644 
Security/libsecurity_keychain/lib/SecPolicySearch.cpp delete mode 100644 Security/libsecurity_keychain/lib/SecPolicySearch.h delete mode 100644 Security/libsecurity_keychain/lib/SecRandom.h delete mode 100644 Security/libsecurity_keychain/lib/SecTrust.cpp delete mode 100644 Security/libsecurity_keychain/lib/SecTrust.h delete mode 100644 Security/libsecurity_keychain/lib/SecTrustPriv.h delete mode 100644 Security/libsecurity_keychain/lib/SecTrustSettings.cpp delete mode 100644 Security/libsecurity_keychain/lib/SecTrustSettings.h delete mode 100644 Security/libsecurity_keychain/lib/SecTrustedApplication.cpp delete mode 100644 Security/libsecurity_keychain/lib/SecTrustedApplication.h delete mode 100644 Security/libsecurity_keychain/lib/Security.h delete mode 100644 Security/libsecurity_keychain/lib/Trust.cpp delete mode 100644 Security/libsecurity_keychain/lib/TrustAdditions.cpp delete mode 100644 Security/libsecurity_keychain/lib/TrustRevocation.cpp delete mode 100644 Security/libsecurity_keychain/lib/TrustSettings.cpp delete mode 100644 Security/libsecurity_keychain/lib/TrustedApplication.cpp delete mode 100644 Security/libsecurity_keychain/lib/TrustedApplication.h delete mode 100644 Security/libsecurity_keychain/lib/security_keychain.exp delete mode 100644 Security/libsecurity_keychain/libDER/libDER.xcodeproj/project.pbxproj delete mode 100644 Security/libsecurity_keychain/libDER/libDER/oids.c delete mode 100644 Security/libsecurity_keychain/libDER/libDER/oids.h delete mode 100644 Security/libsecurity_keychain/libsecurity_keychain.xcodeproj/project.pbxproj delete mode 100644 Security/libsecurity_keychain/regressions/kc-41-sececkey.c delete mode 100644 Security/libsecurity_keychain/regressions/kc-42-trust-revocation.c delete mode 100644 Security/libsecurity_manifest/libsecurity_manifest.xcodeproj/project.pbxproj delete mode 100644 Security/libsecurity_mds/libsecurity_mds.xcodeproj/project.pbxproj delete mode 120000 Security/libsecurity_ocspd/common/ocspdClient.h 
delete mode 100644 Security/libsecurity_ocspd/libsecurity_ocspd.xcodeproj/project.pbxproj delete mode 100644 Security/libsecurity_pkcs12/libsecurity_pkcs12.xcodeproj/project.pbxproj delete mode 100644 Security/libsecurity_sd_cspdl/libsecurity_sd_cspdl.xcodeproj/project.pbxproj delete mode 100644 Security/libsecurity_smime/lib/cert.c delete mode 100644 Security/libsecurity_smime/lib/cmspubkey.c delete mode 100644 Security/libsecurity_smime/lib/cmsrecinfo.c delete mode 100644 Security/libsecurity_smime/lib/cmssigdata.c delete mode 100644 Security/libsecurity_smime/lib/cmssiginfo.c delete mode 100644 Security/libsecurity_smime/lib/tsaSupport.c delete mode 100644 Security/libsecurity_smime/libsecurity_smime.xcodeproj/project.pbxproj delete mode 120000 Security/libsecurity_ssl/Security delete mode 100644 Security/libsecurity_ssl/config/base.xcconfig delete mode 100644 Security/libsecurity_ssl/lib/CipherSuite.h delete mode 100644 Security/libsecurity_ssl/lib/ModuleAttacher.h delete mode 100644 Security/libsecurity_ssl/lib/SSLRecordInternal.c delete mode 100644 Security/libsecurity_ssl/lib/SSLRecordInternal.h delete mode 100644 Security/libsecurity_ssl/lib/SecureTransport.h delete mode 100644 Security/libsecurity_ssl/lib/SecureTransportPriv.h delete mode 100644 Security/libsecurity_ssl/lib/appleCdsa.h delete mode 100644 Security/libsecurity_ssl/lib/cipherSpecs.c delete mode 100644 Security/libsecurity_ssl/lib/cryptType.h delete mode 100644 Security/libsecurity_ssl/lib/secCrypto.c delete mode 100644 Security/libsecurity_ssl/lib/securetransport++.cpp delete mode 100644 Security/libsecurity_ssl/lib/securetransport++.h delete mode 100644 Security/libsecurity_ssl/lib/security_ssl.exp delete mode 100644 Security/libsecurity_ssl/lib/sslAlertMessage.h delete mode 100644 Security/libsecurity_ssl/lib/sslBER.c delete mode 100644 Security/libsecurity_ssl/lib/sslBER.h delete mode 100644 Security/libsecurity_ssl/lib/sslCipherSpecs.c delete mode 100644 
Security/libsecurity_ssl/lib/sslContext.c delete mode 100644 Security/libsecurity_ssl/lib/sslContext.h delete mode 100644 Security/libsecurity_ssl/lib/sslCrypto.c delete mode 100644 Security/libsecurity_ssl/lib/sslCrypto.h delete mode 100644 Security/libsecurity_ssl/lib/sslDigests.c delete mode 100644 Security/libsecurity_ssl/lib/sslDigests.h delete mode 100644 Security/libsecurity_ssl/lib/sslHandshake.h delete mode 100644 Security/libsecurity_ssl/lib/sslKeychain.c delete mode 100644 Security/libsecurity_ssl/lib/sslNullCipher.c delete mode 100644 Security/libsecurity_ssl/lib/sslPriv.h delete mode 100644 Security/libsecurity_ssl/lib/sslRand.c delete mode 100644 Security/libsecurity_ssl/lib/sslRand.h delete mode 100644 Security/libsecurity_ssl/lib/sslRecord.c delete mode 100644 Security/libsecurity_ssl/lib/sslSession.c delete mode 100644 Security/libsecurity_ssl/lib/sslSession.h delete mode 100644 Security/libsecurity_ssl/lib/sslTransport.c delete mode 100644 Security/libsecurity_ssl/lib/symCipher.c delete mode 100644 Security/libsecurity_ssl/lib/symCipher.h delete mode 100644 Security/libsecurity_ssl/lib/symCipherParams.c delete mode 100644 Security/libsecurity_ssl/lib/tlsCallbacks.c delete mode 100644 Security/libsecurity_ssl/lib/tls_digest.c delete mode 100644 Security/libsecurity_ssl/lib/tls_digest.h delete mode 100644 Security/libsecurity_ssl/lib/tls_hashhmac.c delete mode 100644 Security/libsecurity_ssl/lib/tls_hashhmac.h delete mode 100644 Security/libsecurity_ssl/lib/tls_hmac.c delete mode 100644 Security/libsecurity_ssl/lib/tls_hmac.h delete mode 100644 Security/libsecurity_ssl/lib/tls_record_internal.h delete mode 100644 Security/libsecurity_ssl/lib/tls_ssl.h delete mode 100644 Security/libsecurity_ssl/libsecurity_ssl.xcodeproj/project.pbxproj delete mode 100755 Security/libsecurity_ssl/regressions/gencerts.sh delete mode 100644 Security/libsecurity_ssl/regressions/ssl-42-ciphers.c delete mode 100644 Security/libsecurity_ssl/regressions/ssl-49-sni.c delete 
mode 100644 Security/libsecurity_ssl/regressions/ssl-utils.c delete mode 120000 Security/libsecurity_ssl/security_ssl delete mode 100644 Security/libsecurity_transform/lib/SecEncryptTransform.cpp delete mode 100644 Security/libsecurity_transform/libsecurity_transform.xcodeproj/project.pbxproj delete mode 100644 Security/libsecurity_utilities/lib/cfmach++.cpp delete mode 100644 Security/libsecurity_utilities/lib/cfutilities.cpp delete mode 100644 Security/libsecurity_utilities/lib/cfutilities.h delete mode 100644 Security/libsecurity_utilities/lib/dyldcache.cpp delete mode 100644 Security/libsecurity_utilities/lib/dyldcache.h delete mode 100644 Security/libsecurity_utilities/lib/hashing.cpp delete mode 100644 Security/libsecurity_utilities/lib/hashing.h delete mode 100644 Security/libsecurity_utilities/lib/mach_notify.c delete mode 100644 Security/libsecurity_utilities/lib/macho++.cpp delete mode 100644 Security/libsecurity_utilities/lib/macho++.h delete mode 100644 Security/libsecurity_utilities/lib/powerwatch.cpp delete mode 100644 Security/libsecurity_utilities/lib/powerwatch.h delete mode 100644 Security/libsecurity_utilities/lib/sqlite++.cpp delete mode 100644 Security/libsecurity_utilities/lib/unix++.cpp delete mode 100644 Security/libsecurity_utilities/libsecurity_utilities.xcodeproj/project.pbxproj delete mode 100644 Security/libsecurityd/lib/ssclient.h delete mode 100644 Security/libsecurityd/lib/transition.cpp delete mode 100644 Security/libsecurityd/libsecurityd.xcodeproj/project.pbxproj delete mode 100644 Security/regressions/regressions.xcodeproj/project.pbxproj delete mode 100644 Security/regressions/test/testenv.c delete mode 100644 Security/regressions/test/testmore.c delete mode 100644 Security/sec/SOSCircle/CKBridge/SOSCloudKeychainClient.c delete mode 100644 Security/sec/SOSCircle/CKBridge/SOSCloudKeychainClient.h delete mode 100644 Security/sec/SOSCircle/CKBridge/SOSCloudKeychainConstants.c delete mode 100644 
Security/sec/SOSCircle/CKBridge/SOSCloudKeychainConstants.h delete mode 100644 Security/sec/SOSCircle/Regressions/SOSCircle_regressions.h delete mode 100644 Security/sec/SOSCircle/Regressions/SOSTestDevice.c delete mode 100644 Security/sec/SOSCircle/Regressions/sc-103-syncupdate.c delete mode 100644 Security/sec/SOSCircle/Regressions/sc-131-transport.c delete mode 100644 Security/sec/SOSCircle/Regressions/sc-30-peerinfo.c delete mode 100644 Security/sec/SOSCircle/Regressions/sc-31-peerinfo-simplefuzz.c delete mode 100644 Security/sec/SOSCircle/Regressions/sc-41-cloudcircle.c delete mode 100644 Security/sec/SOSCircle/Regressions/sc-50-message.c delete mode 100644 Security/sec/SOSCircle/Regressions/sc-51-persistentEC.c delete mode 100644 Security/sec/SOSCircle/Regressions/sc-60-peer.c delete mode 100644 Security/sec/SOSCircle/Regressions/sc-70-engine.c delete mode 100644 Security/sec/SOSCircle/Regressions/sc-75-circle-engine.c delete mode 100644 Security/sec/SOSCircle/Regressions/sc-90-ckdclient.c delete mode 100644 Security/sec/SOSCircle/Regressions/sc-95-ckd2client.c delete mode 100644 Security/sec/SOSCircle/SOSARCDefines.h delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSAccount.c delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSAccount.h delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSAccountCircles.c delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSAccountCloudParameters.c delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSAccountCredentials.c delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSAccountDer.c delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSAccountFullPeerInfo.c delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSAccountPeers.c delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSAccountPersistence.c delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSAccountPriv.h delete mode 100644 
Security/sec/SOSCircle/SecureObjectSync/SOSAccountUpdate.c delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSCircle.c delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSCircle.h delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSCloudCircle.c delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSCloudCircle.h delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSCloudCircleInternal.h delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSCoder.c delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSCoder.h delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSDataSource.h delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSDigestVector.c delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSEngine.c delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSEngine.h delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSExports.exp-in delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSFullPeerInfo.c delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSFullPeerInfo.h delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSInternal.c delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSInternal.h delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSKVSKeys.c delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSKVSKeys.h delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSManifest.c delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSMessage.c delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSMessage.h delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSPeer.c delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSPeer.h delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSPeerCoder.c delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSPeerCoder.h delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSPeerInfo.c delete mode 100644 
Security/sec/SOSCircle/SecureObjectSync/SOSPeerInfo.h delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSPeerInfoCollections.c delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSPeerInfoCollections.h delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSPeerInfoInternal.h delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSTransport.c delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSTransport.h delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSTransportCircle.c delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSTransportCircle.h delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSTransportCircleKVS.c delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSTransportCircleKVS.h delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSTransportCoder.c delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSTransportCoder.h delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSTransportKeyParameter.c delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSTransportKeyParameter.h delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSTransportKeyParameterKVS.c delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSTransportKeyParameterKVS.h delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSTransportMessage.c delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSTransportMessage.h delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSTransportMessageKVS.c delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSTransportMessageKVS.h delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSUserKeygen.c delete mode 100644 Security/sec/SOSCircle/SecureObjectSync/SOSUserKeygen.h delete mode 100644 Security/sec/SOSCircle/Tool/SOSCommands.h delete mode 100644 Security/sec/SOSCircle/Tool/keychain_sync.c delete mode 100644 Security/sec/SOSCircle/osxshim.c delete mode 100644 
Security/sec/Security/Regressions/secitem/si-23-sectrust-ocsp.c delete mode 100644 Security/sec/Security/Regressions/secitem/si-27-sectrust-exceptions.c delete mode 100644 Security/sec/Security/Regressions/secitem/si-81-item-acl-stress.c delete mode 100644 Security/sec/Security/Regressions/secitem/si_77_SecAccessControl.c delete mode 100644 Security/sec/Security/SecAccessControl.c delete mode 100644 Security/sec/Security/SecAccessControl.h delete mode 100644 Security/sec/Security/SecAccessControlExports.exp-in delete mode 100644 Security/sec/Security/SecAccessControlPriv.h delete mode 100644 Security/sec/Security/SecBase.h delete mode 100644 Security/sec/Security/SecBasePriv.h delete mode 100644 Security/sec/Security/SecCertificate.h delete mode 100644 Security/sec/Security/SecCertificatePriv.h delete mode 100644 Security/sec/Security/SecFrameworkStrings.h delete mode 100644 Security/sec/Security/SecIdentity.h delete mode 100644 Security/sec/Security/SecImportExport.c delete mode 100644 Security/sec/Security/SecImportExport.h delete mode 100644 Security/sec/Security/SecItem.c delete mode 100644 Security/sec/Security/SecItem.h delete mode 100644 Security/sec/Security/SecItemConstants.c delete mode 100644 Security/sec/Security/SecItemInternal.h delete mode 100644 Security/sec/Security/SecItemPriv.h delete mode 100644 Security/sec/Security/SecKey.h delete mode 100644 Security/sec/Security/SecKeyPriv.h delete mode 100644 Security/sec/Security/SecLogging.c delete mode 100644 Security/sec/Security/SecPolicy.c delete mode 100644 Security/sec/Security/SecPolicy.h delete mode 100644 Security/sec/Security/SecPolicyInternal.h delete mode 100644 Security/sec/Security/SecPolicyPriv.h delete mode 100644 Security/sec/Security/SecRandom.h delete mode 100644 Security/sec/Security/SecTrust.c delete mode 100644 Security/sec/Security/SecTrust.h delete mode 100644 Security/sec/Security/SecTrustPriv.h delete mode 100644 Security/sec/Security/SecTrustSettingsPriv.h delete mode 100644 
Security/sec/Security/SecuritydXPC.c delete mode 100644 Security/sec/Security/Tool/SecurityCommands.h delete mode 100644 Security/sec/Security/Tool/keychain_add.c delete mode 100644 Security/sec/Security/Tool/keychain_find.c delete mode 100644 Security/sec/Security/Tool/keychain_util.c delete mode 100644 Security/sec/Security/Tool/log_control.c delete mode 100644 Security/sec/Security/Tool/scep.c delete mode 100644 Security/sec/Security/Tool/show_certificates.c delete mode 100644 Security/sec/Security/Tool/spc.c delete mode 100644 Security/sec/Security/cssmapple.h delete mode 100644 Security/sec/SecurityTool/print_cert.c delete mode 100644 Security/sec/config/lib-arc-only.xcconfig delete mode 100644 Security/sec/config/lib.xcconfig delete mode 100644 Security/sec/ipc/client.c delete mode 100755 Security/sec/ipc/securityd_client.h delete mode 100644 Security/sec/ipc/server.c delete mode 100644 Security/sec/sec.xcodeproj/project.pbxproj delete mode 100644 Security/sec/securityd/OTATrustUtilities.c delete mode 100644 Security/sec/securityd/Regressions/SOSAccountTesting.h delete mode 100644 Security/sec/securityd/Regressions/SOSTransportTestTransports.c delete mode 100644 Security/sec/securityd/Regressions/SOSTransportTestTransports.h delete mode 100644 Security/sec/securityd/Regressions/secd-51-account-inflate.c delete mode 100644 Security/sec/securityd/Regressions/secd-52-account-changed.c delete mode 100644 Security/sec/securityd/Regressions/secd_regressions.h delete mode 100644 Security/sec/securityd/SOSCloudCircleServer.c delete mode 100644 Security/sec/securityd/SOSCloudCircleServer.h delete mode 100644 Security/sec/securityd/SecDbItem.c delete mode 100644 Security/sec/securityd/SecDbKeychainItem.c delete mode 100644 Security/sec/securityd/SecDbKeychainItem.h delete mode 100644 Security/sec/securityd/SecItemDataSource.c delete mode 100644 Security/sec/securityd/SecItemServer.c delete mode 100644 Security/sec/securityd/SecKeybagSupport.c delete mode 100644 
Security/sec/securityd/SecKeybagSupport.h delete mode 100644 Security/sec/securityd/SecLogSettingsServer.c delete mode 100644 Security/sec/securityd/SecOTRRemote.c delete mode 100644 Security/sec/securityd/SecTrustServer.h delete mode 100644 Security/sec/securityd/entitlements.plist delete mode 100644 Security/sec/securityd/iCloudTrace.c delete mode 100644 Security/sec/securityd/spi.c delete mode 100644 Security/secdtests/main.c delete mode 100644 Security/sectests/testlist.h delete mode 100755 Security/tlsnke/loadkext.sh delete mode 100644 Security/tlsnke/tlsnke.xcodeproj/xcshareddata/xcschemes/Device.xcscheme delete mode 100644 Security/tlsnke/tlsnke.xcodeproj/xcshareddata/xcschemes/Host.xcscheme delete mode 100644 Security/tlsnke/tlsnke.xcodeproj/xcshareddata/xcschemes/tlsnke.xcscheme delete mode 100644 Security/tlsnke/tlsnke.xcodeproj/xcshareddata/xcschemes/tlsnketest.xcscheme delete mode 100644 Security/tlsnke/tlsnke/tlsnke-Info.plist delete mode 100644 Security/tlsnke/tlsnke/tlsnke-Prefix.pch delete mode 100644 Security/tlsnke/tlsnke/tlsnke.c delete mode 100644 Security/utilities/config/lib.xcconfig delete mode 100644 Security/utilities/src/SecAKSWrappers.c delete mode 100644 Security/utilities/src/SecAKSWrappers.h delete mode 100644 Security/utilities/src/SecCFError.c delete mode 100644 Security/utilities/src/SecCFError.h delete mode 100644 Security/utilities/src/SecCFRelease.h delete mode 100644 Security/utilities/src/SecCFWrappers.c delete mode 100644 Security/utilities/src/SecCFWrappers.h delete mode 100644 Security/utilities/src/SecCertificateTrace.c delete mode 100644 Security/utilities/src/SecCertificateTrace.h delete mode 100644 Security/utilities/src/SecDb.c delete mode 100644 Security/utilities/src/SecDb.h delete mode 100644 Security/utilities/src/SecFileLocations.c delete mode 100644 Security/utilities/src/SecFileLocations.h delete mode 100644 Security/utilities/src/SecXPCError.c delete mode 100644 Security/utilities/src/cloud_keychain_diagnose.c 
delete mode 100644 Security/utilities/src/comparison.h delete mode 100644 Security/utilities/src/debugging.c delete mode 100644 Security/utilities/src/debugging.h delete mode 100644 Security/utilities/src/der_plist.c delete mode 100644 Security/utilities/src/der_plist.h delete mode 100644 Security/utilities/src/der_plist_internal.h delete mode 100644 Security/utilities/src/iCloudKeychainTrace.c delete mode 100644 Security/utilities/src/iOSforOSX-SecAttr.c delete mode 100644 Security/utilities/src/iOSforOSX.h delete mode 100644 Security/utilities/src/simulate_crash.c delete mode 120000 Security/utilities/utilities delete mode 100644 Security/utilities/utilities.xcodeproj/project.pbxproj delete mode 100644 certificates/CertificateTool/Asset/SecurityCertificatesAssets/AssetData/PKITrustData/AppleESCertificates.plist delete mode 100644 certificates/CertificateTool/Asset/SecurityCertificatesAssets/AssetData/PKITrustData/AssetVersion.plist delete mode 100644 certificates/CertificateTool/Asset/SecurityCertificatesAssets/AssetData/PKITrustData/Blocked.plist delete mode 100644 certificates/CertificateTool/Asset/SecurityCertificatesAssets/AssetData/PKITrustData/EVRoots.plist delete mode 100644 certificates/CertificateTool/Asset/SecurityCertificatesAssets/AssetData/PKITrustData/GrayListedKeys.plist delete mode 100644 certificates/CertificateTool/Asset/SecurityCertificatesAssets/AssetData/PKITrustData/certsIndex.data delete mode 100644 certificates/CertificateTool/Asset/SecurityCertificatesAssets/AssetData/PKITrustData/certsTable.data delete mode 100644 certificates/CertificateTool/Asset/SecurityCertificatesAssets/AssetData/PKITrustData/manifest.data delete mode 100644 certificates/CertificateTool/Asset/SecurityCertificatesAssets/Info.plist delete mode 100644 certificates/CertificateTool/BuildOSXRootKeychain/X509Anchors delete mode 100644 certificates/CertificateTool/BuildOSXRootKeychain/buildRootKeychain.rb delete mode 100644 
certificates/CertificateTool/BuildOSXRootKeychain/certsha1hashtmp delete mode 100755 certificates/CertificateTool/BuildOSXRootKeychain/evroot.config delete mode 100644 certificates/CertificateTool/BuildiOSAsset/BuildAsset.rb delete mode 100644 certificates/CertificateTool/BuildiOSAsset/BuildPListFiles.rb delete mode 100644 certificates/CertificateTool/CertificateTool.xcodeproj/project.xcworkspace/contents.xcworkspacedata delete mode 120000 certificates/CertificateTool/CertificateTool/AppleBaselineEscrowCertificates.h delete mode 100644 certificates/CertificateTool/CertificateTool/AssetVersion.plist delete mode 100644 certificates/CertificateTool/CertificateTool/CertificateTool-Prefix.pch delete mode 100644 certificates/CertificateTool/CertificateTool/CertificateToolApp.h delete mode 100644 certificates/CertificateTool/CertificateTool/CertificateToolApp.m delete mode 100644 certificates/CertificateTool/CertificateTool/DataConversion.h delete mode 100644 certificates/CertificateTool/CertificateTool/DataConversion.m delete mode 100644 certificates/CertificateTool/CertificateTool/Info.plist delete mode 100644 certificates/CertificateTool/CertificateTool/PSAssetConstants.c delete mode 100644 certificates/CertificateTool/CertificateTool/PSAssetConstants.h delete mode 100644 certificates/CertificateTool/CertificateTool/PSCert.h delete mode 100644 certificates/CertificateTool/CertificateTool/PSCert.m delete mode 100644 certificates/CertificateTool/CertificateTool/PSCertData.h delete mode 100644 certificates/CertificateTool/CertificateTool/PSCertData.m delete mode 100644 certificates/CertificateTool/CertificateTool/PSCertKey.h delete mode 100644 certificates/CertificateTool/CertificateTool/PSCertKey.m delete mode 100644 certificates/CertificateTool/CertificateTool/PSCertRecord.h delete mode 100644 certificates/CertificateTool/CertificateTool/PSCertRecord.m delete mode 100644 certificates/CertificateTool/CertificateTool/PSCerts.h delete mode 100644 
certificates/CertificateTool/CertificateTool/PSCerts.m delete mode 100644 certificates/CertificateTool/CertificateTool/PSUtilities.h delete mode 100644 certificates/CertificateTool/CertificateTool/PSUtilities.m delete mode 100644 certificates/CertificateTool/CertificateTool/ValidateAsset.c delete mode 100644 certificates/CertificateTool/CertificateTool/ValidateAsset.h delete mode 100644 certificates/CertificateTool/CertificateTool/main.m delete mode 100755 certificates/EVRoots/evroot.config delete mode 100644 certificates/assetData/Info.plist delete mode 100644 certificates/certs/AppleDEVID.cer delete mode 100644 certificates/certs/DODCA_13.cer delete mode 100644 certificates/certs/DODCA_14.cer delete mode 100644 certificates/certs/DODCA_15.cer delete mode 100644 certificates/certs/DODCA_16.cer delete mode 100644 certificates/certs/DODCA_17.cer delete mode 100644 certificates/certs/DODCA_18.cer delete mode 100644 certificates/certs/DODCA_19.cer delete mode 100644 certificates/certs/DODCA_20.cer delete mode 100644 certificates/certs/DODCA_25.der delete mode 100644 certificates/certs/DODCA_26.der delete mode 100644 certificates/certs/DODCA_27.cer delete mode 100644 certificates/certs/DODCA_28.cer delete mode 100644 certificates/certs/DODCA_29.cer delete mode 100644 certificates/certs/DODCA_30.cer delete mode 100644 certificates/certs/DODEMAILCA_13.cer delete mode 100644 certificates/certs/DODEMAILCA_14.cer delete mode 100644 certificates/certs/DODEMAILCA_15.cer delete mode 100644 certificates/certs/DODEMAILCA_16.cer delete mode 100644 certificates/certs/DODEMAILCA_17.cer delete mode 100644 certificates/certs/DODEMAILCA_18.cer delete mode 100644 certificates/certs/DODEMAILCA_19.cer delete mode 100644 certificates/certs/DODEMAILCA_20.cer delete mode 100644 certificates/certs/DODEMAILCA_21.cer delete mode 100644 certificates/certs/DODEMAILCA_22.cer delete mode 100644 certificates/certs/DODEMAILCA_23.cer delete mode 100644 certificates/certs/DODEMAILCA_24.cer delete mode 
100644 certificates/certs/DODEMAILCA_25.der delete mode 100644 certificates/certs/DODEMAILCA_26.der delete mode 100644 certificates/certs/DODEMAILCA_27.cer delete mode 100644 certificates/certs/DODEMAILCA_28.cer delete mode 100644 certificates/certs/DODEMAILCA_29.cer delete mode 100644 certificates/certs/DODEMAILCA_30.cer delete mode 100644 certificates/certs/DODINTERMEDIATECA-2.cer delete mode 100644 certificates/certs/DODINTERMEDIATECA_1.cer delete mode 100644 certificates/certs/DOD_CA-11.cer delete mode 100644 certificates/certs/DOD_CA-12.cer delete mode 100644 certificates/certs/DOD_CLASS_3_CA-10.cer delete mode 100644 certificates/certs/DOD_CLASS_3_CA-5.cer delete mode 100644 certificates/certs/DOD_CLASS_3_CA-6.cer delete mode 100644 certificates/certs/DOD_CLASS_3_CA-7.cer delete mode 100644 certificates/certs/DOD_CLASS_3_CA-8.cer delete mode 100644 certificates/certs/DOD_CLASS_3_CA-9.cer delete mode 100644 certificates/certs/DOD_CLASS_3_EMAIL_CA-10.cer delete mode 100644 certificates/certs/DOD_CLASS_3_EMAIL_CA-5.cer delete mode 100644 certificates/certs/DOD_CLASS_3_EMAIL_CA-6.cer delete mode 100644 certificates/certs/DOD_CLASS_3_EMAIL_CA-7.cer delete mode 100644 certificates/certs/DOD_CLASS_3_EMAIL_CA-8.cer delete mode 100644 certificates/certs/DOD_CLASS_3_EMAIL_CA-9.cer delete mode 100644 certificates/certs/DOD_EMAIL_CA-11.cer delete mode 100644 certificates/certs/DOD_EMAIL_CA-12.cer delete mode 100644 certificates/certs/DoDCA21.cer delete mode 100644 certificates/certs/DoDCA22.cer delete mode 100644 certificates/certs/DoDCA23.cer delete mode 100644 certificates/certs/DoDCA24.cer delete mode 100644 certificates/certs/GeoTrust_True_Credentials_CA_2.cer delete mode 100644 certificates/certs/IDENTRUSTECA1.cer delete mode 100644 certificates/certs/IDENTRUSTECA2.cer delete mode 100644 certificates/certs/IDENTRUSTECA3.cer delete mode 100644 certificates/certs/ORCECA2.cer delete mode 100644 certificates/certs/ORCECAFOREIGNNATIONALSCA1.cer delete mode 100644 
certificates/certs/ORCECAHW3.cer delete mode 100644 certificates/certs/ORCECAHW4.cer delete mode 100644 certificates/certs/ORCECASW3.cer delete mode 100644 certificates/certs/ORCECASW4.cer delete mode 100644 certificates/certs/ORC_ECA.cer delete mode 100755 certificates/certs/Thawte_Code_Signing_CA.cer delete mode 100644 certificates/certs/Thawte_SGC_CA.der.cer delete mode 100644 certificates/certs/Thawte_SSL_Domain_CA_der.cer delete mode 100644 certificates/certs/VERISIGNCLIENTECA-G2.cer delete mode 100644 certificates/certs/VERISIGNCLIENTEXTERNALCERTIFICATIONAUTHORITY_G3.cer delete mode 100644 certificates/certs/VeriSignClientExternalCertificationAuthority.cer delete mode 100755 certificates/certs/VeriSign_TSA_CA.crt delete mode 100644 certificates/certs/VisaNet.crt delete mode 100644 certificates/certs/acClasse0_0.cer delete mode 100644 certificates/certs/acClasse0_1.cer delete mode 100644 certificates/certs/acClasse1_0.cer delete mode 100644 certificates/certs/acClasse1_1.cer delete mode 100644 certificates/certs/acClasse2_0.cer delete mode 100644 certificates/certs/acClasse2_1.cer delete mode 100644 certificates/certs/acClasse3_0.cer delete mode 100644 certificates/certs/acClasse3_1.cer delete mode 100644 certificates/certs/acClasse4.cer delete mode 100644 certificates/certs/acClasse5.cer delete mode 100644 certificates/certs/acCps2_2.cer delete mode 100644 certificates/certs/belgiumrs.crt delete mode 100644 certificates/certs/e-Visa.crt delete mode 100644 certificates/certs/gipCps0.cer delete mode 100644 certificates/distrusted/DigiNotar Extended Validation CA.cer delete mode 100644 certificates/distrusted/DigiNotar PKIoverheid CA Organisatie - G2.cer delete mode 100644 certificates/distrusted/DigiNotar Qualified CA.cer delete mode 100644 certificates/distrusted/DigiNotar Services 1024 CA.cer delete mode 100644 certificates/distrusted/DigiNotar Services CA.cer delete mode 100644 certificates/distrusted/DigiNotarRootCA2007.crt delete mode 100644 
certificates/distrusted/DigiNotarRootCAG2.cer delete mode 100644 certificates/distrusted/DigiNotar_PKIoverheid_CA.cer delete mode 100644 certificates/distrusted/EASEE-gas CA.cer delete mode 100644 certificates/distrusted/Nederlandse Orde van Advocaten - Dutch Bar Association.cer delete mode 100644 certificates/distrusted/TRIALOrgCA.cer delete mode 100644 certificates/distrusted/TRIAL_DigiNotar_PKIoverheid_Organisatie_TEST_CA_G2.cer delete mode 100644 certificates/distrusted/TU Delft CA.cer delete mode 100644 certificates/ota_cert_tool/BuildAsset/BuildAsset-Prefix.pch delete mode 100644 certificates/ota_cert_tool/BuildAsset/BuildAsset.1 delete mode 100644 certificates/ota_cert_tool/BuildAsset/main.m delete mode 100644 certificates/ota_cert_tool/Scripts/BuildAsset.rb delete mode 100644 certificates/ota_cert_tool/Scripts/BuildPlistFiles.rb delete mode 100644 certificates/ota_cert_tool/Scripts/File.rb delete mode 100644 certificates/ota_cert_tool/SecuritydAssertHelper/Readme.txt delete mode 100644 certificates/ota_cert_tool/SecuritydAssertHelper/SecuritydAssertHelper.1 delete mode 100644 certificates/ota_cert_tool/SecuritydAssertHelper/SecuritydAssertHelper.m delete mode 100644 certificates/ota_cert_tool/TestValidator/Readme.txt delete mode 100644 certificates/ota_cert_tool/TestValidator/Resources/EVRoots.plist delete mode 100644 certificates/ota_cert_tool/TestValidator/Resources/Manifest.plist delete mode 100644 certificates/ota_cert_tool/TestValidator/Resources/certs.plist delete mode 100644 certificates/ota_cert_tool/TestValidator/Resources/distrusted.plist delete mode 100644 certificates/ota_cert_tool/TestValidator/Resources/revoked.plist delete mode 100644 certificates/ota_cert_tool/TestValidator/Resources/roots.plist delete mode 100644 certificates/ota_cert_tool/TestValidator/TestValidator.1 delete mode 100644 certificates/ota_cert_tool/TestValidator/TestValidator.m delete mode 100644 certificates/ota_cert_tool/assertValidation/assertValidation-Prefix.pch delete 
mode 100644 certificates/ota_cert_tool/ios_ota_cert_tool.xcodeproj/project.pbxproj delete mode 100644 certificates/ota_cert_tool/ios_ota_cert_tool.xcodeproj/project.xcworkspace/contents.xcworkspacedata delete mode 100644 certificates/ota_cert_tool/ios_ota_cert_tool/CommonBaseXX.c delete mode 100644 certificates/ota_cert_tool/ios_ota_cert_tool/CommonBaseXX.h delete mode 100644 certificates/ota_cert_tool/ios_ota_cert_tool/CommonBuffering.c delete mode 100644 certificates/ota_cert_tool/ios_ota_cert_tool/CommonBufferingPriv.h delete mode 100644 certificates/ota_cert_tool/ios_ota_cert_tool/Info.plist delete mode 100644 certificates/ota_cert_tool/ios_ota_cert_tool/PSCert.h delete mode 100644 certificates/ota_cert_tool/ios_ota_cert_tool/PSCert.m delete mode 100644 certificates/ota_cert_tool/ios_ota_cert_tool/PSCertKey.h delete mode 100644 certificates/ota_cert_tool/ios_ota_cert_tool/PSCertKey.m delete mode 100644 certificates/ota_cert_tool/ios_ota_cert_tool/PSCerts.h delete mode 100644 certificates/ota_cert_tool/ios_ota_cert_tool/PSCerts.m delete mode 100644 certificates/ota_cert_tool/ios_ota_cert_tool/PSIOSCertToolApp.h delete mode 100644 certificates/ota_cert_tool/ios_ota_cert_tool/PSIOSCertToolApp.m delete mode 100644 certificates/ota_cert_tool/ios_ota_cert_tool/PSUtilities.h delete mode 100644 certificates/ota_cert_tool/ios_ota_cert_tool/PSUtilities.m delete mode 100644 certificates/ota_cert_tool/ios_ota_cert_tool/ValidateAsset.c delete mode 100644 certificates/ota_cert_tool/ios_ota_cert_tool/ValidateAsset.h delete mode 100644 certificates/ota_cert_tool/ios_ota_cert_tool/ccMemory.h delete mode 100644 certificates/ota_cert_tool/ios_ota_cert_tool/ios_ota_cert_tool-Prefix.pch delete mode 100644 certificates/ota_cert_tool/ios_ota_cert_tool/ios_ota_cert_tool.1 delete mode 100644 certificates/ota_cert_tool/ios_ota_cert_tool/main.m delete mode 100644 certificates/removed/AOLTimeWarner1.der delete mode 100644 certificates/removed/AOLTimeWarner2.der delete mode 100644 
certificates/removed/EntrustRootCA1024.crt delete mode 100644 certificates/removed/Equifax_Secure_eBusiness_CA-2.cer delete mode 100644 certificates/removed/JCSSecureSignRootCA11.cer delete mode 100644 certificates/removed/ValiCertClass1PVA.cer delete mode 100644 certificates/removed/ValiCertClass2PVA.cer delete mode 100644 certificates/removed/ValiCertClass3PVA.cer delete mode 100644 certificates/removed/persbasi.crt delete mode 100644 certificates/removed/persprem.crt delete mode 100644 certificates/revoked/*.EGO.GOV.TR.cer delete mode 100644 certificates/revoked/*.google.com.cer delete mode 100644 certificates/revoked/*.mail.me.com.cer delete mode 100644 certificates/revoked/DigiNotar Public CA 2025.cer delete mode 100644 certificates/revoked/DigiNotar092006.cer delete mode 100644 certificates/revoked/DigiNotar092706.cer delete mode 100644 certificates/revoked/DigiNotar100406.cer delete mode 100644 certificates/revoked/DigiNotarRootCA1.cer delete mode 100644 certificates/revoked/DigiNotarRootCA2.cer delete mode 100644 certificates/revoked/DigiNotarServices1024CA.cer delete mode 100644 certificates/revoked/Digisign-Server-ID-Enrich-Entrust-Cert.cer delete mode 100644 certificates/revoked/Digisign-Server-ID-Enrich-GTETrust-Cert.cer delete mode 100644 certificates/revoked/Micros CA 2.cer delete mode 100644 certificates/revoked/Trustwave Organization Issuing CA, Level 2 2.cer delete mode 100644 certificates/revoked/e-islem.kktcmerkezbankasi.org.cer delete mode 100644 certificates/roots/00_BCA.cer delete mode 100644 certificates/roots/2048CA.cer delete mode 100644 certificates/roots/A-Trust-Qual-01.cer delete mode 100644 certificates/roots/A-Trust-Qual-02a.crt delete mode 100644 certificates/roots/A-Trust-nQual-01.cer delete mode 100644 certificates/roots/A-Trust-nQual-03.cer delete mode 100644 certificates/roots/APCAroot.der delete mode 100644 certificates/roots/Actalis Authentication Root CA.cer delete mode 100644 certificates/roots/AddTrust Class 1 CA Root.crt 
delete mode 100644 certificates/roots/AddTrust External CA Root.crt delete mode 100644 certificates/roots/AddTrust Public CA Root.crt delete mode 100644 certificates/roots/AddTrust Qualified CA Root.crt delete mode 100644 certificates/roots/AffirmTrust-Commercial.der delete mode 100644 certificates/roots/AffirmTrust-Networking.der delete mode 100644 certificates/roots/AffirmTrust-Premium-ECC.der delete mode 100644 certificates/roots/AffirmTrust-Premium.der delete mode 100644 certificates/roots/AmericaOnline1.der delete mode 100644 certificates/roots/AmericaOnline2.der delete mode 100644 certificates/roots/AppCAG2.cer delete mode 100644 certificates/roots/Apple Root CA - G2.cer delete mode 100644 certificates/roots/Apple Root CA - G3.cer delete mode 100644 certificates/roots/AppleDEVID.cer delete mode 100644 certificates/roots/AppleIncRoot042506.cer delete mode 100644 certificates/roots/AppleROOTCA.der delete mode 100644 certificates/roots/Autoridad de Certificacion Raiz del Estado Venezolano.cer delete mode 100644 certificates/roots/BIT-Admin-Root-CA.crt delete mode 100644 certificates/roots/BIT-AdminCA-CD-T01.crt delete mode 100644 certificates/roots/BTCTRT.cer delete mode 100644 certificates/roots/Buypass Class 2 Root CA.cer delete mode 100644 certificates/roots/Buypass Class 3 Root CA.cer delete mode 100755 certificates/roots/BuypassClass2CA1.cer delete mode 100755 certificates/roots/BuypassClass3CA1.cer delete mode 100644 certificates/roots/C1_PCA_G3v2.509 delete mode 100644 certificates/roots/C2_PCA_G3v2.509 delete mode 100644 certificates/roots/C3_PCA_G3v2.509 delete mode 100644 certificates/roots/C4_PCA_G3v2.509 delete mode 100644 certificates/roots/CA Disig Root R1.cer delete mode 100644 certificates/roots/CA Disig Root R2.cer delete mode 100644 certificates/roots/CNNICEVRoot.der delete mode 100644 certificates/roots/COMODOCertificationAuthority.crt delete mode 100644 certificates/roots/Certigna.cer delete mode 100644 certificates/roots/Certinomis - Root 
CA.cer delete mode 100644 certificates/roots/Certinomis-May2013.der delete mode 100644 certificates/roots/Certum Trusted Network CA 2.cer delete mode 100644 certificates/roots/Chunghwa-ROOTeCA.der delete mode 100644 certificates/roots/Class1_PCA_G2_v2.509 delete mode 100644 certificates/roots/Class2_PCA_G2_v2.509 delete mode 100644 certificates/roots/Class3_PCA_G2_v2.509 delete mode 100644 certificates/roots/Class4_PCA_G2_v2.509 delete mode 100644 certificates/roots/ComSign-CA.der delete mode 100644 certificates/roots/ComSign-Global.der delete mode 100644 certificates/roots/ComSign-Secured.der delete mode 100644 certificates/roots/Comodo_AAA_Certificate_Services.cer delete mode 100644 certificates/roots/Comodo_Secure_Certificate_Services.cer delete mode 100644 certificates/roots/Comodo_Trusted_Certificate_Services.cer delete mode 100644 certificates/roots/D-TRUST_Root_Class_3_CA_2_2009.cer delete mode 100644 certificates/roots/D-TRUST_Root_Class_3_CA_2_EV_2009.cer delete mode 100644 certificates/roots/DST Root CA X4.cer delete mode 100644 certificates/roots/Deutsche_Telekom_Root_CA_2.der delete mode 100644 certificates/roots/DigiCertAssuredIDRootCA.crt delete mode 100644 certificates/roots/DigiCertAssuredIDRootG2.der delete mode 100644 certificates/roots/DigiCertAssuredIDRootG3.der delete mode 100644 certificates/roots/DigiCertGlobalRootCA.crt delete mode 100644 certificates/roots/DigiCertGlobalRootG2.der delete mode 100644 certificates/roots/DigiCertGlobalRootG3.der delete mode 100644 certificates/roots/DigiCertHighAssuranceEVRootCA.crt delete mode 100644 certificates/roots/DigiCertTrustedRootG4.der delete mode 100644 certificates/roots/DoDCLASS3RootCA.cer delete mode 100644 certificates/roots/DoDRootCA2.der delete mode 100644 certificates/roots/E-Tugra.der delete mode 100644 certificates/roots/EBG_KOKSM.cer delete mode 100644 certificates/roots/ECARootCA.der delete mode 100644 certificates/roots/EchoworxRootCA2.cer delete mode 100644 
certificates/roots/EntrustEVRoot.crt delete mode 100644 certificates/roots/EntrustRoot-EC1.der delete mode 100644 certificates/roots/EntrustRoot-G2.der delete mode 100644 certificates/roots/Equifax_Secure_Certificate_Auth delete mode 100644 certificates/roots/Equifax_Secure_Global_eBusiness delete mode 100644 certificates/roots/Equifax_Secure_eBusiness_CA-1.cer delete mode 100644 certificates/roots/Estonia-Juur-SK.cer delete mode 100755 certificates/roots/FBCA-commonpolicy2.cer delete mode 100644 certificates/roots/FederalCommonPolicyCA.cer delete mode 100644 certificates/roots/Firmaprofesional-CIF-A62634068.der delete mode 100644 certificates/roots/GD-Class2-root.crt delete mode 100644 certificates/roots/GTEGB18.cer delete mode 100644 certificates/roots/GeoTrust Primary Certification Authority - G2.cer delete mode 100644 certificates/roots/GeoTrust Primary Certification Authority - G3.cer delete mode 100644 certificates/roots/GeoTrust_Global_CA.cer delete mode 100644 certificates/roots/GlobalSign-Root-R3.der delete mode 100644 certificates/roots/GlobalSign-RootCA-2028exp.cer delete mode 100644 certificates/roots/GlobalSignRoot-R4.cer delete mode 100644 certificates/roots/GlobalSignRoot-R5.cer delete mode 100644 certificates/roots/GlobalSignRootCA-R2.cer delete mode 100644 certificates/roots/GoDaddyRootCertificateAuthorityG2.der delete mode 100644 certificates/roots/HKPost-smartid_rt.cacert.crt delete mode 100644 certificates/roots/HaricaRootCA2011.der delete mode 100644 certificates/roots/ICA-20090901.der delete mode 100644 certificates/roots/IdenTrust_Root_X3.der delete mode 100644 certificates/roots/IdenTrust_Root_X6.der delete mode 100644 certificates/roots/Izenpe-RAIZ2007.crt delete mode 100644 certificates/roots/Izenpe-ca_raiz2003.crt delete mode 100644 certificates/roots/Izenpe.com.cer delete mode 100644 certificates/roots/JapanMinistryIAC-ApplicationCA2.der delete mode 100644 certificates/roots/KIR-SZAFIR-Trusted.der delete mode 100644 
certificates/roots/KMD-CA-KPerson.crt delete mode 100644 certificates/roots/KMD-CA-Server.crt delete mode 100644 certificates/roots/MPHPT_CA.cer delete mode 100644 certificates/roots/Microsec e-Szigno Root CA 2009.cer delete mode 100644 certificates/roots/NetLockAranyClassGoldF.cer delete mode 100644 certificates/roots/NetworkSolutionsEVRoot.crt delete mode 100644 certificates/roots/PCA1ss_v4.509 delete mode 100644 certificates/roots/PCA2ss_v4.509 delete mode 100644 certificates/roots/PCA3ss_v4.509 delete mode 100644 certificates/roots/Poland-Certum-CTNCA.der delete mode 100644 certificates/roots/ROOT-CHAMBERS.crt delete mode 100644 certificates/roots/ROOT-CHAMBERSIGN.crt delete mode 100644 certificates/roots/RSA_Root_CA.der delete mode 100644 certificates/roots/SCRoot1ca.cer delete mode 100644 certificates/roots/SECOM-EVRoot1ca.cer delete mode 100644 certificates/roots/SECOM-RootCA2.cer delete mode 100644 certificates/roots/SF-Class2-root.crt delete mode 100644 certificates/roots/SKEE_Certification_Centre_Root_CA.crt delete mode 100644 certificates/roots/SoneraClass1.crt delete mode 100644 certificates/roots/SoneraClass2.crt delete mode 100644 certificates/roots/Staat der Nederlanden EV Root CA.cer delete mode 100644 certificates/roots/StarfieldRootCertificateAuthorityG2.der delete mode 100644 certificates/roots/StarfieldServicesRootCertificateAuthorityG2.der delete mode 100644 certificates/roots/StartCom May 2013 G2.der delete mode 100644 certificates/roots/SwissSign-Gold_G2.der delete mode 100644 certificates/roots/SwissSign-Platinum_G2.der delete mode 100644 certificates/roots/SwissSign-Silver_G2.der delete mode 100644 certificates/roots/Swisscom Root CA 2.cer delete mode 100644 certificates/roots/Swisscom Root EV CA 2.cer delete mode 100644 certificates/roots/Symantec Class 1 Public Primary Certification Authority - G4.cer delete mode 100644 certificates/roots/Symantec Class 1 Public Primary Certification Authority - G6.cer delete mode 100644 
certificates/roots/Symantec Class 2 Public Primary Certification Authority - G4.cer delete mode 100644 certificates/roots/Symantec Class 2 Public Primary Certification Authority - G6.cer delete mode 100644 certificates/roots/Symantec Class 3 Public Primary Certification Authority - G4.cer delete mode 100644 certificates/roots/Symantec Class 3 Public Primary Certification Authority - G6.cer delete mode 100644 certificates/roots/T-TeleSec GlobalRoot Class 2.cer delete mode 100644 certificates/roots/T-TeleSec GlobalRoot Class 3.cer delete mode 100644 certificates/roots/TDC_ocesca.cer delete mode 100644 certificates/roots/TDC_rootca.cer delete mode 100644 certificates/roots/TRUST2408 OCES Primary CA.cer delete mode 100644 certificates/roots/TWCARootCA-4096.der delete mode 100644 certificates/roots/Taiwan-GRCA2.der delete mode 100644 certificates/roots/TeliaSoneraRootCAv1.der delete mode 100755 certificates/roots/Thawte_Personal_Basic_CA.cer delete mode 100755 certificates/roots/Thawte_Personal_Freemail_CA.cer delete mode 100755 certificates/roots/Thawte_Personal_Premium_CA.cer delete mode 100755 certificates/roots/Thawte_Premium_Server_CA.cer delete mode 100755 certificates/roots/Thawte_Server_CA.cer delete mode 100755 certificates/roots/Thawte_Timestamping_CA.cer delete mode 100644 certificates/roots/TrustisFPSRootCA.der delete mode 100644 certificates/roots/Trustwave-SGCA.der delete mode 100644 certificates/roots/Trustwave-STCA.der delete mode 100644 certificates/roots/TubitakSurum3.cer delete mode 100644 certificates/roots/UCAGlobalRoot.cer delete mode 100644 certificates/roots/UCARoot.cer delete mode 100644 certificates/roots/UTN-USERFirst-ClientAuthentication.der delete mode 100644 certificates/roots/UTN-USERFirst-Hardware.crt delete mode 100644 certificates/roots/UTN-USERFirst-NetworkApplication.der delete mode 100644 certificates/roots/UTN-USERFirst-Object.crt delete mode 100644 certificates/roots/UTN_DATACorp_SGC.cer delete mode 100644 
certificates/roots/Unizeto-CertumCA.cer delete mode 100644 certificates/roots/VASLatvijasPasts-SSI-RCA.crt delete mode 100644 certificates/roots/VeriSign Class 3 Public Primary Certification Authority - G4.cer delete mode 100644 certificates/roots/VeriSign Universal Root Certification Authority.cer delete mode 100644 certificates/roots/VeriSignC3PublicPrimaryCA-G5.cer delete mode 100644 certificates/roots/VerisignSHA1_1024_PCA1_G1.cer delete mode 100644 certificates/roots/VerisignSHA1_1024_PCA2_G1.cer delete mode 100644 certificates/roots/VerisignSHA1_1024_PCA3_G1.cer delete mode 100644 certificates/roots/Visa Information Delivery Root CA.cer delete mode 100644 certificates/roots/Visa eCommerce Root.cer delete mode 100644 certificates/roots/WISeKey-owgrgaca.cer delete mode 100644 certificates/roots/WellsSecurePRCA.der delete mode 100644 certificates/roots/XGCA.crt delete mode 100644 certificates/roots/ac-racine.der delete mode 100644 certificates/roots/ac_offline_raiz_certicamara.crt delete mode 100644 certificates/roots/belgiumrca.crt delete mode 100644 certificates/roots/belgiumrca2.crt delete mode 100644 certificates/roots/certSIGN ROOT CA.cer delete mode 100644 certificates/roots/certplus_class2.der delete mode 100644 certificates/roots/cisco-ca2048.der delete mode 100755 certificates/roots/cnnicroot.cer delete mode 100644 certificates/roots/disig-root-1.der delete mode 100644 certificates/roots/entrust2048.der delete mode 100644 certificates/roots/expressz.cer delete mode 100644 certificates/roots/geotrust-primary-ca.crt delete mode 100644 certificates/roots/globalSignRoot.cer delete mode 100644 certificates/roots/kisa-root-rsa-3280.der delete mode 100644 certificates/roots/kisa-root-wrsa.der delete mode 100644 certificates/roots/kozjegyzoi.cer delete mode 100644 certificates/roots/netlockQA-01-minositett.cer delete mode 100644 certificates/roots/persfree.crt delete mode 100644 certificates/roots/popFinnVrkrootc.der delete mode 100644 
certificates/roots/qvrca.crt delete mode 100644 certificates/roots/qvrca2.crt delete mode 100644 certificates/roots/qvrca3.crt delete mode 100644 certificates/roots/root_chambers-2008.der delete mode 100644 certificates/roots/root_chambersign-2008.der delete mode 100644 certificates/roots/serverbasic.crt delete mode 100644 certificates/roots/serverpremium.crt delete mode 100644 certificates/roots/staatDerNederlandenRootCA-G2.crt delete mode 100644 certificates/roots/staatdernederlandenrootca.cer delete mode 100644 certificates/roots/startcom-sfsca.der delete mode 100644 certificates/roots/startcomSHA2.der delete mode 100644 certificates/roots/swisscom-sdcs-root.crt delete mode 100644 certificates/roots/swisssign.der delete mode 100644 certificates/roots/tc_Universal_CA-I.cer delete mode 100644 certificates/roots/tc_Universal_CA-II.cer delete mode 100644 certificates/roots/tc_class_2_ii.cer delete mode 100644 certificates/roots/tc_class_3_ii.cer delete mode 100644 certificates/roots/tc_class_4_ii.cer delete mode 100644 certificates/roots/thawte Primary Root CA - G3.cer delete mode 100644 certificates/roots/thawte-primary-root-ca.crt delete mode 100755 certificates/roots/thawte_Primary_Root_CA_G2_ECC.cer delete mode 100644 certificates/roots/trustCenter-root-5.der delete mode 100644 certificates/roots/turktrust-root1.cer delete mode 100644 certificates/roots/turktrust-root2.cer delete mode 100644 certificates/roots/turktrust-root3.cer delete mode 100644 certificates/roots/twca-root-1.der delete mode 100644 certificates/roots/uzleti.cer create mode 100755 ckcdiagnose/ckcdiagnose.sh delete mode 100644 evroots.h delete mode 120000 libsecurity_smime/Security create mode 100644 libsecurity_smime/Security/SecAsn1Item.c create mode 100644 libsecurity_smime/Security/SecAsn1Item.h create mode 100644 libsecurity_smime/Security/SecCmsBase.h create mode 100644 libsecurity_smime/Security/SecCmsContentInfo.h create mode 100644 libsecurity_smime/Security/SecCmsDecoder.h create mode 
100644 libsecurity_smime/Security/SecCmsDigestContext.h create mode 100644 libsecurity_smime/Security/SecCmsDigestedData.h create mode 100644 libsecurity_smime/Security/SecCmsEncoder.h create mode 100644 libsecurity_smime/Security/SecCmsEncryptedData.h create mode 100644 libsecurity_smime/Security/SecCmsEnvelopedData.h create mode 100644 libsecurity_smime/Security/SecCmsMessage.h create mode 100644 libsecurity_smime/Security/SecCmsRecipientInfo.h create mode 100644 libsecurity_smime/Security/SecCmsSignedData.h create mode 100644 libsecurity_smime/Security/SecCmsSignerInfo.h create mode 100644 libsecurity_smime/Security/SecSMIME.h create mode 100644 libsecurity_smime/Security/SecSMIMEPriv.h create mode 100644 libsecurity_smime/Security/cert.c create mode 100644 libsecurity_smime/Security/cert.h create mode 100644 libsecurity_smime/Security/cmsarray.c create mode 100644 libsecurity_smime/Security/cmsasn1.c create mode 100644 libsecurity_smime/Security/cmsattr.c create mode 100644 libsecurity_smime/Security/cmscinfo.c create mode 100644 libsecurity_smime/Security/cmscipher.c create mode 100644 libsecurity_smime/Security/cmsdecode.c create mode 100644 libsecurity_smime/Security/cmsdigdata.c create mode 100644 libsecurity_smime/Security/cmsdigest.c create mode 100644 libsecurity_smime/Security/cmsencdata.c create mode 100644 libsecurity_smime/Security/cmsencode.c create mode 100644 libsecurity_smime/Security/cmsenvdata.c create mode 100644 libsecurity_smime/Security/cmslocal.h create mode 100644 libsecurity_smime/Security/cmsmessage.c create mode 100644 libsecurity_smime/Security/cmspriv.h create mode 100644 libsecurity_smime/Security/cmspubkey.c create mode 100644 libsecurity_smime/Security/cmsrecinfo.c create mode 100644 libsecurity_smime/Security/cmsreclist.c create mode 100644 libsecurity_smime/Security/cmsreclist.h create mode 100644 libsecurity_smime/Security/cmssigdata.c create mode 100644 libsecurity_smime/Security/cmssiginfo.c create mode 100644 
libsecurity_smime/Security/cmstpriv.h create mode 100644 libsecurity_smime/Security/cmsutil.c create mode 100644 libsecurity_smime/Security/crypto-embedded.c create mode 100644 libsecurity_smime/Security/cryptohi.c create mode 100644 libsecurity_smime/Security/cryptohi.h create mode 100644 libsecurity_smime/Security/plhash.c create mode 100644 libsecurity_smime/Security/plhash.h create mode 100644 libsecurity_smime/Security/secalgid.c create mode 100644 libsecurity_smime/Security/secoid.c create mode 100644 libsecurity_smime/Security/secoid.h create mode 100644 libsecurity_smime/Security/secoidt.h create mode 100644 libsecurity_smime/Security/security_smime.exp create mode 100644 libsecurity_smime/Security/smimeutil.c create mode 100755 libsecurity_smime/Security/testcms delete mode 120000 libsecurity_smime/security_smime create mode 100644 libsecurity_smime/security_smime/SecAsn1Item.c create mode 100644 libsecurity_smime/security_smime/SecAsn1Item.h create mode 100644 libsecurity_smime/security_smime/SecCmsBase.h create mode 100644 libsecurity_smime/security_smime/SecCmsContentInfo.h create mode 100644 libsecurity_smime/security_smime/SecCmsDecoder.h create mode 100644 libsecurity_smime/security_smime/SecCmsDigestContext.h create mode 100644 libsecurity_smime/security_smime/SecCmsDigestedData.h create mode 100644 libsecurity_smime/security_smime/SecCmsEncoder.h create mode 100644 libsecurity_smime/security_smime/SecCmsEncryptedData.h create mode 100644 libsecurity_smime/security_smime/SecCmsEnvelopedData.h create mode 100644 libsecurity_smime/security_smime/SecCmsMessage.h create mode 100644 libsecurity_smime/security_smime/SecCmsRecipientInfo.h create mode 100644 libsecurity_smime/security_smime/SecCmsSignedData.h create mode 100644 libsecurity_smime/security_smime/SecCmsSignerInfo.h create mode 100644 libsecurity_smime/security_smime/SecSMIME.h create mode 100644 libsecurity_smime/security_smime/SecSMIMEPriv.h create mode 100644 
libsecurity_smime/security_smime/cert.c create mode 100644 libsecurity_smime/security_smime/cert.h create mode 100644 libsecurity_smime/security_smime/cmsarray.c create mode 100644 libsecurity_smime/security_smime/cmsasn1.c create mode 100644 libsecurity_smime/security_smime/cmsattr.c create mode 100644 libsecurity_smime/security_smime/cmscinfo.c create mode 100644 libsecurity_smime/security_smime/cmscipher.c create mode 100644 libsecurity_smime/security_smime/cmsdecode.c create mode 100644 libsecurity_smime/security_smime/cmsdigdata.c create mode 100644 libsecurity_smime/security_smime/cmsdigest.c create mode 100644 libsecurity_smime/security_smime/cmsencdata.c create mode 100644 libsecurity_smime/security_smime/cmsencode.c create mode 100644 libsecurity_smime/security_smime/cmsenvdata.c create mode 100644 libsecurity_smime/security_smime/cmslocal.h create mode 100644 libsecurity_smime/security_smime/cmsmessage.c create mode 100644 libsecurity_smime/security_smime/cmspriv.h create mode 100644 libsecurity_smime/security_smime/cmspubkey.c create mode 100644 libsecurity_smime/security_smime/cmsrecinfo.c create mode 100644 libsecurity_smime/security_smime/cmsreclist.c create mode 100644 libsecurity_smime/security_smime/cmsreclist.h create mode 100644 libsecurity_smime/security_smime/cmssigdata.c create mode 100644 libsecurity_smime/security_smime/cmssiginfo.c create mode 100644 libsecurity_smime/security_smime/cmstpriv.h create mode 100644 libsecurity_smime/security_smime/cmsutil.c create mode 100644 libsecurity_smime/security_smime/crypto-embedded.c create mode 100644 libsecurity_smime/security_smime/cryptohi.c create mode 100644 libsecurity_smime/security_smime/cryptohi.h create mode 100644 libsecurity_smime/security_smime/plhash.c create mode 100644 libsecurity_smime/security_smime/plhash.h create mode 100644 libsecurity_smime/security_smime/secalgid.c create mode 100644 libsecurity_smime/security_smime/secoid.c create mode 100644 
libsecurity_smime/security_smime/secoid.h create mode 100644 libsecurity_smime/security_smime/secoidt.h create mode 100644 libsecurity_smime/security_smime/security_smime.exp create mode 100644 libsecurity_smime/security_smime/smimeutil.c create mode 100755 libsecurity_smime/security_smime/testcms delete mode 100644 resources/AppleESCertificates.plist delete mode 100644 resources/AssetVersion.plist delete mode 100644 resources/Blocked.plist delete mode 100644 resources/EVRoots.plist delete mode 100644 resources/GrayListedKeys.plist create mode 100644 resources/TrustedLogs.plist delete mode 100644 resources/certsIndex.data delete mode 100644 resources/certsTable.data create mode 100644 secacltests/main.c create mode 100644 secacltests/sec_acl_stress.c create mode 100644 secacltests/secacltests-entitlements.plist create mode 100644 secacltests/testlist.h delete mode 100644 securityd/etc/CodeEquivalenceCandidates delete mode 100644 securityd/libsecurity_agent/Info-security_agent_client.plist delete mode 100644 securityd/libsecurity_agent/Info-security_agent_server.plist delete mode 100644 securityd/libsecurity_agent/lib/agentclient.cpp delete mode 100644 securityd/libsecurity_agent/lib/agentclient.h delete mode 100644 securityd/libsecurity_agent/lib/sa_types.h delete mode 100644 securityd/libsecurity_agent/lib/secagent_types.h delete mode 100644 securityd/libsecurity_agent/lib/utils.c delete mode 100644 securityd/libsecurity_agent/lib/utils.h delete mode 100644 securityd/libsecurity_agent/libsecurity_agent.xcodeproj/project.pbxproj delete mode 100644 securityd/libsecurity_agent/mig/mig.mk delete mode 100644 securityd/libsecurity_agent/mig/sa_reply.defs delete mode 100644 securityd/libsecurity_agent/mig/sa_request.defs delete mode 120000 securityd/libsecurity_agent/security_agent_client delete mode 120000 securityd/security_agent_client delete mode 120000 securityd/security_agent_server delete mode 100644 
securityd/securityd.xcodeproj/project.xcworkspace/contents.xcworkspacedata create mode 100644 securityd/src/agentclient.h create mode 100644 sslViewer/SSLViewer.c delete mode 100644 sslViewer/SSLViewer.cpp diff --git a/CircleJoinRequested/CircleJoinRequested.m b/CircleJoinRequested/CircleJoinRequested.m index e00c7bc5..bcae9ddd 100644 --- a/CircleJoinRequested/CircleJoinRequested.m +++ b/CircleJoinRequested/CircleJoinRequested.m @@ -7,10 +7,8 @@ // #import #import -#pragma clang diagnostic push -#pragma clang diagnostic ignored "-Wnewline-eof" +#import #import -#pragma clang diagnostic pop #import #import #import @@ -26,7 +24,7 @@ #import #import #import -#import "PersistantState.h" +#import "PersistentState.h" #include #include #import "NSDate+TimeIntervalDescription.h" @@ -36,7 +34,10 @@ #import #import #import +#import #import +#include "utilities/SecCFRelease.h" +#include "utilities/debugging.h" // As long as we are logging the failure use exit code of zero to make launchd happy #define EXIT_LOGGED_FAILURE(code) xpc_transaction_end(); exit(0) @@ -52,17 +53,6 @@ dispatch_block_t doOnceInMainBlockChain = NULL; NSString *castleKeychainUrl = @"prefs:root=CASTLE&path=Keychain/ADVANCED"; -#if 0 -// For use with: __attribute__((cleanup(CFReleaseSafeIndirect))) CFType auto_var; -static void CFReleaseSafeIndirect(void *o_) -{ - void **o = o_; - if (o && *o) { - CFRelease(*o); - } -} -#endif - static void doOnceInMain(dispatch_block_t block) { if (doOnceInMainBlockChain) { 
@@ -75,18 +65,21 @@ static void doOnceInMain(dispatch_block_t block) } } + static NSString *appleIDAccountName() { - ACAccountStore *accountStore = [[ACAccountStore alloc] init]; + ACAccountStore *accountStore = [[ACAccountStore alloc] init]; ACAccount *primaryAppleAccount = [accountStore aa_primaryAppleAccount]; return primaryAppleAccount.username; } + static CFOptionFlags flagsForAsk(Applicant *applicant) { - return kCFUserNotificationPlainAlertLevel|CFUserNotificationSecureTextField(0); + return kCFUserNotificationPlainAlertLevel | CFUserNotificationSecureTextField(0); } + // NOTE: gives precedence to OnScreen static Applicant *firstApplicantWaitingOrOnScreen() { @@ -102,6 +95,7 @@ static Applicant *firstApplicantWaitingOrOnScreen() return waiting; } + static NSMutableArray *applicantsInState(ApplicantUIState state) { NSMutableArray *results = [NSMutableArray new]; 
@@ -114,227 +108,243 @@ static NSMutableArray *applicantsInState(ApplicantUIState state) return results; } -static BOOL processRequests(CFErrorRef *error) -{ - bool ok = true; - NSMutableArray *toAccept = [[applicantsInState(ApplicantAccepted) mapWithBlock:^id(id obj) { - return (id)[obj rawPeerInfo]; - }] mutableCopy]; - NSMutableArray *toReject = [[applicantsInState(ApplicantRejected) mapWithBlock:^id(id obj) { - return (id)[obj rawPeerInfo]; - }] mutableCopy]; - - NSLog(@"Process accept: %@", toAccept); - NSLog(@"Process reject: %@", toReject); - - if ([toAccept count]) { - ok = ok && SOSCCAcceptApplicants((__bridge CFArrayRef)(toAccept), error); - } - if ([toReject count]) { - ok = ok && SOSCCRejectApplicants((__bridge CFArrayRef)(toReject), error); - } - - return ok; + +static BOOL processRequests(CFErrorRef *error) { + NSMutableArray *toAccept = [[applicantsInState(ApplicantAccepted) mapWithBlock:^id(id obj) {return (id)[obj rawPeerInfo];}] mutableCopy]; + NSMutableArray *toReject = [[applicantsInState(ApplicantRejected) mapWithBlock:^id(id obj) {return (id)[obj rawPeerInfo];}] mutableCopy]; + bool ok = true; + + NSLog(@"Process accept: %@", toAccept); + NSLog(@"Process reject: %@", toReject); + + if ([toAccept count]) + ok = ok && SOSCCAcceptApplicants((__bridge CFArrayRef) toAccept, error); + + if ([toReject count]) + ok = ok && SOSCCRejectApplicants((__bridge CFArrayRef) toReject, error); + + return ok; } -static void cancelCurrentAlert(bool stopRunLoop) -{ - if (currentAlertSource) { - CFRunLoopRemoveSource(CFRunLoopGetCurrent(), currentAlertSource, kCFRunLoopDefaultMode); - CFRelease(currentAlertSource); - currentAlertSource = NULL; - } - if (currentAlert) { - CFUserNotificationCancel(currentAlert); - CFRelease(currentAlert); - currentAlert = NULL; - } - if (stopRunLoop) { - CFRunLoopStop(CFRunLoopGetCurrent()); - } - currentAlertIsForKickOut = currentAlertIsForApplicants = false; + +static void cancelCurrentAlert(bool stopRunLoop) { + if 
(currentAlertSource) { + CFRunLoopRemoveSource(CFRunLoopGetCurrent(), currentAlertSource, kCFRunLoopDefaultMode); + CFReleaseNull(currentAlertSource); + } + if (currentAlert) { + CFUserNotificationCancel(currentAlert); + CFReleaseNull(currentAlert); + } + if (stopRunLoop) { + CFRunLoopStop(CFRunLoopGetCurrent()); + } + currentAlertIsForKickOut = currentAlertIsForApplicants = false; } + static void askAboutAll(bool passwordFailure); + static void applicantChoice(CFUserNotificationRef userNotification, CFOptionFlags responseFlags) { - ApplicantUIState choice; - - if (kCFUserNotificationAlternateResponse == responseFlags) { - choice = ApplicantRejected; - } else if (kCFUserNotificationDefaultResponse == responseFlags) { - choice = ApplicantAccepted; - } else { - NSLog(@"Unexpected response %lu", responseFlags); - choice = ApplicantRejected; - } - - BOOL processed = NO; - CFErrorRef error = NULL; - - NSArray *onScreen = applicantsInState(ApplicantOnScreen); - - [onScreen enumerateObjectsUsingBlock:^(id obj, NSUInteger idx, BOOL *stop) { - Applicant* applicant = (Applicant*) obj; - - applicant.applicantUIState = choice; - }]; - - if (choice == ApplicantRejected) { - // If this device has ever set up the public key this should work without the password... - processed = processRequests(&error); - if (processed) { - NSLog(@"Didn't need password to process %@", onScreen); - cancelCurrentAlert(true); - return; - } else { - // ...however if the public key gets lost we should "just" fall through to the validate - // password path. 
- NSLog(@"Couldn't process reject without password (e=%@) for %@ (will try with password next)", error, onScreen); - } - } - - NSString *password = (__bridge NSString *)(CFUserNotificationGetResponseValue(userNotification, kCFUserNotificationTextFieldValuesKey, 0)); - if (!password) { - NSLog(@"No password given, retry"); - askAboutAll(true); - return; - } - const char *passwordUTF8 = [password UTF8String]; - NSData *passwordBytes = [NSData dataWithBytes:passwordUTF8 length:strlen(passwordUTF8)]; - - // Sometimes securityd crashes between the SOSCCRegisterUserCredentials and the processRequests, - // (which results in a process error -- I think this is 13355140); as a workaround we retry - // failure a few times before we give up. - for (int try = 0; try < 5 && !processed; try++) { - if (!SOSCCTryUserCredentials(CFSTR(""), (__bridge CFDataRef)(passwordBytes), &error)) { - NSLog(@"Try user credentials failed %@", error); - if ((error==NULL) || (CFEqual(kSOSErrorDomain, CFErrorGetDomain(error)) && kSOSErrorWrongPassword == CFErrorGetCode(error))) { - NSLog(@"Calling askAboutAll again..."); - - [onScreen enumerateObjectsUsingBlock:^(id obj, NSUInteger idx, BOOL *stop) { - Applicant* applicant = (Applicant*) obj; - - applicant.applicantUIState = ApplicantWaiting; - }]; - askAboutAll(true); - return; - } - EXIT_LOGGED_FAILURE(EX_DATAERR); - } - - processed = processRequests(&error); - if (!processed) { - NSLog(@"Can't processRequests: %@ for %@", error, onScreen); - } - } - if (processed && firstApplicantWaitingOrOnScreen()) { - cancelCurrentAlert(false); - askAboutAll(false); - } else { - cancelCurrentAlert(true); - } + ApplicantUIState choice; + + if (kCFUserNotificationAlternateResponse == responseFlags) { + choice = ApplicantRejected; + } else if (kCFUserNotificationDefaultResponse == responseFlags) { + choice = ApplicantAccepted; + } else { + NSLog(@"Unexpected response %lu", responseFlags); + choice = ApplicantRejected; + } + + BOOL processed = NO; + CFErrorRef 
error = NULL; + NSArray *onScreen = applicantsInState(ApplicantOnScreen); + + [onScreen enumerateObjectsUsingBlock:^(id obj, NSUInteger idx, BOOL *stop) { + Applicant* applicant = (Applicant *) obj; + applicant.applicantUIState = choice; + }]; + + if (choice == ApplicantRejected) { + // If this device has ever set up the public key this should work without the password... + processed = processRequests(&error); + if (processed) { + NSLog(@"Didn't need password to process %@", onScreen); + cancelCurrentAlert(true); + return; + } else { + // ...however if the public key gets lost we should "just" fall through to the validate + // password path. + NSLog(@"Couldn't process reject without password (e=%@) for %@ (will try with password next)", error, onScreen); + } + CFReleaseNull(error); + } + + NSString *password = (__bridge NSString *)(CFUserNotificationGetResponseValue(userNotification, kCFUserNotificationTextFieldValuesKey, 0)); + if (!password) { + NSLog(@"No password given, retry"); + askAboutAll(true); + return; + } + const char *passwordUTF8 = [password UTF8String]; + NSData *passwordBytes = [NSData dataWithBytes:passwordUTF8 length:strlen(passwordUTF8)]; + + // Sometimes securityd crashes between SOSCCRegisterUserCredentials and processRequests + // (which results in a process error -- I think this is 13355140), as a workaround we retry + // failure a few times before we give up. 
+ for (int try = 0; try < 5 && !processed; try++) { + if (!SOSCCTryUserCredentials(CFSTR(""), (__bridge CFDataRef)(passwordBytes), &error)) { + NSLog(@"Try user credentials failed %@", error); + if ((error == NULL) || + (CFEqual(kSOSErrorDomain, CFErrorGetDomain(error)) && kSOSErrorWrongPassword == CFErrorGetCode(error))) { + NSLog(@"Calling askAboutAll again..."); + [onScreen enumerateObjectsUsingBlock:^(id obj, NSUInteger idx, BOOL *stop) { + Applicant* applicant = (Applicant*) obj; + applicant.applicantUIState = ApplicantWaiting; + }]; + askAboutAll(true); + CFReleaseNull(error); + return; + } + EXIT_LOGGED_FAILURE(EX_DATAERR); + } + + processed = processRequests(&error); + if (!processed) { + NSLog(@"Can't processRequests: %@ for %@", error, onScreen); + } + CFReleaseNull(error); + } + + if (processed && firstApplicantWaitingOrOnScreen()) { + cancelCurrentAlert(false); + askAboutAll(false); + } else { + cancelCurrentAlert(true); + } } + static void passwordFailurePrompt() { - //CFBridgingRelease - NSString *pwIncorrect = [NSString stringWithFormat:(NSString *)CFBridgingRelease(SecCopyCKString(SEC_CK_PASSWORD_INCORRECT)), appleIDAccountName()]; - NSString *tryAgain = CFBridgingRelease(SecCopyCKString(SEC_CK_TRY_AGAIN)); - NSDictionary *noteAttributes = @{ - (id)kCFUserNotificationAlertHeaderKey: pwIncorrect, - (id)kCFUserNotificationDefaultButtonTitleKey: tryAgain, - // TopMost gets us onto the lock screen - (id)kCFUserNotificationAlertTopMostKey: (id)kCFBooleanTrue, - (__bridge id)SBUserNotificationDontDismissOnUnlock: @YES, - (__bridge id)SBUserNotificationDismissOnLock: @NO, - }; - CFOptionFlags flags = kCFUserNotificationPlainAlertLevel; - SInt32 err; - CFUserNotificationRef note = CFUserNotificationCreate(NULL, 0.0, flags, &err, (__bridge CFDictionaryRef)noteAttributes); - CFUserNotificationReceiveResponse(note, 0.0, &flags); - CFRelease(note); + NSString *pwIncorrect = [NSString stringWithFormat:(NSString 
*)CFBridgingRelease(SecCopyCKString(SEC_CK_PASSWORD_INCORRECT)), appleIDAccountName()]; + NSString *tryAgain = CFBridgingRelease(SecCopyCKString(SEC_CK_TRY_AGAIN)); + NSDictionary *noteAttributes = @{ + (id) kCFUserNotificationAlertHeaderKey : pwIncorrect, + (id) kCFUserNotificationDefaultButtonTitleKey : tryAgain, + (id) kCFUserNotificationAlertTopMostKey : @YES, // get us onto the lock screen + (__bridge id) SBUserNotificationDontDismissOnUnlock: @YES, + (__bridge id) SBUserNotificationDismissOnLock : @NO, + }; + CFOptionFlags flags = kCFUserNotificationPlainAlertLevel; + SInt32 err; + CFUserNotificationRef note = CFUserNotificationCreate(NULL, 0.0, flags, &err, (__bridge CFDictionaryRef)noteAttributes); + + if (note) { + CFUserNotificationReceiveResponse(note, 0.0, &flags); + CFRelease(note); + } } -static NSDictionary *createNote(Applicant *applicantToAskAbout) { - if(!applicantToAskAbout) return NULL; - NSString *appName = applicantToAskAbout.name; - if(!appName) return NULL; - NSString *devType = applicantToAskAbout.deviceType; - if(!devType) return NULL; - return @{ - (id)kCFUserNotificationAlertHeaderKey: [NSString stringWithFormat:(__bridge_transfer NSString*)SecCopyCKString(SEC_CK_JOIN_TITLE), appName], - (id)kCFUserNotificationAlertMessageKey: [NSString stringWithFormat:(__bridge_transfer NSString*)SecCopyCKString(SEC_CK_JOIN_PROMPT), appleIDAccountName(), devType], - (id)kCFUserNotificationDefaultButtonTitleKey: (__bridge_transfer NSString*)SecCopyCKString(SEC_CK_ALLOW), - (id)kCFUserNotificationAlternateButtonTitleKey: (__bridge_transfer NSString*)SecCopyCKString(SEC_CK_DONT_ALLOW), - (id)kCFUserNotificationTextFieldTitlesKey: (__bridge_transfer NSString*)SecCopyCKString(SEC_CK_ICLOUD_PASSWORD), - // TopMost gets us onto the lock screen - (id)kCFUserNotificationAlertTopMostKey: (id)kCFBooleanTrue, - (__bridge_transfer id)SBUserNotificationDontDismissOnUnlock: @YES, - (__bridge_transfer id)SBUserNotificationDismissOnLock: @NO, + +static NSString 
*getLocalizedApprovalBody(NSString *deviceType) { + CFStringRef applicationReminder = NULL; + + if ([deviceType isEqualToString:@"iPhone"]) + applicationReminder = SecCopyCKString(SEC_CK_APPROVAL_BODY_IOS_IPHONE); + else if ([deviceType isEqualToString:@"iPod"]) + applicationReminder = SecCopyCKString(SEC_CK_APPROVAL_BODY_IOS_IPOD); + else if ([deviceType isEqualToString:@"iPad"]) + applicationReminder = SecCopyCKString(SEC_CK_APPROVAL_BODY_IOS_IPAD); + else if ([deviceType isEqualToString:@"Mac"]) + applicationReminder = SecCopyCKString(SEC_CK_APPROVAL_BODY_IOS_MAC); + else + applicationReminder = SecCopyCKString(SEC_CK_APPROVAL_BODY_IOS_GENERIC); + + return (__bridge_transfer NSString *) applicationReminder; +} + + +static NSDictionary *createNote(Applicant *applicantToAskAbout) +{ + if(!applicantToAskAbout || !applicantToAskAbout.name || !applicantToAskAbout.deviceType) + return NULL; + + NSString *header = [NSString stringWithFormat: (__bridge_transfer NSString *) SecCopyCKString(SEC_CK_APPROVAL_TITLE_IOS), applicantToAskAbout.name]; + NSString *body = [NSString stringWithFormat: getLocalizedApprovalBody(applicantToAskAbout.deviceType), appleIDAccountName()]; + + return @{ + (id) kCFUserNotificationAlertHeaderKey : header, + (id) kCFUserNotificationAlertMessageKey : body, + (id) kCFUserNotificationDefaultButtonTitleKey : (__bridge_transfer NSString *) SecCopyCKString(SEC_CK_ALLOW), + (id) kCFUserNotificationAlternateButtonTitleKey: (__bridge_transfer NSString *) SecCopyCKString(SEC_CK_DONT_ALLOW), + (id) kCFUserNotificationTextFieldTitlesKey : (__bridge_transfer NSString *) SecCopyCKString(SEC_CK_ICLOUD_PASSWORD), + (id) kCFUserNotificationAlertTopMostKey : @YES, // get us onto the lock screen + (__bridge_transfer id) SBUserNotificationDontDismissOnUnlock: @YES, + (__bridge_transfer id) SBUserNotificationDismissOnLock : @NO, }; } + static void askAboutAll(bool passwordFailure) { - if ([[MCProfileConnection sharedConnection] effectiveBoolValueForSetting: 
MCFeatureAccountModificationAllowed] == MCRestrictedBoolExplicitNo) { - NSLog(@"Account modifications not allowed."); - return; - } - - if (passwordFailure) { - passwordFailurePrompt(); - } - - if ((passwordFailure || !currentAlertIsForApplicants) && currentAlert) { - if (!currentAlertIsForApplicants) { - CFUserNotificationCancel(currentAlert); - } - // after password failure we need to remove the existing alert and supporting objects - // because we can't reuse them. - CFRelease(currentAlert); - currentAlert = NULL; - if (currentAlertSource) { - CFRelease(currentAlertSource); - currentAlertSource = NULL; - } - } - currentAlertIsForApplicants = true; - - Applicant *applicantToAskAbout = firstApplicantWaitingOrOnScreen(); - NSLog(@"Asking about: %@ (of: %@)", applicantToAskAbout, applicants); - - NSDictionary *noteAttributes = createNote(applicantToAskAbout); - if(!noteAttributes) { - NSLog(@"NULL data for %@", applicantToAskAbout); - cancelCurrentAlert(true); - return; - } - - CFOptionFlags flags = flagsForAsk(applicantToAskAbout); - - if (currentAlert) { - SInt32 err = CFUserNotificationUpdate(currentAlert, 0, flags, (__bridge CFDictionaryRef)noteAttributes); - if (err) { - NSLog(@"CFUserNotificationUpdate err=%d", (int)err); - EXIT_LOGGED_FAILURE(EX_SOFTWARE); - } - } else { - SInt32 err = 0; - currentAlert = CFUserNotificationCreate(NULL, 0.0, flags, &err, (__bridge CFDictionaryRef)(noteAttributes)); - if (err) { - NSLog(@"Can't make notification for %@ err=%x", applicantToAskAbout, (int)err); - EXIT_LOGGED_FAILURE(EX_SOFTWARE); - } - - currentAlertSource = CFUserNotificationCreateRunLoopSource(NULL, currentAlert, applicantChoice, 0); - CFRunLoopAddSource(CFRunLoopGetCurrent(), currentAlertSource, kCFRunLoopDefaultMode); - } - - applicantToAskAbout.applicantUIState = ApplicantOnScreen; + if ([[MCProfileConnection sharedConnection] effectiveBoolValueForSetting: MCFeatureAccountModificationAllowed] == MCRestrictedBoolExplicitNo) { + NSLog(@"Account modifications 
not allowed."); + return; + } + + if (passwordFailure) { + passwordFailurePrompt(); + } + + if ((passwordFailure || !currentAlertIsForApplicants) && currentAlert) { + if (!currentAlertIsForApplicants) { + CFUserNotificationCancel(currentAlert); + } + // after password failure we need to remove the existing alert and supporting objects + // because we can't reuse them. + CFReleaseNull(currentAlert); + CFReleaseNull(currentAlertSource); + } + currentAlertIsForApplicants = true; + + Applicant *applicantToAskAbout = firstApplicantWaitingOrOnScreen(); + NSLog(@"Asking about: %@ (of: %@)", applicantToAskAbout, applicants); + + NSDictionary *noteAttributes = createNote(applicantToAskAbout); + if(!noteAttributes) { + NSLog(@"NULL data for %@", applicantToAskAbout); + cancelCurrentAlert(true); + return; + } + + CFOptionFlags flags = flagsForAsk(applicantToAskAbout); + + if (currentAlert) { + SInt32 err = CFUserNotificationUpdate(currentAlert, 0, flags, (__bridge CFDictionaryRef)noteAttributes); + if (err) { + NSLog(@"CFUserNotificationUpdate err=%d", (int)err); + EXIT_LOGGED_FAILURE(EX_SOFTWARE); + } + } else { + SInt32 err = 0; + currentAlert = CFUserNotificationCreate(NULL, 0.0, flags, &err, (__bridge CFDictionaryRef)(noteAttributes)); + if (err) { + NSLog(@"Can't make notification for %@ err=%x", applicantToAskAbout, (int)err); + EXIT_LOGGED_FAILURE(EX_SOFTWARE); + } + + currentAlertSource = CFUserNotificationCreateRunLoopSource(NULL, currentAlert, applicantChoice, 0); + CFRunLoopAddSource(CFRunLoopGetCurrent(), currentAlertSource, kCFRunLoopDefaultMode); + } + + applicantToAskAbout.applicantUIState = ApplicantOnScreen; } + static void scheduleActivity(int alertInterval) { xpc_object_t options = xpc_dictionary_create(NULL, NULL, 0); 
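Review bot: The password copy at `NSData *passwordBytes = [NSData dataWithBytes:passwordUTF8 length:strlen(passwordUTF8)];` in applicantChoice truncates at the first NUL byte and makes an extra immutable plaintext copy that stays alive for up to five `SOSCCTryUserCredentials` retries; `NSData *passwordBytes = [password dataUsingEncoding:NSUTF8StringEncoding];` drops the `UTF8String`/`strlen` pair and the truncation in one line. If zeroizing is wanted, an `NSMutableData` wiped with `memset_s` after the loop would only be best-effort here, since `password` is a bridged value still owned by the notification's response dictionary until `cancelCurrentAlert` releases it. Separately, an empty text field presumably yields `@""` rather than nil, so it passes the `if (!password)` guard and only surfaces as a wrong-password round trip to securityd; a `[password length] == 0` check could short-circuit to `askAboutAll(true)` — assuming an empty iCloud password is never valid, which this file does not show.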
@@ -349,17 +359,18 @@ static void scheduleActivity(int alertInterval) }); } -static void reminderChoice(CFUserNotificationRef userNotification, CFOptionFlags responseFlags) -{ - if (kCFUserNotificationAlternateResponse == responseFlags || kCFUserNotificationDefaultResponse == responseFlags) { - PersistantState *state = [PersistantState loadFromStorage]; + +static void reminderChoice(CFUserNotificationRef userNotification, CFOptionFlags responseFlags) { + if (responseFlags == kCFUserNotificationAlternateResponse || responseFlags == kCFUserNotificationDefaultResponse) { + PersistentState *state = [PersistentState loadFromStorage]; NSDate *nowish = [NSDate new]; state.pendingApplicationReminder = [nowish dateByAddingTimeInterval: state.pendingApplicationReminderAlertInterval]; scheduleActivity(state.pendingApplicationReminderAlertInterval); [state writeToStorage]; - if (kCFUserNotificationAlternateResponse == responseFlags) { + if (responseFlags == kCFUserNotificationAlternateResponse) { + // Use security code BOOL ok = [[LSApplicationWorkspace defaultWorkspace] openSensitiveURL:[NSURL URLWithString:castleKeychainUrl] withOptions:nil]; - NSLog(@"ok=%d opening %@", ok, [NSURL URLWithString:castleKeychainUrl]); + NSLog(@"%s iCSC: opening %@ ok=%d", __FUNCTION__, castleKeychainUrl, ok); } } 
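Review bot: In reminderChoice the result of `openSensitiveURL:` is only logged at `NSLog(@"%s iCSC: opening %@ ok=%d", __FUNCTION__, castleKeychainUrl, ok);`, while the reminder has already been pushed out by `pendingApplicationReminderAlertInterval` and written to storage a few lines above, so a failed open leaves the user with neither the settings pane nor a new prompt until the next interval. If that is not intended, computing `ok` before the reschedule and skipping the `state.pendingApplicationReminder = ...` / `scheduleActivity(...)` pair when `!ok` would keep the reminder pending. The reordered comparison `responseFlags == kCFUserNotificationAlternateResponse` is only exact while the reminder note has no checkboxes, since CFUserNotification ORs checkbox state into the same flags word; the note's attributes are not in this hunk, so a one-line comment stating that assumption would help.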
@@ -367,153 +378,177 @@ static void reminderChoice(CFUserNotificationRef userNotification, CFOptionFlags } -static NSString* getLocalizedDeviceClass(void) { - NSString *deviceType = NULL; - switch (MGGetSInt32Answer(kMGQDeviceClassNumber, MGDeviceClassInvalid)) { - case MGDeviceClassiPhone: - deviceType = (__bridge NSString*)SecCopyCKString(SEC_CK_THIS_IPHONE); - break; - case MGDeviceClassiPod: - deviceType = (__bridge NSString*)SecCopyCKString(SEC_CK_THIS_IPOD); - break; - case MGDeviceClassiPad: - deviceType = (__bridge NSString*)SecCopyCKString(SEC_CK_THIS_IPAD); - break; - default: - deviceType = (__bridge NSString*)SecCopyCKString(SEC_CK_THIS_DEVICE); - break; - } - return deviceType; +static bool iCloudResetAvailable() { + SecureBackup *backupd = [SecureBackup new]; + NSDictionary *backupdResults; + NSError *error = [backupd getAccountInfoWithInfo:nil results:&backupdResults]; + NSLog(@"SecureBackup e=%@ r=%@", error, backupdResults); + return (error == nil && [backupdResults[kSecureBackupIsEnabledKey] isEqualToNumber:@YES]); } -static bool iCloudResetAvailable() -{ - SecureBackup *backupd = [SecureBackup new]; - NSDictionary *backupdResults; - NSError *error = [backupd getAccountInfoWithInfo:nil results:&backupdResults]; - NSLog(@"SecureBackup e=%@ r=%@", error, backupdResults); - return (nil == error && [backupdResults[kSecureBackupIsEnabledKey] isEqualToNumber:@YES]); + + +static NSString *getLocalizedApplicationReminder() { + CFStringRef applicationReminder = NULL; + switch (MGGetSInt32Answer(kMGQDeviceClassNumber, MGDeviceClassInvalid)) { + case MGDeviceClassiPhone: + applicationReminder = SecCopyCKString(SEC_CK_REMINDER_BODY_IOS_IPHONE); + break; + case MGDeviceClassiPod: + applicationReminder = SecCopyCKString(SEC_CK_REMINDER_BODY_IOS_IPOD); + break; + case MGDeviceClassiPad: + applicationReminder = SecCopyCKString(SEC_CK_REMINDER_BODY_IOS_IPAD); + break; + default: + applicationReminder = SecCopyCKString(SEC_CK_REMINDER_BODY_IOS_GENERIC); + break; + 
} + return (__bridge_transfer NSString *) applicationReminder; } -static void postApplicationReminderAlert(NSDate *nowish, PersistantState *state, unsigned int alertInterval) + +static void postApplicationReminderAlert(NSDate *nowish, PersistentState *state, unsigned int alertInterval) { + NSString *body = getLocalizedApplicationReminder(); + bool has_iCSC = iCloudResetAvailable(); - NSString *deviceType = getLocalizedDeviceClass(); - - bool has_iCSC = iCloudResetAvailable(); - - NSString *alertMessage = [NSString stringWithFormat:(__bridge NSString*)SecCopyCKString(has_iCSC ? SEC_CK_ARS1_BODY : SEC_CK_ARS0_BODY), deviceType]; - if (state.defaultPendingApplicationReminderAlertInterval != state.pendingApplicationReminderAlertInterval) { - alertMessage = [NSString stringWithFormat:@"%@ 〖debug interval %u; wait time %@〗", - alertMessage, - state.pendingApplicationReminderAlertInterval, - [nowish copyDescriptionOfIntervalSince:state.applcationDate]]; + if (state.defaultPendingApplicationReminderAlertInterval != state.pendingApplicationReminderAlertInterval) { + body = [body stringByAppendingFormat: @"〖debug interval %u; wait time %@〗", + state.pendingApplicationReminderAlertInterval, + [nowish copyDescriptionOfIntervalSince:state.applicationDate]]; } - + NSDictionary *pendingAttributes = @{ - (id)kCFUserNotificationAlertHeaderKey: (__bridge NSString*)SecCopyCKString(has_iCSC ? SEC_CK_ARS1_TITLE : SEC_CK_ARS0_TITLE), - (id)kCFUserNotificationAlertMessageKey: alertMessage, - (id)kCFUserNotificationDefaultButtonTitleKey: (__bridge NSString*)SecCopyCKString(SEC_CK_AR_APPROVE_OTHER), - (id)kCFUserNotificationAlternateButtonTitleKey: has_iCSC ? 
(__bridge NSString*)SecCopyCKString(SEC_CK_AR_USE_CODE) : @"", - (id)kCFUserNotificationAlertTopMostKey: (id)kCFBooleanTrue, - (__bridge id)SBUserNotificationHideButtonsInAwayView: @YES, - (__bridge id)SBUserNotificationDontDismissOnUnlock: @YES, - (__bridge id)SBUserNotificationDismissOnLock: @NO, - (__bridge id)SBUserNotificationOneButtonPerLine: @YES, - }; + (id) kCFUserNotificationAlertHeaderKey : (__bridge NSString *) SecCopyCKString(SEC_CK_REMINDER_TITLE_IOS), + (id) kCFUserNotificationAlertMessageKey : body, + (id) kCFUserNotificationDefaultButtonTitleKey : (__bridge NSString *) SecCopyCKString(SEC_CK_REMINDER_BUTTON_OK), + (id) kCFUserNotificationAlternateButtonTitleKey: has_iCSC ? (__bridge NSString *) SecCopyCKString(SEC_CK_REMINDER_BUTTON_ICSC) : @"", + (id) kCFUserNotificationAlertTopMostKey : @YES, + (__bridge id) SBUserNotificationDontDismissOnUnlock : @YES, + (__bridge id) SBUserNotificationDismissOnLock : @NO, + (__bridge id) SBUserNotificationOneButtonPerLine : @YES, + }; SInt32 err = 0; - currentAlert = CFUserNotificationCreate(NULL, 0.0, kCFUserNotificationPlainAlertLevel, &err, (__bridge CFDictionaryRef)(pendingAttributes)); - - if (err) { - NSLog(@"Can't make pending notification err=%x", (int)err); - } else { - currentAlertIsForApplicants = false; - currentAlertSource = CFUserNotificationCreateRunLoopSource(NULL, currentAlert, reminderChoice, 0); - CFRunLoopAddSource(CFRunLoopGetCurrent(), currentAlertSource, kCFRunLoopDefaultMode); - } + currentAlert = CFUserNotificationCreate(NULL, 0.0, kCFUserNotificationPlainAlertLevel, &err, (__bridge CFDictionaryRef) pendingAttributes); + + if (err) { + NSLog(@"Can't make pending notification err=%x", (int)err); + } else { + currentAlertIsForApplicants = false; + currentAlertSource = CFUserNotificationCreateRunLoopSource(NULL, currentAlert, reminderChoice, 0); + CFRunLoopAddSource(CFRunLoopGetCurrent(), currentAlertSource, kCFRunLoopDefaultMode); + } } -static void kickOutChoice(CFUserNotificationRef 
userNotification, CFOptionFlags responseFlags) -{ - NSLog(@"kOC %@ %lu", userNotification, responseFlags); - if (kCFUserNotificationAlternateResponse == responseFlags) { - // We need to let things unwind to main for the new state to get saved - doOnceInMain(^{ - BOOL ok = [[LSApplicationWorkspace defaultWorkspace] openSensitiveURL:[NSURL URLWithString:castleKeychainUrl] withOptions:nil]; - NSLog(@"ok=%d opening %@", ok, [NSURL URLWithString:castleKeychainUrl]); - }); - } - cancelCurrentAlert(true); + +static void kickOutChoice(CFUserNotificationRef userNotification, CFOptionFlags responseFlags) { + NSLog(@"kOC %@ %lu", userNotification, responseFlags); + if (responseFlags == kCFUserNotificationDefaultResponse) { + // We need to let things unwind to main for the new state to get saved + doOnceInMain(^{ + BOOL ok = [[LSApplicationWorkspace defaultWorkspace] openSensitiveURL:[NSURL URLWithString:castleKeychainUrl] withOptions:nil]; + NSLog(@"ok=%d opening %@", ok, [NSURL URLWithString:castleKeychainUrl]); + }); + } + cancelCurrentAlert(true); } + +CFStringRef const CJRAggdDepartureReasonKey = CFSTR("com.apple.security.circlejoinrequested.departurereason"); +CFStringRef const CJRAggdNumCircleDevicesKey = CFSTR("com.apple.security.circlejoinrequested.numcircledevices"); + static void postKickedOutAlert(enum DepartureReason reason) { - NSString *deviceType = getLocalizedDeviceClass(); - NSString *message = nil; - debugState = @"pKOA A"; - bool ok_to_use_code = iCloudResetAvailable(); - debugState = @"pKOA B"; - + NSString *header = nil; + NSString *message = nil; + + // iCDP telemetry: ☂ Statistics on circle reset and drop out events + ADClientSetValueForScalarKey(CJRAggdDepartureReasonKey, reason); + + int64_t num_peers = 0; + CFArrayRef peerList = SOSCCCopyPeerPeerInfo(NULL); + if (peerList) { + num_peers = CFArrayGetCount(peerList); + if (num_peers > 99) { + // Round down # peers to 2 significant digits + int factor; + for (factor = 10; num_peers >= 100*factor; factor 
*= 10) ; + num_peers = (num_peers / factor) * factor; + } + CFRelease(peerList); + } + ADClientSetValueForScalarKey(CJRAggdNumCircleDevicesKey, num_peers); + + debugState = @"pKOA A"; + syslog(LOG_ERR, "DepartureReason %d", reason); switch (reason) { - case kSOSNeverLeftCircle: - // Was: SEC_CK_CR_BODY_NEVER_LEFT - return; - break; - - case kSOSWithdrewMembership: - // Was: SEC_CK_CR_BODY_WITHDREW - // "... if you turn off a switch you have some idea why the light is off" - Murf - return; - break; - - case kSOSMembershipRevoked: - message = [NSString stringWithFormat:(__bridge NSString*)SecCopyCKString(SEC_CK_CR_BODY_REVOKED), deviceType]; - break; - - case kSOSLeftUntrustedCircle: - message = [NSString stringWithFormat:(__bridge NSString*)SecCopyCKString(SEC_CK_CR_BODY_LEFT_UNTRUSTED), deviceType]; - ok_to_use_code = false; - break; - - case kSOSNeverAppliedToCircle: - // We didn't get kicked out, we were never here. This should only happen if we changed iCloud accounts - // (and we had sync on in the previous one, and never had it on in the new one). As this is explicit - // user action alot of thd "Light switch" argument (above) applies. - return; - break; - - default: - message = [NSString stringWithFormat:(__bridge NSString*)SecCopyCKString(SEC_CK_CR_BODY_UNKNOWN), deviceType]; - ok_to_use_code = false; - syslog(LOG_ERR, "Unknown DepartureReason %d", reason); - break; + case kSOSDiscoveredRetirement: + case kSOSLostPrivateKey: + case kSOSWithdrewMembership: + // Was: SEC_CK_CR_BODY_WITHDREW + // "... if you turn off a switch you have some idea why the light is off" - Murf + return; + break; + + case kSOSNeverAppliedToCircle: + // We didn't get kicked out, we were never here. This should only happen if we changed iCloud accounts + // (and we had sync on in the previous one, and never had it on in the new one). As this is explicit + // user action alot of the "Light switch" argument (above) applies. 
+ return; + break; + + case kSOSNeverLeftCircle: + case kSOSMembershipRevoked: + case kSOSLeftUntrustedCircle: + default: + header = (__bridge_transfer NSString *) SecCopyCKString(SEC_CK_PWD_REQUIRED_TITLE); + message = (__bridge_transfer NSString *) SecCopyCKString(SEC_CK_PWD_REQUIRED_BODY_IOS); + break; } - + + if (CPIsInternalDevice()) { + static const char *departureReasonStrings[] = { + "kSOSDepartureReasonError", + "kSOSNeverLeftCircle", + "kSOSWithdrewMembership", + "kSOSMembershipRevoked", + "kSOSLeftUntrustedCircle", + "kSOSNeverAppliedToCircle", + "kSOSDiscoveredRetirement", + "kSOSLostPrivateKey", + "unknown reason" + }; + int idx = (kSOSDepartureReasonError <= reason && reason <= kSOSLostPrivateKey) ? reason : (kSOSLostPrivateKey + 1); + NSString *reason_str = [NSString stringWithFormat:(__bridge_transfer NSString *) SecCopyCKString(SEC_CK_CR_REASON_INTERNAL), + departureReasonStrings[idx]]; + message = [message stringByAppendingString: reason_str]; + } + NSDictionary *kickedAttributes = @{ - (id)kCFUserNotificationAlertHeaderKey: (__bridge NSString*)SecCopyCKString(SEC_CK_CR_TITLE), - (id)kCFUserNotificationAlertMessageKey: message, - (id)kCFUserNotificationDefaultButtonTitleKey: (__bridge NSString*)SecCopyCKString(SEC_CK_CR_OK), - (id)kCFUserNotificationAlternateButtonTitleKey: ok_to_use_code ? 
(__bridge NSString*)SecCopyCKString(SEC_CK_CR_USE_CODE) - : @"", - (id)kCFUserNotificationAlertTopMostKey: (id)kCFBooleanTrue, - (__bridge id)SBUserNotificationHideButtonsInAwayView: @YES, - (__bridge id)SBUserNotificationDontDismissOnUnlock: @YES, - (__bridge id)SBUserNotificationDismissOnLock: @NO, - (__bridge id)SBUserNotificationOneButtonPerLine: @YES, - }; + (id) kCFUserNotificationAlertHeaderKey : header, + (id) kCFUserNotificationAlertMessageKey : message, + (id) kCFUserNotificationDefaultButtonTitleKey : (__bridge_transfer NSString *) SecCopyCKString(SEC_CK_CONTINUE), + (id) kCFUserNotificationAlternateButtonTitleKey: (__bridge_transfer NSString *) SecCopyCKString(SEC_CK_NOT_NOW), + (id) kCFUserNotificationAlertTopMostKey : @YES, + (__bridge id) SBUserNotificationDismissOnLock : @NO, + (__bridge id) SBUserNotificationDontDismissOnUnlock : @YES, + (__bridge id) SBUserNotificationOneButtonPerLine : @YES, + }; SInt32 err = 0; if (currentAlertIsForKickOut) { - debugState = @"pKOA C"; + debugState = @"pKOA B"; NSLog(@"Updating existing alert %@ with %@", currentAlert, kickedAttributes); - CFUserNotificationUpdate(currentAlert, 0, kCFUserNotificationPlainAlertLevel, (__bridge CFDictionaryRef)(kickedAttributes)); + CFUserNotificationUpdate(currentAlert, 0, kCFUserNotificationPlainAlertLevel, (__bridge CFDictionaryRef) kickedAttributes); } else { - debugState = @"pKOA D"; + debugState = @"pKOA C"; - CFUserNotificationRef note = CFUserNotificationCreate(NULL, 0.0, kCFUserNotificationPlainAlertLevel, &err, (__bridge CFDictionaryRef)(kickedAttributes)); - if (err) { - NSLog(@"Can't make kicked out notification err=%x", (int)err); - } else { + CFUserNotificationRef note = CFUserNotificationCreate(NULL, 0.0, kCFUserNotificationPlainAlertLevel, &err, (__bridge CFDictionaryRef) kickedAttributes); + assert((note == NULL) == (err != 0)); + if (err) { + NSLog(@"Can't make kicked out notification err=%x", (int)err); + } else { currentAlertIsForApplicants = false; 
currentAlertIsForKickOut = true; 
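Review bot: postApplicationReminderAlert still wraps `SecCopyCKString(...)` in plain `(__bridge NSString *)` casts for the header, the OK button and the iCSC button, while getLocalizedApplicationReminder and postKickedOutAlert in this same hunk were switched to `__bridge_transfer`; if SecCopyCKString follows the Copy rule its name implies, each reminder post leaks three CFStrings (the removed code had the same casts, so the leak is inherited, not introduced). The fix is the cast the other two functions now use, e.g. `(id) kCFUserNotificationAlertHeaderKey : (__bridge_transfer NSString *) SecCopyCKString(SEC_CK_REMINDER_TITLE_IOS),` and likewise for SEC_CK_REMINDER_BUTTON_OK and SEC_CK_REMINDER_BUTTON_ICSC. Separately, iCloudResetAvailable writes the whole backupd account-info dictionary to the system log via `NSLog(@"SecureBackup e=%@ r=%@", error, backupdResults)`; since only `kSecureBackupIsEnabledKey` is consumed, logging just that value would keep whatever else that dictionary carries out of the log. `CFStringRef const CJRAggdDepartureReasonKey` and `CJRAggdNumCircleDevicesKey` are file-scope definitions without `static`; unless a header declares them, `static` keeps them out of the global namespace. postKickedOutAlert continues past the end of the hunk.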
@@ -530,242 +565,257 @@ static void postKickedOutAlert(enum DepartureReason reason) NSLog(@"Backup state may have changed, but we don't care anymore (dS=%@)", debugState); } }); - debugState = @"pKOA E"; + debugState = @"pKOA D"; CFRunLoopRun(); - debugState = @"pKOA F"; + debugState = @"pKOA E"; notify_cancel(backupStateChangeToken); } } debugState = @"pKOA Z"; } + static bool processEvents() { - debugState = @"processEvents A"; - CFErrorRef error = NULL; - CFErrorRef departError = NULL; - SOSCCStatus circleStatus = SOSCCThisDeviceIsInCircle(&error); - NSDate *nowish = [NSDate date]; - PersistantState *state = [PersistantState loadFromStorage]; - enum DepartureReason departureReason = SOSCCGetLastDepartureReason(&departError); - NSLog(@"CircleStatus %d -> %d{%d} (s=%p)", state.lastCircleStatus, circleStatus, departureReason, state); - - NSTimeInterval timeUntilApplicationAlert = [state.pendingApplicationReminder timeIntervalSinceDate:nowish]; - - NSLog(@"Time until pendingApplicationReminder (%@) %f", [state.pendingApplicationReminder debugDescription], timeUntilApplicationAlert); - - if (circleStatus == kSOSCCRequestPending && timeUntilApplicationAlert <= 0) { - debugState = @"reminderAlert"; - postApplicationReminderAlert(nowish, state, state.pendingApplicationReminderAlertInterval); - } else if (circleStatus == kSOSCCRequestPending) { - scheduleActivity(ceil(timeUntilApplicationAlert)); - } - - if (((circleStatus == kSOSCCNotInCircle || circleStatus == kSOSCCCircleAbsent) && state.lastCircleStatus == kSOSCCInCircle) || state.debugShowLeftReason || (circleStatus == kSOSCCNotInCircle && state.lastCircleStatus == kSOSCCCircleAbsent && state.absentCircleWithNoReason)) { - debugState = @"processEvents B"; - // Use to be in the circle, now we aren't. We ought to tell the user why. 
- - if (state.debugShowLeftReason) { - NSLog(@"debugShowLeftReason is %@", state.debugShowLeftReason); - departureReason = [state.debugShowLeftReason intValue]; - state.debugShowLeftReason = nil; - departError = NULL; - [state writeToStorage]; - } - - if (kSOSDepartureReasonError != departureReason) { - if (circleStatus == kSOSCCCircleAbsent && departureReason == kSOSNeverLeftCircle) { - // We don't yet know why the circle has vanished, remember our current ignorance - state.absentCircleWithNoReason = YES; - } else { - state.absentCircleWithNoReason = NO; - } - NSLog(@"Depature reason %d", departureReason); - postKickedOutAlert(departureReason); - NSLog(@"pKOA returned (cS %d lCS %d)", circleStatus, state.lastCircleStatus); - } else { - NSLog(@"Can't get last depature reason: %@", departError); - } - } - - debugState = @"processEvents C"; - - if (circleStatus != state.lastCircleStatus) { - SOSCCStatus lastCircleStatus = state.lastCircleStatus; - state.lastCircleStatus = circleStatus; - - if (lastCircleStatus != kSOSCCRequestPending && circleStatus == kSOSCCRequestPending) { - state.applcationDate = nowish; - state.pendingApplicationReminder = [nowish dateByAddingTimeInterval: state.pendingApplicationReminderAlertInterval]; - scheduleActivity(state.pendingApplicationReminderAlertInterval); - } - if (lastCircleStatus == kSOSCCRequestPending && circleStatus != kSOSCCRequestPending) { - NSLog(@"Pending request completed"); - state.applcationDate = [NSDate distantPast]; - state.pendingApplicationReminder = [NSDate distantFuture]; - } - - [state writeToStorage]; - } - - if (circleStatus != kSOSCCInCircle) { - if (circleStatus == kSOSCCRequestPending && currentAlert) { - int notifyToken = 0; - CFUserNotificationRef postedAlert = currentAlert; - - debugState = @"processEvents D1"; - notify_register_dispatch(kSOSCCCircleChangedNotification, ¬ifyToken, dispatch_get_main_queue(), ^(int token) { - if (postedAlert != currentAlert) { - NSLog(@"-- CC after original alert gone 
(currentAlertIsForApplicants %d, pA %p, cA %p -- %@)", currentAlertIsForApplicants ? 1:0, postedAlert, currentAlert, currentAlert); - notify_cancel(token); - } else { - CFErrorRef localError = NULL; - SOSCCStatus newCircleStatus = SOSCCThisDeviceIsInCircle(&localError); - if (newCircleStatus != kSOSCCRequestPending) { - if (newCircleStatus == kSOSCCError) - NSLog(@"No longer pending (nCS=%d, alert=%@) error: %@", newCircleStatus, currentAlert, localError); - else - NSLog(@"No longer pending (nCS=%d, alert=%@)", newCircleStatus, currentAlert); - cancelCurrentAlert(true); - } else { - NSLog(@"Still pending..."); - } - } - }); - debugState = @"processEvents D2"; - NSLog(@"NOTE: currentAlertIsForApplicants %d, token %d", currentAlertIsForApplicants ? 1:0, notifyToken); - CFRunLoopRun(); - return true; - } - debugState = @"processEvents D3"; - NSLog(@"SOSCCThisDeviceIsInCircle status %d, not checking applicants", circleStatus); - return false; - } - - debugState = @"processEvents E"; - applicants = [NSMutableDictionary new]; - for (id applicantInfo in (__bridge_transfer NSArray *)(SOSCCCopyApplicantPeerInfo(&error))) { - Applicant *applicant = [[Applicant alloc] initWithPeerInfo:(__bridge SOSPeerInfoRef)(applicantInfo)]; - applicants[applicant.idString] = applicant; - } - - int notify_token = -42; - debugState = @"processEvents F"; - int notify_register_status = notify_register_dispatch(kSOSCCCircleChangedNotification, ¬ify_token, dispatch_get_main_queue(), ^(int token) { - NSLog(@"Notified: %s", kSOSCCCircleChangedNotification); - CFErrorRef circleStatusError = NULL; - - bool needsUpdate = false; - CFErrorRef copyPeerError = NULL; - NSMutableSet *newIds = [NSMutableSet new]; - for (id applicantInfo in (__bridge_transfer NSArray *)(SOSCCCopyApplicantPeerInfo(©PeerError))) { - Applicant *newApplicant = [[Applicant alloc] initWithPeerInfo:(__bridge SOSPeerInfoRef)(applicantInfo)]; - [newIds addObject:newApplicant.idString]; - Applicant *existingApplicant = 
applicants[newApplicant.idString]; - if (existingApplicant) { - switch (existingApplicant.applicantUIState) { - case ApplicantWaiting: - applicants[newApplicant.idString] = newApplicant; - break; - - case ApplicantOnScreen: - newApplicant.applicantUIState = ApplicantOnScreen; - applicants[newApplicant.idString] = newApplicant; - break; - - default: - NSLog(@"Update to %@ >> %@ with pending order, should work out Ok though", existingApplicant, newApplicant); - break; - } - } else { - needsUpdate = true; - applicants[newApplicant.idString] = newApplicant; - } - } - if (copyPeerError) { - NSLog(@"Could not update peer info array: %@", copyPeerError); - return; - } - - NSMutableArray *idsToRemoveFromApplicants = [NSMutableArray new]; - for (NSString *exisitngId in [applicants keyEnumerator]) { - if (![newIds containsObject:exisitngId]) { - [idsToRemoveFromApplicants addObject:exisitngId]; - needsUpdate = true; - } - } - [applicants removeObjectsForKeys:idsToRemoveFromApplicants]; - - if (newIds.count == 0) { - NSLog(@"All applicants were handled elsewhere"); - cancelCurrentAlert(true); - } - SOSCCStatus currentCircleStatus = SOSCCThisDeviceIsInCircle(&circleStatusError); - if (kSOSCCInCircle != currentCircleStatus) { - NSLog(@"Left circle (%d), not handing remaining %lu applicants", currentCircleStatus, (unsigned long)newIds.count); - cancelCurrentAlert(true); - } - if (needsUpdate) { - askAboutAll(false); - } else { - NSLog(@"needsUpdate false, not updating alert"); - } - }); - NSLog(@"ACC token %d, status %d", notify_token, notify_register_status); - debugState = @"processEvents F2"; - - if (applicants.count == 0) { - NSLog(@"No applicants"); - } else { - debugState = @"processEvents F3"; - askAboutAll(false); - debugState = @"processEvents F4"; - if (currentAlert) { - debugState = @"processEvents F5"; - CFRunLoopRun(); - } - } - - debugState = @"processEvents F6"; - notify_cancel(notify_token); - debugState = @"processEvents DONE"; - - return false; + debugState = 
@"processEvents A"; + + CFErrorRef error = NULL; + CFErrorRef departError = NULL; + SOSCCStatus circleStatus = SOSCCThisDeviceIsInCircle(&error); + NSDate *nowish = [NSDate date]; + PersistentState *state = [PersistentState loadFromStorage]; + enum DepartureReason departureReason = SOSCCGetLastDepartureReason(&departError); + NSLog(@"CircleStatus %d -> %d{%d} (s=%p)", state.lastCircleStatus, circleStatus, departureReason, state); + + + // Pending application reminder + NSTimeInterval timeUntilApplicationAlert = [state.pendingApplicationReminder timeIntervalSinceDate:nowish]; + NSLog(@"Time until pendingApplicationReminder (%@) %f", [state.pendingApplicationReminder debugDescription], timeUntilApplicationAlert); + if (circleStatus == kSOSCCRequestPending) { + if (timeUntilApplicationAlert <= 0) { + debugState = @"reminderAlert"; + postApplicationReminderAlert(nowish, state, state.pendingApplicationReminderAlertInterval); + } else { + scheduleActivity(ceil(timeUntilApplicationAlert)); + } + } + + + // No longer in circle? 
+ if ((state.lastCircleStatus == kSOSCCInCircle && (circleStatus == kSOSCCNotInCircle || circleStatus == kSOSCCCircleAbsent)) || + (state.lastCircleStatus == kSOSCCCircleAbsent && circleStatus == kSOSCCNotInCircle && state.absentCircleWithNoReason) || + state.debugShowLeftReason) { + // Used to be in the circle, now we aren't - tell the user why + debugState = @"processEvents B"; + + if (state.debugShowLeftReason) { + NSLog(@"debugShowLeftReason: %@", state.debugShowLeftReason); + departureReason = [state.debugShowLeftReason intValue]; + state.debugShowLeftReason = nil; + CFReleaseNull(departError); + [state writeToStorage]; + } + + if (departureReason != kSOSDepartureReasonError) { + state.absentCircleWithNoReason = (circleStatus == kSOSCCCircleAbsent && departureReason == kSOSNeverLeftCircle); + NSLog(@"Depature reason %d", departureReason); + postKickedOutAlert(departureReason); + NSLog(@"pKOA returned (cS %d lCS %d)", circleStatus, state.lastCircleStatus); + } else { + NSLog(@"Couldn't get last departure reason: %@", departError); + } + } + + + // Circle applications: pending request(s) started / completed + debugState = @"processEvents C"; + if (circleStatus != state.lastCircleStatus) { + SOSCCStatus lastCircleStatus = state.lastCircleStatus; + state.lastCircleStatus = circleStatus; + + if (lastCircleStatus != kSOSCCRequestPending && circleStatus == kSOSCCRequestPending) { + NSLog(@"Pending request started"); + state.applicationDate = nowish; + state.pendingApplicationReminder = [nowish dateByAddingTimeInterval: state.pendingApplicationReminderAlertInterval]; + scheduleActivity(state.pendingApplicationReminderAlertInterval); + } + if (lastCircleStatus == kSOSCCRequestPending && circleStatus != kSOSCCRequestPending) { + NSLog(@"Pending request completed"); + state.applicationDate = [NSDate distantPast]; + state.pendingApplicationReminder = [NSDate distantFuture]; + } + + [state writeToStorage]; + } + + if (circleStatus != kSOSCCInCircle) { + if (circleStatus == 
kSOSCCRequestPending && currentAlert) { + int notifyToken = 0; + CFUserNotificationRef postedAlert = currentAlert; + + debugState = @"processEvents D1"; + notify_register_dispatch(kSOSCCCircleChangedNotification, ¬ifyToken, dispatch_get_main_queue(), ^(int token) { + if (postedAlert != currentAlert) { + NSLog(@"-- CC after original alert gone (currentAlertIsForApplicants %d, pA %p, cA %p -- %@)", + currentAlertIsForApplicants, postedAlert, currentAlert, currentAlert); + notify_cancel(token); + } else { + CFErrorRef localError = NULL; + SOSCCStatus newCircleStatus = SOSCCThisDeviceIsInCircle(&localError); + if (newCircleStatus != kSOSCCRequestPending) { + if (newCircleStatus == kSOSCCError) + NSLog(@"No longer pending (nCS=%d, alert=%@) error: %@", newCircleStatus, currentAlert, localError); + else + NSLog(@"No longer pending (nCS=%d, alert=%@)", newCircleStatus, currentAlert); + cancelCurrentAlert(true); + } else { + NSLog(@"Still pending..."); + } + CFReleaseNull(localError); + } + }); + debugState = @"processEvents D2"; + NSLog(@"NOTE: currentAlertIsForApplicants %d, token %d", currentAlertIsForApplicants, notifyToken); + CFRunLoopRun(); + return true; + } + debugState = @"processEvents D4"; + NSLog(@"SOSCCThisDeviceIsInCircle status %d, not checking applicants", circleStatus); + return false; + } + + + // Applicants + debugState = @"processEvents E"; + applicants = [NSMutableDictionary new]; + for (id applicantInfo in (__bridge_transfer NSArray *) SOSCCCopyApplicantPeerInfo(&error)) { + Applicant *applicant = [[Applicant alloc] initWithPeerInfo:(__bridge SOSPeerInfoRef) applicantInfo]; + applicants[applicant.idString] = applicant; + } + + // Log error from SOSCCCopyApplicantPeerInfo() above? 
+ CFReleaseNull(error); + + int notify_token = -42; + debugState = @"processEvents F"; + int notify_register_status = notify_register_dispatch(kSOSCCCircleChangedNotification, ¬ify_token, dispatch_get_main_queue(), ^(int token) { + NSLog(@"Notified: %s", kSOSCCCircleChangedNotification); + CFErrorRef circleStatusError = NULL; + + bool needsUpdate = false; + CFErrorRef copyPeerError = NULL; + NSMutableSet *newIds = [NSMutableSet new]; + for (id applicantInfo in (__bridge_transfer NSArray *) SOSCCCopyApplicantPeerInfo(©PeerError)) { + Applicant *newApplicant = [[Applicant alloc] initWithPeerInfo:(__bridge SOSPeerInfoRef) applicantInfo]; + [newIds addObject:newApplicant.idString]; + Applicant *existingApplicant = applicants[newApplicant.idString]; + if (existingApplicant) { + switch (existingApplicant.applicantUIState) { + case ApplicantWaiting: + applicants[newApplicant.idString] = newApplicant; + break; + + case ApplicantOnScreen: + newApplicant.applicantUIState = ApplicantOnScreen; + applicants[newApplicant.idString] = newApplicant; + break; + + default: + NSLog(@"Update to %@ >> %@ with pending order, should work out ok though", existingApplicant, newApplicant); + break; + } + } else { + needsUpdate = true; + applicants[newApplicant.idString] = newApplicant; + } + } + if (copyPeerError) { + NSLog(@"Could not update peer info array: %@", copyPeerError); + CFRelease(copyPeerError); + return; + } + + NSMutableArray *idsToRemoveFromApplicants = [NSMutableArray new]; + for (NSString *exisitngId in [applicants keyEnumerator]) { + if (![newIds containsObject:exisitngId]) { + [idsToRemoveFromApplicants addObject:exisitngId]; + needsUpdate = true; + } + } + [applicants removeObjectsForKeys:idsToRemoveFromApplicants]; + + if (newIds.count == 0) { + NSLog(@"All applicants were handled elsewhere"); + cancelCurrentAlert(true); + } + SOSCCStatus currentCircleStatus = SOSCCThisDeviceIsInCircle(&circleStatusError); + if (kSOSCCInCircle != currentCircleStatus) { + NSLog(@"Left 
circle (%d), not handling remaining %lu applicants", currentCircleStatus, (unsigned long)newIds.count); + cancelCurrentAlert(true); + } + if (needsUpdate) { + askAboutAll(false); + } else { + NSLog(@"needsUpdate false, not updating alert"); + } + // Log circleStatusError? + CFReleaseNull(circleStatusError); + }); + NSLog(@"ACC token %d, status %d", notify_token, notify_register_status); + debugState = @"processEvents F2"; + + if (applicants.count == 0) { + NSLog(@"No applicants"); + } else { + debugState = @"processEvents F3"; + askAboutAll(false); + debugState = @"processEvents F4"; + if (currentAlert) { + debugState = @"processEvents F5"; + CFRunLoopRun(); + } + } + + debugState = @"processEvents F6"; + notify_cancel(notify_token); + debugState = @"processEvents DONE"; + + return false; } -int main (int argc, const char * argv[]) -{ - @autoreleasepool { - xpc_transaction_begin(); - - // NOTE: DISPATCH_QUEUE_PRIORITY_LOW will not actually manage to drain events - // in a lot of cases (like circleStatus != kSOSCCInCircle) - xpc_set_event_stream_handler("com.apple.notifyd.matching", dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_HIGH, 0), ^(xpc_object_t object) { - char *event_description = xpc_copy_description(object); - NSLog(@"notifyd event: %s\nAlert (%p) %s %s\ndebugState: %@", event_description, currentAlert, currentAlertIsForApplicants ? "for applicants" : "!applicants", currentAlertIsForKickOut ? 
"KO" : "!KO", debugState); - free(event_description); - }); - - xpc_activity_register(kLaunchLaterXPCName, XPC_ACTIVITY_CHECK_IN, ^(xpc_activity_t activity) { - }); - - - int falseInARow = 0; - while (falseInARow < 2) { - if (processEvents()) { - falseInARow = 0; - } else { - falseInARow++; - } - cancelCurrentAlert(false); - if (doOnceInMainBlockChain) { - doOnceInMainBlockChain(); - doOnceInMainBlockChain = NULL; - } - } + +int main (int argc, const char * argv[]) { + xpc_transaction_begin(); + + @autoreleasepool { + // NOTE: DISPATCH_QUEUE_PRIORITY_LOW will not actually manage to drain events in a lot of cases (like circleStatus != kSOSCCInCircle) + xpc_set_event_stream_handler("com.apple.notifyd.matching", dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_HIGH, 0), ^(xpc_object_t object) { + char *event_description = xpc_copy_description(object); + NSLog(@"notifyd event: %s\nAlert (%p) %s %s\ndebugState: %@", event_description, currentAlert, + currentAlertIsForApplicants ? "for applicants" : "!applicants", + currentAlertIsForKickOut ? "KO" : "!KO", debugState); + free(event_description); + }); + + xpc_activity_register(kLaunchLaterXPCName, XPC_ACTIVITY_CHECK_IN, ^(xpc_activity_t activity) { + }); + + int falseInARow = 0; + while (falseInARow < 2) { + if (processEvents()) { + falseInARow = 0; + } else { + falseInARow++; + } + cancelCurrentAlert(false); + if (doOnceInMainBlockChain) { + doOnceInMainBlockChain(); + doOnceInMainBlockChain = NULL; + } + } } - - NSLog(@"Done"); - xpc_transaction_end(); - return(0); + + NSLog(@"Done"); + xpc_transaction_end(); + return(0); } diff --git a/CircleJoinRequested/PersistantState.h b/CircleJoinRequested/PersistantState.h deleted file mode 100644 index 0915fcb7..00000000 --- a/CircleJoinRequested/PersistantState.h +++ /dev/null 
@@ -1,25 +0,0 @@
-//
-// PersistantState.h
-// Security
-//
-// Created by J Osborne on 7/11/13.
-//
-//
-
-#import
-#include "SecureObjectSync/SOSCloudCircle.h"
-#include "SecureObjectSync/SOSPeerInfo.h"
-
-@interface PersistantState : NSObject
-+(instancetype)loadFromStorage;
--(unsigned int)defaultPendingApplicationReminderAlertInterval;
--(void)writeToStorage;
-
-@property SOSCCStatus lastCircleStatus;
-@property NSDate *lastWritten;
-@property NSDate *pendingApplicationReminder;
-@property unsigned int pendingApplicationReminderAlertInterval;
-@property NSDate *applcationDate;
-@property NSNumber *debugShowLeftReason;
-@property BOOL absentCircleWithNoReason;
-@end
diff --git a/CircleJoinRequested/PersistantState.m b/CircleJoinRequested/PersistantState.m
deleted file mode 100644
index 733e3c08..00000000
--- a/CircleJoinRequested/PersistantState.m
+++ /dev/null
@@ -1,90 +0,0 @@ -// -// PersistantState.m -// Security -// -// Created by J Osborne on 7/11/13. -// -// - -#import "PersistantState.h" -#import - -@interface PersistantState() --(NSURL*)urlForStorage; -@end - -@implementation PersistantState - --(NSURL*)urlForStorage -{ - return [NSURL fileURLWithPath:@"/var/mobile/Library/Preferences/com.apple.security.CircleJoinRequested.plist" isDirectory:NO]; -} - --(unsigned int)defaultPendingApplicationReminderAlertInterval -{ - return 60 * 60 * 24 * 2; -} - -+(instancetype)loadFromStorage -{ - PersistantState *state = [[PersistantState alloc] init]; - if (!state) { - return state; - } - - NSError *error = nil; - id plist = @{@"lastWritten": [NSDate distantPast]}; - - NSData *stateData = [NSData dataWithContentsOfURL:[state urlForStorage] options:0 error:&error]; - if (!stateData) { - NSLog(@"Can't read state data (p=%@, err=%@)", [state urlForStorage], error); - } else { - NSPropertyListFormat format; - id plistTmp = [NSPropertyListSerialization propertyListWithData:stateData options: NSPropertyListMutableContainersAndLeaves format:&format error:&error]; - - if (plistTmp == nil) { - NSLog(@"Can't deserialize %@, e=%@", stateData, error); - } else { - plist = plistTmp; - } - } - - state.lastCircleStatus = plist[@"lastCircleStatus"] ? [plist[@"lastCircleStatus"] intValue] : kSOSCCCircleAbsent; - state.lastWritten = plist[@"lastWritten"]; - state.pendingApplicationReminder = plist[@"pendingApplicationReminder"] ? plist[@"pendingApplicationReminder"] : [NSDate distantFuture]; - state.applcationDate = plist[@"applcationDate"] ? plist[@"applcationDate"] : [NSDate distantPast]; - state.debugShowLeftReason = plist[@"debugShowLeftReason"]; - state.pendingApplicationReminderAlertInterval = plist[@"pendingApplicationReminderAlertInterval"] ? 
[plist[@"pendingApplicationReminderAlertInterval"] unsignedIntValue] : [state defaultPendingApplicationReminderAlertInterval]; - state.absentCircleWithNoReason = plist[@"absentCircleWithNoReason"] ? [plist[@"absentCircleWithNoReason"] intValue] : NO; - - return state; -} - --(void)writeToStorage -{ - NSDictionary *plist = @{@"lastCircleStatus": [NSNumber numberWithInt:self.lastCircleStatus], - @"lastWritten": [NSDate date], - @"pendingApplicationReminder": self.pendingApplicationReminder ? self.pendingApplicationReminder : [NSDate distantFuture], - @"applcationDate": self.applcationDate ? self.applcationDate : [NSDate distantPast], - @"pendingApplicationReminderAlertInterval": [NSNumber numberWithUnsignedInt:self.pendingApplicationReminderAlertInterval], - @"absentCircleWithNoReason": [NSNumber numberWithBool:self.absentCircleWithNoReason] - }; - if (self.debugShowLeftReason) { - NSMutableDictionary *tmp = [plist mutableCopy]; - tmp[@"debugShowLeftReason"] = self.debugShowLeftReason; - plist =[tmp copy]; - } - NSLog(@"writeToStorage plist=%@", plist); - - NSError *error = nil; - NSData *stateData = [NSPropertyListSerialization dataWithPropertyList:plist format:NSPropertyListXMLFormat_v1_0 options:kCFPropertyListImmutable error:&error]; - if (!stateData) { - NSLog(@"Can't serialize %@: %@", plist, error); - return; - } - if (![stateData writeToURL:[self urlForStorage] options:NSDataWritingAtomic error:&error]) { - NSLog(@"Can't write to %@, error=%@", [self urlForStorage], error); - } -} - -@end diff --git a/CircleJoinRequested/PersistentState.h b/CircleJoinRequested/PersistentState.h new file mode 100644 index 00000000..29e0ef75 --- /dev/null +++ b/CircleJoinRequested/PersistentState.h 
@@ -0,0 +1,25 @@ +// +// PersistentState.h +// Security +// +// Created by J Osborne on 7/11/13. +// +// + +#import +#include "SecureObjectSync/SOSCloudCircle.h" +#include "SecureObjectSync/SOSPeerInfo.h" + +@interface PersistentState : NSObject ++(instancetype)loadFromStorage; +-(unsigned int)defaultPendingApplicationReminderAlertInterval; +-(void)writeToStorage; + +@property SOSCCStatus lastCircleStatus; +@property NSDate *lastWritten; +@property NSDate *pendingApplicationReminder; +@property unsigned int pendingApplicationReminderAlertInterval; +@property NSDate *applicationDate; +@property NSNumber *debugShowLeftReason; +@property BOOL absentCircleWithNoReason; +@end diff --git a/CircleJoinRequested/PersistentState.m b/CircleJoinRequested/PersistentState.m new file mode 100644 index 00000000..dfdaf3bd --- /dev/null +++ b/CircleJoinRequested/PersistentState.m 
@@ -0,0 +1,91 @@ +// +// PersistentState.m +// Security +// +// Created by J Osborne on 7/11/13. +// +// + +#import "PersistentState.h" +#import + +@interface PersistentState() +-(NSURL*)urlForStorage; +@end + +@implementation PersistentState + +-(NSURL*)urlForStorage +{ + return [NSURL fileURLWithPath:@"/var/mobile/Library/Preferences/com.apple.security.CircleJoinRequested.plist" isDirectory:NO]; +} + +-(unsigned int)defaultPendingApplicationReminderAlertInterval +{ + return 24 * 60 * 60; +} + ++(instancetype)loadFromStorage +{ + PersistentState *state = [[PersistentState alloc] init]; + if (!state) { + return state; + } + + NSError *error = nil; + id plist = @{@"lastWritten": [NSDate distantPast]}; + + NSData *stateData = [NSData dataWithContentsOfURL:[state urlForStorage] options:0 error:&error]; + if (!stateData) { + NSLog(@"Can't read state data (p=%@, err=%@)", [state urlForStorage], error); + } else { + NSPropertyListFormat format; + id plistTmp = [NSPropertyListSerialization propertyListWithData:stateData options: NSPropertyListMutableContainersAndLeaves format:&format error:&error]; + + if (plistTmp == nil) { + NSLog(@"Can't deserialize %@, e=%@", stateData, error); + } else { + plist = plistTmp; + } + } + + state.lastCircleStatus = plist[@"lastCircleStatus"] ? [plist[@"lastCircleStatus"] intValue] : kSOSCCCircleAbsent; + state.lastWritten = plist[@"lastWritten"]; + state.pendingApplicationReminder = plist[@"pendingApplicationReminder"] ?: [NSDate distantFuture]; + state.applicationDate = plist[@"applicationDate"] ?: [NSDate distantPast]; + state.debugShowLeftReason = plist[@"debugShowLeftReason"]; + state.pendingApplicationReminderAlertInterval = plist[@"pendingApplicationReminderAlertInterval"] ? + [plist[@"pendingApplicationReminderAlertInterval"] unsignedIntValue] : + [state defaultPendingApplicationReminderAlertInterval]; + state.absentCircleWithNoReason = plist[@"absentCircleWithNoReason"] ? 
[plist[@"absentCircleWithNoReason"] intValue] : NO; + + return state; +} + +-(void)writeToStorage +{ + NSDictionary *plist = @{@"lastCircleStatus": [NSNumber numberWithInt:self.lastCircleStatus], + @"lastWritten": [NSDate date], + @"pendingApplicationReminder": self.pendingApplicationReminder ?: [NSDate distantFuture], + @"applicationDate": self.applicationDate ?: [NSDate distantPast], + @"pendingApplicationReminderAlertInterval": [NSNumber numberWithUnsignedInt:self.pendingApplicationReminderAlertInterval], + @"absentCircleWithNoReason": [NSNumber numberWithBool:self.absentCircleWithNoReason]}; + if (self.debugShowLeftReason) { + NSMutableDictionary *tmp = [plist mutableCopy]; + tmp[@"debugShowLeftReason"] = self.debugShowLeftReason; + plist =[tmp copy]; + } + NSLog(@"writeToStorage plist=%@", plist); + + NSError *error = nil; + NSData *stateData = [NSPropertyListSerialization dataWithPropertyList:plist format:NSPropertyListXMLFormat_v1_0 options:kCFPropertyListImmutable error:&error]; + if (!stateData) { + NSLog(@"Can't serialize %@: %@", plist, error); + return; + } + if (![stateData writeToURL:[self urlForStorage] options:NSDataWritingAtomic error:&error]) { + NSLog(@"Can't write to %@, error=%@", [self urlForStorage], error); + } +} + +@end diff --git a/Forwarding Headers/SOSCloudCircle.h b/Forwarding Headers/SOSCloudCircle.h new file mode 100644 index 00000000..077b1d9e --- /dev/null +++ b/Forwarding Headers/SOSCloudCircle.h @@ -0,0 +1,11 @@ +// +// Forward to the proper location +// This header is temporary until deprecation can be accomplished +// +// SOSCloudCircle.h was erroneously put directly in PrivateHeaders. +// This header forwards for clients who adopted that location. +// +// Warning and removing this file left to the future +// + +#include diff --git a/Forwarding Headers/SOSPeerInfo.h b/Forwarding Headers/SOSPeerInfo.h new file mode 100644 index 00000000..29b81a5a --- /dev/null +++ b/Forwarding Headers/SOSPeerInfo.h 
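Review bot: `loadFromStorage` trusts the shape of whatever it deserializes from the preferences file: `plistTmp` is assigned to `plist` without checking that it is a dictionary, and each value is then sent `intValue`/`unsignedIntValue` or stored as an `NSDate` with no class check, so a corrupted or hand-edited plist ends the process with an unrecognized-selector exception instead of falling back to the defaults. Guard the assignment with `if (![plistTmp isKindOfClass:[NSDictionary class]]) { NSLog(@"Ignoring non-dictionary state %@", plistTmp); } else { plist = plistTmp; }` and apply the same `isKindOfClass:` test to the date and number fields before they are used. The default reminder interval also changed from the two days in the deleted PersistantState.m to `24 * 60 * 60`; a one-line comment stating the intended cadence would make that deliberate rather than accidental.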
@@ -0,0 +1,11 @@ +// +// Forward to the proper location +// This header is temporary until deprecation can be accomplished +// +// SOSPeerInfo.h was erroneously put directly in PrivateHeaders. +// This header forwards for clients who adopted that location. +// +// Warning and removing this file left to the future +// + +#include diff --git a/IDSKeychainSyncingProxy/IDSKeychainSyncingProxy-Info.plist b/IDSKeychainSyncingProxy/IDSKeychainSyncingProxy-Info.plist new file mode 100644 index 00000000..316edd1c --- /dev/null +++ b/IDSKeychainSyncingProxy/IDSKeychainSyncingProxy-Info.plist @@ -0,0 +1,30 @@ + + + + + Application-Group + + InternetAccounts + + CFBundleDevelopmentRegion + English + CFBundleExecutable + ${EXECUTABLE_NAME} + CFBundleIconFile + + CFBundleIdentifier + com.apple.security.idskeychainsyncingproxy + CFBundleInfoDictionaryVersion + 6.0 + CFBundleName + ${PRODUCT_NAME} + CFBundlePackageType + BNDL + CFBundleShortVersionString + 10.0 + CFBundleSignature + ???? + CFBundleVersion + ${CURRENT_PROJECT_VERSION} + + diff --git a/IDSKeychainSyncingProxy/com.apple.private.alloy.keychainsync.plist b/IDSKeychainSyncingProxy/com.apple.private.alloy.keychainsync.plist new file mode 100644 index 0000000000000000000000000000000000000000..f18a40e0a374d1366696389fbaf5c05a61449bc1 GIT binary patch literal 373 zcmYc)$jK}&F)+Bn$i&RT%Er#Y$;HjX%gHYgo9UdBUz!q}T2z*qoEq(tSzM5lSm~FT zn;IEVTAUG*Uyzv`6Ht_2lAoNP0}_rG5O7TK$WMmq2&pUp3duN@mgGC<=cQ$)mlmal zrIwVWrZ}dg6r~myrxr(frljVTWTs`N7DYpKfehk|@lLHw&PdG63$Dydju%i#&d=3L zEGWoH)hj5{N<%3|V*s(4b~XS2 literal 0 HcmV?d00001 diff --git a/IDSKeychainSyncingProxy/com.apple.security.idskeychainsyncingproxy.plist b/IDSKeychainSyncingProxy/com.apple.security.idskeychainsyncingproxy.plist new file mode 100644 index 00000000..967a5daa --- /dev/null +++ b/IDSKeychainSyncingProxy/com.apple.security.idskeychainsyncingproxy.plist 
@@ -0,0 +1,41 @@ + + + + + LaunchEvents + + com.apple.notifyd.matching + + com.apple.keystore.lockstatus + + Notification + com.apple.keystore.lockstatus + + + + Program + /System/Library/Frameworks/Security.framework/IDSKeychainSyncingProxy.bundle/IDSKeychainSyncingProxy + Label + com.apple.security.idskeychainsyncingproxy + EnvironmentVariables + + WAIT4DEBUGGER + NO + + MachServices + + com.apple.security.idskeychainsyncingproxy + + + ProgramArguments + + /System/Library/Frameworks/Security.framework/IDSKeychainSyncingProxy.bundle/IDSKeychainSyncingProxy + + RunAtLoad + + EnablePressuredExit + + enabletransactions + + + diff --git a/IDSKeychainSyncingProxy/idksmain.m b/IDSKeychainSyncingProxy/idksmain.m new file mode 100644 index 00000000..4ff0dbfb --- /dev/null +++ b/IDSKeychainSyncingProxy/idksmain.m 
@@ -0,0 +1,34 @@ +/* + * Copyright (c) 2012-2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#include +#include + +extern int idsproxymain(int argc, const char *argv[]); + +int main(int argc, const char *argv[]) +{ + // TODO: Remove log before ship + asl_log(NULL, NULL, ASL_LEVEL_NOTICE, "start"); + return idsproxymain(argc, argv); +} diff --git a/IDSKeychainSyncingProxy/idskeychainsyncingproxy.entitlements.plist b/IDSKeychainSyncingProxy/idskeychainsyncingproxy.entitlements.plist new file mode 100644 index 00000000..e7b0d95f --- /dev/null +++ b/IDSKeychainSyncingProxy/idskeychainsyncingproxy.entitlements.plist @@ -0,0 +1,22 @@ + + + + + com.apple.private.ids.messaging.high-priority + + com.apple.private.alloy.keychainsync + + com.apple.private.ids.messaging + + com.apple.private.alloy.keychainsync + + keychain-access-groups + + IMCore + apple + InternetAccounts + + application-identifier + com.apple.security.idskeychainsyncingproxy + + 
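Review bot: the `// TODO: Remove log before ship` comment and the `asl_log(NULL, NULL, ASL_LEVEL_NOTICE, "start")` it refers to are both present in this release tarball, so the intent recorded in the comment was not carried out. Either delete the two lines or keep the message at a debug level and drop the TODO, e.g. `asl_log(NULL, NULL, ASL_LEVEL_DEBUG, "idskeychainsyncingproxy starting");`.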
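Review bot: the iOS entitlements grant `keychain-access-groups` of `IMCore`, `apple` and `InternetAccounts`, while the OS X counterpart added in this same commit (the OSX/IDSKeychainSyncingProxy hunk further down) lists only `IMCore` and `InternetAccounts`. The `apple` group is considerably broader than the two named service groups, so if the proxy only touches IDS and account items, dropping it keeps the daemon at the same privilege as its OS X build. If the extra group is needed on iOS, a short comment in the plist naming the item class that requires it would save the next reviewer the same question.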
diff --git a/ISACLProtectedItems/ISProtectedItems.plist b/ISACLProtectedItems/ISProtectedItems.plist new file mode 100644 index 00000000..e65eeba8 --- /dev/null +++ b/ISACLProtectedItems/ISProtectedItems.plist @@ -0,0 +1,27 @@ + + + + + title + AKPU/ACL protected items + items + + + buttonAction + createBatchOfItems: + cell + PSButtonCell + label + Create batch of protected items + + + buttonAction + deleteBatchOfItems: + cell + PSButtonCell + label + Delete batch of protected items + + + + diff --git a/ISACLProtectedItems/ISProtectedItemsController.h b/ISACLProtectedItems/ISProtectedItemsController.h new file mode 100644 index 00000000..2ce34606 --- /dev/null +++ b/ISACLProtectedItems/ISProtectedItemsController.h @@ -0,0 +1,19 @@ +// +// ISProtectedItemsController.h +// ISACLProtectedItems +// +// Copyright (c) 2014 Apple. All rights reserved. +// + +// rdar://problem/21142814 +// Remove the "pop" below too when the code is changed to not use the deprecated interface +#pragma clang diagnostic push +#pragma clang diagnostic warning "-Wdeprecated-declarations" + +#import + +#pragma clang diagnostic pop + +@interface ISProtectedItemsController : PSListController + +@end diff --git a/ISACLProtectedItems/ISProtectedItemsController.m b/ISACLProtectedItems/ISProtectedItemsController.m new file mode 100644 index 00000000..ee4d33fb --- /dev/null +++ b/ISACLProtectedItems/ISProtectedItemsController.m 
@@ -0,0 +1,42 @@ +// +// ISProtectedItemsController.m +// ISACLProtectedItems +// +// Copyright (c) 2014 Apple. All rights reserved. +// + +#import "ISProtectedItemsController.h" +#import + +char * const pathToScrtiptFile = "/usr/local/bin/KeychainItemsAclTest.sh"; + +@implementation ISProtectedItemsController + +- (NSArray *)specifiers +{ + if (!_specifiers) { + _specifiers = [self loadSpecifiersFromPlistName:@"ISProtectedItems" target:self]; + } + + return _specifiers; +} + +- (void)createBatchOfItems:(PSSpecifier *)specifier +{ + char * const argv[] = { pathToScrtiptFile, + "op=create", + NULL }; + + posix_spawn(NULL, pathToScrtiptFile, NULL, NULL, argv, NULL); +} + +- (void)deleteBatchOfItems:(PSSpecifier *)specifier +{ + char * const argv[] = { pathToScrtiptFile, + "op=delete", + NULL }; + + posix_spawn(NULL, pathToScrtiptFile, NULL, NULL, argv, NULL); +} + +@end diff --git a/ISACLProtectedItems/Info.plist b/ISACLProtectedItems/Info.plist new file mode 100644 index 00000000..75762714 --- /dev/null +++ b/ISACLProtectedItems/Info.plist @@ -0,0 +1,26 @@ + + + + + CFBundleDisplayName + AKPU/ACL protected keychain items + CFBundleDevelopmentRegion + en + CFBundleExecutable + ${EXECUTABLE_NAME} + CFBundleIdentifier + com.apple.securityservices.${PRODUCT_NAME:rfc1034identifier} + CFBundleInfoDictionaryVersion + 6.0 + CFBundleName + ${PRODUCT_NAME} + CFBundlePackageType + BNDL + CFBundleShortVersionString + 1.0 + CFBundleSignature + ???? + CFBundleVersion + 1 + + diff --git a/ISACLProtectedItems/KeychainItemsAclTest.sh b/ISACLProtectedItems/KeychainItemsAclTest.sh new file mode 100755 index 00000000..c7b9496e --- /dev/null +++ b/ISACLProtectedItems/KeychainItemsAclTest.sh 
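Review bot: both `posix_spawn` calls discard the return value and pass a NULL pid, so a failed spawn (missing or non-executable `/usr/local/bin/KeychainItemsAclTest.sh`) is silent and a successful one leaves a child that nobody reaps. The two methods differ only in the `op=` argument, so a single helper can spawn, report `rc` via `strerror`, and `waitpid` the child on a background queue so the preferences UI is not blocked while the script runs its `security item` loop; `waitpid` needs `<sys/wait.h>`. The path constant is also a non-static global with a typo in its name (`pathToScrtiptFile`); `static char * const pathToScriptFile` keeps it file-local.
```objc
static char * const pathToScriptFile = "/usr/local/bin/KeychainItemsAclTest.sh";

// … unchanged: @implementation / specifiers …

// Spawn the ACL test script with one "op=…" argument. A failed spawn is
// logged; a successful one is reaped off the main queue so no zombie lingers.
static void runAclScript(char * const op)
{
    char * const argv[] = { pathToScriptFile, op, NULL };
    pid_t pid = 0;
    int rc = posix_spawn(&pid, pathToScriptFile, NULL, NULL, argv, NULL);
    if (rc != 0) {
        NSLog(@"posix_spawn(%s) failed: %s", pathToScriptFile, strerror(rc));
        return;
    }
    dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_BACKGROUND, 0), ^{
        int status = 0;
        (void)waitpid(pid, &status, 0);
    });
}

- (void)createBatchOfItems:(PSSpecifier *)specifier
{
    runAclScript("op=create");
}

- (void)deleteBatchOfItems:(PSSpecifier *)specifier
{
    runAclScript("op=delete");
}
```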
@@ -0,0 +1,61 @@ +#!/bin/sh + +# KechainItemsAclTest.sh +# Security +# +# Created by Vratislav Kužela on 22/08/14. +# + +AGRP="testACL" +SVCE="testACLService" +OPERATION="create" + +for i in $@; do + if [[ "$i" =~ "agrp=" ]]; then + AGRP=${i#*=} + elif [[ "$i" =~ "svce=" ]]; then + SVCE=${i#*=} + elif [[ "$i" =~ "op=create" ]]; then + OPERATION="create" + elif [[ "$i" =~ "op=delete" ]]; then + OPERATION="delete" + fi +done + +if [ "$OPERATION" = "create" ]; then +security item -a class=genp,svce=$SVCE,agrp=$AGRP,acct=acct1,accc="ak" +security item -a class=genp,svce=$SVCE,agrp=$AGRP,acct=acct2,accc="ak;od:true;odel:true" +security item -a class=genp,svce=$SVCE,agrp=$AGRP,acct=acct3,accc="ak;od:cpo(DeviceOwnerAuthentication);odel:true" +security item -a class=genp,svce=$SVCE,agrp=$AGRP,acct=acct4,accc="akpu" +security item -a class=genp,svce=$SVCE,agrp=$AGRP,acct=acct5,accc="akpu;od:true;odel:true" +security item -a class=genp,svce=$SVCE,agrp=$AGRP,acct=acct6,accc="akpu;od:cpo(DeviceOwnerAuthentication);odel:true" + +security item -a class=inet,agrp=$AGRP,acct=acct1,accc="ak" +security item -a class=inet,agrp=$AGRP,acct=acct2,accc="ak;od:true;odel:true" +security item -a class=inet,agrp=$AGRP,acct=acct3,accc="ak;od:cpo(DeviceOwnerAuthentication);odel:true" +security item -a class=inet,agrp=$AGRP,acct=acct4,accc="akpu" +security item -a class=inet,agrp=$AGRP,acct=acct5,accc="akpu;od:true;odel:true" +security item -a class=inet,agrp=$AGRP,acct=acct6,accc="akpu;od:cpo(DeviceOwnerAuthentication);odel:true" + +security item -a class=cert,agrp=$AGRP,slnr=slnr1,accc="ak" +security item -a class=cert,agrp=$AGRP,slnr=slnr2,accc="ak;od:true;odel:true" +security item -a class=cert,agrp=$AGRP,slnr=slnr3,accc="ak;od:cpo(DeviceOwnerAuthentication);odel:true" +security item -a class=cert,agrp=$AGRP,slnr=slnr4,accc="akpu" +security item -a class=cert,agrp=$AGRP,slnr=slnr5,accc="akpu;od:true;odel:true" +security item -a 
class=cert,agrp=$AGRP,slnr=slnr6,accc="akpu;od:cpo(DeviceOwnerAuthentication);odel:true" + +security item -a class=keys,agrp=$AGRP,klbl=hash1,accc="ak" +security item -a class=keys,agrp=$AGRP,klbl=hash2,accc="ak;od:true;odel:true" +security item -a class=keys,agrp=$AGRP,klbl=hash3,accc="ak;od:cpo(DeviceOwnerAuthentication);odel:true" +security item -a class=keys,agrp=$AGRP,klbl=hash4,accc="akpu" +security item -a class=keys,agrp=$AGRP,klbl=hash5,accc="akpu;od:true;odel:true" +security item -a class=keys,agrp=$AGRP,klbl=hash6,accc="akpu;od:cpo(DeviceOwnerAuthentication);odel:true" + +elif [ "$OPERATION" = "delete" ]; then + +security item -D class=genp,agrp=$AGRP +security item -D class=inet,agrp=$AGRP +security item -D class=cert,agrp=$AGRP +security item -D class=keys,agrp=$AGRP + +fi diff --git a/Keychain/SyncViewController.m b/Keychain/SyncViewController.m index bdbe5578..dcd9f24e 100644 --- a/Keychain/SyncViewController.m +++ b/Keychain/SyncViewController.m @@ -10,8 +10,8 @@ #import "MyKeychain.h" #import -#import -#import +#import +#import #import #import diff --git a/Keychain/ToolsViewController.m b/Keychain/ToolsViewController.m index 48db7f45..b42c91d2 100644 --- a/Keychain/ToolsViewController.m +++ b/Keychain/ToolsViewController.m @@ -10,8 +10,8 @@ #import "MyKeychain.h" #include -#include -#include +#include +#include #include #include //#include diff --git a/KeychainSyncAccountNotification/KeychainSyncAccountNotification.m b/KeychainSyncAccountNotification/KeychainSyncAccountNotification.m index c00eed74..3d522f93 100644 --- a/KeychainSyncAccountNotification/KeychainSyncAccountNotification.m +++ b/KeychainSyncAccountNotification/KeychainSyncAccountNotification.m @@ -10,10 +10,7 @@ #import #import #import -#pragma clang diagnostic push -#pragma clang diagnostic ignored "-Wnewline-eof" #import -#pragma clang diagnostic pop #import #import #import 
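Review bot: the script declares `#!/bin/sh` but its argument loop relies on `[[ … =~ … ]]`, which is a bash construct, and `for i in $@` splits arguments on whitespace because `$@` is unquoted. Either change the shebang to `#!/bin/bash` and write `for i in "$@"; do`, or keep `/bin/sh` and replace the regex tests with a POSIX `case "$i" in agrp=*) AGRP=${i#*=} ;; svce=*) SVCE=${i#*=} ;; op=delete) OPERATION="delete" ;; esac`. The `$SVCE`/`$AGRP` expansions inside the `security item` arguments are unquoted as well, so an access group containing a space would be split into separate arguments.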
@@ -22,18 +19,26 @@ @implementation KeychainSyncAccountNotification - (BOOL)account:(ACAccount *)account willChangeWithType:(ACAccountChangeType)changeType inStore:(ACDAccountStore *)store oldAccount:(ACAccount *)oldAccount { + if ((changeType == kACAccountChangeTypeDeleted) && [oldAccount.accountType.identifier isEqualToString:ACAccountTypeIdentifierAppleAccount]) { - if ([account aa_isPrimaryAccount]) { - - CFErrorRef removalError = NULL; + if(oldAccount.identifier != NULL && oldAccount.username !=NULL){ - ACLogDebug(@"Performing SOS circle credential removal for account %@: %@", oldAccount.identifier, oldAccount.username); - - if (!SOSCCRemoveThisDeviceFromCircle(&removalError)) { - ACLogError(@"Account %@ could not leave the SOS circle: %@", oldAccount.identifier, removalError); + if ([oldAccount aa_isPrimaryAccount]) { + + CFErrorRef removalError = NULL; + + ACLogDebug(@"Performing SOS circle credential removal for account %@: %@", oldAccount.identifier, oldAccount.username); + + if (!SOSCCLoggedOutOfAccount(&removalError)) { + ACLogError(@"Account %@ could not leave the SOS circle: %@", oldAccount.identifier, removalError); + } + } else { + ACLogDebug(@"NOT performing SOS circle credential removal for secondary account %@: %@", account.identifier, account.username); } - } else { - ACLogDebug(@"NOT performing SOS circle credential removal for secondary account %@: %@", account.identifier, account.username); + } + else{ + ACLogDebug(@"Already logged out of account"); + } } 
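Review bot: `removalError` is never released — when `SOSCCLoggedOutOfAccount` fails, the CFErrorRef it returns is logged by `ACLogError` and then dropped, whereas the code this commit removes from the didChange hunk below did `CFRelease` its error after logging. Add `if (removalError) { CFRelease(removalError); }` after the `ACLogError` call here and in the identical block of the didChange hunk. The secondary-account branch logs `account.identifier`/`account.username` while every other line on this path uses `oldAccount`; for a deletion the post-change `account` is presumably not the object of interest, so log `oldAccount` there too. The method's closing `return` lies outside the hunk.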
@@ -41,39 +46,19 @@ } - (void)account:(ACAccount *)account didChangeWithType:(ACAccountChangeType)changeType inStore:(ACDAccountStore *)store oldAccount:(ACAccount *)oldAccount { - if ((changeType == kACAccountChangeTypeAdded || changeType == kACAccountChangeTypeModified) && [account.accountType.identifier isEqualToString:ACAccountTypeIdentifierAppleAccount]) { - if ([account aa_isPrimaryAccount]) { - NSError *errObject; - ACAccountCredential *accountCred = [store credentialForAccount:account error:&errObject]; - if (accountCred != NULL) { - CFErrorRef authenticateError = NULL; - if (accountCred.password != NULL) { - const char *accountPassword = [accountCred.password cStringUsingEncoding:NSUTF8StringEncoding]; - CFDataRef passwordData = CFDataCreate(kCFAllocatorDefault, (const uint8_t *)accountPassword, strlen(accountPassword)); - if (NULL != passwordData) { - ACLogDebug(@"Performing SOS circle credential set for account %@: %@", account.identifier, account.username); - if (!SOSCCSetUserCredentials((__bridge CFStringRef)(account.username), passwordData, &authenticateError)) { - ACLogError(@"Unable to set SOS circle credentials for account %@: %@", account.identifier, authenticateError); - if (NULL != authenticateError) { - CFRelease(authenticateError); - } - } - CFRelease(passwordData); - } - } else { - if (!SOSCCCanAuthenticate(&authenticateError)) { - ACLogError(@"Account %@ did not present a password and we could not authenticate the SOS circle: %@", account.identifier, authenticateError); - if (NULL != authenticateError) { - CFRelease(authenticateError); - } - } + if (changeType == kACAccountChangeTypeDeleted) { + if (oldAccount.identifier != NULL && oldAccount.username != NULL){ + if ([oldAccount aa_isPrimaryAccount]) { + CFErrorRef removalError = NULL; + ACLogDebug(@"Performing SOS circle credential removal for account %@: %@", oldAccount.identifier, oldAccount.username); + if (!SOSCCLoggedOutOfAccount(&removalError)) { + ACLogError(@"Account %@ could not 
leave the SOS circle: %@", oldAccount.identifier, removalError); } } else { - ACLogError(@"Account %@ did not present a credential for SOS circle: %@", account.identifier, errObject); + ACLogDebug(@"NOT performing SOS circle credential removal for secondary account %@: %@", account.identifier, account.username); } - } else { - ACLogDebug(@"NOT performing SOS circle credential set for secondary account %@: %@", account.identifier, account.username); } + ACLogDebug(@"Already logged out of account"); } } diff --git a/Security/APPLE_LICENSE b/OSX/APPLE_LICENSE similarity index 100% rename from Security/APPLE_LICENSE rename to OSX/APPLE_LICENSE diff --git a/Security/Breadcrumb/README b/OSX/Breadcrumb/README similarity index 100% rename from Security/Breadcrumb/README rename to OSX/Breadcrumb/README diff --git a/Security/Breadcrumb/SecBreadcrumb.c b/OSX/Breadcrumb/SecBreadcrumb.c similarity index 82% rename from Security/Breadcrumb/SecBreadcrumb.c rename to OSX/Breadcrumb/SecBreadcrumb.c index e434f542..b0c3b56d 100644 --- a/Security/Breadcrumb/SecBreadcrumb.c +++ b/OSX/Breadcrumb/SecBreadcrumb.c @@ -28,7 +28,7 @@ SecBreadcrumbCreateFromPassword(CFStringRef inPassword, CFErrorRef *outError) { const struct ccmode_ecb *ecb = ccaes_ecb_encrypt_mode(); - const struct ccmode_gcm gcm = CCMODE_FACTORY_GCM_ENCRYPT(ecb); + const struct ccmode_gcm *gcm = ccaes_gcm_encrypt_mode(); const struct ccdigest_info *di = ccsha256_di(); CFMutableDataRef key, npw; CFDataRef pw; 
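Review bot: the rewritten didChange drops the account-type check that willChange keeps, so deletion of any account type now reaches `aa_isPrimaryAccount` and, if that returns YES, `SOSCCLoggedOutOfAccount`; restore it as `if (changeType == kACAccountChangeTypeDeleted && [oldAccount.accountType.identifier isEqualToString:ACAccountTypeIdentifierAppleAccount]) {`. The `ACLogDebug(@"Already logged out of account")` line sits after the identifier/username guard instead of in its else branch, so it is emitted even when a logout was just performed; willChange places it in the else branch. Since both delegate methods now run the same logout block for the same deletion, `SOSCCLoggedOutOfAccount` appears to be invoked twice per removed account, assuming both callbacks fire as their names suggest; keeping the call in only one of them avoids the duplicate call and duplicate error logging.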
@@ -86,12 +86,12 @@ SecBreadcrumbCreateFromPassword(CFStringRef inPassword, * Now create a GCM encrypted password using the random key */ - ccgcm_ctx_decl(gcm.size, ctx); - gcm.init(&gcm, ctx, kKeySize, CFDataGetMutableBytePtr(key)); - gcm.gmac(ctx, 1, CFDataGetMutableBytePtr(npw)); - gcm.gcm(ctx, outLength - tagLen - 1, CFDataGetMutableBytePtr(npw) + 1, CFDataGetMutableBytePtr(npw) + 1); - gcm.finalize(ctx, tagLen, CFDataGetMutableBytePtr(npw) + outLength - tagLen); - ccgcm_ctx_clear(gcm.size, ctx); + ccgcm_ctx_decl(gcm->size, ctx); + ccgcm_init(gcm, ctx, kKeySize, CFDataGetMutableBytePtr(key)); + ccgcm_gmac(gcm, ctx, 1, CFDataGetMutableBytePtr(npw)); + ccgcm_update(gcm, ctx, outLength - tagLen - 1, CFDataGetMutableBytePtr(npw) + 1, CFDataGetMutableBytePtr(npw) + 1); + ccgcm_finalize(gcm, ctx, tagLen, CFDataGetMutableBytePtr(npw) + outLength - tagLen); + ccgcm_ctx_clear(gcm->size, ctx); /* * Wrapping key is PBKDF2(sha256) over password @@ -111,10 +111,11 @@ SecBreadcrumbCreateFromPassword(CFStringRef inPassword, * Wrap the random key with one round of ECB cryto */ - ccecb_ctx_decl(ecb->size, ecbkey); - ecb->init(ecb, ecbkey, kKeySize, rawkey); - ecb->ecb(ecbkey, 1, CFDataGetMutableBytePtr(key), CFDataGetMutableBytePtr(key)); - + ccecb_ctx_decl(ccecb_context_size(ecb), ecbkey); + ccecb_init(ecb, ecbkey, kKeySize, rawkey); + ccecb_update(ecb, ecbkey, 1, CFDataGetMutableBytePtr(key), CFDataGetMutableBytePtr(key)); + ccecb_ctx_clear(ccecb_context_size(ecb), ecbkey); + /* * */ @@ -137,7 +138,7 @@ SecBreadcrumbCopyPassword(CFStringRef inPassword, CFErrorRef *outError) { const struct ccmode_ecb *ecb = ccaes_ecb_decrypt_mode(); - const struct ccmode_gcm gcm = CCMODE_FACTORY_GCM_DECRYPT(ccaes_ecb_encrypt_mode()); + const struct ccmode_gcm *gcm = ccaes_gcm_decrypt_mode(); const struct ccdigest_info *di = ccsha256_di(); CFMutableDataRef gcmkey, oldpw; CFDataRef pw; 
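Review bot: the GCM sequence goes straight from `ccgcm_init` to `ccgcm_gmac`/`ccgcm_update` with no `ccgcm_set_iv`, so the encryption runs under whatever IV the freshly declared context starts with; the decrypt path in the @@ -212 hunk mirrors this. That is only sound because, per the comment above the block, `key` is a random key used for this one message, which satisfies GCM's nonce-uniqueness requirement without an explicit nonce, and nothing in the code states that invariant. Add a comment above `ccgcm_ctx_decl` such as `/* No IV is set: the GCM key is random and wraps exactly one message, so a fixed IV cannot repeat under the same key. */`. Whether the ccgcm entry points in use require `ccgcm_set_iv` before `ccgcm_update` I cannot confirm from here; if they do, the call is needed in both paths.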
@@ -212,22 +213,22 @@ SecBreadcrumbCopyPassword(CFStringRef inPassword, * Unwrap the random key with one round of ECB cryto */ - ccecb_ctx_decl(ecb->size, ecbkey); - ecb->init(ecb, ecbkey, kKeySize, rawkey); - ecb->ecb(ecbkey, 1, CFDataGetMutableBytePtr(gcmkey), CFDataGetMutableBytePtr(gcmkey)); - + ccecb_ctx_decl(ccecb_context_size(ecb), ecbkey); + ccecb_init(ecb, ecbkey, kKeySize, rawkey); + ccecb_update(ecb, ecbkey, 1, CFDataGetMutableBytePtr(gcmkey), CFDataGetMutableBytePtr(gcmkey)); + ccecb_ctx_clear(ccecb_context_size(ecb), ecbkey); /* * GCM unwrap */ uint8_t tag[tagLen]; - ccgcm_ctx_decl(gcm.size, ctx); + ccgcm_ctx_decl(gcm->size, ctx); - gcm.init(&gcm, ctx, kKeySize, CFDataGetMutableBytePtr(gcmkey)); - gcm.gmac(ctx, 1, CFDataGetBytePtr(inBreadcrumb)); - gcm.gcm(ctx, outLength, CFDataGetBytePtr(inBreadcrumb) + 1, CFDataGetMutableBytePtr(oldpw)); - gcm.finalize(ctx, tagLen, tag); - ccgcm_ctx_clear(gcm.size, ctx); + ccgcm_init(gcm, ctx, kKeySize, CFDataGetMutableBytePtr(gcmkey)); + ccgcm_gmac(gcm, ctx, 1, CFDataGetBytePtr(inBreadcrumb)); + ccgcm_update(gcm, ctx, outLength, CFDataGetBytePtr(inBreadcrumb) + 1, CFDataGetMutableBytePtr(oldpw)); + ccgcm_finalize(gcm, ctx, tagLen, tag); + ccgcm_ctx_clear(gcm->size, ctx); CFReleaseNull(gcmkey); @@ -307,8 +308,9 @@ SecBreadcrumbCreateNewEncryptedKey(CFStringRef oldPassword, ccecb_ctx_decl(dec->size, deckey); - dec->init(dec, deckey, kKeySize, rawkey); - dec->ecb(deckey, 1, CFDataGetMutableBytePtr(newEncryptedKey), CFDataGetMutableBytePtr(newEncryptedKey)); + ccecb_init(dec, deckey, kKeySize, rawkey); + ccecb_update(dec, deckey, 1, CFDataGetMutableBytePtr(newEncryptedKey), CFDataGetMutableBytePtr(newEncryptedKey)); + ccecb_ctx_clear(ccecb_context_size(dec), deckey); memset(rawkey, 0, sizeof(rawkey)); 
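Review bot: in the @@ -307 hunk the context still declares the context with `ccecb_ctx_decl(dec->size, deckey)` while the new line clears it with `ccecb_ctx_clear(ccecb_context_size(dec), deckey)`, and the @@ -326 hunk has the same `enc->size` / `ccecb_context_size(enc)` pairing; the @@ -111 and @@ -212 hunks use `ccecb_context_size` for both. The two are presumably equal, but declaring and clearing with different size expressions invites a mismatch if either changes, so use `ccecb_ctx_decl(ccecb_context_size(dec), deckey);` and the matching form for `enc`. The `memset(rawkey, 0, sizeof(rawkey))` immediately after each new clear may be elided by the compiler if `rawkey` is not read again; corecrypto's `cc_clear(sizeof(rawkey), rawkey)` is the form that survives optimization.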
@@ -326,8 +328,9 @@ SecBreadcrumbCreateNewEncryptedKey(CFStringRef oldPassword, ccecb_ctx_decl(enc->size, enckey); - enc->init(enc, enckey, kKeySize, rawkey); - enc->ecb(enckey, 1, CFDataGetMutableBytePtr(newEncryptedKey), CFDataGetMutableBytePtr(newEncryptedKey)); + ccecb_init(enc, enckey, kKeySize, rawkey); + ccecb_update(enc, enckey, 1, CFDataGetMutableBytePtr(newEncryptedKey), CFDataGetMutableBytePtr(newEncryptedKey)); + ccecb_ctx_clear(ccecb_context_size(enc), enckey); memset(rawkey, 0, sizeof(rawkey)); diff --git a/Security/Breadcrumb/SecBreadcrumb.h b/OSX/Breadcrumb/SecBreadcrumb.h similarity index 100% rename from Security/Breadcrumb/SecBreadcrumb.h rename to OSX/Breadcrumb/SecBreadcrumb.h diff --git a/Security/Breadcrumb/bc-10-knife-on-bread.c b/OSX/Breadcrumb/bc-10-knife-on-bread.c similarity index 100% rename from Security/Breadcrumb/bc-10-knife-on-bread.c rename to OSX/Breadcrumb/bc-10-knife-on-bread.c diff --git a/Security/Breadcrumb/breadcrumb_regressions.h b/OSX/Breadcrumb/breadcrumb_regressions.h similarity index 100% rename from Security/Breadcrumb/breadcrumb_regressions.h rename to OSX/Breadcrumb/breadcrumb_regressions.h diff --git a/Security/CloudKeychainProxy/CloudKeychainProxy-Info.plist b/OSX/CloudKeychainProxy/CloudKeychainProxy-Info.plist similarity index 100% rename from Security/CloudKeychainProxy/CloudKeychainProxy-Info.plist rename to OSX/CloudKeychainProxy/CloudKeychainProxy-Info.plist diff --git a/Security/CloudKeychainProxy/cloudkeychain.entitlements.plist b/OSX/CloudKeychainProxy/cloudkeychain.entitlements.plist similarity index 100% rename from Security/CloudKeychainProxy/cloudkeychain.entitlements.plist rename to OSX/CloudKeychainProxy/cloudkeychain.entitlements.plist 
diff --git a/Security/CloudKeychainProxy/com.apple.security.cloudkeychainproxy.plist b/OSX/CloudKeychainProxy/com.apple.security.cloudkeychainproxy.plist similarity index 98% rename from Security/CloudKeychainProxy/com.apple.security.cloudkeychainproxy.plist rename to OSX/CloudKeychainProxy/com.apple.security.cloudkeychainproxy.plist index b841f7f2..c9056a14 100644 --- a/Security/CloudKeychainProxy/com.apple.security.cloudkeychainproxy.plist +++ b/OSX/CloudKeychainProxy/com.apple.security.cloudkeychainproxy.plist @@ -28,7 +28,7 @@ EnvironmentVariables DEBUGSCOPE - all + none WAIT4DEBUGGER NO diff --git a/Security/CloudKeychainProxy/en.lproj/InfoPlist.strings b/OSX/CloudKeychainProxy/en.lproj/InfoPlist.strings similarity index 100% rename from Security/CloudKeychainProxy/en.lproj/InfoPlist.strings rename to OSX/CloudKeychainProxy/en.lproj/InfoPlist.strings diff --git a/OSX/IDSKeychainSyncingProxy/IDSKeychainSyncingProxy-Info.plist b/OSX/IDSKeychainSyncingProxy/IDSKeychainSyncingProxy-Info.plist new file mode 100644 index 00000000..07887652 --- /dev/null +++ b/OSX/IDSKeychainSyncingProxy/IDSKeychainSyncingProxy-Info.plist @@ -0,0 +1,32 @@ + + + + + Application-Group + + InternetAccounts + + CFBundleDevelopmentRegion + English + CFBundleExecutable + ${EXECUTABLE_NAME} + CFBundleIconFile + + CFBundleIdentifier + com.apple.security.idskeychainsyncingproxy + CFBundleInfoDictionaryVersion + 6.0 + CFBundleName + ${PRODUCT_NAME} + CFBundlePackageType + BNDL + CFBundleShortVersionString + 1.0 + CFBundleSignature + ???? + CFBundleVersion + ${CURRENT_PROJECT_VERSION} + NSHumanReadableCopyright + Copyright © 2013 Apple, Inc. All rights reserved. + + 
diff --git a/OSX/IDSKeychainSyncingProxy/com.apple.private.alloy.keychainsync.plist b/OSX/IDSKeychainSyncingProxy/com.apple.private.alloy.keychainsync.plist new file mode 100644 index 0000000000000000000000000000000000000000..f18a40e0a374d1366696389fbaf5c05a61449bc1 GIT binary patch literal 373 zcmYc)$jK}&F)+Bn$i&RT%Er#Y$;HjX%gHYgo9UdBUz!q}T2z*qoEq(tSzM5lSm~FT zn;IEVTAUG*Uyzv`6Ht_2lAoNP0}_rG5O7TK$WMmq2&pUp3duN@mgGC<=cQ$)mlmal zrIwVWrZ}dg6r~myrxr(frljVTWTs`N7DYpKfehk|@lLHw&PdG63$Dydju%i#&d=3L zEGWoH)hj5{N<%3|V*s(4b~XS2 literal 0 HcmV?d00001 diff --git a/OSX/IDSKeychainSyncingProxy/com.apple.security.idskeychainsyncingproxy.plist b/OSX/IDSKeychainSyncingProxy/com.apple.security.idskeychainsyncingproxy.plist new file mode 100644 index 00000000..b8b1e6db --- /dev/null +++ b/OSX/IDSKeychainSyncingProxy/com.apple.security.idskeychainsyncingproxy.plist @@ -0,0 +1,45 @@ + + + + + LaunchEvents + + com.apple.notifyd.matching + + com.apple.keystore.lockstatus + + Notification + com.apple.keystore.lockstatus + + + + Program + /System/Library/Frameworks/Security.framework/Versions/A/Resources/IDSKeychainSyncingProxy.bundle/Contents/MacOS/IDSKeychainSyncingProxy + Label + com.apple.security.idskeychainsyncingproxy + EnvironmentVariables + + WAIT4DEBUGGER + NO + DEBUGSCOPE + all + + ProcessType + Adaptive + MachServices + + com.apple.security.idskeychainsyncingproxy + + + ProgramArguments + + /System/Library/Frameworks/Security.framework/Versions/A/Resources/IDSKeychainSyncingProxy.bundle/Contents/MacOS/IDSKeychainSyncingProxy + + RunAtLoad + + EnablePressuredExit + + KeepAlive + + + diff --git a/Security/Keychain Circle Notification/en.lproj/InfoPlist.strings b/OSX/IDSKeychainSyncingProxy/en.lproj/InfoPlist.strings similarity index 100% rename from Security/Keychain Circle Notification/en.lproj/InfoPlist.strings rename to OSX/IDSKeychainSyncingProxy/en.lproj/InfoPlist.strings 
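Review bot: the OS X launchd plist for the IDS keychain syncing proxy ships with `DEBUGSCOPE` set to `all`, while this same commit flips CloudKeychainProxy's `DEBUGSCOPE` from `all` to `none` in the hunk just above. Presumably that variable enables the daemon's verbose debug logging, which for a keychain-syncing process is the kind of output a release build should not produce by default; if `all` is not deliberate here, set it to `none` as in the CloudKeychainProxy plist, and otherwise note in the plist why this daemon differs.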
diff --git a/OSX/IDSKeychainSyncingProxy/idskeychainsyncingproxy.entitlements.plist b/OSX/IDSKeychainSyncingProxy/idskeychainsyncingproxy.entitlements.plist new file mode 100644 index 00000000..06f7c014 --- /dev/null +++ b/OSX/IDSKeychainSyncingProxy/idskeychainsyncingproxy.entitlements.plist @@ -0,0 +1,19 @@ + + + + + keychain-access-groups + + IMCore + InternetAccounts + + com.apple.private.ids.messaging + + com.apple.private.alloy.keychainsync + + com.apple.private.ids.messaging.high-priority + + com.apple.private.alloy.keychainsync + + + diff --git a/OSX/Keychain Circle Notification/Base.lproj/MainMenu.xib b/OSX/Keychain Circle Notification/Base.lproj/MainMenu.xib new file mode 100644 index 00000000..9d3cc2d1 --- /dev/null +++ b/OSX/Keychain Circle Notification/Base.lproj/MainMenu.xib @@ -0,0 +1,18 @@ + + + + + + + + + + + + + + + + + + diff --git a/Security/Keychain Circle Notification/KNAppDelegate.h b/OSX/Keychain Circle Notification/KNAppDelegate.h similarity index 94% rename from Security/Keychain Circle Notification/KNAppDelegate.h rename to OSX/Keychain Circle Notification/KNAppDelegate.h index 0ef34b7a..b480bd19 100644 --- a/Security/Keychain Circle Notification/KNAppDelegate.h +++ b/OSX/Keychain Circle Notification/KNAppDelegate.h @@ -24,7 +24,7 @@ #import #import -#import "KNPersistantState.h" +#import "KNPersistentState.h" @class KDSecCircle; @@ -33,6 +33,6 @@ @property (assign) IBOutlet NSWindow *window; @property (retain) KDSecCircle *circle; @property (retain) NSMutableSet *viewedIds; -@property (retain) KNPersistantState *state; +@property (retain) KNPersistentState *state; @end diff --git a/OSX/Keychain Circle Notification/KNAppDelegate.m b/OSX/Keychain Circle Notification/KNAppDelegate.m new file mode 100644 index 00000000..8640fb3d --- /dev/null +++ b/OSX/Keychain Circle Notification/KNAppDelegate.m 
@@ -0,0 +1,549 @@ +/* + * Copyright (c) 2013-2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + + +#import "KNAppDelegate.h" +#import "KDSecCircle.h" +#import "KDCirclePeer.h" +#import "NSDictionary+compactDescription.h" +#import +#import +#import + +#import +#import + +#include +#include +#include + +static const char * const kLaunchLaterXPCName = "com.apple.security.Keychain-Circle-Notification-TICK"; +static const NSString * const kKickedOutKey = @"KickedOut"; +static const NSString * const kValidOnlyOutOfCircleKey = @"ValidOnlyOutOfCircle"; + + +@implementation KNAppDelegate + +static NSUserNotificationCenter *appropriateNotificationCenter() +{ + return [NSUserNotificationCenter _centerForIdentifier: @"com.apple.security.keychain-circle-notification" + type: _NSUserNotificationCenterTypeSystem]; +} + + +- (void) notifyiCloudPreferencesAbout: (NSString *) eventName +{ + if (eventName == nil) + return; + + NSString *account = (__bridge NSString *)(MMCopyLoggedInAccount()); + NSLog(@"notifyiCloudPreferencesAbout %@", eventName); + + AEDesc aeDesc; + BOOL 
createdAEDesc = createAEDescWithAEActionAndAccountID((__bridge NSString *) kMMServiceIDKeychainSync, eventName, account, &aeDesc); + if (createdAEDesc) { + LSLaunchURLSpec lsSpec = { + .appURL = NULL, + .itemURLs = (__bridge CFArrayRef)([NSArray arrayWithObject: [NSURL fileURLWithPath:@"/System/Library/PreferencePanes/iCloudPref.prefPane"]]), + .passThruParams = &aeDesc, + .launchFlags = kLSLaunchDefaults | kLSLaunchAsync, + .asyncRefCon = NULL, + }; + OSErr err = LSOpenFromURLSpec(&lsSpec, NULL); + + if (err) + NSLog(@"Can't send event %@, err=%d", eventName, err); + AEDisposeDesc(&aeDesc); + } else { + NSLog(@"unable to create and send aedesc for account: '%@' and action: '%@'\n", account, eventName); + } +} + + +- (void) showiCloudPreferences +{ + static NSAppleScript *script = nil; + if (!script) { + static NSString *script_src = @"tell application \"System Preferences\"\n" + "activate\n" + "set the current pane to pane id \"com.apple.preferences.icloud\"\n" + "end tell"; + script = [[NSAppleScript alloc] initWithSource: script_src]; + } + + NSDictionary *scriptError = nil; + [script executeAndReturnError:&scriptError]; + + if (scriptError) + NSLog(@"scriptError: %@", scriptError); + else + NSLog(@"showiCloudPreferences success"); +} + + +- (void) timerCheck +{ + NSDate *nowish = [NSDate new]; + + self.state = [KNPersistentState loadFromStorage]; + if ([nowish compare:self.state.pendingApplicationReminder] != NSOrderedAscending) { + NSLog(@"REMINDER TIME: %@ >>> %@", nowish, self.state.pendingApplicationReminder); + + // self.circle.rawStatus might not be valid yet + if (SOSCCThisDeviceIsInCircle(NULL) == kSOSCCRequestPending) { + // Still have a request pending, send reminder, and also in addtion to the UI + // we need to send a notification for iCloud pref pane to pick up + CFNotificationCenterPostNotificationWithOptions( + CFNotificationCenterGetDistributedCenter(), + CFSTR("com.apple.security.secureobjectsync.pendingApplicationReminder"), + (__bridge const 
void *) [self.state.applicationDate description], NULL, 0 + ); + + [self postApplicationReminder]; + self.state.pendingApplicationReminder = [nowish dateByAddingTimeInterval:[self getPendingApplicationReminderInterval]]; + [self.state writeToStorage]; + } + } +} + + +- (void) scheduleActivityAt: (NSDate *) time +{ + if ([time compare:[NSDate distantFuture]] != NSOrderedSame) { + NSTimeInterval howSoon = [time timeIntervalSinceNow]; + if (howSoon > 0) + [self scheduleActivityIn:ceil(howSoon)]; + else + [self timerCheck]; + } +} + + +- (void) scheduleActivityIn: (int) alertInterval +{ + xpc_object_t options = xpc_dictionary_create(NULL, NULL, 0); + xpc_dictionary_set_uint64(options, XPC_ACTIVITY_DELAY, alertInterval); + xpc_dictionary_set_uint64(options, XPC_ACTIVITY_GRACE_PERIOD, XPC_ACTIVITY_INTERVAL_1_MIN); + xpc_dictionary_set_bool (options, XPC_ACTIVITY_REPEATING, false); + xpc_dictionary_set_bool (options, XPC_ACTIVITY_ALLOW_BATTERY, true); + xpc_dictionary_set_string(options, XPC_ACTIVITY_PRIORITY, XPC_ACTIVITY_PRIORITY_UTILITY); + + xpc_activity_register(kLaunchLaterXPCName, options, ^(xpc_activity_t activity) { + [self timerCheck]; + }); +} + + +- (NSTimeInterval) getPendingApplicationReminderInterval +{ + if (self.state.pendingApplicationReminderInterval) + return [self.state.pendingApplicationReminderInterval doubleValue]; + else + return 24*60*60; +} + + +// Copied from sysdiagnose/src/utils.m +bool isAppleInternal(void) +{ + static bool ret = false; + static dispatch_once_t onceToken; + dispatch_once(&onceToken, ^{ +#if TARGET_OS_IPHONE + ret = CRIsAppleInternal(); +#else + ret = CRHasBeenAppleInternalRecently(); +#endif + }); + return ret; +} + + +#define ICKC_EVENT_DISABLED "com.apple.security.secureobjectsync.disabled" +#define ICKC_EVENT_DEPARTURE_REASON "com.apple.security.secureobjectsync.departurereason" +#define ICKC_EVENT_NUM_PEERS "com.apple.security.secureobjectsync.numcircledevices" + +- (void) applicationDidFinishLaunching: (NSNotification 
*) aNotification +{ + appropriateNotificationCenter().delegate = self; + NSLog(@"Posted at launch: %@", appropriateNotificationCenter().deliveredNotifications); + + self.viewedIds = [NSMutableSet new]; + self.circle = [KDSecCircle new]; +// self.state = [KNPersistentState loadFromStorage]; + KNAppDelegate *me = self; + + [self.circle addChangeCallback:^{ + NSLog(@"{ChangeCallback}"); +/* SOSCCStatus circleStatus = SOSCCThisDeviceIsInCircle(&error); + NSDate *nowish = [NSDate date]; + PersistentState *state = [PersistentState loadFromStorage]; + enum DepartureReason departureReason = SOSCCGetLastDepartureReason(&departError); */ +// me.circle.rawStatus = SOSCCThisDeviceIsInCircle(&error); + NSDate *nowish = [NSDate date]; + SOSCCStatus circleStatus = me.circle.rawStatus; + me.state = [KNPersistentState loadFromStorage]; + + + // Pending application reminder + NSLog(@"{ChangeCallback} scheduleActivity %@", me.state.pendingApplicationReminder); + if (circleStatus == kSOSCCRequestPending) + [me scheduleActivityAt:me.state.pendingApplicationReminder]; + + + // No longer in circle? 
+ if ((me.state.lastCircleStatus == kSOSCCInCircle && (circleStatus == kSOSCCNotInCircle || circleStatus == kSOSCCCircleAbsent)) || + (me.state.lastCircleStatus == kSOSCCCircleAbsent && circleStatus == kSOSCCNotInCircle && me.state.absentCircleWithNoReason) || + me.state.debugLeftReason) { + enum DepartureReason reason = kSOSNeverLeftCircle; + if (me.state.debugLeftReason) { + reason = [me.state.debugLeftReason intValue]; + me.state.debugLeftReason = nil; + [me.state writeToStorage]; + } else { + CFErrorRef err = NULL; + reason = SOSCCGetLastDepartureReason(&err); + if (reason == kSOSDepartureReasonError) { + NSLog(@"SOSCCGetLastDepartureReason err: %@", err); + } + if (err) CFRelease(err); + } + + if (reason != kSOSDepartureReasonError) { + // Post kick-out alert + + // MessageTracer data to find out how many users were dropped & reset + msgtracer_domain_t domain = msgtracer_domain_new(ICKC_EVENT_DISABLED); + msgtracer_msg_t mt_msg = NULL; + + if (domain != NULL) + mt_msg = msgtracer_msg_new(domain); + + if (mt_msg) { + char s[16]; + + msgtracer_set(mt_msg, kMsgTracerKeySignature, ICKC_EVENT_DEPARTURE_REASON); + snprintf(s, sizeof(s), "%u", reason); + msgtracer_set(mt_msg, kMsgTracerKeyValue, s); + + int64_t num_peers = 0; + CFArrayRef peerList = SOSCCCopyPeerPeerInfo(NULL); + if (peerList) { + num_peers = CFArrayGetCount(peerList); + if (num_peers > 99) { + // Round down # peers to 2 significant digits + int factor; + for (factor = 10; num_peers >= 100*factor; factor *= 10) ; + num_peers = (num_peers / factor) * factor; + } + CFRelease(peerList); + } + msgtracer_set(mt_msg, kMsgTracerKeySignature2, ICKC_EVENT_NUM_PEERS); + snprintf(s, sizeof(s), "%lld", num_peers); + msgtracer_set(mt_msg, kMsgTracerKeyValue2, s); + + msgtracer_set(mt_msg, kMsgTracerKeySummarize, "NO"); + msgtracer_log(mt_msg, ASL_LEVEL_DEBUG, ""); + } + + // FIXME: + // 1. Write here due to [me timerCheck] => [KNPersistentState loadFromStorage] below?!? + // 2. 
Or change call order of timerCheck, pendingApplication reminder below??? + me.state.absentCircleWithNoReason = (circleStatus == kSOSCCCircleAbsent && reason == kSOSNeverLeftCircle); + [me.state writeToStorage]; + NSLog(@"{ChangeCallback} departure reason %d", reason); + + switch (reason) { + case kSOSDiscoveredRetirement: + case kSOSLostPrivateKey: + case kSOSWithdrewMembership: + case kSOSNeverAppliedToCircle: + break; + + case kSOSNeverLeftCircle: + case kSOSMembershipRevoked: + case kSOSLeftUntrustedCircle: + default: + [me postKickedOutAlert: reason]; + break; + } + } + } + + + // Circle applications: pending request(s) started / completed + if (me.circle.rawStatus != me.state.lastCircleStatus) { + SOSCCStatus lastCircleStatus = me.state.lastCircleStatus; + me.state.lastCircleStatus = circleStatus; + + if (lastCircleStatus != kSOSCCRequestPending && circleStatus == kSOSCCRequestPending) { + NSLog(@"{ChangeCallback} Pending request START"); + me.state.applicationDate = nowish; + me.state.pendingApplicationReminder = [me.state.applicationDate dateByAddingTimeInterval:[me getPendingApplicationReminderInterval]]; + [me.state writeToStorage]; // FIXME: move below? might be needed for scheduleActivityAt... 
+ [me scheduleActivityAt:me.state.pendingApplicationReminder]; + } + + if (lastCircleStatus == kSOSCCRequestPending && circleStatus != kSOSCCRequestPending) { + NSLog(@"Pending request completed"); + me.state.applicationDate = [NSDate distantPast]; + me.state.pendingApplicationReminder = [NSDate distantFuture]; + [me.state writeToStorage]; + + // Remove reminders + NSUserNotificationCenter *noteCenter = appropriateNotificationCenter(); + for (NSUserNotification *note in noteCenter.deliveredNotifications) { + if (note.userInfo[kValidOnlyOutOfCircleKey] && note.userInfo[@"ApplicationReminder"]) { + NSLog(@"{ChangeCallback} Removing notification %@", note); + [appropriateNotificationCenter() removeDeliveredNotification: note]; + } + } + } + + // [me.state writeToStorage]; + } + + + // CircleJoinRequested +/* if (circleStatus != kSOSCCInCircle) { + if (circleStatus == kSOSCCRequestPending && currentAlert) { ... } */ + + // Clear out (old) reset notifications + if (me.circle.isInCircle) { + NSLog(@"{ChangeCallback} me.circle.isInCircle"); + NSUserNotificationCenter *noteCenter = appropriateNotificationCenter(); + for (NSUserNotification *note in noteCenter.deliveredNotifications) { + if (note.userInfo[kValidOnlyOutOfCircleKey]) { + NSLog(@"Removing existing notification (%@) now that we are in circle", note); + [appropriateNotificationCenter() removeDeliveredNotification: note]; + } + } + } + + + // Applicants + NSLog(@"{ChangeCallback} Applicants"); + NSMutableSet *applicantIds = [NSMutableSet new]; + for (KDCirclePeer *applicant in me.circle.applicants) { + if (!me.circle.isInCircle) { + // Don't yammer on about circles we aren't in, and don't announce our own + // join requests as if the user could approve them locally! 
+ break; + } + [me postForApplicant:applicant]; + [applicantIds addObject:applicant.idString]; + } + + + // Update notifications + NSUserNotificationCenter *notificationCenter = appropriateNotificationCenter(); + NSLog(@"Checking validity of %lu notes", (unsigned long)notificationCenter.deliveredNotifications.count); + for (NSUserNotification *note in notificationCenter.deliveredNotifications) { + if (note.userInfo[@"applicantId"] && ![applicantIds containsObject:note.userInfo[@"applicantId"]]) { + NSLog(@"No longer an applicant (%@) for %@ (I=%@)", note.userInfo[@"applicantId"], note, [note.userInfo compactDescription]); + [notificationCenter removeDeliveredNotification:note]; + } else { + NSLog(@"Still an applicant (%@) for %@ (I=%@)", note.userInfo[@"applicantId"], note, [note.userInfo compactDescription]); + } + } + + me.state.lastCircleStatus = me.circle.rawStatus; + + [me.state writeToStorage]; + }]; +} + + +- (BOOL) userNotificationCenter: (NSUserNotificationCenter *) center + shouldPresentNotification: (NSUserNotification *) notification +{ + return YES; +} + + +- (void) userNotificationCenter: (NSUserNotificationCenter *) center + didActivateNotification: (NSUserNotification *) notification +{ + if (notification.activationType == NSUserNotificationActivationTypeActionButtonClicked) { + [self notifyiCloudPreferencesAbout:notification.userInfo[@"Activate"]]; + } +} + + +- (void) userNotificationCenter: (NSUserNotificationCenter *) center + didDismissAlert: (NSUserNotification *) notification +{ + [self notifyiCloudPreferencesAbout:notification.userInfo[@"Dismiss"]]; + + // If we don't do anything here & another notification comes in we + // will repost the alert, which will be dumb. 
+ id applicantId = notification.userInfo[@"applicantId"]; + if (applicantId != nil) { + [self.viewedIds addObject:applicantId]; + } +} + + +- (void) postForApplicant: (KDCirclePeer *) applicant +{ + static int postCount = 0; + + if ([self.viewedIds containsObject:applicant.idString]) { + NSLog(@"Already viewed %@, skipping", applicant); + return; + } + + NSUserNotificationCenter *noteCenter = appropriateNotificationCenter(); + for (NSUserNotification *note in noteCenter.deliveredNotifications) { + if ([applicant.idString isEqualToString:note.userInfo[@"applicantId"]]) { + if (note.isPresented) { + NSLog(@"Already posted&presented: %@ (I=%@)", note, note.userInfo); + return; + } else { + NSLog(@"Already posted, but not presented: %@ (I=%@)", note, note.userInfo); + } + } + } + + // Contrary to HI spec (and I think it makes more sense) + // 1. otherButton == top : Not Now + // 2. actionButton == bottom: Continue + // 3. If we followed HI spec, replace "Activate" => "Dismiss" in note.userInfo below + NSUserNotification *note = [NSUserNotification new]; + note.title = (__bridge_transfer NSString *) SecCopyCKString(SEC_CK_APPROVAL_TITLE_OSX); + note.informativeText = [NSString stringWithFormat: (__bridge_transfer NSString *) SecCopyCKString(SEC_CK_APPROVAL_BODY_OSX), applicant.name]; + note._displayStyle = _NSUserNotificationDisplayStyleAlert; + note._identityImage = [NSImage bundleImage]; + note._identityImageStyle = _NSUserNotificationIdentityImageStyleRectangleNoBorder; + note.otherButtonTitle = (__bridge_transfer NSString *) SecCopyCKString(SEC_CK_NOT_NOW); + note.actionButtonTitle = (__bridge_transfer NSString *) SecCopyCKString(SEC_CK_CONTINUE); + note.identifier = [[NSUUID new] UUIDString]; + note.userInfo = @{ + @"applicantName": applicant.name, + @"applicantId" : applicant.idString, + @"Activate" : (__bridge NSString *) kMMPropertyKeychainAADetailsAEAction, + }; + + NSLog(@"About to post #%d/%lu (%@): %@", postCount, noteCenter.deliveredNotifications.count, 
applicant.idString, note); + [appropriateNotificationCenter() deliverNotification:note]; + postCount++; +} + + +- (void) postKickedOutAlert: (int) reason +{ + NSUserNotificationCenter *noteCenter = appropriateNotificationCenter(); + for (NSUserNotification *note in noteCenter.deliveredNotifications) { + if (note.userInfo[kKickedOutKey]) { + if (note.isPresented) { + NSLog(@"Already posted&presented (removing): %@", note); + [appropriateNotificationCenter() removeDeliveredNotification: note]; + } else { + NSLog(@"Already posted, but not presented: %@", note); + } + } + } + + NSString *message = (__bridge_transfer NSString *) SecCopyCKString(SEC_CK_PWD_REQUIRED_BODY_OSX); + if (isAppleInternal()) { + static const char *departureReasonStrings[] = { + "kSOSDepartureReasonError", + "kSOSNeverLeftCircle", + "kSOSWithdrewMembership", + "kSOSMembershipRevoked", + "kSOSLeftUntrustedCircle", + "kSOSNeverAppliedToCircle", + "kSOSDiscoveredRetirement", + "kSOSLostPrivateKey", + "unknown reason" + }; + int idx = (kSOSDepartureReasonError <= reason && reason <= kSOSLostPrivateKey) ? reason : (kSOSLostPrivateKey + 1); + NSString *reason_str = [NSString stringWithFormat:(__bridge_transfer NSString *) SecCopyCKString(SEC_CK_CR_REASON_INTERNAL), departureReasonStrings[idx]]; + message = [message stringByAppendingString: reason_str]; + } + + // Improve wording of the iCloud keychain drop/reset error messages + // Contrary to HI spec (and I think it makes more sense) + // 1. otherButton == top : Not Now + // 2. actionButton == bottom: Continue + // 3. 
If we followed HI spec, replace "Activate" => "Dismiss" in note.userInfo below + NSUserNotification *note = [NSUserNotification new]; + note.title = (__bridge_transfer NSString *) SecCopyCKString(SEC_CK_PWD_REQUIRED_TITLE); + note.informativeText = message; + note._identityImage = [NSImage bundleImage]; + note._identityImageStyle = _NSUserNotificationIdentityImageStyleRectangleNoBorder; + note.otherButtonTitle = (__bridge_transfer NSString *) SecCopyCKString(SEC_CK_NOT_NOW); + note.actionButtonTitle = (__bridge_transfer NSString *) SecCopyCKString(SEC_CK_CONTINUE); + note.identifier = [[NSUUID new] UUIDString]; + + note.userInfo = @{ + kKickedOutKey : @1, + kValidOnlyOutOfCircleKey: @1, + @"Activate" : (__bridge NSString *) kMMPropertyKeychainMRDetailsAEAction, + }; + + NSLog(@"body=%@", note.informativeText); + NSLog(@"About to post #-/%lu (KICKOUT): %@", noteCenter.deliveredNotifications.count, note); + [appropriateNotificationCenter() deliverNotification:note]; +} + + +- (void) postApplicationReminder +{ + NSUserNotificationCenter *noteCenter = appropriateNotificationCenter(); + for (NSUserNotification *note in noteCenter.deliveredNotifications) { + if (note.userInfo[@"ApplicationReminder"]) { + if (note.isPresented) { + NSLog(@"Already posted&presented (removing): %@", note); + [appropriateNotificationCenter() removeDeliveredNotification: note]; + } else { + NSLog(@"Already posted, but not presented: %@", note); + } + } + } + + // Improve wording of the iCloud keychain drop/reset error messages + // Contrary to HI spec (and I think it makes more sense) + // 1. otherButton == top : Not Now + // 2. actionButton == bottom: Continue + // 3. 
If we followed HI spec, replace "Activate" => "Dismiss" in note.userInfo below + NSUserNotification *note = [NSUserNotification new]; + note.title = (__bridge_transfer NSString *) SecCopyCKString(SEC_CK_REMINDER_TITLE_OSX); + note.informativeText = (__bridge_transfer NSString *) SecCopyCKString(SEC_CK_REMINDER_BODY_OSX); + note._identityImage = [NSImage bundleImage]; + note._identityImageStyle = _NSUserNotificationIdentityImageStyleRectangleNoBorder; + note.otherButtonTitle = (__bridge_transfer NSString *) SecCopyCKString(SEC_CK_NOT_NOW); + note.actionButtonTitle = (__bridge_transfer NSString *) SecCopyCKString(SEC_CK_CONTINUE); + note.identifier = [[NSUUID new] UUIDString]; + + note.userInfo = @{ + @"ApplicationReminder" : @1, + kValidOnlyOutOfCircleKey: @1, + @"Activate" : (__bridge NSString *) kMMPropertyKeychainWADetailsAEAction, + }; + + NSLog(@"About to post #-/%lu (REMINDER): %@ (I=%@)", noteCenter.deliveredNotifications.count, note, [note.userInfo compactDescription]); + [appropriateNotificationCenter() deliverNotification:note]; +} + +@end diff --git a/OSX/Keychain Circle Notification/KNPersistentState.h b/OSX/Keychain Circle Notification/KNPersistentState.h new file mode 100644 index 00000000..8c2f2a5a --- /dev/null +++ b/OSX/Keychain Circle Notification/KNPersistentState.h 
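Review bot: In `notifyiCloudPreferencesAbout:`, `NSString *account = (__bridge NSString *)(MMCopyLoggedInAccount());` bridges a `Copy`-named CF result without transferring ownership, so if that function follows the CF Copy rule the account string leaks on every call; the same file already uses `__bridge_transfer` for `SecCopyCKString`, and the same idiom belongs here: `NSString *account = (__bridge_transfer NSString *)MMCopyLoggedInAccount();`. In `postKickedOutAlert:` the `departureReasonStrings` table is indexed by the raw `reason` value and bounded only by `kSOSDepartureReasonError <= reason && reason <= kSOSLostPrivateKey`, which silently desynchronises if `enum DepartureReason` is not contiguous in exactly that order or gains a member; a `_Static_assert` comparing the table length against `kSOSLostPrivateKey + 2` would catch that at compile time. The change callback captures `me` (a strong reference to `self`) while `self` owns `circle`, which owns the callbacks, so the delegate is never released; that is presumably intended for an app delegate, but a one-line comment at `KNAppDelegate *me = self;` saying so would stop the next reader from "fixing" it with a weak reference.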
@@ -0,0 +1,40 @@ +/* + * Copyright (c) 2013-2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + + +#import +#include "SecureObjectSync/SOSCloudCircle.h" +#include "SecureObjectSync/SOSPeerInfo.h" + +@interface KNPersistentState : NSObject ++(instancetype)loadFromStorage; +-(void)writeToStorage; + +@property SOSCCStatus lastCircleStatus; +@property NSDate *lastWritten; +@property NSDate *pendingApplicationReminder; +@property NSNumber *pendingApplicationReminderInterval; +@property NSDate *applicationDate; +@property NSNumber *debugLeftReason; +@property BOOL absentCircleWithNoReason; +@end diff --git a/OSX/Keychain Circle Notification/KNPersistentState.m b/OSX/Keychain Circle Notification/KNPersistentState.m new file mode 100644 index 00000000..458ff973 --- /dev/null +++ b/OSX/Keychain Circle Notification/KNPersistentState.m 
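Review bot: The public properties on `KNPersistentState` carry no documentation, yet their defaults and write semantics are only discoverable from the implementation: `lastCircleStatus` defaults to `kSOSCCCircleAbsent`, `pendingApplicationReminder` to `distantFuture`, `applicationDate` to `distantPast`, `pendingApplicationReminderInterval` is forced to 24 hours when missing or non-positive, and `lastWritten` is replaced with the current date by `writeToStorage` regardless of what the caller set. A short comment on each property stating its default and whether the caller's value survives a write, plus one on `loadFromStorage` noting that it returns nil only when allocation fails and otherwise yields fully-defaulted fields, would save readers a trip through the .m file. It would also be worth stating that `writeToStorage` expects the date and interval properties to be non-nil, since the dictionary literal it builds raises otherwise.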
@@ -0,0 +1,96 @@ +/* + * Copyright (c) 2013-2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + + +#import "KNPersistentState.h" + +@implementation KNPersistentState + +-(NSURL*)urlForStorage +{ + return [NSURL URLWithString:@"Preferences/com.apple.security.KCN.plist" relativeToURL:[[NSFileManager defaultManager] URLForDirectory:NSLibraryDirectory inDomain:NSUserDomainMask appropriateForURL:nil create:YES error:nil]]; +} + ++(instancetype)loadFromStorage +{ + KNPersistentState *state = [KNPersistentState new]; + if (!state) { + return state; + } + + id plist = @{@"lastWritten": [NSDate distantPast]}; + + NSError *error = nil; + NSData *stateData = [NSData dataWithContentsOfURL:[state urlForStorage] options:0 error:&error]; + if (!stateData) { + NSLog(@"Can't read state data (p=%@, err=%@)", [state urlForStorage], error); + } else { + NSPropertyListFormat format; + plist = [NSPropertyListSerialization propertyListWithData:stateData options: NSPropertyListMutableContainersAndLeaves format:&format error:&error]; + + if (plist == nil) { + NSLog(@"Can't deserialize %@, 
e=%@", stateData, error); + } + } + + state.lastCircleStatus = plist[@"lastCircleStatus"] ? [plist[@"lastCircleStatus"] intValue] : kSOSCCCircleAbsent; + state.lastWritten = plist[@"lastWritten"]; + state.pendingApplicationReminder = plist[@"pendingApplicationReminder"] ?: [NSDate distantFuture]; + state.applicationDate = plist[@"applicationDate"] ?: [NSDate distantPast]; + state.debugLeftReason = plist[@"debugLeftReason"]; + state.pendingApplicationReminderInterval = plist[@"pendingApplicationReminderInterval"]; + state.absentCircleWithNoReason = plist[@"absentCircleWithNoReason"] ? [plist[@"absentCircleWithNoReason"] intValue] : NO; + + if (!state.pendingApplicationReminderInterval || [state.pendingApplicationReminderInterval doubleValue] <= 0) { + state.pendingApplicationReminderInterval = [NSNumber numberWithUnsignedInt: 24*60*60]; + } + + return state; +} + +-(void)writeToStorage +{ + NSMutableDictionary *plist = [@{@"lastCircleStatus" : [NSNumber numberWithInt:self.lastCircleStatus], + @"lastWritten" : [NSDate date], + @"applicationDate" : self.applicationDate, + @"pendingApplicationReminder" : self.pendingApplicationReminder, + @"pendingApplicationReminderInterval": self.pendingApplicationReminderInterval, + @"absentCircleWithNoReason" : [NSNumber numberWithBool:self.absentCircleWithNoReason], + } mutableCopy]; + if (self.debugLeftReason) + plist[@"debugLeftReason"] = self.debugLeftReason; + NSLog(@"writeToStorage plist=%@", plist); + + NSError *error = nil; + NSData *stateData = [NSPropertyListSerialization dataWithPropertyList:plist format:NSPropertyListXMLFormat_v1_0 options:kCFPropertyListImmutable error:&error]; + if (!stateData) { + NSLog(@"Can't serialize %@: %@", plist, error); + return; + } + if (![stateData writeToURL:[self urlForStorage] options:NSDataWritingAtomic error:&error]) { + NSLog(@"Can't write to %@, error=%@", [self urlForStorage], error); + } +} + + +@end 
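Review bot: In `loadFromStorage`, a state file that exists but does not parse loses the `@{@"lastWritten": [NSDate distantPast]}` fallback, because `plist` is overwritten with the result of `propertyListWithData:` before the nil check; the `plist[@"…"]` lookups then run against nil, leaving `lastWritten` nil, and if the file parses to a non-dictionary (an array, say) the string-keyed subscript raises. The file sits in the user's own `~/Library/Preferences`, so its contents should be treated as untrusted input: change the check to `if (![plist isKindOfClass:[NSDictionary class]]) {` and restore the default inside it with `plist = @{@"lastWritten": [NSDate distantPast]};`, and guard the `intValue` and date reads with `isKindOfClass:` checks in the same spirit. `writeToStorage` builds a dictionary literal from `applicationDate`, `pendingApplicationReminder` and `pendingApplicationReminderInterval`, which raises `NSInvalidArgumentException` if any is nil; that is only safe while every instance originates from `loadFromStorage`, and a comment stating that invariant at the top of `writeToStorage` would make it explicit.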
diff --git a/Security/Keychain Circle Notification/Keychain Circle Notification-Info.plist b/OSX/Keychain Circle Notification/Keychain Circle Notification-Info.plist similarity index 100% rename from Security/Keychain Circle Notification/Keychain Circle Notification-Info.plist rename to OSX/Keychain Circle Notification/Keychain Circle Notification-Info.plist diff --git a/Security/Keychain Circle Notification/Keychain Circle Notification-Prefix.pch b/OSX/Keychain Circle Notification/Keychain Circle Notification-Prefix.pch similarity index 100% rename from Security/Keychain Circle Notification/Keychain Circle Notification-Prefix.pch rename to OSX/Keychain Circle Notification/Keychain Circle Notification-Prefix.pch diff --git a/Security/Keychain Circle Notification/NSArray+mapWithBlock.h b/OSX/Keychain Circle Notification/NSArray+mapWithBlock.h similarity index 100% rename from Security/Keychain Circle Notification/NSArray+mapWithBlock.h rename to OSX/Keychain Circle Notification/NSArray+mapWithBlock.h diff --git a/Security/Keychain Circle Notification/NSArray+mapWithBlock.m b/OSX/Keychain Circle Notification/NSArray+mapWithBlock.m similarity index 100% rename from Security/Keychain Circle Notification/NSArray+mapWithBlock.m rename to OSX/Keychain Circle Notification/NSArray+mapWithBlock.m diff --git a/Security/Keychain Circle Notification/NSDictionary+compactDescription.h b/OSX/Keychain Circle Notification/NSDictionary+compactDescription.h similarity index 100% rename from Security/Keychain Circle Notification/NSDictionary+compactDescription.h rename to OSX/Keychain Circle Notification/NSDictionary+compactDescription.h diff --git a/Security/Keychain Circle Notification/NSDictionary+compactDescription.m b/OSX/Keychain Circle Notification/NSDictionary+compactDescription.m similarity index 100% rename from Security/Keychain Circle Notification/NSDictionary+compactDescription.m rename to OSX/Keychain Circle Notification/NSDictionary+compactDescription.m 
diff --git a/Security/Keychain Circle Notification/NSSet+compactDescription.h b/OSX/Keychain Circle Notification/NSSet+compactDescription.h similarity index 100% rename from Security/Keychain Circle Notification/NSSet+compactDescription.h rename to OSX/Keychain Circle Notification/NSSet+compactDescription.h diff --git a/Security/Keychain Circle Notification/NSSet+compactDescription.m b/OSX/Keychain Circle Notification/NSSet+compactDescription.m similarity index 100% rename from Security/Keychain Circle Notification/NSSet+compactDescription.m rename to OSX/Keychain Circle Notification/NSSet+compactDescription.m diff --git a/Security/Keychain Circle Notification/NSString+compactDescription.h b/OSX/Keychain Circle Notification/NSString+compactDescription.h similarity index 100% rename from Security/Keychain Circle Notification/NSString+compactDescription.h rename to OSX/Keychain Circle Notification/NSString+compactDescription.h diff --git a/Security/Keychain Circle Notification/NSString+compactDescription.m b/OSX/Keychain Circle Notification/NSString+compactDescription.m similarity index 100% rename from Security/Keychain Circle Notification/NSString+compactDescription.m rename to OSX/Keychain Circle Notification/NSString+compactDescription.m diff --git a/Security/Keychain Circle Notification/com.apple.security.keychain-circle-notification.plist b/OSX/Keychain Circle Notification/com.apple.security.keychain-circle-notification.plist similarity index 94% rename from Security/Keychain Circle Notification/com.apple.security.keychain-circle-notification.plist rename to OSX/Keychain Circle Notification/com.apple.security.keychain-circle-notification.plist index bc7d56c4..0167ddd5 100644 --- a/Security/Keychain Circle Notification/com.apple.security.keychain-circle-notification.plist +++ b/OSX/Keychain Circle Notification/com.apple.security.keychain-circle-notification.plist @@ -8,6 +8,8 @@ KeepAlive + ProcessType + Background LaunchEvents com.apple.notifyd.matching 
diff --git a/Security/Keychain/en.lproj/InfoPlist.strings b/OSX/Keychain Circle Notification/en.lproj/InfoPlist.strings similarity index 100% rename from Security/Keychain/en.lproj/InfoPlist.strings rename to OSX/Keychain Circle Notification/en.lproj/InfoPlist.strings 
diff --git a/OSX/Keychain Circle Notification/en.lproj/Localizable.strings b/OSX/Keychain Circle Notification/en.lproj/Localizable.strings new file mode 100644 index 0000000000000000000000000000000000000000..e4f3c21432b6eaaabab993f2b1e861a3e3548fd7 GIT binary patch literal 1208 zcmc(eOH0E*6ot<^zd>Or3fhHLw<7r3NjIW9HzlcUFny4ujrsHHcc+Flq_zuD8It>$ zxo6JYGxPD@Q&&!X4V5tl8sRzR{NMOHy=bNsJ0(+KU$Lb^jaeI$byStu&_^TUh!sns z5NmZaaAI&QGw}Y**LBrXppKpyPdeAB&UC9o{s+2hWbeQ!sGU-s;pbpFE%0rJl4#*M z&RJupC_Lu~?*x3OOTLcwT!p>weu8%a>j3W7w;OhfU{Lod<_w8v6p_7eb?bqQ@wVQ6 z*PDPj8#Q`ck6rs*YtBeoUC+D%2{VrQAsiysOwrxx2$fQ}Pw;aTj$zu=^O!iLYT|25 zX}cShlB+!pVad!oMjvHDGBv)bX*Xm1h0(k + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Default + + + + + + + Left to Right + + + + + + + Right to Left + + + + + + + + + + + Default + + + + + + + Left to Right + + + + + + + Right to Left + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/Security/Keychain/Icon.icns b/OSX/Keychain/Icon.icns similarity index 100% rename from Security/Keychain/Icon.icns rename to OSX/Keychain/Icon.icns diff --git a/Security/Keychain/KDAppDelegate.h b/OSX/Keychain/KDAppDelegate.h similarity index 100% rename from Security/Keychain/KDAppDelegate.h rename to OSX/Keychain/KDAppDelegate.h diff --git a/Security/Keychain/KDAppDelegate.m b/OSX/Keychain/KDAppDelegate.m similarity index 100% rename from Security/Keychain/KDAppDelegate.m rename to OSX/Keychain/KDAppDelegate.m diff --git a/Security/Keychain/KDCirclePeer.h b/OSX/Keychain/KDCirclePeer.h similarity index 100% rename from Security/Keychain/KDCirclePeer.h rename to OSX/Keychain/KDCirclePeer.h diff --git a/Security/Keychain/KDCirclePeer.m b/OSX/Keychain/KDCirclePeer.m similarity index 100% rename from Security/Keychain/KDCirclePeer.m rename to OSX/Keychain/KDCirclePeer.m diff --git a/Security/Keychain/KDSecCircle.h b/OSX/Keychain/KDSecCircle.h similarity index 100% rename from Security/Keychain/KDSecCircle.h rename to OSX/Keychain/KDSecCircle.h 
diff --git a/Security/Keychain/KDSecCircle.m b/OSX/Keychain/KDSecCircle.m similarity index 91% rename from Security/Keychain/KDSecCircle.m rename to OSX/Keychain/KDSecCircle.m index c1a91817..c053ee2f 100644 --- a/Security/Keychain/KDSecCircle.m +++ b/OSX/Keychain/KDSecCircle.m @@ -28,6 +28,8 @@ #include #import "SecureObjectSync/SOSCloudCircle.h" #include "SecureObjectSync/SOSPeerInfo.h" +#import +#include "../utilities/utilities/debugging.h" @interface KDSecCircle () @property (retain) NSMutableArray *callbacks; @@ -53,14 +55,13 @@ // XXX: assert not on main_queue CFErrorRef err = NULL; SOSCCStatus newRawStatus = SOSCCThisDeviceIsInCircle(&err); - - NSArray *peerInfos = (__bridge NSArray *)(SOSCCCopyApplicantPeerInfo(&err)); + NSArray *peerInfos = (__bridge NSArray *) SOSCCCopyApplicantPeerInfo(&err); NSMutableArray *newApplicants = [[NSMutableArray alloc] initWithCapacity:peerInfos.count]; [peerInfos enumerateObjectsUsingBlock:^(id obj, NSUInteger idx, BOOL *stop) { [newApplicants addObject:[[KDCirclePeer alloc] initWithPeerObject:obj]]; }]; - peerInfos = (__bridge NSArray *)(SOSCCCopyPeerPeerInfo(&err)); + peerInfos = (__bridge NSArray *) SOSCCCopyPeerPeerInfo(&err); NSMutableArray *newPeers = [[NSMutableArray alloc] initWithCapacity:peerInfos.count]; [peerInfos enumerateObjectsUsingBlock:^(id obj, NSUInteger idx, BOOL *stop) { [newPeers addObject:[[KDCirclePeer alloc] initWithPeerObject:obj]]; @@ -98,8 +99,8 @@ } self.applicants = [newApplicants copy]; - self.peers = [newPeers copy]; - self.error = (__bridge NSError *)(err); + self.peers = [newPeers copy]; + self.error = (__bridge NSError *)(err); self.changeCount++; for (dispatch_block_t callback in self.callbacks) { 
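Review bot: The rewritten lines `NSArray *peerInfos = (__bridge NSArray *) SOSCCCopyApplicantPeerInfo(&err);` and `peerInfos = (__bridge NSArray *) SOSCCCopyPeerPeerInfo(&err);` still bridge `Copy`-named (+1) results without `__bridge_transfer`, so if this target is compiled under ARC, as the bridge casts suggest, each `updateCheck` leaks both arrays; `self.error = (__bridge NSError *)(err);` in the `@@ -98` hunk has the same problem with the caller-owned error object. Use `__bridge_transfer` on all three, or release the CF objects after use. Separately, `err` is handed to `SOSCCThisDeviceIsInCircle`, `SOSCCCopyApplicantPeerInfo` and `SOSCCCopyPeerPeerInfo` in turn without being inspected or reset between calls, so a failure in an early call is either overwritten or passed as a non-NULL pointer into the next one depending on the SOS contract; a check or a short comment after each call would clarify the intent. The enclosing method starts before the hunk.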
@@ -153,8 +154,7 @@ typedef void (^applicantBlock)(id applicant); self->_queue_ = dispatch_queue_create([[NSString stringWithFormat:@"KDSecCircle@%p", self] UTF8String], NULL); self->_callbacks = [NSMutableArray new]; - // Replace "com.apple.security.secureobjectsync.circlechanged" with kSOSCCCircleChangedNotification once it is exported - notify_register_dispatch("com.apple.security.secureobjectsync.circlechanged", &token, self.queue_, ^(int token){ + notify_register_dispatch(kSOSCCCircleChangedNotification, &token, self.queue_, ^(int token){ [self updateCheck]; }); @@ -175,7 +175,7 @@ typedef void (^applicantBlock)(id applicant); -(BOOL)isInCircle { - return (self.rawStatus == kSOSCCInCircle) ? YES : NO; + return (self.rawStatus == kSOSCCInCircle); } -(BOOL)isOutOfCircle diff --git a/Security/Keychain/KDSecItems.h b/OSX/Keychain/KDSecItems.h similarity index 100% rename from Security/Keychain/KDSecItems.h rename to OSX/Keychain/KDSecItems.h diff --git a/Security/Keychain/KDSecItems.m b/OSX/Keychain/KDSecItems.m similarity index 100% rename from Security/Keychain/KDSecItems.m rename to OSX/Keychain/KDSecItems.m diff --git a/Security/Keychain/Keychain-Info.plist b/OSX/Keychain/Keychain-Info.plist similarity index 100% rename from Security/Keychain/Keychain-Info.plist rename to OSX/Keychain/Keychain-Info.plist diff --git a/Security/Keychain/Keychain-Prefix.pch b/OSX/Keychain/Keychain-Prefix.pch similarity index 100% rename from Security/Keychain/Keychain-Prefix.pch rename to OSX/Keychain/Keychain-Prefix.pch diff --git a/Security/Keychain Circle Notification/en.lproj/Credits.rtf b/OSX/Keychain/en.lproj/Credits.rtf similarity index 100% rename from Security/Keychain Circle Notification/en.lproj/Credits.rtf rename to OSX/Keychain/en.lproj/Credits.rtf diff --git a/Security/authd/en.lproj/InfoPlist.strings b/OSX/Keychain/en.lproj/InfoPlist.strings similarity index 100% rename from Security/authd/en.lproj/InfoPlist.strings rename to OSX/Keychain/en.lproj/InfoPlist.strings 
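Review bot: The block parameter `^(int token)` in the new notify_register_dispatch call shadows the outer `token` whose address is passed two arguments earlier, so a reader cannot tell at a glance which one the handler refers to; renaming the parameter, e.g. `^(int notifyToken){`, removes the ambiguity. The block also captures `self` strongly for as long as the registration lives, so the instance cannot be released until the token is cancelled; if no matching notify_cancel exists elsewhere, consider a weak capture or a comment stating that the lifetime is intentional. The enclosing method starts and ends outside the hunk.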
diff --git a/Security/Keychain/main.m b/OSX/Keychain/main.m similarity index 100% rename from Security/Keychain/main.m rename to OSX/Keychain/main.m diff --git a/OSX/OSX.xcodeproj/project.pbxproj b/OSX/OSX.xcodeproj/project.pbxproj new file mode 100644 index 00000000..993b844e --- /dev/null +++ b/OSX/OSX.xcodeproj/project.pbxproj 
@@ -0,0 +1,8132 @@ +// !$*UTF8*$! +{ + archiveVersion = 1; + classes = { + }; + objectVersion = 46; + objects = { + +/* Begin PBXAggregateTarget section */ + 0C6C642915D5ADB500BC68CD /* Security_kexts */ = { + isa = PBXAggregateTarget; + buildConfigurationList = 0C6C642A15D5ADB500BC68CD /* Build configuration list for PBXAggregateTarget "Security_kexts" */; + buildPhases = ( + ); + dependencies = ( + ); + name = Security_kexts; + productName = Security_kexts; + }; + 182BB598146FE295000BF1F3 /* World */ = { + isa = PBXAggregateTarget; + buildConfigurationList = 182BB599146FE295000BF1F3 /* Build configuration list for PBXAggregateTarget "World" */; + buildPhases = ( + 18F2360315CB30EC00060520 /* ShellScript */, + ); + dependencies = ( + 186F779914E5A06500434E1F /* PBXTargetDependency */, + 186F779B14E5A06800434E1F /* PBXTargetDependency */, + ); + name = World; + productName = SecurityFramework; + }; + 186F778814E59FB200434E1F /* Security_frameworks */ = { + isa = PBXAggregateTarget; + buildConfigurationList = 186F778914E59FB200434E1F /* Build configuration list for PBXAggregateTarget "Security_frameworks" */; + buildPhases = ( + ); + dependencies = ( + 186F779714E5A04200434E1F /* PBXTargetDependency */, + 186F779514E5A01C00434E1F /* PBXTargetDependency */, + 186F779314E5A01700434E1F /* PBXTargetDependency */, + ); + name = Security_frameworks; + productName = Framework; + }; + 186F778C14E59FDA00434E1F /* Security_executables */ = { + isa = PBXAggregateTarget; + buildConfigurationList = 186F778D14E59FDA00434E1F /* Build configuration list for PBXAggregateTarget "Security_executables" */; + buildPhases = ( + ); + dependencies = ( + 5EF7C2541B00EEC000E5E99C /* PBXTargetDependency */, + 3705CADE1A8971DF00402F75 /* PBXTargetDependency */, + 37AB39401A44A95500B56E04 /* PBXTargetDependency */, + 37A7CEDA197DBA8700926CE8 /* PBXTargetDependency */, + 722CF218175D602F00BCE0A5 /* PBXTargetDependency */, + 521470291697842500DF0DB3 /* PBXTargetDependency */, + 
CDEB2BD21A8151CD00B0E23A /* PBXTargetDependency */, + 18F235FF15CA100300060520 /* PBXTargetDependency */, + 186F779114E5A00F00434E1F /* PBXTargetDependency */, + BE48AE291ADF204E000836C1 /* PBXTargetDependency */, + 0CCEBDBA16C303D8001BD7F6 /* PBXTargetDependency */, + 0CFC55E315DDB86500BEC89E /* PBXTargetDependency */, + C2432A2515C726B50096DB5B /* PBXTargetDependency */, + 4CB23B90169F59D8003A0131 /* PBXTargetDependency */, + EBB9FFE01682E71F00FF9774 /* PBXTargetDependency */, + F94E7A971ACC8CC200F23132 /* PBXTargetDependency */, + ); + name = Security_executables; + productName = Other; + }; + 4CE4729E16D833FD009070D1 /* Security_temporary_UI */ = { + isa = PBXAggregateTarget; + buildConfigurationList = 4CE472C716D833FE009070D1 /* Build configuration list for PBXAggregateTarget "Security_temporary_UI" */; + buildPhases = ( + ); + dependencies = ( + 4C797BC916D83A3100C7B586 /* PBXTargetDependency */, + 4C797BF116D83A3800C7B586 /* PBXTargetDependency */, + ); + name = Security_temporary_UI; + productName = "Security_ temporary_UI"; + }; + F93C49311AB8FD350047E01A /* ckcdiagnose.sh */ = { + isa = PBXAggregateTarget; + buildConfigurationList = F93C49321AB8FD350047E01A /* Build configuration list for PBXAggregateTarget "ckcdiagnose.sh" */; + buildPhases = ( + F93C49351AB8FD3B0047E01A /* CopyFiles */, + ); + dependencies = ( + ); + name = ckcdiagnose.sh; + productName = ckcdiagnose.sh; + }; +/* End PBXAggregateTarget section */ + +/* Begin PBXBuildFile section */ + 0C03D62B17D93EED0087643B /* SecDH.h in Headers */ = {isa = PBXBuildFile; fileRef = 0C03D60317D93E810087643B /* SecDH.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 0C10987616CAAE8200803B8F /* libASN1.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1831329914EB2C6D00F0BCAC /* libASN1.a */; }; + 0C4EAE4C1766864F00773425 /* libaks.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18752C1D16F2837A004E2799 /* libaks.a */; }; + 0C4EAE761766875E00773425 /* IOKit.framework in Frameworks */ = {isa = 
PBXBuildFile; fileRef = 18270EFD14CF429600B05E7F /* IOKit.framework */; }; + 0C4EAE7717668DDF00773425 /* libsecdRegressions.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 0C4EAE721766865000773425 /* libsecdRegressions.a */; }; + 0C4F055E15C9E51A00F9DFD5 /* sslTypes.h in Headers */ = {isa = PBXBuildFile; fileRef = 0C4F055D15C9E51A00F9DFD5 /* sslTypes.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 0C6C632A15D1989900BC68CD /* libsecurity_ssl_regressions.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 0C6D77CF15C8B66000BB4405 /* libsecurity_ssl_regressions.a */; }; + 0C6C633015D19FF500BC68CD /* CoreFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 182BB569146F4DCA000BF1F3 /* CoreFoundation.framework */; }; + 0C6D0065177B54CB0095D167 /* com.apple.securityd in CopyFiles */ = {isa = PBXBuildFile; fileRef = 0C6D0064177B54C60095D167 /* com.apple.securityd */; }; + 0CAA7AB516C9A72A00A32C6D /* libsecurity_keychain_regressions.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 0CBD50B316C325F000713B6C /* libsecurity_keychain_regressions.a */; }; + 0CC2CB101B6A04D80074B0F2 /* libDiagnosticMessagesClient.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 0CC2CB0F1B6A04D80074B0F2 /* libDiagnosticMessagesClient.dylib */; }; + 0CC3351C16C1ED8000399E53 /* libsecurity.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18D4053B14CE2C1600A2BE4E /* libsecurity.a */; }; + 0CC3351E16C1ED8000399E53 /* libDER.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1831329A14EB2C6D00F0BCAC /* libDER.a */; }; + 0CC3351F16C1ED8000399E53 /* libSecItemShimOSX.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 186CDD1E14CA11C700AF9171 /* libSecItemShimOSX.a */; }; + 0CC3352016C1ED8000399E53 /* libutilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C12894015FFECF3008CE3E3 /* libutilities.a */; }; + 0CC3352316C1ED8000399E53 /* libSOSRegressions.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C1288EC15FFE9D7008CE3E3 /* libSOSRegressions.a */; }; 
+ 0CC3352416C1ED8000399E53 /* CoreFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 182BB569146F4DCA000BF1F3 /* CoreFoundation.framework */; }; + 0CC3352616C1ED8000399E53 /* libsecipc_client.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270F6014CF655B00B05E7F /* libsecipc_client.a */; }; + 0CC3352716C1ED8000399E53 /* libSecureObjectSync.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C1288EA15FFE9D7008CE3E3 /* libSecureObjectSync.a */; }; + 0CC3355A16C1EEE700399E53 /* main.c in Sources */ = {isa = PBXBuildFile; fileRef = 0CC3355716C1EEE700399E53 /* main.c */; }; + 0CC3356316C1EFBE00399E53 /* libregressions.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 0CC3356016C1EF5D00399E53 /* libregressions.a */; }; + 0CCEBDB116C2CFC1001BD7F6 /* main.c in Sources */ = {isa = PBXBuildFile; fileRef = 0C6C630E15D193C800BC68CD /* main.c */; }; + 0CCEBDB416C2D026001BD7F6 /* libregressions.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 0CC3356016C1EF5D00399E53 /* libregressions.a */; }; + 0CCEBDB616C2E431001BD7F6 /* libsecurityd.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270C7D14CE573D00B05E7F /* libsecurityd.a */; }; + 0CCEBDB716C2E6B0001BD7F6 /* CFNetwork.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270EFB14CF427800B05E7F /* CFNetwork.framework */; }; + 0CCEBDB816C2E6CE001BD7F6 /* libsqlite3.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 182BB5AD146FEF43000BF1F3 /* libsqlite3.dylib */; }; + 0CCEBDBB16C30924001BD7F6 /* libutilitiesRegressions.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C12894215FFECF3008CE3E3 /* libutilitiesRegressions.a */; }; + 18270EE814CF294500B05E7F /* libsecurityd.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270C7D14CE573D00B05E7F /* libsecurityd.a */; }; + 18270EF614CF334A00B05E7F /* server.c in Sources */ = {isa = PBXBuildFile; fileRef = 18270EF314CF333400B05E7F /* server.c */; }; + 18270EF814CF424900B05E7F /* CoreFoundation.framework in Frameworks */ = {isa = 
PBXBuildFile; fileRef = 182BB569146F4DCA000BF1F3 /* CoreFoundation.framework */; }; + 18270EF914CF425100B05E7F /* libbsm.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 182BB5B9146FF0BE000BF1F3 /* libbsm.dylib */; }; + 18270EFA14CF426200B05E7F /* libsqlite3.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 182BB5AD146FEF43000BF1F3 /* libsqlite3.dylib */; }; + 18270EFC14CF427800B05E7F /* CFNetwork.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270EFB14CF427800B05E7F /* CFNetwork.framework */; }; + 18270EFE14CF429600B05E7F /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270EFD14CF429600B05E7F /* IOKit.framework */; }; + 18270F6114CF656E00B05E7F /* libsecipc_client.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270F6014CF655B00B05E7F /* libsecipc_client.a */; }; + 182A191115D09AFF006AB103 /* connection.c in Sources */ = {isa = PBXBuildFile; fileRef = 182A191015D09AFF006AB103 /* connection.c */; }; + 182BB22A146F068B000BF1F3 /* iToolsTrustedApps.plist in Resources */ = {isa = PBXBuildFile; fileRef = 182BB229146F068B000BF1F3 /* iToolsTrustedApps.plist */; }; + 182BB3C5146F1DCB000BF1F3 /* sd_cspdl_common.mdsinfo in Resources */ = {isa = PBXBuildFile; fileRef = 182BB3C4146F1DCB000BF1F3 /* sd_cspdl_common.mdsinfo */; }; + 182BB41B146F2533000BF1F3 /* libsecurity_apple_csp.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1879B5C6146DE6C8007E536C /* libsecurity_apple_csp.a */; }; + 182BB41C146F2533000BF1F3 /* libsecurity_apple_cspdl.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1879B5D2146DE6CE007E536C /* libsecurity_apple_cspdl.a */; }; + 182BB41D146F2533000BF1F3 /* libsecurity_apple_file_dl.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1879B5DE146DE6D7007E536C /* libsecurity_apple_file_dl.a */; }; + 182BB41E146F2533000BF1F3 /* libsecurity_apple_x509_cl.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1879B5EB146DE6E8007E536C /* libsecurity_apple_x509_cl.a */; }; + 182BB41F146F2533000BF1F3 /* 
libsecurity_apple_x509_tp.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1879B5F9146DE6FD007E536C /* libsecurity_apple_x509_tp.a */; }; + 182BB421146F2533000BF1F3 /* libsecurity_authorization.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1879B612146DE70A007E536C /* libsecurity_authorization.a */; }; + 182BB422146F2533000BF1F3 /* libsecurity_cdsa_client.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1879B61E146DE715007E536C /* libsecurity_cdsa_client.a */; }; + 182BB423146F2533000BF1F3 /* libsecurity_cdsa_utilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1879B55A146DE227007E536C /* libsecurity_cdsa_utilities.a */; }; + 182BB424146F2533000BF1F3 /* libsecurity_checkpw.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1879B644146DE748007E536C /* libsecurity_checkpw.a */; }; + 182BB425146F2533000BF1F3 /* libsecurity_cms.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1879B654146DE750007E536C /* libsecurity_cms.a */; }; + 182BB426146F2533000BF1F3 /* libsecurity_codesigning.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1879B666146DE757007E536C /* libsecurity_codesigning.a */; }; + 182BB428146F2533000BF1F3 /* libsecurity_cryptkit.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1879B684146DE76F007E536C /* libsecurity_cryptkit.a */; }; + 182BB429146F2533000BF1F3 /* libsecurity_filedb.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1879B69D146DE797007E536C /* libsecurity_filedb.a */; }; + 182BB42A146F2533000BF1F3 /* libsecurity_keychain.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1879B6B3146DE7A0007E536C /* libsecurity_keychain.a */; }; + 182BB42B146F2533000BF1F3 /* libsecurity_ocspd.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1879B6E9146DE7E8007E536C /* libsecurity_ocspd.a */; }; + 182BB42C146F2533000BF1F3 /* libsecurity_pkcs12.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1879B6F5146DE7EF007E536C /* libsecurity_pkcs12.a */; }; + 182BB42D146F2533000BF1F3 /* libsecurity_transform.a in Frameworks */ = {isa = 
PBXBuildFile; fileRef = 1879B739146DE845007E536C /* libsecurity_transform.a */; }; + 182BB42E146F2533000BF1F3 /* libsecurityd_client.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 184461B1146E9D3300B12992 /* libsecurityd_client.a */; }; + 182BB4E1146F2591000BF1F3 /* libsecurity_manifest.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1879B6D0146DE7D7007E536C /* libsecurity_manifest.a */; }; + 182BB4E2146F2591000BF1F3 /* libsecurity_mds.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1879B6DC146DE7E0007E536C /* libsecurity_mds.a */; }; + 182BB4E3146F2591000BF1F3 /* libsecurity_sd_cspdl.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1879B701146DE7F7007E536C /* libsecurity_sd_cspdl.a */; }; + 182BB4E4146F2591000BF1F3 /* libsecurity_smime.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1879B71C146DE825007E536C /* libsecurity_smime.a */; }; + 182BB4E5146F2591000BF1F3 /* libsecurity_ssl.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1879B728146DE839007E536C /* libsecurity_ssl.a */; }; + 182BB55F146F4544000BF1F3 /* FDEPrefs.plist in Resources */ = {isa = PBXBuildFile; fileRef = 182BB55C146F4544000BF1F3 /* FDEPrefs.plist */; }; + 182BB57F146F51A5000BF1F3 /* csparser.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 182BB557146F4510000BF1F3 /* csparser.cpp */; }; + 182BB589146FE013000BF1F3 /* libsecurity_codesigning.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1879B666146DE757007E536C /* libsecurity_codesigning.a */; }; + 182BB590146FE125000BF1F3 /* libsecurity_cdsa_utilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1879B55A146DE227007E536C /* libsecurity_cdsa_utilities.a */; }; + 182BB591146FE12F000BF1F3 /* libsecurity_utilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1879B538146DDBE5007E536C /* libsecurity_utilities.a */; }; + 182BB592146FE1D7000BF1F3 /* CoreFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 182BB569146F4DCA000BF1F3 /* CoreFoundation.framework */; }; + 182BB5AA146FEE50000BF1F3 
/* CoreFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 182BB569146F4DCA000BF1F3 /* CoreFoundation.framework */; }; + 182BB5AC146FEF15000BF1F3 /* libpam.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 182BB5AB146FEF14000BF1F3 /* libpam.dylib */; }; + 182BB5AE146FEF43000BF1F3 /* libsqlite3.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 182BB5AD146FEF43000BF1F3 /* libsqlite3.dylib */; }; + 182BB5B2146FF039000BF1F3 /* libz.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 182BB5B1146FF039000BF1F3 /* libz.dylib */; }; + 182BB5B4146FF04C000BF1F3 /* libxar.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 182BB5B3146FF04C000BF1F3 /* libxar.dylib */; }; + 182BB5B6146FF090000BF1F3 /* libauto.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 182BB5B5146FF08F000BF1F3 /* libauto.dylib */; }; + 182BB5B8146FF0A2000BF1F3 /* libobjc.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 182BB5B7146FF0A1000BF1F3 /* libobjc.dylib */; }; + 182BB5BA146FF0BF000BF1F3 /* libbsm.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 182BB5B9146FF0BE000BF1F3 /* libbsm.dylib */; }; + 182BB5BB146FF62F000BF1F3 /* libsecurity_comcryption.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1879B676146DE75E007E536C /* libsecurity_comcryption.a */; }; + 1831329B14EB2C6D00F0BCAC /* libASN1.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1831329914EB2C6D00F0BCAC /* libASN1.a */; }; + 1831329C14EB2C6D00F0BCAC /* libDER.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1831329A14EB2C6D00F0BCAC /* libDER.a */; }; + 18363C1417026084002D5C1C /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270EFD14CF429600B05E7F /* IOKit.framework */; }; + 1844605F146DE93E00B12992 /* csp_capabilities.mdsinfo in Resources */ = {isa = PBXBuildFile; fileRef = 1844605B146DE93E00B12992 /* csp_capabilities.mdsinfo */; }; + 18446060146DE93E00B12992 /* csp_capabilities_common.mds in Resources */ = {isa = PBXBuildFile; fileRef = 
1844605C146DE93E00B12992 /* csp_capabilities_common.mds */; }; + 18446061146DE93E00B12992 /* csp_common.mdsinfo in Resources */ = {isa = PBXBuildFile; fileRef = 1844605D146DE93E00B12992 /* csp_common.mdsinfo */; }; + 18446062146DE93E00B12992 /* csp_primary.mdsinfo in Resources */ = {isa = PBXBuildFile; fileRef = 1844605E146DE93E00B12992 /* csp_primary.mdsinfo */; }; + 18446083146DF58B00B12992 /* libsecurity_cdsa_plugin.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1879B62B146DE720007E536C /* libsecurity_cdsa_plugin.a */; }; + 184460C7146E7B1E00B12992 /* cspdl_common.mdsinfo in Resources */ = {isa = PBXBuildFile; fileRef = 184460C3146E7B1E00B12992 /* cspdl_common.mdsinfo */; }; + 184460C8146E7B1E00B12992 /* cspdl_csp_capabilities.mdsinfo in Resources */ = {isa = PBXBuildFile; fileRef = 184460C4146E7B1E00B12992 /* cspdl_csp_capabilities.mdsinfo */; }; + 184460C9146E7B1E00B12992 /* cspdl_csp_primary.mdsinfo in Resources */ = {isa = PBXBuildFile; fileRef = 184460C5146E7B1E00B12992 /* cspdl_csp_primary.mdsinfo */; }; + 184460CA146E7B1E00B12992 /* cspdl_dl_primary.mdsinfo in Resources */ = {isa = PBXBuildFile; fileRef = 184460C6146E7B1E00B12992 /* cspdl_dl_primary.mdsinfo */; }; + 184460E3146E806700B12992 /* dl_common.mdsinfo in Resources */ = {isa = PBXBuildFile; fileRef = 184460E1146E806700B12992 /* dl_common.mdsinfo */; }; + 184460E4146E806700B12992 /* dl_primary.mdsinfo in Resources */ = {isa = PBXBuildFile; fileRef = 184460E2146E806700B12992 /* dl_primary.mdsinfo */; }; + 18446105146E82C800B12992 /* cl_common.mdsinfo in Resources */ = {isa = PBXBuildFile; fileRef = 18446103146E82C800B12992 /* cl_common.mdsinfo */; }; + 18446106146E82C800B12992 /* cl_primary.mdsinfo in Resources */ = {isa = PBXBuildFile; fileRef = 18446104146E82C800B12992 /* cl_primary.mdsinfo */; }; + 18446115146E85A300B12992 /* tp_common.mdsinfo in Resources */ = {isa = PBXBuildFile; fileRef = 18446112146E85A300B12992 /* tp_common.mdsinfo */; }; + 18446116146E85A300B12992 /* 
tp_policyOids.mdsinfo in Resources */ = {isa = PBXBuildFile; fileRef = 18446113146E85A300B12992 /* tp_policyOids.mdsinfo */; }; + 18446117146E85A300B12992 /* tp_primary.mdsinfo in Resources */ = {isa = PBXBuildFile; fileRef = 18446114146E85A300B12992 /* tp_primary.mdsinfo */; }; + 18500F9B14708D0E006F9AB4 /* SecDebugErrorMessages.strings in Resources */ = {isa = PBXBuildFile; fileRef = 18500F9A14708D0E006F9AB4 /* SecDebugErrorMessages.strings */; }; + 18500FA114708F19006F9AB4 /* SecErrorMessages.strings in Resources */ = {isa = PBXBuildFile; fileRef = 18500F9F14708F19006F9AB4 /* SecErrorMessages.strings */; }; + 1879B4AA146DCA18007E536C /* cssm.mdsinfo in Resources */ = {isa = PBXBuildFile; fileRef = 1879B4A9146DCA18007E536C /* cssm.mdsinfo */; }; + 1879B546146DE192007E536C /* libsecurity_utilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1879B538146DDBE5007E536C /* libsecurity_utilities.a */; }; + 1879B570146DE2E6007E536C /* libsecurity_cdsa_utils.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1879B54F146DE212007E536C /* libsecurity_cdsa_utils.a */; }; + 1879B571146DE2FF007E536C /* libsecurity_cssm.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1879B565146DE244007E536C /* libsecurity_cssm.a */; }; + 187A05B1170393FF0038C158 /* libaks.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18752C1D16F2837A004E2799 /* libaks.a */; }; + 187D6B9315D435BD00E27494 /* authorization.buttons.strings in Resources */ = {isa = PBXBuildFile; fileRef = 187D6B8F15D4359F00E27494 /* authorization.buttons.strings */; }; + 187D6B9415D435C700E27494 /* authorization.prompts.strings in Resources */ = {isa = PBXBuildFile; fileRef = 187D6B9115D4359F00E27494 /* authorization.prompts.strings */; }; + 187D6B9715D438AD00E27494 /* authorization.plist in Copy authorization.plist */ = {isa = PBXBuildFile; fileRef = 187D6B9515D436BF00E27494 /* authorization.plist */; }; + 187D6B9815D4476D00E27494 /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 
18270EFD14CF429600B05E7F /* IOKit.framework */; }; + 1885B45214D9AB8100519375 /* libASN1.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1885B3F914D8D9B100519375 /* libASN1.a */; }; + 188AD8DC1471FE3E0081C619 /* FDELocalizable.strings in Resources */ = {isa = PBXBuildFile; fileRef = 188AD8D81471FE3D0081C619 /* FDELocalizable.strings */; }; + 188AD8DD1471FE3E0081C619 /* InfoPlist.strings in Resources */ = {isa = PBXBuildFile; fileRef = 188AD8DA1471FE3D0081C619 /* InfoPlist.strings */; }; + 189757871700CF4C00672567 /* libaks.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18752C1D16F2837A004E2799 /* libaks.a */; }; + 18A5493315EFD3690059E6DC /* dummy.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 18A5493115EFD2F40059E6DC /* dummy.cpp */; }; + 18AD56A414CDE7BE008233F2 /* libSecItemShimOSX.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 186CDD1E14CA11C700AF9171 /* libSecItemShimOSX.a */; }; + 18B647EC14D9F20500F538BF /* oidsalg.h in Headers */ = {isa = PBXBuildFile; fileRef = 18B647E814D9EB6300F538BF /* oidsalg.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18B647ED14D9F20F00F538BF /* oidsattr.h in Headers */ = {isa = PBXBuildFile; fileRef = 18B647EA14D9EE4300F538BF /* oidsattr.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18BBC7361471F5A300F2B224 /* SecExternalSourceTransform.h in Headers */ = {isa = PBXBuildFile; fileRef = 18BBC7351471F5A300F2B224 /* SecExternalSourceTransform.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18BEB19A14CF7F8100C8BD36 /* com.apple.secd.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = 18BEB19614CF74C100C8BD36 /* com.apple.secd.plist */; }; + 18CD682717272EBC005345FB /* libaks.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18752C1D16F2837A004E2799 /* libaks.a */; }; + 18CD684E17272EE2005345FB /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270EFD14CF429600B05E7F /* IOKit.framework */; }; + 18CFEE8915DEE2C600E3F2A3 /* com.apple.authd.sb in Copy sandbox profile */ = {isa = 
PBXBuildFile; fileRef = 18CFEE8715DEE25200E3F2A3 /* com.apple.authd.sb */; }; + 18D6803B16B768F700DF6D2E /* com.apple.authd in Copy asl module */ = {isa = PBXBuildFile; fileRef = 18D6803916B768D500DF6D2E /* com.apple.authd */; }; + 18F2352115C9FA3C00060520 /* agent.c in Sources */ = {isa = PBXBuildFile; fileRef = 18F234F915C9FA3B00060520 /* agent.c */; }; + 18F2352215C9FA3C00060520 /* authdb.c in Sources */ = {isa = PBXBuildFile; fileRef = 18F234FB15C9FA3B00060520 /* authdb.c */; }; + 18F2352315C9FA3C00060520 /* authitems.c in Sources */ = {isa = PBXBuildFile; fileRef = 18F234FD15C9FA3B00060520 /* authitems.c */; }; + 18F2352415C9FA3C00060520 /* authtoken.c in Sources */ = {isa = PBXBuildFile; fileRef = 18F234FF15C9FA3B00060520 /* authtoken.c */; }; + 18F2352515C9FA3C00060520 /* authutilities.c in Sources */ = {isa = PBXBuildFile; fileRef = 18F2350215C9FA3B00060520 /* authutilities.c */; }; + 18F2352615C9FA3C00060520 /* ccaudit.c in Sources */ = {isa = PBXBuildFile; fileRef = 18F2350415C9FA3B00060520 /* ccaudit.c */; }; + 18F2352715C9FA3C00060520 /* crc.c in Sources */ = {isa = PBXBuildFile; fileRef = 18F2350615C9FA3B00060520 /* crc.c */; }; + 18F2352815C9FA3C00060520 /* credential.c in Sources */ = {isa = PBXBuildFile; fileRef = 18F2350815C9FA3B00060520 /* credential.c */; }; + 18F2352915C9FA3C00060520 /* debugging.c in Sources */ = {isa = PBXBuildFile; fileRef = 18F2350A15C9FA3B00060520 /* debugging.c */; }; + 18F2352B15C9FA3C00060520 /* engine.c in Sources */ = {isa = PBXBuildFile; fileRef = 18F2350F15C9FA3B00060520 /* engine.c */; }; + 18F2352C15C9FA3C00060520 /* main.c in Sources */ = {isa = PBXBuildFile; fileRef = 18F2351115C9FA3B00060520 /* main.c */; }; + 18F2352D15C9FA3C00060520 /* mechanism.c in Sources */ = {isa = PBXBuildFile; fileRef = 18F2351215C9FA3B00060520 /* mechanism.c */; }; + 18F2352E15C9FA3C00060520 /* object.c in Sources */ = {isa = PBXBuildFile; fileRef = 18F2351415C9FA3C00060520 /* object.c */; }; + 18F2352F15C9FA3C00060520 /* process.c in 
Sources */ = {isa = PBXBuildFile; fileRef = 18F2351615C9FA3C00060520 /* process.c */; }; + 18F2353015C9FA3C00060520 /* rule.c in Sources */ = {isa = PBXBuildFile; fileRef = 18F2351815C9FA3C00060520 /* rule.c */; }; + 18F2353215C9FA3C00060520 /* server.c in Sources */ = {isa = PBXBuildFile; fileRef = 18F2351D15C9FA3C00060520 /* server.c */; }; + 18F2353315C9FA3C00060520 /* session.c in Sources */ = {isa = PBXBuildFile; fileRef = 18F2351F15C9FA3C00060520 /* session.c */; }; + 18F2353515C9FDB700060520 /* CoreFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 182BB569146F4DCA000BF1F3 /* CoreFoundation.framework */; }; + 18F2353615C9FDD200060520 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CF42BB515A3947F00ACACE1 /* Security.framework */; }; + 18F2353715C9FDE400060520 /* libbsm.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 182BB5B9146FF0BE000BF1F3 /* libbsm.dylib */; }; + 18F2353815C9FDEF00060520 /* libsqlite3.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 182BB5AD146FEF43000BF1F3 /* libsqlite3.dylib */; }; + 18F2360115CAF41200060520 /* libsecurity_codesigning.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18F2360015CAF41100060520 /* libsecurity_codesigning.a */; }; + 18FE68021471A42900A2CBE3 /* SecDigestTransform.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB3A3146F1BEC000BF1F3 /* SecDigestTransform.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE68031471A42900A2CBE3 /* SecReadTransform.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB3A4146F1BEC000BF1F3 /* SecReadTransform.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE68041471A42900A2CBE3 /* SecTransform.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB3A5146F1BEC000BF1F3 /* SecTransform.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE68051471A42900A2CBE3 /* SecCustomTransform.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB3A6146F1BEC000BF1F3 /* SecCustomTransform.h */; settings = {ATTRIBUTES = 
(Public, ); }; }; + 18FE68061471A42900A2CBE3 /* SecDecodeTransform.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB3A7146F1BEC000BF1F3 /* SecDecodeTransform.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE68071471A42900A2CBE3 /* SecEncodeTransform.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB3A8146F1BEC000BF1F3 /* SecEncodeTransform.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE68081471A42900A2CBE3 /* SecEncryptTransform.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB3A9146F1BEC000BF1F3 /* SecEncryptTransform.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE68091471A42900A2CBE3 /* SecSignVerifyTransform.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB3AA146F1BEC000BF1F3 /* SecSignVerifyTransform.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE680A1471A42900A2CBE3 /* SecTransformReadTransform.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB3AB146F1BEC000BF1F3 /* SecTransformReadTransform.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE680B1471A42900A2CBE3 /* CipherSuite.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB36E146F13B4000BF1F3 /* CipherSuite.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE680C1471A42900A2CBE3 /* SecureTransport.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB36F146F13B4000BF1F3 /* SecureTransport.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE680D1471A42900A2CBE3 /* mds.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB356146F1198000BF1F3 /* mds.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE680E1471A42900A2CBE3 /* mds_schema.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB357146F1198000BF1F3 /* mds_schema.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE680F1471A42900A2CBE3 /* SecureDownload.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB315146F0E7E000BF1F3 /* SecureDownload.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE68101471A42900A2CBE3 /* SecAccess.h in Headers */ = {isa = PBXBuildFile; fileRef = 
182BB187146EAD4C000BF1F3 /* SecAccess.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE68111471A42900A2CBE3 /* SecACL.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB188146EAD4C000BF1F3 /* SecACL.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE68121471A42900A2CBE3 /* SecBase.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB189146EAD4C000BF1F3 /* SecBase.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE68131471A42900A2CBE3 /* SecCertificate.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB18A146EAD4C000BF1F3 /* SecCertificate.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE68141471A42900A2CBE3 /* SecIdentity.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB18B146EAD4C000BF1F3 /* SecIdentity.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE68151471A42900A2CBE3 /* SecIdentitySearch.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB18C146EAD4C000BF1F3 /* SecIdentitySearch.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE68161471A42900A2CBE3 /* SecItem.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB18D146EAD4C000BF1F3 /* SecItem.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE68171471A42900A2CBE3 /* SecKey.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB18E146EAD4C000BF1F3 /* SecKey.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE68181471A42900A2CBE3 /* SecKeychain.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB18F146EAD4C000BF1F3 /* SecKeychain.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE68191471A42900A2CBE3 /* SecKeychainItem.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB190146EAD4C000BF1F3 /* SecKeychainItem.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE681A1471A42900A2CBE3 /* SecKeychainSearch.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB191146EAD4C000BF1F3 /* SecKeychainSearch.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE681B1471A42900A2CBE3 /* SecPolicy.h in Headers */ = {isa = PBXBuildFile; fileRef = 
182BB192146EAD4C000BF1F3 /* SecPolicy.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE681C1471A42900A2CBE3 /* SecPolicySearch.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB193146EAD4C000BF1F3 /* SecPolicySearch.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE681D1471A42900A2CBE3 /* SecTrust.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB194146EAD4C000BF1F3 /* SecTrust.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE681E1471A42900A2CBE3 /* SecTrustedApplication.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB195146EAD4C000BF1F3 /* SecTrustedApplication.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE681F1471A42900A2CBE3 /* Security.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB196146EAD4C000BF1F3 /* Security.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE68201471A42900A2CBE3 /* SecImportExport.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB197146EAD4C000BF1F3 /* SecImportExport.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE68211471A42900A2CBE3 /* SecTrustSettings.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB198146EAD4C000BF1F3 /* SecTrustSettings.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE68221471A42900A2CBE3 /* SecCertificateOIDs.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB199146EAD4C000BF1F3 /* SecCertificateOIDs.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE68231471A42900A2CBE3 /* SecRandom.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB19A146EAD4C000BF1F3 /* SecRandom.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE68241471A42900A2CBE3 /* SecTask.h in Headers */ = {isa = PBXBuildFile; fileRef = 1844617E146E9A8500B12992 /* SecTask.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE68251471A42900A2CBE3 /* CodeSigning.h in Headers */ = {isa = PBXBuildFile; fileRef = 1844617F146E9A8500B12992 /* CodeSigning.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE68261471A42900A2CBE3 /* CSCommon.h in Headers */ = {isa = 
PBXBuildFile; fileRef = 18446180146E9A8500B12992 /* CSCommon.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE68271471A42900A2CBE3 /* SecCode.h in Headers */ = {isa = PBXBuildFile; fileRef = 18446181146E9A8500B12992 /* SecCode.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE68281471A42900A2CBE3 /* SecStaticCode.h in Headers */ = {isa = PBXBuildFile; fileRef = 18446182146E9A8500B12992 /* SecStaticCode.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE68291471A42900A2CBE3 /* SecRequirement.h in Headers */ = {isa = PBXBuildFile; fileRef = 18446183146E9A8500B12992 /* SecRequirement.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE682A1471A42900A2CBE3 /* SecCodeHost.h in Headers */ = {isa = PBXBuildFile; fileRef = 18446184146E9A8500B12992 /* SecCodeHost.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE682B1471A42900A2CBE3 /* CMSDecoder.h in Headers */ = {isa = PBXBuildFile; fileRef = 18446170146E982800B12992 /* CMSDecoder.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE682C1471A42900A2CBE3 /* CMSEncoder.h in Headers */ = {isa = PBXBuildFile; fileRef = 18446171146E982800B12992 /* CMSEncoder.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE682D1471A42900A2CBE3 /* AuthorizationTags.h in Headers */ = {isa = PBXBuildFile; fileRef = 18446144146E923200B12992 /* AuthorizationTags.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE682E1471A42900A2CBE3 /* AuthSession.h in Headers */ = {isa = PBXBuildFile; fileRef = 18446145146E923200B12992 /* AuthSession.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE682F1471A42900A2CBE3 /* Authorization.h in Headers */ = {isa = PBXBuildFile; fileRef = 18446146146E923200B12992 /* Authorization.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE68301471A42900A2CBE3 /* AuthorizationDB.h in Headers */ = {isa = PBXBuildFile; fileRef = 18446147146E923200B12992 /* AuthorizationDB.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE68311471A42900A2CBE3 /* AuthorizationPlugin.h in Headers */ = 
{isa = PBXBuildFile; fileRef = 18446148146E923200B12992 /* AuthorizationPlugin.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE68321471A42900A2CBE3 /* SecAsn1Coder.h in Headers */ = {isa = PBXBuildFile; fileRef = 184460AB146DFCC100B12992 /* SecAsn1Coder.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE68331471A42900A2CBE3 /* SecAsn1Templates.h in Headers */ = {isa = PBXBuildFile; fileRef = 184460AC146DFCC100B12992 /* SecAsn1Templates.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE68341471A42900A2CBE3 /* SecAsn1Types.h in Headers */ = {isa = PBXBuildFile; fileRef = 184460AD146DFCC100B12992 /* SecAsn1Types.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE68351471A42900A2CBE3 /* certextensions.h in Headers */ = {isa = PBXBuildFile; fileRef = 1879B4AD146DCA84007E536C /* certextensions.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE68361471A42900A2CBE3 /* cssm.h in Headers */ = {isa = PBXBuildFile; fileRef = 1879B4AE146DCA84007E536C /* cssm.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE68371471A42900A2CBE3 /* cssmaci.h in Headers */ = {isa = PBXBuildFile; fileRef = 1879B4AF146DCA84007E536C /* cssmaci.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE68381471A42900A2CBE3 /* cssmapi.h in Headers */ = {isa = PBXBuildFile; fileRef = 1879B4B0146DCA84007E536C /* cssmapi.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE68391471A42900A2CBE3 /* cssmapple.h in Headers */ = {isa = PBXBuildFile; fileRef = 1879B4B1146DCA84007E536C /* cssmapple.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE683A1471A42900A2CBE3 /* cssmcli.h in Headers */ = {isa = PBXBuildFile; fileRef = 1879B4B2146DCA84007E536C /* cssmcli.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE683B1471A42900A2CBE3 /* cssmconfig.h in Headers */ = {isa = PBXBuildFile; fileRef = 1879B4B3146DCA84007E536C /* cssmconfig.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE683C1471A42900A2CBE3 /* cssmcspi.h in Headers */ = {isa = PBXBuildFile; fileRef = 
1879B4B4146DCA84007E536C /* cssmcspi.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE683D1471A42900A2CBE3 /* cssmdli.h in Headers */ = {isa = PBXBuildFile; fileRef = 1879B4B5146DCA84007E536C /* cssmdli.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE683E1471A42900A2CBE3 /* cssmerr.h in Headers */ = {isa = PBXBuildFile; fileRef = 1879B4B6146DCA84007E536C /* cssmerr.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE683F1471A42900A2CBE3 /* cssmkrapi.h in Headers */ = {isa = PBXBuildFile; fileRef = 1879B4B7146DCA84007E536C /* cssmkrapi.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE68401471A42900A2CBE3 /* cssmkrspi.h in Headers */ = {isa = PBXBuildFile; fileRef = 1879B4B8146DCA84007E536C /* cssmkrspi.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE68411471A42900A2CBE3 /* cssmspi.h in Headers */ = {isa = PBXBuildFile; fileRef = 1879B4B9146DCA84007E536C /* cssmspi.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE68421471A42900A2CBE3 /* cssmtpi.h in Headers */ = {isa = PBXBuildFile; fileRef = 1879B4BA146DCA84007E536C /* cssmtpi.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE68431471A42900A2CBE3 /* cssmtype.h in Headers */ = {isa = PBXBuildFile; fileRef = 1879B4BB146DCA84007E536C /* cssmtype.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE68441471A42900A2CBE3 /* eisl.h in Headers */ = {isa = PBXBuildFile; fileRef = 1879B4BC146DCA84007E536C /* eisl.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE68451471A42900A2CBE3 /* emmspi.h in Headers */ = {isa = PBXBuildFile; fileRef = 1879B4BD146DCA84007E536C /* emmspi.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE68461471A42900A2CBE3 /* emmtype.h in Headers */ = {isa = PBXBuildFile; fileRef = 1879B4BE146DCA84007E536C /* emmtype.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE68491471A42900A2CBE3 /* oidsbase.h in Headers */ = {isa = PBXBuildFile; fileRef = 1879B4C1146DCA84007E536C /* oidsbase.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 
18FE684A1471A42900A2CBE3 /* oidscert.h in Headers */ = {isa = PBXBuildFile; fileRef = 1879B4C2146DCA84007E536C /* oidscert.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE684B1471A42900A2CBE3 /* oidscrl.h in Headers */ = {isa = PBXBuildFile; fileRef = 1879B4C3146DCA84007E536C /* oidscrl.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE684C1471A42900A2CBE3 /* x509defs.h in Headers */ = {isa = PBXBuildFile; fileRef = 1879B4C4146DCA84007E536C /* x509defs.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 18FE684D1471A46600A2CBE3 /* asn1Templates.h in Headers */ = {isa = PBXBuildFile; fileRef = 184460A1146DFCB700B12992 /* asn1Templates.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE684E1471A46600A2CBE3 /* AuthorizationPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 1844614F146E923B00B12992 /* AuthorizationPriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE684F1471A46600A2CBE3 /* AuthorizationTagsPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 1844614E146E923B00B12992 /* AuthorizationTagsPriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE68501471A46600A2CBE3 /* certExtensionTemplates.h in Headers */ = {isa = PBXBuildFile; fileRef = 1844609A146DFCB700B12992 /* certExtensionTemplates.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE68511471A46600A2CBE3 /* checkpw.h in Headers */ = {isa = PBXBuildFile; fileRef = 18446168146E95D700B12992 /* checkpw.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE68521471A46600A2CBE3 /* CMSPrivate.h in Headers */ = {isa = PBXBuildFile; fileRef = 18446174146E982D00B12992 /* CMSPrivate.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE68531471A46600A2CBE3 /* CSCommonPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 1844618C146E9A8F00B12992 /* CSCommonPriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE68541471A46600A2CBE3 /* csrTemplates.h in Headers */ = {isa = PBXBuildFile; fileRef = 1844609B146DFCB700B12992 /* csrTemplates.h */; settings = {ATTRIBUTES = 
(Private, ); }; }; + 18FE68551471A46600A2CBE3 /* cssmapplePriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 1879B4AB146DCA4A007E536C /* cssmapplePriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE68561471A46600A2CBE3 /* keyTemplates.h in Headers */ = {isa = PBXBuildFile; fileRef = 184460A0146DFCB700B12992 /* keyTemplates.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE68571471A46600A2CBE3 /* mdspriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB35A146F11A1000BF1F3 /* mdspriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE68581471A46600A2CBE3 /* nameTemplates.h in Headers */ = {isa = PBXBuildFile; fileRef = 1844609D146DFCB700B12992 /* nameTemplates.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE68591471A46600A2CBE3 /* ocspTemplates.h in Headers */ = {isa = PBXBuildFile; fileRef = 1844609C146DFCB700B12992 /* ocspTemplates.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE685A1471A46600A2CBE3 /* osKeyTemplates.h in Headers */ = {isa = PBXBuildFile; fileRef = 1844609F146DFCB700B12992 /* osKeyTemplates.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE685B1471A46600A2CBE3 /* SecAccessPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB1B2146EAD5D000BF1F3 /* SecAccessPriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE685C1471A46600A2CBE3 /* secasn1t.h in Headers */ = {isa = PBXBuildFile; fileRef = 18446099146DFCB700B12992 /* secasn1t.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE685D1471A46600A2CBE3 /* SecAssessment.h in Headers */ = {isa = PBXBuildFile; fileRef = 18446194146E9A8F00B12992 /* SecAssessment.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE685E1471A46600A2CBE3 /* SecBasePriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB1B3146EAD5D000BF1F3 /* SecBasePriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE685F1471A46600A2CBE3 /* SecCertificateBundle.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB1B4146EAD5D000BF1F3 /* SecCertificateBundle.h */; 
settings = {ATTRIBUTES = (Private, ); }; }; + 18FE68611471A46600A2CBE3 /* SecCertificatePriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB1B5146EAD5D000BF1F3 /* SecCertificatePriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE68621471A46600A2CBE3 /* SecCertificateRequest.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB1B6146EAD5D000BF1F3 /* SecCertificateRequest.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE68631471A46600A2CBE3 /* SecCmsBase.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB383146F14D2000BF1F3 /* SecCmsBase.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE68641471A46600A2CBE3 /* SecCmsContentInfo.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB384146F14D2000BF1F3 /* SecCmsContentInfo.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE68651471A46600A2CBE3 /* SecCmsDecoder.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB385146F14D2000BF1F3 /* SecCmsDecoder.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE68661471A46600A2CBE3 /* SecCmsDigestContext.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB386146F14D2000BF1F3 /* SecCmsDigestContext.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE68671471A46600A2CBE3 /* SecCmsDigestedData.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB387146F14D2000BF1F3 /* SecCmsDigestedData.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE68681471A46600A2CBE3 /* SecCmsEncoder.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB388146F14D2000BF1F3 /* SecCmsEncoder.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE68691471A46600A2CBE3 /* SecCmsEncryptedData.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB389146F14D2000BF1F3 /* SecCmsEncryptedData.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE686A1471A46600A2CBE3 /* SecCmsEnvelopedData.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB38A146F14D2000BF1F3 /* SecCmsEnvelopedData.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE686B1471A46600A2CBE3 /* 
SecCmsMessage.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB38B146F14D2000BF1F3 /* SecCmsMessage.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE686C1471A46600A2CBE3 /* SecCmsRecipientInfo.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB38C146F14D2000BF1F3 /* SecCmsRecipientInfo.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE686D1471A46600A2CBE3 /* SecCmsSignedData.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB38D146F14D2000BF1F3 /* SecCmsSignedData.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE686E1471A46600A2CBE3 /* SecCmsSignerInfo.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB38E146F14D2000BF1F3 /* SecCmsSignerInfo.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE686F1471A46600A2CBE3 /* SecCodeHostLib.h in Headers */ = {isa = PBXBuildFile; fileRef = 18446193146E9A8F00B12992 /* SecCodeHostLib.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE68701471A46600A2CBE3 /* SecCodePriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 1844618D146E9A8F00B12992 /* SecCodePriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE68711471A46600A2CBE3 /* SecCodeSigner.h in Headers */ = {isa = PBXBuildFile; fileRef = 18446190146E9A8F00B12992 /* SecCodeSigner.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE68721471A46600A2CBE3 /* SecFDERecoveryAsymmetricCrypto.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB1AF146EAD5D000BF1F3 /* SecFDERecoveryAsymmetricCrypto.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE68731471A46600A2CBE3 /* SecIdentityPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB1B7146EAD5D000BF1F3 /* SecIdentityPriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE68741471A46600A2CBE3 /* SecIdentitySearchPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB1C4146EAD5D000BF1F3 /* SecIdentitySearchPriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE68751471A46600A2CBE3 /* SecIntegrity.h in Headers */ = {isa = PBXBuildFile; fileRef = 
18446191146E9A8F00B12992 /* SecIntegrity.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE68761471A46600A2CBE3 /* SecIntegrityLib.h in Headers */ = {isa = PBXBuildFile; fileRef = 18446192146E9A8F00B12992 /* SecIntegrityLib.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE68771471A46600A2CBE3 /* SecItemPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB1CA146EAD5D000BF1F3 /* SecItemPriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE68781471A46600A2CBE3 /* SecKeychainItemExtendedAttributes.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB1CB146EAD5D000BF1F3 /* SecKeychainItemExtendedAttributes.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE68791471A46600A2CBE3 /* SecKeychainItemPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB1B8146EAD5D000BF1F3 /* SecKeychainItemPriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE687A1471A46600A2CBE3 /* SecKeychainPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB1B9146EAD5D000BF1F3 /* SecKeychainPriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE687B1471A46700A2CBE3 /* SecKeychainSearchPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB1C5146EAD5D000BF1F3 /* SecKeychainSearchPriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE687C1471A46700A2CBE3 /* SecKeyPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB1BA146EAD5D000BF1F3 /* SecKeyPriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE687D1471A46700A2CBE3 /* SecManifest.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB317146F0E94000BF1F3 /* SecManifest.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE687E1471A46700A2CBE3 /* SecNullTransform.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB3B6146F1BF9000BF1F3 /* SecNullTransform.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE687F1471A46700A2CBE3 /* SecPassword.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB1B0146EAD5D000BF1F3 /* SecPassword.h */; settings = {ATTRIBUTES = (Private, ); 
}; }; + 18FE68801471A46700A2CBE3 /* SecPolicyPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB1BB146EAD5D000BF1F3 /* SecPolicyPriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE68811471A46700A2CBE3 /* SecRandomP.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB1CF146EAD5D000BF1F3 /* SecRandomP.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE68821471A46700A2CBE3 /* SecRecoveryPassword.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB1CE146EAD5D000BF1F3 /* SecRecoveryPassword.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE68831471A46700A2CBE3 /* SecRequirementPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 1844618F146E9A8F00B12992 /* SecRequirementPriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE68841471A46700A2CBE3 /* SecSMIME.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB38F146F14D2000BF1F3 /* SecSMIME.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE68851471A46700A2CBE3 /* SecStaticCodePriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 1844618E146E9A8F00B12992 /* SecStaticCodePriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE68861471A46700A2CBE3 /* SecTransformInternal.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB3B7146F1BF9000BF1F3 /* SecTransformInternal.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE68871471A46700A2CBE3 /* SecTrustedApplicationPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB1BC146EAD5D000BF1F3 /* SecTrustedApplicationPriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE68881471A46700A2CBE3 /* SecTrustPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB1BD146EAD5D000BF1F3 /* SecTrustPriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE68891471A46700A2CBE3 /* SecTrustSettingsPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB1C6146EAD5D000BF1F3 /* SecTrustSettingsPriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE688A1471A46700A2CBE3 /* SecureDownloadInternal.h in Headers */ = {isa = 
PBXBuildFile; fileRef = 182BB318146F0E94000BF1F3 /* SecureDownloadInternal.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE688B1471A46700A2CBE3 /* SecureTransportPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB372146F13BB000BF1F3 /* SecureTransportPriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE688C1471A46700A2CBE3 /* TrustSettingsSchema.h in Headers */ = {isa = PBXBuildFile; fileRef = 182BB1C8146EAD5D000BF1F3 /* TrustSettingsSchema.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 18FE688D1471A46700A2CBE3 /* X509Templates.h in Headers */ = {isa = PBXBuildFile; fileRef = 1844609E146DFCB700B12992 /* X509Templates.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 3705CAD91A896E0600402F75 /* main.c in Sources */ = {isa = PBXBuildFile; fileRef = 3705CACD1A896DA800402F75 /* main.c */; }; + 3705CADA1A896E0F00402F75 /* CoreFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 182BB569146F4DCA000BF1F3 /* CoreFoundation.framework */; }; + 371AB2F21A04052E00A08CF2 /* teamid.sh in CopyFiles */ = {isa = PBXBuildFile; fileRef = 371AB2CA1A04050700A08CF2 /* teamid.sh */; }; + 375370891A8A981E0026B912 /* LocalCaspianTestRun.sh in CopyFiles */ = {isa = PBXBuildFile; fileRef = 37CD05041A8A96DD0053CCD0 /* LocalCaspianTestRun.sh */; }; + 3792614F1A89771A008ADD3C /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 3705CADB1A896E1A00402F75 /* Security.framework */; }; + 37A7CEAE197DB8FA00926CE8 /* FatDynamicValidation.c in Sources */ = {isa = PBXBuildFile; fileRef = 37A7CEAD197DB8FA00926CE8 /* FatDynamicValidation.c */; }; + 37A7CEDD197DCEE500926CE8 /* validation.sh in CopyFiles */ = {isa = PBXBuildFile; fileRef = 37A7CEDB197DCDD700926CE8 /* validation.sh */; }; + 37AB39121A44A88000B56E04 /* gk_reset_check.c in Sources */ = {isa = PBXBuildFile; fileRef = 37AB39111A44A88000B56E04 /* gk_reset_check.c */; }; + 37AB393D1A44A8C300B56E04 /* CoreFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 
182BB569146F4DCA000BF1F3 /* CoreFoundation.framework */; }; + 37CD05031A8A88320053CCD0 /* CaspianTests in CopyFiles */ = {isa = PBXBuildFile; fileRef = 37CD05021A8A87E50053CCD0 /* CaspianTests */; }; + 395E7CEE16C64EA500CD82A4 /* SystemConfiguration.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 395E7CED16C64EA500CD82A4 /* SystemConfiguration.framework */; }; + 39BFB04516D304DE0022564B /* SystemConfiguration.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 395E7CED16C64EA500CD82A4 /* SystemConfiguration.framework */; }; + 431B737F1B27762C00EB0360 /* CloudServices.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 431B73571B27762300EB0360 /* CloudServices.framework */; }; + 431B73C11B2777A200EB0360 /* libutilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C12894015FFECF3008CE3E3 /* libutilities.a */; }; + 432800831B4CE730002E8525 /* libaks.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18752C1D16F2837A004E2799 /* libaks.a */; }; + 432800841B4CE731002E8525 /* libaks.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18752C1D16F2837A004E2799 /* libaks.a */; }; + 4328FE9B1B4CDBA5002E8525 /* CoreFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 182BB569146F4DCA000BF1F3 /* CoreFoundation.framework */; }; + 4328FED11B4CDC11002E8525 /* SystemConfiguration.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 395E7CED16C64EA500CD82A4 /* SystemConfiguration.framework */; }; + 43651E021B016BE8008C4B88 /* CrashReporterSupport.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 43651E011B016BE8008C4B88 /* CrashReporterSupport.framework */; }; + 438166AB1B4EC98000C54D58 /* libctkclient.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4469FC011AA0A56F0021AA26 /* libctkclient.a */; }; + 4381B9A91B28C6B2002BBC79 /* CloudServices.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 431B73571B27762300EB0360 /* CloudServices.framework */; }; + 4381B9AA1B28E09F002BBC79 /* libutilities.a in 
Frameworks */ = {isa = PBXBuildFile; fileRef = 4C12894015FFECF3008CE3E3 /* libutilities.a */; }; + 43A599161B0CFCAB00D14A7B /* CloudKeychain.strings in CopyFiles */ = {isa = PBXBuildFile; fileRef = 43A598591B0CF2AB00D14A7B /* CloudKeychain.strings */; }; + 43C3B0D41AFD569600786702 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CF42BB515A3947F00ACACE1 /* Security.framework */; }; + 43C3B0D51AFD56B700786702 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CF42BB515A3947F00ACACE1 /* Security.framework */; }; + 43C3B2681AFD5B4800786702 /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270EFD14CF429600B05E7F /* IOKit.framework */; }; + 43C3B2C61AFD5BBB00786702 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = CD19A65E1A8065E900F9C276 /* Foundation.framework */; }; + 43C3B3311AFD5E1100786702 /* CoreFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 182BB569146F4DCA000BF1F3 /* CoreFoundation.framework */; }; + 43C3B35A1AFD5E1800786702 /* CoreFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 182BB569146F4DCA000BF1F3 /* CoreFoundation.framework */; }; + 4469FC291AA0A5AF0021AA26 /* libctkclient_test.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4469FC001AA0A56F0021AA26 /* libctkclient_test.a */; }; + 44A655A71AA4B4F30059D185 /* libctkclient.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4469FC011AA0A56F0021AA26 /* libctkclient.a */; }; + 44A655CF1AA4B4F50059D185 /* libctkclient.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4469FC011AA0A56F0021AA26 /* libctkclient.a */; }; + 44B2606818F81A7D008DF20F /* SecAccessControl.h in Headers */ = {isa = PBXBuildFile; fileRef = 44B2603E18F81A6A008DF20F /* SecAccessControl.h */; settings = {ATTRIBUTES = (Public, ); }; }; + 44B2606A18F81C0F008DF20F /* SecAccessControlPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 44B2606918F81BFE008DF20F /* SecAccessControlPriv.h */; settings = 
{ATTRIBUTES = (Private, ); }; }; + 44D78BB71A0A613900B63C6C /* libaks_acl.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 44D78B8F1A0A611C00B63C6C /* libaks_acl.a */; }; + 44D78BB81A0A615500B63C6C /* libaks_acl.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 44D78B8F1A0A611C00B63C6C /* libaks_acl.a */; }; + 44D78BB91A0A615800B63C6C /* libaks_acl.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 44D78B8F1A0A611C00B63C6C /* libaks_acl.a */; }; + 44D78BBA1A0A616200B63C6C /* libaks_acl.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 44D78B8F1A0A611C00B63C6C /* libaks_acl.a */; }; + 44D78BBB1A0A617700B63C6C /* libcoreauthd_client.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 5E27BBFA18F4103100B6C79A /* libcoreauthd_client.a */; }; + 44F7912019FFED88008B8147 /* libcoreauthd_client.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 5E27BBFA18F4103100B6C79A /* libcoreauthd_client.a */; }; + 48FDA8771AF98A3600A9366F /* SOSCloudCircleInternal.h in Copy SecureObjectSync Headers */ = {isa = PBXBuildFile; fileRef = 48FDA84D1AF989F600A9366F /* SOSCloudCircleInternal.h */; }; + 4A5C1790161A9DFB00ABF784 /* authd_private.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 18F2351A15C9FA3C00060520 /* authd_private.h */; }; + 4C01DF14164C3E7C006798CD /* libSecureObjectSync.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C1288EA15FFE9D7008CE3E3 /* libSecureObjectSync.a */; }; + 4C0F6F871985877800178101 /* SecEntitlements.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C0F6F861985877800178101 /* SecEntitlements.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 4C2505B716D2DF9F002CE025 /* Icon.icns in Resources */ = {isa = PBXBuildFile; fileRef = 4C2505B616D2DF9F002CE025 /* Icon.icns */; }; + 4C328D301778EC4F0015EED1 /* AOSUI.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C328D2F1778EC4F0015EED1 /* AOSUI.framework */; }; + 4C49390D16E51ACE00CE110C /* com.apple.security.keychain-circle-notification.plist in Resources */ = {isa = PBXBuildFile; 
fileRef = 4C49390C16E51ACE00CE110C /* com.apple.security.keychain-circle-notification.plist */; }; + 4C49390F16E51FC700CE110C /* com.apple.security.keychain-circle-notification.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C49390C16E51ACE00CE110C /* com.apple.security.keychain-circle-notification.plist */; }; + 4C5DD46A17A5E5D000696A79 /* KNPersistentState.m in Sources */ = {isa = PBXBuildFile; fileRef = 4C5DD44317A5E31900696A79 /* KNPersistentState.m */; }; + 4C5DD46C17A5F67300696A79 /* AppleSystemInfo.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C5DD46B17A5F67300696A79 /* AppleSystemInfo.framework */; }; + 4C7D453D17BEE69B00DDD88F /* NSString+compactDescription.m in Sources */ = {isa = PBXBuildFile; fileRef = 4C7D453C17BEE69B00DDD88F /* NSString+compactDescription.m */; }; + 4C7D456817BEED0400DDD88F /* NSDictionary+compactDescription.m in Sources */ = {isa = PBXBuildFile; fileRef = 4C7D456517BEE6B700DDD88F /* NSDictionary+compactDescription.m */; }; + 4C7D456917BEED1400DDD88F /* NSSet+compactDescription.m in Sources */ = {isa = PBXBuildFile; fileRef = 4C7D456717BEE6B700DDD88F /* NSSet+compactDescription.m */; }; + 4C7D8765160A74C400D041E3 /* libutilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C12894015FFECF3008CE3E3 /* libutilities.a */; }; + 4C85DEDA16DBD5BF00ED8D47 /* KDCirclePeer.m in Sources */ = {isa = PBXBuildFile; fileRef = 4C85DED916DBD5BF00ED8D47 /* KDCirclePeer.m */; }; + 4C85DEDB16DBD5BF00ED8D47 /* KDCirclePeer.m in Sources */ = {isa = PBXBuildFile; fileRef = 4C85DED916DBD5BF00ED8D47 /* KDCirclePeer.m */; }; + 4C8D8651177A752D0019A804 /* libsecipc_client.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270F6014CF655B00B05E7F /* libsecipc_client.a */; }; + 4C96F76016D5462F00D3B39D /* KDSecCircle.m in Sources */ = {isa = PBXBuildFile; fileRef = 4C96F73916D5372C00D3B39D /* KDSecCircle.m */; }; + 4C96F7C216D6DF8400D3B39D /* Cocoa.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 
5214700716977CB800DF0DB3 /* Cocoa.framework */; }; + 4C96F7C816D6DF8400D3B39D /* InfoPlist.strings in Resources */ = {isa = PBXBuildFile; fileRef = 4C96F7C616D6DF8400D3B39D /* InfoPlist.strings */; }; + 4C96F7CA16D6DF8400D3B39D /* main.m in Sources */ = {isa = PBXBuildFile; fileRef = 4C96F7C916D6DF8400D3B39D /* main.m */; }; + 4C96F7D116D6DF8400D3B39D /* KNAppDelegate.m in Sources */ = {isa = PBXBuildFile; fileRef = 4C96F7D016D6DF8400D3B39D /* KNAppDelegate.m */; }; + 4C96F7D416D6DF8400D3B39D /* MainMenu.xib in Resources */ = {isa = PBXBuildFile; fileRef = 4C96F7D216D6DF8400D3B39D /* MainMenu.xib */; }; + 4C97761E17BEB23E0002BFE4 /* AOSAccounts.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C97761D17BEB23E0002BFE4 /* AOSAccounts.framework */; }; + 4CAEACCC16D6FBF600263776 /* KDSecCircle.m in Sources */ = {isa = PBXBuildFile; fileRef = 4C96F73916D5372C00D3B39D /* KDSecCircle.m */; }; + 4CAEACCD16D6FC7600263776 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CF42BB515A3947F00ACACE1 /* Security.framework */; }; + 4CB23B47169F5873003A0131 /* CoreFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 182BB569146F4DCA000BF1F3 /* CoreFoundation.framework */; }; + 4CB23B4C169F5873003A0131 /* security2.1 in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4CB23B4B169F5873003A0131 /* security2.1 */; }; + 4CB23B81169F58DE003A0131 /* security_tool_commands.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CB23B80169F58DE003A0131 /* security_tool_commands.c */; }; + 4CB23B89169F5990003A0131 /* libSecurityTool.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CB23B76169F5873003A0131 /* libSecurityTool.a */; }; + 4CB23B8A169F599A003A0131 /* libSecurityCommands.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CB23B78169F5873003A0131 /* libSecurityCommands.a */; }; + 4CB23B8B169F599A003A0131 /* libSOSCommands.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CB23B7A169F5873003A0131 /* libSOSCommands.a */; }; + 
4CB23B8C169F59AD003A0131 /* libutilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C12894015FFECF3008CE3E3 /* libutilities.a */; }; + 4CB86AF1167A6FF300F46643 /* SOSCloudCircle.h in Copy SecureObjectSync Headers */ = {isa = PBXBuildFile; fileRef = 4CB86AE7167A6FF200F46643 /* SOSCloudCircle.h */; }; + 4CB86AF7167A6FF300F46643 /* SOSPeerInfo.h in Copy SecureObjectSync Headers */ = {isa = PBXBuildFile; fileRef = 4CB86AED167A6FF300F46643 /* SOSPeerInfo.h */; }; + 4CC7A7B416CC2A85003E10C1 /* Cocoa.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 5214700716977CB800DF0DB3 /* Cocoa.framework */; }; + 4CC7A7BA16CC2A85003E10C1 /* InfoPlist.strings in Resources */ = {isa = PBXBuildFile; fileRef = 4CC7A7B816CC2A85003E10C1 /* InfoPlist.strings */; }; + 4CC7A7BC16CC2A85003E10C1 /* main.m in Sources */ = {isa = PBXBuildFile; fileRef = 4CC7A7BB16CC2A85003E10C1 /* main.m */; }; + 4CC7A7C016CC2A85003E10C1 /* Credits.rtf in Resources */ = {isa = PBXBuildFile; fileRef = 4CC7A7BE16CC2A85003E10C1 /* Credits.rtf */; }; + 4CC7A7C316CC2A85003E10C1 /* KDAppDelegate.m in Sources */ = {isa = PBXBuildFile; fileRef = 4CC7A7C216CC2A85003E10C1 /* KDAppDelegate.m */; }; + 4CC7A7C616CC2A85003E10C1 /* MainMenu.xib in Resources */ = {isa = PBXBuildFile; fileRef = 4CC7A7C416CC2A85003E10C1 /* MainMenu.xib */; }; + 4CC7A7F616CD99E2003E10C1 /* KDSecItems.m in Sources */ = {isa = PBXBuildFile; fileRef = 4CC7A7F516CD95D3003E10C1 /* KDSecItems.m */; }; + 4CD1980D16DD3BDF00A9E8FD /* NSArray+mapWithBlock.m in Sources */ = {isa = PBXBuildFile; fileRef = 4CD1980C16DD3BDF00A9E8FD /* NSArray+mapWithBlock.m */; }; + 4CD1980E16DD3BDF00A9E8FD /* NSArray+mapWithBlock.m in Sources */ = {isa = PBXBuildFile; fileRef = 4CD1980C16DD3BDF00A9E8FD /* NSArray+mapWithBlock.m */; }; + 4CE7EAA31AEAF5230067F5BD /* SecItemBackup.h in Headers */ = {isa = PBXBuildFile; fileRef = 4CE7EA7D1AEAF50F0067F5BD /* SecItemBackup.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 5208BF4F16A0993C0062DDC5 /* 
libsecurity.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18D4053B14CE2C1600A2BE4E /* libsecurity.a */; }; + 5208C0D716A0C96F0062DDC5 /* libSecureObjectSync.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C1288EA15FFE9D7008CE3E3 /* libSecureObjectSync.a */; }; + 5214701216977CB800DF0DB3 /* InfoPlist.strings in Resources */ = {isa = PBXBuildFile; fileRef = 5214701016977CB800DF0DB3 /* InfoPlist.strings */; }; + 5214701D16977D9500DF0DB3 /* libutilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C12894015FFECF3008CE3E3 /* libutilities.a */; }; + 5214701E16977DA700DF0DB3 /* libCloudKeychainProxy.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C01DE32164C3793006798CD /* libCloudKeychainProxy.a */; }; + 521470261697800500DF0DB3 /* com.apple.security.cloudkeychainproxy.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = 5214702516977FEC00DF0DB3 /* com.apple.security.cloudkeychainproxy.plist */; }; + 5241C60D16DC1BA100DB5C6F /* libSecOtrOSX.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C1288F215FFE9D7008CE3E3 /* libSecOtrOSX.a */; }; + 5244926A1AFD6CB70043695A /* der_plist.h in Headers */ = {isa = PBXBuildFile; fileRef = 524492691AFD6CB70043695A /* der_plist.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 52669053169D181900ED8231 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CF42BB515A3947F00ACACE1 /* Security.framework */; }; + 529E948C169E29450000AC9B /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 18FE67EA1471A3AA00A2CBE3 /* Security.framework */; }; + 529E948D169E29470000AC9B /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 18FE67EA1471A3AA00A2CBE3 /* Security.framework */; }; + 52AEA489153C778C005AFC59 /* tsaSupportPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 52AEA484153C7581005AFC59 /* tsaSupportPriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 52B006C015238F76005D4556 /* TimeStampingPrefs.plist in Resources */ = {isa = PBXBuildFile; 
fileRef = 52B006BF15238F76005D4556 /* TimeStampingPrefs.plist */; }; + 52B5A9C21519330300664F11 /* tsaSupport.h in Headers */ = {isa = PBXBuildFile; fileRef = 52B5A9C01519330300664F11 /* tsaSupport.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 52B5A9C31519330300664F11 /* tsaTemplates.h in Headers */ = {isa = PBXBuildFile; fileRef = 52B5A9C11519330300664F11 /* tsaTemplates.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 52C3D236169B56860091D9D3 /* ckdmain.m in Sources */ = {isa = PBXBuildFile; fileRef = 52C3D235169B56860091D9D3 /* ckdmain.m */; }; + 52CD052316A0E24900218387 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CF42BB515A3947F00ACACE1 /* Security.framework */; }; + 52F8DDFA1AF2E56700A2C271 /* SOSViews.h in Copy SecureObjectSync Headers */ = {isa = PBXBuildFile; fileRef = 52F8DDF91AF2E56600A2C271 /* SOSViews.h */; }; + 52F8DE211AF2E57300A2C271 /* SOSBackupSliceKeyBag.h in Copy SecureObjectSync Headers */ = {isa = PBXBuildFile; fileRef = 52F8DE201AF2E57300A2C271 /* SOSBackupSliceKeyBag.h */; }; + 52F8DE251AF2E58B00A2C271 /* SOSForerunnerSession.h in Copy SecureObjectSync Headers */ = {isa = PBXBuildFile; fileRef = 52F8DE231AF2E58B00A2C271 /* SOSForerunnerSession.h */; }; + 52F8DE4C1AF2EB6600A2C271 /* SOSTypes.h in Copy SecureObjectSync Headers */ = {isa = PBXBuildFile; fileRef = 52F8DE4B1AF2EB6600A2C271 /* SOSTypes.h */; }; + 532847791785076B009118DC /* Localizable.strings in Resources */ = {isa = PBXBuildFile; fileRef = 5328475117850741009118DC /* Localizable.strings */; }; + 5E605AFC1AB859B70049FA14 /* libcoreauthd_test_client.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 5E605AFB1AB859B70049FA14 /* libcoreauthd_test_client.a */; }; + 5E7AF4731ACD64AC00005140 /* libACM.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 5E7AF4721ACD64AC00005140 /* libACM.a */; }; + 5E7AF49B1ACD64E600005140 /* libACM.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 5E7AF4721ACD64AC00005140 /* libACM.a */; }; + 
5EC01FEE1B0CA7E0009FBB75 /* sec_acl_stress.c in Sources */ = {isa = PBXBuildFile; fileRef = 5EC01FED1B0CA7E0009FBB75 /* sec_acl_stress.c */; }; + 5ED88B451B0DE63E00F3B047 /* libsecurityd.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270C7D14CE573D00B05E7F /* libsecurityd.a */; }; + 5EF7C23E1B00E48200E5E99C /* main.c in Sources */ = {isa = PBXBuildFile; fileRef = 5EF7C23A1B00E48200E5E99C /* main.c */; }; + 5EF7C2401B00E4C300E5E99C /* libregressions.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 0CC3356016C1EF5D00399E53 /* libregressions.a */; }; + 5EF7C24A1B00E6E300E5E99C /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 1807384B146D0D4E00F05C24 /* Security.framework */; }; + 5EF7C24B1B00E71D00E5E99C /* libsecurity.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18D4053B14CE2C1600A2BE4E /* libsecurity.a */; }; + 5EF7C24C1B00E76F00E5E99C /* libSecureObjectSync.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C1288EA15FFE9D7008CE3E3 /* libSecureObjectSync.a */; }; + 5EF7C24E1B00E80000E5E99C /* libutilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C12894015FFECF3008CE3E3 /* libutilities.a */; }; + 5EF7C24F1B00EA5200E5E99C /* libaks_acl.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 44D78B8F1A0A611C00B63C6C /* libaks_acl.a */; }; + 5EF7C2501B00EA7A00E5E99C /* libACM.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 5E7AF4721ACD64AC00005140 /* libACM.a */; }; + 5EF7C2511B00EAF100E5E99C /* libcoreauthd_client.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 5E27BBFA18F4103100B6C79A /* libcoreauthd_client.a */; }; + 5EF7C2521B00EB0A00E5E99C /* libaks.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18752C1D16F2837A004E2799 /* libaks.a */; }; + 5EFB69BD1B0CBE030095A36E /* libDER.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270F1214CF43C000B05E7F /* libDER.a */; }; + 5EFB69C31B0CC16F0095A36E /* libsecipc_client.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270F6014CF655B00B05E7F /* 
libsecipc_client.a */; }; + 72756C31175D48C100F52070 /* cloud_keychain_diagnose.c in Sources */ = {isa = PBXBuildFile; fileRef = 72756C30175D48C100F52070 /* cloud_keychain_diagnose.c */; }; + 7A21DAE619B7F27C0007D37F /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270EFD14CF429600B05E7F /* IOKit.framework */; }; + AAF3DCCB1666D03300376593 /* libsecurity_utilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18F235F715CA0D9D00060520 /* libsecurity_utilities.a */; }; + AC5688BC18B4396D00F0526C /* SecCMS.h in Headers */ = {isa = PBXBuildFile; fileRef = AC5688BA18B4396D00F0526C /* SecCMS.h */; settings = {ATTRIBUTES = (Private, ); }; }; + ACB6171918B5231800EBEDD7 /* libsecurity_smime_regressions.a in Frameworks */ = {isa = PBXBuildFile; fileRef = ACB6171818B5231800EBEDD7 /* libsecurity_smime_regressions.a */; }; + BE2C05151AD893DF00D6A139 /* libsecurity_codesigning.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18F2360015CAF41100060520 /* libsecurity_codesigning.a */; }; + BE48AE031ADF1DF4000836C1 /* server.c in Sources */ = {isa = PBXBuildFile; fileRef = 18270EF314CF333400B05E7F /* server.c */; }; + BE48AE051ADF1DF4000836C1 /* libACM.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 5E7AF4721ACD64AC00005140 /* libACM.a */; }; + BE48AE061ADF1DF4000836C1 /* libcoreauthd_client.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 5E27BBFA18F4103100B6C79A /* libcoreauthd_client.a */; }; + BE48AE071ADF1DF4000836C1 /* libaks.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18752C1D16F2837A004E2799 /* libaks.a */; }; + BE48AE081ADF1DF4000836C1 /* SystemConfiguration.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 395E7CED16C64EA500CD82A4 /* SystemConfiguration.framework */; }; + BE48AE091ADF1DF4000836C1 /* libsecurity.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18D4053B14CE2C1600A2BE4E /* libsecurity.a */; }; + BE48AE0A1ADF1DF4000836C1 /* libsecurity_utilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 
18F235F715CA0D9D00060520 /* libsecurity_utilities.a */; }; + BE48AE0B1ADF1DF4000836C1 /* libutilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C12894015FFECF3008CE3E3 /* libutilities.a */; }; + BE48AE0C1ADF1DF4000836C1 /* libaks_acl.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 44D78B8F1A0A611C00B63C6C /* libaks_acl.a */; }; + BE48AE0D1ADF1DF4000836C1 /* libsecurity_codesigning.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18F2360015CAF41100060520 /* libsecurity_codesigning.a */; }; + BE48AE0E1ADF1DF4000836C1 /* libASN1.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1831329914EB2C6D00F0BCAC /* libASN1.a */; }; + BE48AE0F1ADF1DF4000836C1 /* libDER.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1831329A14EB2C6D00F0BCAC /* libDER.a */; }; + BE48AE101ADF1DF4000836C1 /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270EFD14CF429600B05E7F /* IOKit.framework */; }; + BE48AE111ADF1DF4000836C1 /* libsqlite3.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 182BB5AD146FEF43000BF1F3 /* libsqlite3.dylib */; }; + BE48AE121ADF1DF4000836C1 /* libbsm.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 182BB5B9146FF0BE000BF1F3 /* libbsm.dylib */; }; + BE48AE131ADF1DF4000836C1 /* libsecurityd.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270C7D14CE573D00B05E7F /* libsecurityd.a */; }; + BE48AE141ADF1DF4000836C1 /* libSecureObjectSync.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C1288EA15FFE9D7008CE3E3 /* libSecureObjectSync.a */; }; + BE48AE151ADF1DF4000836C1 /* libctkclient.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4469FC011AA0A56F0021AA26 /* libctkclient.a */; }; + BE48AE161ADF1DF4000836C1 /* libsecipc_client.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270F6014CF655B00B05E7F /* libsecipc_client.a */; }; + BE48AE171ADF1DF4000836C1 /* CoreFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 182BB569146F4DCA000BF1F3 /* CoreFoundation.framework */; }; + 
BE48AE181ADF1DF4000836C1 /* CFNetwork.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270EFB14CF427800B05E7F /* CFNetwork.framework */; }; + BE48AE251ADF1FD3000836C1 /* com.apple.trustd.agent.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = BE48AE241ADF1FD3000836C1 /* com.apple.trustd.agent.plist */; }; + BE48AE271ADF2016000836C1 /* com.apple.trustd.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = BE48AE261ADF2011000836C1 /* com.apple.trustd.plist */; }; + BE60737A1ADC9E89007FECC1 /* libACM.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 5E7AF4721ACD64AC00005140 /* libACM.a */; }; + BE6073A51ADC9F1C007FECC1 /* libctkclient.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4469FC011AA0A56F0021AA26 /* libctkclient.a */; }; + BE6073A61ADC9F7A007FECC1 /* SystemConfiguration.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 395E7CED16C64EA500CD82A4 /* SystemConfiguration.framework */; }; + BE6073A71ADC9F88007FECC1 /* CFNetwork.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270EFB14CF427800B05E7F /* CFNetwork.framework */; }; + BE607DC61AD8673C001B7778 /* libcoreauthd_client.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 5E27BBFA18F4103100B6C79A /* libcoreauthd_client.a */; }; + BE607DC71AD86746001B7778 /* libaks_acl.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 44D78B8F1A0A611C00B63C6C /* libaks_acl.a */; }; + BE607DC81AD86859001B7778 /* libASN1.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1831329914EB2C6D00F0BCAC /* libASN1.a */; }; + BE607DC91AD8685B001B7778 /* libDER.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 1831329A14EB2C6D00F0BCAC /* libDER.a */; }; + BE8C5F0A16F7CE450074CF86 /* framework.sb in Resources */ = {isa = PBXBuildFile; fileRef = BE8C5F0916F7CE450074CF86 /* framework.sb */; }; + BE8D22C01ABB74C3009A4E18 /* libSecTrustOSX.a in Frameworks */ = {isa = PBXBuildFile; fileRef = BE8D22BC1ABB747B009A4E18 /* libSecTrustOSX.a */; }; + BE94B7941AD83AF700A7216D /* libsqlite3.dylib in 
Frameworks */ = {isa = PBXBuildFile; fileRef = 182BB5AD146FEF43000BF1F3 /* libsqlite3.dylib */; }; + BE94B7951AD83AF700A7216D /* libbsm.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 182BB5B9146FF0BE000BF1F3 /* libbsm.dylib */; }; + BE94B7971AD83AF700A7216D /* CoreFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 182BB569146F4DCA000BF1F3 /* CoreFoundation.framework */; }; + BE94B7981AD83AF700A7216D /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270EFD14CF429600B05E7F /* IOKit.framework */; }; + BE94B7CD1AD83B9900A7216D /* server.c in Sources */ = {isa = PBXBuildFile; fileRef = 18270EF314CF333400B05E7F /* server.c */; }; + BE94B7D01AD83D0D00A7216D /* libsecipc_client.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270F6014CF655B00B05E7F /* libsecipc_client.a */; }; + BE94B7D21AD83D0D00A7216D /* libSecTrustOSX.a in Frameworks */ = {isa = PBXBuildFile; fileRef = BE8D22BC1ABB747B009A4E18 /* libSecTrustOSX.a */; }; + BE94B7D41AD83D0D00A7216D /* libsecurity.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18D4053B14CE2C1600A2BE4E /* libsecurity.a */; }; + BE94B7D51AD83D2B00A7216D /* libutilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C12894015FFECF3008CE3E3 /* libutilities.a */; }; + BE94B7D81AD83D6A00A7216D /* libsecurityd.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270C7D14CE573D00B05E7F /* libsecurityd.a */; }; + BE94B7DC1AD8425E00A7216D /* com.apple.trustd.asl in Copy asl module */ = {isa = PBXBuildFile; fileRef = BE94B7DA1AD8424700A7216D /* com.apple.trustd.asl */; }; + BE94B7DD1AD8426500A7216D /* com.apple.trustd.sb in Copy sandbox profile */ = {isa = PBXBuildFile; fileRef = BE94B7DB1AD8424700A7216D /* com.apple.trustd.sb */; }; + BE94B7F01AD8457200A7216D /* libSecureObjectSync.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C1288EA15FFE9D7008CE3E3 /* libSecureObjectSync.a */; }; + BE9703F71AD865540041D253 /* libaks.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 
18752C1D16F2837A004E2799 /* libaks.a */; }; + BEC3A76816F79497003E5634 /* SecTaskPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = BEC3A76716F79497003E5634 /* SecTaskPriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; + BEFB63691B6834AB0052149A /* AppWorkaround.plist in Resources */ = {isa = PBXBuildFile; fileRef = BEFB63681B6834AB0052149A /* AppWorkaround.plist */; }; + C2407A1B1B30BBF30067E6AE /* libutilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C12894015FFECF3008CE3E3 /* libutilities.a */; }; + C288A0891505796F00E773B7 /* libOpenScriptingUtil.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = C288A0881505795D00E773B7 /* libOpenScriptingUtil.dylib */; settings = {ATTRIBUTES = (Weak, ); }; }; + CD0637581A840B5B00C81E74 /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 18270EFD14CF429600B05E7F /* IOKit.framework */; }; + CD0CB49E1A818A0D00C058A4 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 18FE67EA1471A3AA00A2CBE3 /* Security.framework */; }; + CD19A65D1A8065DC00F9C276 /* libutilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C12894015FFECF3008CE3E3 /* libutilities.a */; }; + CD19A65F1A8065E900F9C276 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = CD19A65E1A8065E900F9C276 /* Foundation.framework */; }; + CD19A6611A8069D100F9C276 /* libIDSKeychainSyncingProxy.a in Frameworks */ = {isa = PBXBuildFile; fileRef = CD63AD0C1A8061FA001B5671 /* libIDSKeychainSyncingProxy.a */; }; + CD276BE41A83F204003226BC /* InfoPlist.strings in Resources */ = {isa = PBXBuildFile; fileRef = CD276BE21A83F204003226BC /* InfoPlist.strings */; }; + CD2E85F61A81793B00F8B00A /* IDS.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = CD7446D8195A1CFE00FB01C0 /* IDS.framework */; }; + CD63AD161A8064C2001B5671 /* idksmain.m in Sources */ = {isa = PBXBuildFile; fileRef = CD63AD151A8064C2001B5671 /* idksmain.m */; }; + CD7446D9195A1CFE00FB01C0 /* IDS.framework in Frameworks */ = 
{isa = PBXBuildFile; fileRef = CD7446D8195A1CFE00FB01C0 /* IDS.framework */; }; + CD8B5A9D1B618ED9004D4AEF /* SOSPeerInfoPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = CD8B5A9C1B618ED9004D4AEF /* SOSPeerInfoPriv.h */; }; + CDAE4B9A1A86F6F20000AA84 /* idskeychainsyncingproxy.entitlements.plist in Resources */ = {isa = PBXBuildFile; fileRef = CD63AD191A8064DE001B5671 /* idskeychainsyncingproxy.entitlements.plist */; }; + CDAE4BC21A86F6FF0000AA84 /* cloudkeychain.entitlements.plist in Resources */ = {isa = PBXBuildFile; fileRef = 5214702416977FEC00DF0DB3 /* cloudkeychain.entitlements.plist */; }; + CDB22CE31A9D2EA70043E348 /* IDSKeychainSyncingProxy-Info.plist in Resources */ = {isa = PBXBuildFile; fileRef = CD63AD181A8064DE001B5671 /* IDSKeychainSyncingProxy-Info.plist */; }; + CDDE9D1E1729E2E60013B0E8 /* SecPasswordGenerate.h in Headers */ = {isa = PBXBuildFile; fileRef = CDDE9D1C1729DF250013B0E8 /* SecPasswordGenerate.h */; settings = {ATTRIBUTES = (Private, ); }; }; + CDE08DD41A85E92200B5C261 /* com.apple.security.idskeychainsyncingproxy.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = CD50D6D21A841C0E00C35E74 /* com.apple.security.idskeychainsyncingproxy.plist */; }; + CDF91EC91AAE022600E88CF7 /* com.apple.private.alloy.keychainsync.plist in Resources */ = {isa = PBXBuildFile; fileRef = CDF91EC81AAE022600E88CF7 /* com.apple.private.alloy.keychainsync.plist */; }; + CDF91EF51AAE028F00E88CF7 /* com.apple.private.alloy.keychainsync.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = CDF91EC81AAE022600E88CF7 /* com.apple.private.alloy.keychainsync.plist */; }; + D41685841B3A288F001FB54E /* oids.h in Headers */ = {isa = PBXBuildFile; fileRef = D41685831B3A288F001FB54E /* oids.h */; settings = {ATTRIBUTES = (Public, ); }; }; + E76079D61951FDAF00F69731 /* liblogging.a in Frameworks */ = {isa = PBXBuildFile; fileRef = E76079D51951FDA800F69731 /* liblogging.a */; }; + E778BFBC17176DDE00302C14 /* security.exp-in in Sources */ = {isa = PBXBuildFile; fileRef 
= 182BB562146F4C73000BF1F3 /* security.exp-in */; }; + EB22F3F918A26BCA0016A8EC /* SecBreadcrumb.c in Sources */ = {isa = PBXBuildFile; fileRef = EB22F3F718A26BA50016A8EC /* SecBreadcrumb.c */; }; + EB22F3FA18A26BCE0016A8EC /* SecBreadcrumb.h in Headers */ = {isa = PBXBuildFile; fileRef = EB22F3F818A26BA50016A8EC /* SecBreadcrumb.h */; settings = {ATTRIBUTES = (Private, ); }; }; + EB22F3FB18A26BE40016A8EC /* bc-10-knife-on-bread.c in Sources */ = {isa = PBXBuildFile; fileRef = EB22F3F518A26BA50016A8EC /* bc-10-knife-on-bread.c */; }; + EB5D733B1B0CB0FF009CAA47 /* SOSPeerInfo.h in Old SOS header location */ = {isa = PBXBuildFile; fileRef = 4CB86AED167A6FF300F46643 /* SOSPeerInfo.h */; }; + EB5D733C1B0CB109009CAA47 /* SOSTypes.h in Old SOS header location */ = {isa = PBXBuildFile; fileRef = 52F8DE4B1AF2EB6600A2C271 /* SOSTypes.h */; }; + F93C493E1AB8FF670047E01A /* ckcdiagnose.sh in CopyFiles */ = {isa = PBXBuildFile; fileRef = F93C493D1AB8FF670047E01A /* ckcdiagnose.sh */; settings = {ATTRIBUTES = (CodeSignOnCopy, ); }; }; +/* End PBXBuildFile section */ + +/* Begin PBXBuildRule section */ + E778BFB91717461800302C14 /* PBXBuildRule */ = { + isa = PBXBuildRule; + compilerSpec = com.apple.compilers.proxy.script; + filePatterns = "*.exp-in"; + fileType = pattern.proxy; + isEditable = 1; + outputFiles = ( + "$(BUILT_PRODUCTS_DIR)/$(TARGETNAME).$(CURRENT_ARCH).exp", + ); + script = "#!/bin/sh\n\nfor file in ${HEADER_SEARCH_PATHS[@]} ; do\nHEADER_SEARCH_OPTIONS=\"${HEADER_SEARCH_OPTIONS} -I${file}\"\ndone\n\nxcrun clang -E -Xpreprocessor -P -x c -arch ${CURRENT_ARCH} ${HEADER_SEARCH_OPTIONS} ${INPUT_FILE_PATH} -o ${BUILT_PRODUCTS_DIR}/${TARGETNAME}.${CURRENT_ARCH}.exp\n"; + }; +/* End PBXBuildRule section */ + +/* Begin PBXContainerItemProxy section */ + 0C4EAE711766865000773425 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 0C0BDB5F175687EC00BC1A7E; 
+ remoteInfo = libsecdRegressions; + }; + 0C4EAE7817668DFF00773425 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 0C0BDB55175687EC00BC1A7E; + remoteInfo = libsecdRegressions; + }; + 0C6C632D15D19D2900BC68CD /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B71F146DE839007E536C /* libsecurity_ssl.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 0CCA415815C89E8B002AEC4C; + remoteInfo = libsecurity_ssl_regressions; + }; + 0C6D77CE15C8B66000BB4405 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B71F146DE839007E536C /* libsecurity_ssl.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 0CCA415915C89E8B002AEC4C; + remoteInfo = libsecurity_ssl_regressions; + }; + 0C6D77D015C8B66000BB4405 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B71F146DE839007E536C /* libsecurity_ssl.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 0CCA42C915C8A387002AEC4C; + remoteInfo = dtlsEchoClient; + }; + 0C6D77D215C8B66000BB4405 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B71F146DE839007E536C /* libsecurity_ssl.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 0CCA42D715C8A395002AEC4C; + remoteInfo = dtlsEchoServer; + }; + 0C6D77EA15C8C06600BB4405 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 0C6D77DE15C8C06500BB4405 /* tlsnke.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 0CE08A73148FF2C6000473EB; + remoteInfo = tlsnketest; + }; + 0C6D77EC15C8C06600BB4405 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 0C6D77DE15C8C06500BB4405 /* tlsnke.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 0CDF46A014DC794300FFE2FD; + remoteInfo = tlssocket; + }; + 0CBD50B216C325F000713B6C /* PBXContainerItemProxy */ = { + isa 
= PBXContainerItemProxy; + containerPortal = 1879B6A0146DE79F007E536C /* libsecurity_keychain.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 0CBD509716C3242200713B6C; + remoteInfo = libsecurity_keychain_regressions; + }; + 0CBD50C616C3260D00713B6C /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B6A0146DE79F007E536C /* libsecurity_keychain.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 0CBD500016C3242200713B6C; + remoteInfo = libsecurity_keychain_regressions; + }; + 0CC3350916C1ED8000399E53 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = E702E73514E1F3EA00CDE635; + remoteInfo = libSecureObjectSync; + }; + 0CC3350B16C1ED8000399E53 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C12893715FFECF3008CE3E3 /* utilities.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = E742A09B14E343E70052A486; + remoteInfo = utilities; + }; + 0CC3350D16C1ED8000399E53 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = E702E75714E1F48800CDE635; + remoteInfo = libSOSRegressions; + }; + 0CC3351116C1ED8000399E53 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 18D4043414CE0CF300A2BE4E; + remoteInfo = libsecurity; + }; + 0CC3351316C1ED8000399E53 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 18270F5414CF651900B05E7F; + remoteInfo = libsecipc_client; + }; + 0CC3351516C1ED8000399E53 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + 
proxyType = 1; + remoteGlobalIDString = 186CDD0E14CA116C00AF9171; + remoteInfo = libSecItemShimOSX; + }; + 0CC3355F16C1EF5D00399E53 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 0CC3355B16C1EF5D00399E53 /* regressions.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = E710C6FE133192E900F85568; + remoteInfo = regressions; + }; + 0CC3356116C1EF8B00399E53 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 0CC3355B16C1EF5D00399E53 /* regressions.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = E710C6FD133192E900F85568; + remoteInfo = regressions; + }; + 0CCEBDB216C2CFD4001BD7F6 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 0CC3355B16C1EF5D00399E53 /* regressions.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = E710C6FD133192E900F85568; + remoteInfo = regressions; + }; + 0CCEBDB916C303D8001BD7F6 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 18073841146D0D4E00F05C24 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 0CC3350716C1ED8000399E53; + remoteInfo = secdtests; + }; + 0CCEBDBC16C30948001BD7F6 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C12893715FFECF3008CE3E3 /* utilities.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = E7E0D8E8158FA9A3002CA176; + remoteInfo = utilitiesRegressions; + }; + 0CFC55E215DDB86500BEC89E /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 18073841146D0D4E00F05C24 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 0C6C630A15D193C800BC68CD; + remoteInfo = sectests; + }; + 18270C7C14CE573D00B05E7F /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 18D4056214CE53C200A2BE4E; + remoteInfo = securityd; + }; + 18270EE014CF28D000B05E7F /* PBXContainerItemProxy */ = { + 
isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 18D4043414CE0CF300A2BE4E; + remoteInfo = libsecurity; + }; + 18270EE214CF28D900B05E7F /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 18D4056114CE53C200A2BE4E; + remoteInfo = libsecurityd; + }; + 18270F1114CF43C000B05E7F /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 18270F0814CF43C000B05E7F /* libDER.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 053BA314091C00BF00A7007A; + remoteInfo = libDER; + }; + 18270F1314CF43C000B05E7F /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 18270F0814CF43C000B05E7F /* libDER.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 053BA445091FE58C00A7007A; + remoteInfo = parseCert; + }; + 18270F1514CF43C000B05E7F /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 18270F0814CF43C000B05E7F /* libDER.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 053BA46B091FE63E00A7007A; + remoteInfo = libDERUtils; + }; + 18270F1714CF43C000B05E7F /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 18270F0814CF43C000B05E7F /* libDER.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 058F16540925135E009FA1C5; + remoteInfo = parseCrl; + }; + 18270F1914CF43C000B05E7F /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 18270F0814CF43C000B05E7F /* libDER.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 4C96C8CE113F4132005483E8; + remoteInfo = parseTicket; + }; + 18270F5C14CF655B00B05E7F /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 18270F5414CF651900B05E7F; + remoteInfo = 
libsecipc_client; + }; + 18270F5F14CF655B00B05E7F /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 18270F5514CF651900B05E7F; + remoteInfo = libsecipc_client; + }; + 182BB22B146F07DD000BF1F3 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B6A0146DE79F007E536C /* libsecurity_keychain.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 4C5719C712FB5E9E00B31F85; + remoteInfo = XPCKeychainSandboxCheck; + }; + 182BB3EB146F2448000BF1F3 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B5F0146DE6FD007E536C /* libsecurity_apple_x509_tp.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 4CA1FEBD052A3C8100F22E42; + remoteInfo = libsecurity_apple_x509_tp; + }; + 182BB3ED146F248D000BF1F3 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B6EC146DE7EE007E536C /* libsecurity_pkcs12.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 0592AC8B0415523C00003D05; + remoteInfo = libsecurity_pkcs12; + }; + 182BB3EF146F248D000BF1F3 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B72B146DE844007E536C /* libsecurity_transform.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 4CA1FEBD052A3C8100F22E42; + remoteInfo = libsecurity_transform; + }; + 182BB3F1146F248D000BF1F3 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B6DF146DE7E7007E536C /* libsecurity_ocspd.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 4CA1FEBD052A3C8100F22E42; + remoteInfo = libsecurity_ocspd; + }; + 182BB3F3146F248D000BF1F3 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B66D146DE75D007E536C /* libsecurity_comcryption.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 7264321D00A8AD0A7F000001; + remoteInfo = libsecurity_comcryption; + }; + 
182BB3F5146F248D000BF1F3 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B637146DE748007E536C /* libsecurity_checkpw.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 4CA1FEBD052A3C8100F22E42; + remoteInfo = libsecurity_checkpw; + }; + 182BB3F7146F248D000BF1F3 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B71F146DE839007E536C /* libsecurity_ssl.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 4CA1FEBD052A3C8100F22E42; + remoteInfo = libsecurity_ssl; + }; + 182BB3FB146F248D000BF1F3 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B5C9146DE6CE007E536C /* libsecurity_apple_cspdl.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 4CA1FEBD052A3C8100F22E42; + remoteInfo = libsecurity_apple_cspdl; + }; + 182BB3FD146F248D000BF1F3 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B6F8146DE7F7007E536C /* libsecurity_sd_cspdl.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 4CA1FEBD052A3C8100F22E42; + remoteInfo = libsecurity_sd_cspdl; + }; + 182BB3FF146F248D000BF1F3 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B6C7146DE7D7007E536C /* libsecurity_manifest.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = D6C8AFAD05DD2430003DB724; + remoteInfo = libsecurity_manifest; + }; + 182BB401146F248D000BF1F3 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B712146DE825007E536C /* libsecurity_smime.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 4C2741ED03E9FBF700A80181; + remoteInfo = libsecurity_smime; + }; + 182BB403146F248D000BF1F3 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B64B146DE750007E536C /* libsecurity_cms.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 4CA1FEBD052A3C8100F22E42; + remoteInfo = libsecurity_cms; + }; + 182BB405146F248D000BF1F3 /* 
PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B5BC146DE6C8007E536C /* libsecurity_apple_csp.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 4CA1FEBD052A3C8100F22E42; + remoteInfo = libsecurity_apple_csp; + }; + 182BB407146F248D000BF1F3 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B5E1146DE6E7007E536C /* libsecurity_apple_x509_cl.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 4CA1FEBD052A3C8100F22E42; + remoteInfo = libsecurity_apple_x509_cl; + }; + 182BB409146F248D000BF1F3 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B6A0146DE79F007E536C /* libsecurity_keychain.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 4CA1FEBD052A3C8100F22E42; + remoteInfo = libsecurity_keychain; + }; + 182BB40B146F248D000BF1F3 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B5D5146DE6D7007E536C /* libsecurity_apple_file_dl.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 4CA1FEBD052A3C8100F22E42; + remoteInfo = libsecurity_apple_file_dl; + }; + 182BB40D146F248D000BF1F3 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B609146DE70A007E536C /* libsecurity_authorization.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 4CA1FEBD052A3C8100F22E42; + remoteInfo = libsecurity_authorization; + }; + 182BB40F146F248D000BF1F3 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B550146DE227007E536C /* libsecurity_cdsa_utilities.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 4CA2A5390523D32800978A7B; + remoteInfo = libsecurity_cdsa_utilities; + }; + 182BB411146F248D000BF1F3 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B679146DE76E007E536C /* libsecurity_cryptkit.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 7264322800A8AD0A7F000001; + remoteInfo = libsecurity_cryptkit; + }; + 
182BB413146F248D000BF1F3 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B615146DE715007E536C /* libsecurity_cdsa_client.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 4CA1FEBD052A3C8100F22E42; + remoteInfo = libsecurity_cdsa_client; + }; + 182BB417146F248D000BF1F3 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B694146DE797007E536C /* libsecurity_filedb.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 4CA1FEBD052A3C8100F22E42; + remoteInfo = libsecurity_filedb; + }; + 182BB419146F248D000BF1F3 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B6D3146DE7E0007E536C /* libsecurity_mds.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 4CA1FEBD052A3C8100F22E42; + remoteInfo = libsecurity_mds; + }; + 182BB4E6146F25AF000BF1F3 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B657146DE756007E536C /* libsecurity_codesigning.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 4CA1FEBD052A3C8100F22E42; + remoteInfo = libsecurity_codesigning; + }; + 182BB587146FE001000BF1F3 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B657146DE756007E536C /* libsecurity_codesigning.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 4CA1FEBD052A3C8100F22E42; + remoteInfo = libsecurity_codesigning; + }; + 182BB58C146FE0FF000BF1F3 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B550146DE227007E536C /* libsecurity_cdsa_utilities.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 4CA2A5390523D32800978A7B; + remoteInfo = libsecurity_cdsa_utilities; + }; + 182BB58E146FE11C000BF1F3 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B532146DDBE5007E536C /* libsecurity_utilities.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 4CA2A5390523D32800978A7B; + remoteInfo = libsecurity_utilities; + }; + 
182BB595146FE27F000BF1F3 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 18073841146D0D4E00F05C24 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 1807384A146D0D4E00F05C24; + remoteInfo = Security; + }; + 18446081146DF52F00B12992 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B621146DE720007E536C /* libsecurity_cdsa_plugin.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 4CA1FEBD052A3C8100F22E42; + remoteInfo = libsecurity_cdsa_plugin; + }; + 184461B0146E9D3300B12992 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 184461A3146E9D3200B12992 /* libsecurityd.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 4CA1FEBE052A3C8100F22E42; + remoteInfo = libsecurityd_client; + }; + 184461B4146E9D3300B12992 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 184461A3146E9D3200B12992 /* libsecurityd.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 4CA1FECD052A44A100F22E42; + remoteInfo = libsecurityd_server; + }; + 184461B8146E9D3300B12992 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 184461A3146E9D3200B12992 /* libsecurityd.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = C2A788730B7AA65B00CFF85C; + remoteInfo = ucspc; + }; + 186CDD1D14CA11C700AF9171 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 186CDD0F14CA116C00AF9171; + remoteInfo = sec; + }; + 186F779014E5A00F00434E1F /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 18073841146D0D4E00F05C24 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 18270ED514CF282600B05E7F; + remoteInfo = secd; + }; + 186F779214E5A01700434E1F /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 18073841146D0D4E00F05C24 /* Project 
object */; + proxyType = 1; + remoteGlobalIDString = 1807384A146D0D4E00F05C24; + remoteInfo = Security; + }; + 186F779414E5A01C00434E1F /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 18073841146D0D4E00F05C24 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 182BB567146F4DCA000BF1F3; + remoteInfo = csparser; + }; + 186F779614E5A04200434E1F /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 18073841146D0D4E00F05C24 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 18FE67E91471A3AA00A2CBE3; + remoteInfo = copyHeaders; + }; + 186F779814E5A06500434E1F /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 18073841146D0D4E00F05C24 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 186F778814E59FB200434E1F; + remoteInfo = Framework; + }; + 186F779A14E5A06800434E1F /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 18073841146D0D4E00F05C24 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 186F778C14E59FDA00434E1F; + remoteInfo = Helpers; + }; + 1879B537146DDBE5007E536C /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B532146DDBE5007E536C /* libsecurity_utilities.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 4CA2A53A0523D32800978A7B; + remoteInfo = utilities; + }; + 1879B544146DE18D007E536C /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B532146DDBE5007E536C /* libsecurity_utilities.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 4CA2A5390523D32800978A7B; + remoteInfo = libsecurity_utilities; + }; + 1879B54E146DE212007E536C /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B547146DE212007E536C /* libsecurity_cdsa_utils.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 4CA1FEBE052A3C8100F22E42; + remoteInfo = cdsa_utils; + }; + 1879B559146DE227007E536C /* 
PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B550146DE227007E536C /* libsecurity_cdsa_utilities.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 4CA2A53A0523D32800978A7B; + remoteInfo = cdsa_utilities; + }; + 1879B55B146DE227007E536C /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B550146DE227007E536C /* libsecurity_cdsa_utilities.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 4CF9C5B90535E557009B9B8D; + remoteInfo = Schemas; + }; + 1879B564146DE244007E536C /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B55D146DE244007E536C /* libsecurity_cssm.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 4CA1FEBE052A3C8100F22E42; + remoteInfo = cssm; + }; + 1879B56B146DE2CF007E536C /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B547146DE212007E536C /* libsecurity_cdsa_utils.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 4CA1FEBD052A3C8100F22E42; + remoteInfo = libsecurity_cdsa_utils; + }; + 1879B56D146DE2D3007E536C /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B55D146DE244007E536C /* libsecurity_cssm.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 4CA1FEBD052A3C8100F22E42; + remoteInfo = libsecurity_cssm; + }; + 1879B5C5146DE6C8007E536C /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B5BC146DE6C8007E536C /* libsecurity_apple_csp.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 4CA1FEBE052A3C8100F22E42; + remoteInfo = libsecurity_apple_csp; + }; + 1879B5D1146DE6CE007E536C /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B5C9146DE6CE007E536C /* libsecurity_apple_cspdl.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 4CA1FEBE052A3C8100F22E42; + remoteInfo = libsecurity_apple_cspdl; + }; + 1879B5DD146DE6D7007E536C /* PBXContainerItemProxy */ = { + isa = 
PBXContainerItemProxy; + containerPortal = 1879B5D5146DE6D7007E536C /* libsecurity_apple_file_dl.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 4CA1FEBE052A3C8100F22E42; + remoteInfo = libsecurity_apple_file_dl; + }; + 1879B5EA146DE6E8007E536C /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B5E1146DE6E7007E536C /* libsecurity_apple_x509_cl.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 4CC7C27506127AA100E6CE35; + remoteInfo = libsecurity_apple_x509_cl; + }; + 1879B5EE146DE6E8007E536C /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B5E1146DE6E7007E536C /* libsecurity_apple_x509_cl.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = C207F277053B21E600FF85CB; + remoteInfo = plugin_apple_x509_cl; + }; + 1879B5F8146DE6FD007E536C /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B5F0146DE6FD007E536C /* libsecurity_apple_x509_tp.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 4CA1FEBE052A3C8100F22E42; + remoteInfo = libsecurity_apple_x509_tp; + }; + 1879B611146DE70A007E536C /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B609146DE70A007E536C /* libsecurity_authorization.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 4CA1FEBE052A3C8100F22E42; + remoteInfo = libsecurity_authorization; + }; + 1879B61D146DE715007E536C /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B615146DE715007E536C /* libsecurity_cdsa_client.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 4CA1FEBE052A3C8100F22E42; + remoteInfo = libsecurity_cdsa_client; + }; + 1879B62A146DE720007E536C /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B621146DE720007E536C /* libsecurity_cdsa_plugin.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 4CA1FEBE052A3C8100F22E42; + remoteInfo = libsecurity_cdsa_plugin; + }; + 1879B643146DE748007E536C 
/* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B637146DE748007E536C /* libsecurity_checkpw.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 4CA1FEBE052A3C8100F22E42; + remoteInfo = libsecurity_checkpw; + }; + 1879B647146DE748007E536C /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B637146DE748007E536C /* libsecurity_checkpw.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 1CD90B6711011176008DD07F; + remoteInfo = "test-checkpw"; + }; + 1879B649146DE748007E536C /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B637146DE748007E536C /* libsecurity_checkpw.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 1C6C402F1121FC0C00031CDE; + remoteInfo = "perf-checkpw"; + }; + 1879B653146DE750007E536C /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B64B146DE750007E536C /* libsecurity_cms.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 4CA1FEBE052A3C8100F22E42; + remoteInfo = libsecurity_cms; + }; + 1879B665146DE757007E536C /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B657146DE756007E536C /* libsecurity_codesigning.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 4CA1FEBE052A3C8100F22E42; + remoteInfo = libsecurity_codesigning; + }; + 1879B669146DE757007E536C /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B657146DE756007E536C /* libsecurity_codesigning.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = C2BC1F260B580D3A003EC9DC; + remoteInfo = libintegrity; + }; + 1879B66B146DE757007E536C /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B657146DE756007E536C /* libsecurity_codesigning.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = C2BC1F2F0B580D4B003EC9DC; + remoteInfo = libcodehost; + }; + 1879B675146DE75E007E536C /* PBXContainerItemProxy */ = { + isa = 
PBXContainerItemProxy; + containerPortal = 1879B66D146DE75D007E536C /* libsecurity_comcryption.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 7264321400A8AD0A7F000001; + remoteInfo = libsecurity_comcryption; + }; + 1879B683146DE76F007E536C /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B679146DE76E007E536C /* libsecurity_cryptkit.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 7264321600A8AD0A7F000001; + remoteInfo = libsecurity_cryptkit; + }; + 1879B687146DE76F007E536C /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B679146DE76E007E536C /* libsecurity_cryptkit.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 0535DCBE074A944D00805B04; + remoteInfo = libCryptKit; + }; + 1879B689146DE76F007E536C /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B679146DE76E007E536C /* libsecurity_cryptkit.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 0536B295074BC91A00F9F1AD; + remoteInfo = CryptKitSignature; + }; + 1879B69C146DE797007E536C /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B694146DE797007E536C /* libsecurity_filedb.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 4CA1FEBE052A3C8100F22E42; + remoteInfo = libsecurity_filedb; + }; + 1879B6B2146DE7A0007E536C /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B6A0146DE79F007E536C /* libsecurity_keychain.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 4CA1FEBE052A3C8100F22E42; + remoteInfo = libsecurity_keychain; + }; + 1879B6B6146DE7A0007E536C /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B6A0146DE79F007E536C /* libsecurity_keychain.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 4C5719C812FB5E9E00B31F85; + remoteInfo = XPCKeychainSandboxCheck; + }; + 1879B6CF146DE7D7007E536C /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + 
containerPortal = 1879B6C7146DE7D7007E536C /* libsecurity_manifest.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = D6C8AFAE05DD2430003DB724; + remoteInfo = libsecurity_manifest; + }; + 1879B6DB146DE7E0007E536C /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B6D3146DE7E0007E536C /* libsecurity_mds.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 4CA1FEBE052A3C8100F22E42; + remoteInfo = libsecurity_mds; + }; + 1879B6E8146DE7E8007E536C /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B6DF146DE7E7007E536C /* libsecurity_ocspd.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 4CA1FEBE052A3C8100F22E42; + remoteInfo = libsecurity_ocspd; + }; + 1879B6F4146DE7EF007E536C /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B6EC146DE7EE007E536C /* libsecurity_pkcs12.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 0592AC8C0415523C00003D05; + remoteInfo = libsecurity_pkcs12; + }; + 1879B700146DE7F7007E536C /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B6F8146DE7F7007E536C /* libsecurity_sd_cspdl.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 4CA1FEBE052A3C8100F22E42; + remoteInfo = libsecurity_sd_cspdl; + }; + 1879B71B146DE825007E536C /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B712146DE825007E536C /* libsecurity_smime.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 4C817F8405ED4D7A007975E6; + remoteInfo = libsecurity_smime; + }; + 1879B727146DE839007E536C /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B71F146DE839007E536C /* libsecurity_ssl.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 4CA1FEBE052A3C8100F22E42; + remoteInfo = libsecurity_ssl; + }; + 1879B738146DE845007E536C /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B72B146DE844007E536C /* 
libsecurity_transform.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 4CA1FEBE052A3C8100F22E42; + remoteInfo = libsecurity_transform; + }; + 1879B73C146DE845007E536C /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B72B146DE844007E536C /* libsecurity_transform.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 4C738257112DF65200EA003B; + remoteInfo = "unit-tests"; + }; + 1879B73E146DE845007E536C /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B72B146DE844007E536C /* libsecurity_transform.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 4CBCBEB61130A2D700CC18E9; + remoteInfo = "100-sha2"; + }; + 1879B740146DE845007E536C /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B72B146DE844007E536C /* libsecurity_transform.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 4C010B87121AE8DF0094CB72; + remoteInfo = "input-speed-test"; + }; + 1885B3F814D8D9B100519375 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B5FC146DE704007E536C /* libsecurity_asn1.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 795CA7FF0D38013D00BAE6A2; + remoteInfo = libASN1; + }; + 1885B45014D9AB3D00519375 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B5FC146DE704007E536C /* libsecurity_asn1.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 795CA7FE0D38013D00BAE6A2; + remoteInfo = libASN1; + }; + 18AD56A514CDED59008233F2 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 186CDD0E14CA116C00AF9171; + remoteInfo = sec; + }; + 18B9655B1472F83C005A4D2E /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 184461A3146E9D3200B12992 /* libsecurityd.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 4C31C2D9055341AA006D00BD; + 
remoteInfo = world; + }; + 18D4053A14CE2C1600A2BE4E /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 18D4043514CE0CF300A2BE4E; + remoteInfo = security; + }; + 18F235FE15CA100300060520 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 18073841146D0D4E00F05C24 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 18F234EA15C9F9A600060520; + remoteInfo = security.auth; + }; + 18FE688E1471A4C900A2CBE3 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 18073841146D0D4E00F05C24 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 18FE67E91471A3AA00A2CBE3; + remoteInfo = copyHeaders; + }; + 3705CADD1A8971DF00402F75 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 18073841146D0D4E00F05C24 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 3705CAD11A896DE800402F75; + remoteInfo = SecTaskTest; + }; + 37A7CED9197DBA8700926CE8 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 18073841146D0D4E00F05C24 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 37A7CEAA197DB8FA00926CE8; + remoteInfo = codesign_tests; + }; + 37AB393F1A44A95500B56E04 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 18073841146D0D4E00F05C24 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 37AB390E1A44A88000B56E04; + remoteInfo = gk_reset_check; + }; + 4374574D1B2787950051E20E /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C12893715FFECF3008CE3E3 /* utilities.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = E742A09B14E343E70052A486; + remoteInfo = utilities; + }; + 4381B9AB1B28E0F4002BBC79 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C12893715FFECF3008CE3E3 /* utilities.xcodeproj */; 
+ proxyType = 1; + remoteGlobalIDString = E742A09B14E343E70052A486; + remoteInfo = utilities; + }; + 4AD6F6F31651CC2500DB4CE6 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 4A5CCA4E15ACEFA500702357; + remoteInfo = libSecOtrOSX; + }; + 4C01DE31164C3793006798CD /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 528402A0164445760035F320; + remoteInfo = libCloudKeychainProxy; + }; + 4C01DF12164C3E74006798CD /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = E702E73514E1F3EA00CDE635; + remoteInfo = libSecureObjectSync; + }; + 4C1288E915FFE9D7008CE3E3 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = E702E75614E1F3EA00CDE635; + remoteInfo = libSecureObjectSync; + }; + 4C1288EB15FFE9D7008CE3E3 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = E702E77814E1F48800CDE635; + remoteInfo = libSOSRegressions; + }; + 4C1288ED15FFE9D7008CE3E3 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 4A824B03158FF07000F932C0; + remoteInfo = libSecurityRegressions; + }; + 4C1288EF15FFE9D7008CE3E3 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 4CC92B1415A3BC6B00C6D578; + remoteInfo = libsecuritydRegressions; + }; + 4C1288F115FFE9D7008CE3E3 /* 
PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 4A5CCA4F15ACEFA500702357; + remoteInfo = libSecOtrOSX; + }; + 4C12893F15FFECF3008CE3E3 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C12893715FFECF3008CE3E3 /* utilities.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = E742A09C14E343E70052A486; + remoteInfo = utilities; + }; + 4C12894115FFECF3008CE3E3 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C12893715FFECF3008CE3E3 /* utilities.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = E7E0D8F9158FA9A3002CA176; + remoteInfo = utilitiesRegressions; + }; + 4C12894315FFED03008CE3E3 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C12893715FFECF3008CE3E3 /* utilities.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = E742A09B14E343E70052A486; + remoteInfo = utilities; + }; + 4C797BC816D83A3100C7B586 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 18073841146D0D4E00F05C24 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 4C96F7C016D6DF8300D3B39D; + remoteInfo = "Keychain Circle Notification"; + }; + 4C797BF016D83A3800C7B586 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 18073841146D0D4E00F05C24 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 4CC7A7B216CC2A84003E10C1; + remoteInfo = "Cloud Keychain Utility"; + }; + 4C7D8763160A746E00D041E3 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C12893715FFECF3008CE3E3 /* utilities.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = E742A09B14E343E70052A486; + remoteInfo = utilities; + }; + 4C8D864F177A75100019A804 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType 
= 1; + remoteGlobalIDString = 18270F5414CF651900B05E7F; + remoteInfo = libsecipc_client; + }; + 4CB23B75169F5873003A0131 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = E71049F2169E023B00DB0045; + remoteInfo = libSecurityTool; + }; + 4CB23B77169F5873003A0131 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = E7104A1D169E216E00DB0045; + remoteInfo = libSecurityCommands; + }; + 4CB23B79169F5873003A0131 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = E7FEFB8C169E363300E18152; + remoteInfo = libSOSCommands; + }; + 4CB23B83169F5961003A0131 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = E7FEFB82169E363300E18152; + remoteInfo = libSOSCommands; + }; + 4CB23B85169F5971003A0131 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = E7104A12169E216E00DB0045; + remoteInfo = libSecurityCommands; + }; + 4CB23B87169F597D003A0131 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = E71049F1169E023B00DB0045; + remoteInfo = libSecurityTool; + }; + 4CB23B8F169F59D8003A0131 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 18073841146D0D4E00F05C24 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 4CB23B45169F5873003A0131; + remoteInfo = security2; + }; + 5208C0FD16A0D3980062DDC5 /* PBXContainerItemProxy */ = { + isa = 
PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = E702E73514E1F3EA00CDE635; + remoteInfo = libSecureObjectSync; + }; + 5214701716977D1D00DF0DB3 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C12893715FFECF3008CE3E3 /* utilities.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = E742A09B14E343E70052A486; + remoteInfo = utilities; + }; + 5214701916977D2500DF0DB3 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 5284029F164445760035F320; + remoteInfo = libCloudKeychainProxy; + }; + 521470281697842500DF0DB3 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 18073841146D0D4E00F05C24 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 5214700516977CB800DF0DB3; + remoteInfo = CloudKeychainProxy; + }; + 529FF21F1523BD7F0029D842 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B6A0146DE79F007E536C /* libsecurity_keychain.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 52200F8714F2B87F00F7F6E7; + remoteInfo = XPCTimeStampingService; + }; + 52B5A8F5151928B400664F11 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B6A0146DE79F007E536C /* libsecurity_keychain.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 52200F8F14F2B88000F7F6E7; + remoteInfo = XPCTimeStampingService; + }; + 5ED88B6D1B0DEF3100F3B047 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 18270F0814CF43C000B05E7F /* libDER.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 053BA313091C00BF00A7007A; + remoteInfo = libDER; + }; + 5ED88B6F1B0DEF4700F3B047 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 1; + 
remoteGlobalIDString = 18270F5414CF651900B05E7F; + remoteInfo = libsecipc_client; + }; + 5EE556661B01D9A8006F78F2 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 18D4056114CE53C200A2BE4E; + remoteInfo = libsecurityd; + }; + 5EE556901B01D9F5006F78F2 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 0CC3355B16C1EF5D00399E53 /* regressions.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = E710C6FD133192E900F85568; + remoteInfo = regressions; + }; + 5EE556921B01DA24006F78F2 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 18D4043414CE0CF300A2BE4E; + remoteInfo = libsecurity; + }; + 5EE556941B01DA33006F78F2 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = E702E73514E1F3EA00CDE635; + remoteInfo = libSecureObjectSync; + }; + 5EE556961B01DA3E006F78F2 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C12893715FFECF3008CE3E3 /* utilities.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = E742A09B14E343E70052A486; + remoteInfo = utilities; + }; + 5EF7C2531B00EEC000E5E99C /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 18073841146D0D4E00F05C24 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 5EF7C2091B00E25400E5E99C; + remoteInfo = secacltests; + }; + 5EFB69C11B0CBFC30095A36E /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 186CDD0E14CA116C00AF9171; + remoteInfo = libSecItemShimOSX; + }; + 722CF217175D602F00BCE0A5 /* PBXContainerItemProxy */ = { + isa = 
PBXContainerItemProxy; + containerPortal = 18073841146D0D4E00F05C24 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 72756BFD175D485D00F52070; + remoteInfo = cloud_keychain_diagnose; + }; + ACB6171718B5231800EBEDD7 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B712146DE825007E536C /* libsecurity_smime.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = AC62F5F018B4356A00704BBD; + remoteInfo = libsecurity_smime_regressions; + }; + ACB6173E18B5232700EBEDD7 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B712146DE825007E536C /* libsecurity_smime.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = AC62F5EF18B4356A00704BBD; + remoteInfo = libsecurity_smime_regressions; + }; + BE48ADF91ADF1DF4000836C1 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 18270F5414CF651900B05E7F; + remoteInfo = libsecipc_client; + }; + BE48ADFB1ADF1DF4000836C1 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = E702E73514E1F3EA00CDE635; + remoteInfo = libSecureObjectSync; + }; + BE48ADFD1ADF1DF4000836C1 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C12893715FFECF3008CE3E3 /* utilities.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = E742A09B14E343E70052A486; + remoteInfo = utilities; + }; + BE48ADFF1ADF1DF4000836C1 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 18D4056114CE53C200A2BE4E; + remoteInfo = libsecurityd; + }; + BE48AE011ADF1DF4000836C1 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 1; 
+ remoteGlobalIDString = 18D4043414CE0CF300A2BE4E; + remoteInfo = libsecurity; + }; + BE48AE221ADF1E66000836C1 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = BE8D227F1ABB7199009A4E18; + remoteInfo = libSecTrustOSX; + }; + BE48AE281ADF204E000836C1 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 18073841146D0D4E00F05C24 /* Project object */; + proxyType = 1; + remoteGlobalIDString = BE48ADF71ADF1DF4000836C1; + remoteInfo = trustd; + }; + BE8D22941ABB747A009A4E18 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = BE8D227F1ABB7199009A4E18; + remoteInfo = libSecTrustOSX; + }; + BE8D22BB1ABB747B009A4E18 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = BE8D228E1ABB7199009A4E18; + remoteInfo = libSecTrustOSX; + }; + BE94B7E01AD8442600A7216D /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 18270F5414CF651900B05E7F; + remoteInfo = libsecipc_client; + }; + BE94B7E41AD8446500A7216D /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C12893715FFECF3008CE3E3 /* utilities.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = E742A09B14E343E70052A486; + remoteInfo = utilities; + }; + BE94B7E61AD8446C00A7216D /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 18D4056114CE53C200A2BE4E; + remoteInfo = libsecurityd; + }; + BE94B7E81AD8447B00A7216D /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + 
containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 18D4043414CE0CF300A2BE4E; + remoteInfo = libsecurity; + }; + BE94B7EA1AD8449300A7216D /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = BE8D227F1ABB7199009A4E18; + remoteInfo = libSecTrustOSX; + }; + BE94B7EE1AD8453300A7216D /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = E702E73514E1F3EA00CDE635; + remoteInfo = libSecureObjectSync; + }; + C2432A0715C7112A0096DB5B /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B657146DE756007E536C /* libsecurity_codesigning.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = C209696015BF52040093035F; + remoteInfo = gkunpack; + }; + C2432A2415C726B50096DB5B /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B657146DE756007E536C /* libsecurity_codesigning.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = C209695F15BF52040093035F; + remoteInfo = gkunpack; + }; + CD63AD0B1A8061FA001B5671 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = CD3F914B1A802EBF00E07119; + remoteInfo = libIDSKeychainSyncingProxy; + }; + CD63AD111A8063AF001B5671 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = CD3F914A1A802EBF00E07119; + remoteInfo = libIDSKeychainSyncingProxy; + }; + CD63AD131A8063B7001B5671 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C12893715FFECF3008CE3E3 /* utilities.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = 
E742A09B14E343E70052A486; + remoteInfo = utilities; + }; + CDEB2BD11A8151CD00B0E23A /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 18073841146D0D4E00F05C24 /* Project object */; + proxyType = 1; + remoteGlobalIDString = CD63ACDF1A8061FA001B5671; + remoteInfo = IDSKeychainSyncingProxy; + }; + E7421C7D1ADC8E0D005FC1C0 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 0C6D77DE15C8C06500BB4405 /* tlsnke.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = 0CC9A7F0146DF66000C18F89; + remoteInfo = tlsnke; + }; + E760796E1951F99600F69731 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = BEF9640618B4171200813FA3; + remoteInfo = libSWCAgent; + }; + E76079D41951FDA800F69731 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = E76079D21951FD2800F69731; + remoteInfo = liblogging; + }; + E76079F91951FDF600F69731 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = E76079971951FD2800F69731; + remoteInfo = liblogging; + }; + EB2E1F57166D6B3700A7EF61 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B657146DE756007E536C /* libsecurity_codesigning.xcodeproj */; + proxyType = 2; + remoteGlobalIDString = EB2E1F05166D69B800A7EF61; + remoteInfo = CodeSigningHelper; + }; + EBB9FFDF1682E71F00FF9774 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 1879B657146DE756007E536C /* libsecurity_codesigning.xcodeproj */; + proxyType = 1; + remoteGlobalIDString = EBB9FF6E1682E51300FF9774; + remoteInfo = CodeSigningHelper; + }; + F94E7A961ACC8CC200F23132 /* PBXContainerItemProxy */ = { + isa = 
PBXContainerItemProxy; + containerPortal = 18073841146D0D4E00F05C24 /* Project object */; + proxyType = 1; + remoteGlobalIDString = F93C49311AB8FD350047E01A; + remoteInfo = ckcdiagnose.sh; + }; +/* End PBXContainerItemProxy section */ + +/* Begin PBXCopyFilesBuildPhase section */ + 0C6D003C177B545D0095D167 /* CopyFiles */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 8; + dstPath = /private/etc/asl; + dstSubfolderSpec = 0; + files = ( + 0C6D0065177B54CB0095D167 /* com.apple.securityd in CopyFiles */, + ); + runOnlyForDeploymentPostprocessing = 1; + }; + 187D6B9615D4381C00E27494 /* Copy authorization.plist */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 8; + dstPath = "$(SYSTEM_LIBRARY_DIR)/Security"; + dstSubfolderSpec = 0; + files = ( + 187D6B9715D438AD00E27494 /* authorization.plist in Copy authorization.plist */, + ); + name = "Copy authorization.plist"; + runOnlyForDeploymentPostprocessing = 1; + }; + 18BEB19914CF7F0B00C8BD36 /* CopyFiles */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 8; + dstPath = /System/Library/LaunchAgents; + dstSubfolderSpec = 0; + files = ( + 18BEB19A14CF7F8100C8BD36 /* com.apple.secd.plist in CopyFiles */, + ); + runOnlyForDeploymentPostprocessing = 1; + }; + 18CFEE8815DEE2BA00E3F2A3 /* Copy sandbox profile */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 8; + dstPath = "$(SYSTEM_LIBRARY_DIR)/Sandbox/Profiles"; + dstSubfolderSpec = 0; + files = ( + 18CFEE8915DEE2C600E3F2A3 /* com.apple.authd.sb in Copy sandbox profile */, + ); + name = "Copy sandbox profile"; + runOnlyForDeploymentPostprocessing = 1; + }; + 18D6803A16B768DE00DF6D2E /* Copy asl module */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 8; + dstPath = /private/etc/asl; + dstSubfolderSpec = 0; + files = ( + 18D6803B16B768F700DF6D2E /* com.apple.authd in Copy asl module */, + ); + name = "Copy asl module"; + runOnlyForDeploymentPostprocessing = 1; + }; + 3705CAD01A896DE800402F75 /* CopyFiles */ = { + isa = 
PBXCopyFilesBuildPhase; + buildActionMask = 2147483647; + dstPath = /usr/share/man/man1/; + dstSubfolderSpec = 0; + files = ( + ); + runOnlyForDeploymentPostprocessing = 1; + }; + 37A7CEDC197DCECD00926CE8 /* CopyFiles */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 8; + dstPath = /AppleInternal/CoreOS/codesign_tests; + dstSubfolderSpec = 0; + files = ( + 375370891A8A981E0026B912 /* LocalCaspianTestRun.sh in CopyFiles */, + 37CD05031A8A88320053CCD0 /* CaspianTests in CopyFiles */, + 371AB2F21A04052E00A08CF2 /* teamid.sh in CopyFiles */, + 37A7CEDD197DCEE500926CE8 /* validation.sh in CopyFiles */, + ); + runOnlyForDeploymentPostprocessing = 1; + }; + 43A599151B0CFC8200D14A7B /* CopyFiles */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 2147483647; + dstPath = en.lproj; + dstSubfolderSpec = 7; + files = ( + 43A599161B0CFCAB00D14A7B /* CloudKeychain.strings in CopyFiles */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 4A5C178F161A9DE000ABF784 /* CopyFiles */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 8; + dstPath = /usr/local/include; + dstSubfolderSpec = 0; + files = ( + 4A5C1790161A9DFB00ABF784 /* authd_private.h in CopyFiles */, + ); + runOnlyForDeploymentPostprocessing = 1; + }; + 4C49390E16E51ED100CE110C /* CopyFiles */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 12; + dstPath = /System/Library/LaunchAgents; + dstSubfolderSpec = 0; + files = ( + 4C49390F16E51FC700CE110C /* com.apple.security.keychain-circle-notification.plist in CopyFiles */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 4CB23B44169F5873003A0131 /* CopyFiles */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 2147483647; + dstPath = /usr/local/share/man/man1; + dstSubfolderSpec = 0; + files = ( + 4CB23B4C169F5873003A0131 /* security2.1 in CopyFiles */, + ); + runOnlyForDeploymentPostprocessing = 1; + }; + 4CB86AE4167A6F3D00F46643 /* Copy SecureObjectSync Headers */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 8; + 
dstPath = PrivateHeaders/SecureObjectSync; + dstSubfolderSpec = 1; + files = ( + 52F8DE4C1AF2EB6600A2C271 /* SOSTypes.h in Copy SecureObjectSync Headers */, + 52F8DE211AF2E57300A2C271 /* SOSBackupSliceKeyBag.h in Copy SecureObjectSync Headers */, + 4CB86AF1167A6FF300F46643 /* SOSCloudCircle.h in Copy SecureObjectSync Headers */, + 48FDA8771AF98A3600A9366F /* SOSCloudCircleInternal.h in Copy SecureObjectSync Headers */, + 4CB86AF7167A6FF300F46643 /* SOSPeerInfo.h in Copy SecureObjectSync Headers */, + 52F8DDFA1AF2E56700A2C271 /* SOSViews.h in Copy SecureObjectSync Headers */, + 52F8DE251AF2E58B00A2C271 /* SOSForerunnerSession.h in Copy SecureObjectSync Headers */, + ); + name = "Copy SecureObjectSync Headers"; + runOnlyForDeploymentPostprocessing = 1; + }; + 5214702316977EA600DF0DB3 /* CopyFiles */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 8; + dstPath = "$(INDIGO_INSTALL_PATH_PREFIX)/System/Library/LaunchAgents"; + dstSubfolderSpec = 0; + files = ( + 521470261697800500DF0DB3 /* com.apple.security.cloudkeychainproxy.plist in CopyFiles */, + ); + runOnlyForDeploymentPostprocessing = 1; + }; + 72756BFC175D485D00F52070 /* CopyFiles */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 2147483647; + dstPath = /usr/share/man/man1/; + dstSubfolderSpec = 0; + files = ( + ); + runOnlyForDeploymentPostprocessing = 1; + }; + BE48AE191ADF1DF4000836C1 /* CopyFiles */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 8; + dstPath = /System/Library/LaunchAgents; + dstSubfolderSpec = 0; + files = ( + BE48AE251ADF1FD3000836C1 /* com.apple.trustd.agent.plist in CopyFiles */, + ); + runOnlyForDeploymentPostprocessing = 1; + }; + BE48AE1B1ADF1DF4000836C1 /* CopyFiles */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 8; + dstPath = /System/Library/LaunchDaemons; + dstSubfolderSpec = 0; + files = ( + BE48AE271ADF2016000836C1 /* com.apple.trustd.plist in CopyFiles */, + ); + runOnlyForDeploymentPostprocessing = 1; + }; + BE5976DD1AD73BE50066DECE /* 
CopyFiles */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 8; + dstPath = /System/Library/LaunchDaemons; + dstSubfolderSpec = 0; + files = ( + ); + runOnlyForDeploymentPostprocessing = 1; + }; + BE94B79B1AD83AF700A7216D /* Copy sandbox profile */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 8; + dstPath = "$(SYSTEM_LIBRARY_DIR)/Sandbox/Profiles"; + dstSubfolderSpec = 0; + files = ( + BE94B7DD1AD8426500A7216D /* com.apple.trustd.sb in Copy sandbox profile */, + ); + name = "Copy sandbox profile"; + runOnlyForDeploymentPostprocessing = 1; + }; + BE94B79F1AD83AF700A7216D /* Copy asl module */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 8; + dstPath = /private/etc/asl; + dstSubfolderSpec = 0; + files = ( + BE94B7DC1AD8425E00A7216D /* com.apple.trustd.asl in Copy asl module */, + ); + name = "Copy asl module"; + runOnlyForDeploymentPostprocessing = 1; + }; + CD63AD1D1A806552001B5671 /* CopyFiles */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 8; + dstPath = "$(INDIGO_INSTALL_PATH_PREFIX)/System/Library/LaunchAgents"; + dstSubfolderSpec = 0; + files = ( + CDE08DD41A85E92200B5C261 /* com.apple.security.idskeychainsyncingproxy.plist in CopyFiles */, + ); + runOnlyForDeploymentPostprocessing = 1; + }; + CDF91EF41AAE025C00E88CF7 /* CopyFiles */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 8; + dstPath = /System/Library/IdentityServices/ServiceDefinitions; + dstSubfolderSpec = 0; + files = ( + CDF91EF51AAE028F00E88CF7 /* com.apple.private.alloy.keychainsync.plist in CopyFiles */, + ); + runOnlyForDeploymentPostprocessing = 1; + }; + EB5D73121B0CB0E0009CAA47 /* Old SOS header location */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 8; + dstPath = /usr/local/include; + dstSubfolderSpec = 0; + files = ( + EB5D733C1B0CB109009CAA47 /* SOSTypes.h in Old SOS header location */, + EB5D733B1B0CB0FF009CAA47 /* SOSPeerInfo.h in Old SOS header location */, + ); + name = "Old SOS header location"; + 
runOnlyForDeploymentPostprocessing = 1; + }; + F93C49351AB8FD3B0047E01A /* CopyFiles */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 8; + dstPath = /usr/local/sbin; + dstSubfolderSpec = 0; + files = ( + F93C493E1AB8FF670047E01A /* ckcdiagnose.sh in CopyFiles */, + ); + runOnlyForDeploymentPostprocessing = 1; + }; +/* End PBXCopyFilesBuildPhase section */ + +/* Begin PBXFileReference section */ + 0C03D60317D93E810087643B /* SecDH.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = SecDH.h; path = sec/Security/SecDH.h; sourceTree = SOURCE_ROOT; }; + 0C4F055D15C9E51A00F9DFD5 /* sslTypes.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = sslTypes.h; path = libsecurity_ssl/lib/sslTypes.h; sourceTree = SOURCE_ROOT; }; + 0C6C630B15D193C800BC68CD /* sectests */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = sectests; sourceTree = BUILT_PRODUCTS_DIR; }; + 0C6C630E15D193C800BC68CD /* main.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = main.c; sourceTree = ""; }; + 0C6C632415D1964200BC68CD /* testlist.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = testlist.h; sourceTree = ""; }; + 0C6C632F15D19DE600BC68CD /* test.xcconfig */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xcconfig; path = test.xcconfig; sourceTree = ""; }; + 0C6D0064177B54C60095D167 /* com.apple.securityd */ = {isa = PBXFileReference; lastKnownFileType = text; name = com.apple.securityd; path = asl/com.apple.securityd; sourceTree = SOURCE_ROOT; }; + 0C6D77DE15C8C06500BB4405 /* tlsnke.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = tlsnke.xcodeproj; path = tlsnke/tlsnke.xcodeproj; sourceTree = ""; }; + 0CC1228B19C75B9000D23178 /* shared_regressions.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = shared_regressions.h; 
sourceTree = ""; }; + 0CC2CB0F1B6A04D80074B0F2 /* libDiagnosticMessagesClient.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libDiagnosticMessagesClient.dylib; path = Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.11.Internal.sdk/usr/lib/libDiagnosticMessagesClient.dylib; sourceTree = DEVELOPER_DIR; }; + 0CC3352D16C1ED8000399E53 /* secdtests */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = secdtests; sourceTree = BUILT_PRODUCTS_DIR; }; + 0CC3355716C1EEE700399E53 /* main.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = main.c; path = secdtests/main.c; sourceTree = ""; }; + 0CC3355816C1EEE700399E53 /* testlist.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = testlist.h; path = secdtests/testlist.h; sourceTree = ""; }; + 0CC3355B16C1EF5D00399E53 /* regressions.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = regressions.xcodeproj; path = regressions/regressions.xcodeproj; sourceTree = SOURCE_ROOT; }; + 1807384B146D0D4E00F05C24 /* Security.framework */ = {isa = PBXFileReference; explicitFileType = wrapper.framework; includeInIndex = 0; path = Security.framework; sourceTree = BUILT_PRODUCTS_DIR; }; + 18073856146D0D4E00F05C24 /* Info-Security.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = "Info-Security.plist"; sourceTree = ""; }; + 181EA422146D4A2A00A6D320 /* base.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; path = base.xcconfig; sourceTree = ""; }; + 181EA423146D4A2A00A6D320 /* debug.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; path = debug.xcconfig; sourceTree = ""; }; + 181EA424146D4A2A00A6D320 /* lib.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; path = lib.xcconfig; sourceTree = ""; wrapsLines = 0; }; + 
181EA425146D4A2A00A6D320 /* release.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; path = release.xcconfig; sourceTree = ""; }; + 18270ED614CF282600B05E7F /* secd */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = secd; sourceTree = BUILT_PRODUCTS_DIR; }; + 18270EEC14CF333400B05E7F /* client.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = client.c; sourceTree = ""; }; + 18270EED14CF333400B05E7F /* com.apple.securityd.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = com.apple.securityd.plist; sourceTree = ""; }; + 18270EEE14CF333400B05E7F /* securityd_client.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = securityd_client.h; sourceTree = ""; }; + 18270EEF14CF333400B05E7F /* securityd_ipc_types.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = securityd_ipc_types.h; sourceTree = ""; }; + 18270EF014CF333400B05E7F /* securityd_rep.defs */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.mig; path = securityd_rep.defs; sourceTree = ""; }; + 18270EF114CF333400B05E7F /* securityd_req.defs */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.mig; path = securityd_req.defs; sourceTree = ""; }; + 18270EF214CF333400B05E7F /* securityd_server.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = securityd_server.h; sourceTree = ""; }; + 18270EF314CF333400B05E7F /* server.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = server.c; sourceTree = ""; }; + 18270EFB14CF427800B05E7F /* CFNetwork.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = CFNetwork.framework; path = System/Library/Frameworks/CFNetwork.framework; sourceTree = SDKROOT; }; + 18270EFD14CF429600B05E7F /* IOKit.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = IOKit.framework; path = 
System/Library/Frameworks/IOKit.framework; sourceTree = SDKROOT; }; + 18270EFF14CF42CA00B05E7F /* libcorecrypto.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libcorecrypto.a; path = /usr/local/lib/libcorecrypto.a; sourceTree = ""; }; + 18270F0814CF43C000B05E7F /* libDER.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = libDER.xcodeproj; path = libsecurity_keychain/libDER/libDER.xcodeproj; sourceTree = ""; }; + 18270F3A14CF44C400B05E7F /* debugging.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = debugging.c; sourceTree = ""; }; + 18270F3B14CF44C400B05E7F /* debugging.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = debugging.h; sourceTree = ""; }; + 182A190F15D09AF0006AB103 /* connection.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = connection.h; sourceTree = ""; }; + 182A191015D09AFF006AB103 /* connection.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = connection.c; sourceTree = ""; }; + 182BB187146EAD4C000BF1F3 /* SecAccess.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecAccess.h; path = libsecurity_keychain/lib/SecAccess.h; sourceTree = SOURCE_ROOT; }; + 182BB188146EAD4C000BF1F3 /* SecACL.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecACL.h; path = libsecurity_keychain/lib/SecACL.h; sourceTree = SOURCE_ROOT; }; + 182BB189146EAD4C000BF1F3 /* SecBase.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecBase.h; path = libsecurity_keychain/lib/SecBase.h; sourceTree = SOURCE_ROOT; }; + 182BB18A146EAD4C000BF1F3 /* SecCertificate.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecCertificate.h; path = libsecurity_keychain/lib/SecCertificate.h; sourceTree = 
SOURCE_ROOT; }; + 182BB18B146EAD4C000BF1F3 /* SecIdentity.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecIdentity.h; path = libsecurity_keychain/lib/SecIdentity.h; sourceTree = SOURCE_ROOT; }; + 182BB18C146EAD4C000BF1F3 /* SecIdentitySearch.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecIdentitySearch.h; path = libsecurity_keychain/lib/SecIdentitySearch.h; sourceTree = SOURCE_ROOT; }; + 182BB18D146EAD4C000BF1F3 /* SecItem.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecItem.h; path = libsecurity_keychain/lib/SecItem.h; sourceTree = SOURCE_ROOT; }; + 182BB18E146EAD4C000BF1F3 /* SecKey.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecKey.h; path = libsecurity_keychain/lib/SecKey.h; sourceTree = SOURCE_ROOT; }; + 182BB18F146EAD4C000BF1F3 /* SecKeychain.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecKeychain.h; path = libsecurity_keychain/lib/SecKeychain.h; sourceTree = SOURCE_ROOT; }; + 182BB190146EAD4C000BF1F3 /* SecKeychainItem.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecKeychainItem.h; path = libsecurity_keychain/lib/SecKeychainItem.h; sourceTree = SOURCE_ROOT; }; + 182BB191146EAD4C000BF1F3 /* SecKeychainSearch.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecKeychainSearch.h; path = libsecurity_keychain/lib/SecKeychainSearch.h; sourceTree = SOURCE_ROOT; }; + 182BB192146EAD4C000BF1F3 /* SecPolicy.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecPolicy.h; path = libsecurity_keychain/lib/SecPolicy.h; sourceTree = SOURCE_ROOT; }; + 182BB193146EAD4C000BF1F3 /* SecPolicySearch.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecPolicySearch.h; 
path = libsecurity_keychain/lib/SecPolicySearch.h; sourceTree = SOURCE_ROOT; }; + 182BB194146EAD4C000BF1F3 /* SecTrust.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecTrust.h; path = libsecurity_keychain/lib/SecTrust.h; sourceTree = SOURCE_ROOT; }; + 182BB195146EAD4C000BF1F3 /* SecTrustedApplication.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecTrustedApplication.h; path = libsecurity_keychain/lib/SecTrustedApplication.h; sourceTree = SOURCE_ROOT; }; + 182BB196146EAD4C000BF1F3 /* Security.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = Security.h; path = libsecurity_keychain/lib/Security.h; sourceTree = SOURCE_ROOT; }; + 182BB197146EAD4C000BF1F3 /* SecImportExport.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecImportExport.h; path = libsecurity_keychain/lib/SecImportExport.h; sourceTree = SOURCE_ROOT; }; + 182BB198146EAD4C000BF1F3 /* SecTrustSettings.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecTrustSettings.h; path = libsecurity_keychain/lib/SecTrustSettings.h; sourceTree = SOURCE_ROOT; }; + 182BB199146EAD4C000BF1F3 /* SecCertificateOIDs.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecCertificateOIDs.h; path = libsecurity_keychain/lib/SecCertificateOIDs.h; sourceTree = SOURCE_ROOT; }; + 182BB19A146EAD4C000BF1F3 /* SecRandom.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecRandom.h; path = libsecurity_keychain/lib/SecRandom.h; sourceTree = SOURCE_ROOT; }; + 182BB1AF146EAD5D000BF1F3 /* SecFDERecoveryAsymmetricCrypto.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecFDERecoveryAsymmetricCrypto.h; path = libsecurity_keychain/lib/SecFDERecoveryAsymmetricCrypto.h; sourceTree = SOURCE_ROOT; }; 
+ 182BB1B0146EAD5D000BF1F3 /* SecPassword.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecPassword.h; path = libsecurity_keychain/lib/SecPassword.h; sourceTree = SOURCE_ROOT; }; + 182BB1B2146EAD5D000BF1F3 /* SecAccessPriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecAccessPriv.h; path = libsecurity_keychain/lib/SecAccessPriv.h; sourceTree = SOURCE_ROOT; }; + 182BB1B3146EAD5D000BF1F3 /* SecBasePriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecBasePriv.h; path = libsecurity_keychain/lib/SecBasePriv.h; sourceTree = SOURCE_ROOT; }; + 182BB1B4146EAD5D000BF1F3 /* SecCertificateBundle.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecCertificateBundle.h; path = libsecurity_keychain/lib/SecCertificateBundle.h; sourceTree = SOURCE_ROOT; }; + 182BB1B5146EAD5D000BF1F3 /* SecCertificatePriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecCertificatePriv.h; path = libsecurity_keychain/lib/SecCertificatePriv.h; sourceTree = SOURCE_ROOT; }; + 182BB1B6146EAD5D000BF1F3 /* SecCertificateRequest.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecCertificateRequest.h; path = libsecurity_keychain/lib/SecCertificateRequest.h; sourceTree = SOURCE_ROOT; }; + 182BB1B7146EAD5D000BF1F3 /* SecIdentityPriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecIdentityPriv.h; path = libsecurity_keychain/lib/SecIdentityPriv.h; sourceTree = SOURCE_ROOT; }; + 182BB1B8146EAD5D000BF1F3 /* SecKeychainItemPriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecKeychainItemPriv.h; path = libsecurity_keychain/lib/SecKeychainItemPriv.h; sourceTree = SOURCE_ROOT; }; + 182BB1B9146EAD5D000BF1F3 /* SecKeychainPriv.h */ = {isa = 
PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecKeychainPriv.h; path = libsecurity_keychain/lib/SecKeychainPriv.h; sourceTree = SOURCE_ROOT; }; + 182BB1BA146EAD5D000BF1F3 /* SecKeyPriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecKeyPriv.h; path = libsecurity_keychain/lib/SecKeyPriv.h; sourceTree = SOURCE_ROOT; }; + 182BB1BB146EAD5D000BF1F3 /* SecPolicyPriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecPolicyPriv.h; path = libsecurity_keychain/lib/SecPolicyPriv.h; sourceTree = SOURCE_ROOT; }; + 182BB1BC146EAD5D000BF1F3 /* SecTrustedApplicationPriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecTrustedApplicationPriv.h; path = libsecurity_keychain/lib/SecTrustedApplicationPriv.h; sourceTree = SOURCE_ROOT; }; + 182BB1BD146EAD5D000BF1F3 /* SecTrustPriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecTrustPriv.h; path = libsecurity_keychain/lib/SecTrustPriv.h; sourceTree = SOURCE_ROOT; }; + 182BB1C4146EAD5D000BF1F3 /* SecIdentitySearchPriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecIdentitySearchPriv.h; path = libsecurity_keychain/lib/SecIdentitySearchPriv.h; sourceTree = SOURCE_ROOT; }; + 182BB1C5146EAD5D000BF1F3 /* SecKeychainSearchPriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecKeychainSearchPriv.h; path = libsecurity_keychain/lib/SecKeychainSearchPriv.h; sourceTree = SOURCE_ROOT; }; + 182BB1C6146EAD5D000BF1F3 /* SecTrustSettingsPriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecTrustSettingsPriv.h; path = libsecurity_keychain/lib/SecTrustSettingsPriv.h; sourceTree = SOURCE_ROOT; }; + 182BB1C8146EAD5D000BF1F3 /* TrustSettingsSchema.h */ = {isa = PBXFileReference; fileEncoding = 4; 
lastKnownFileType = sourcecode.c.h; name = TrustSettingsSchema.h; path = libsecurity_keychain/lib/TrustSettingsSchema.h; sourceTree = SOURCE_ROOT; }; + 182BB1CA146EAD5D000BF1F3 /* SecItemPriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecItemPriv.h; path = libsecurity_keychain/lib/SecItemPriv.h; sourceTree = SOURCE_ROOT; usesTabs = 1; }; + 182BB1CB146EAD5D000BF1F3 /* SecKeychainItemExtendedAttributes.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecKeychainItemExtendedAttributes.h; path = libsecurity_keychain/lib/SecKeychainItemExtendedAttributes.h; sourceTree = SOURCE_ROOT; }; + 182BB1CE146EAD5D000BF1F3 /* SecRecoveryPassword.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecRecoveryPassword.h; path = libsecurity_keychain/lib/SecRecoveryPassword.h; sourceTree = SOURCE_ROOT; }; + 182BB1CF146EAD5D000BF1F3 /* SecRandomP.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecRandomP.h; path = libsecurity_keychain/lib/SecRandomP.h; sourceTree = SOURCE_ROOT; }; + 182BB229146F068B000BF1F3 /* iToolsTrustedApps.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; name = iToolsTrustedApps.plist; path = libsecurity_keychain/plist/iToolsTrustedApps.plist; sourceTree = SOURCE_ROOT; }; + 182BB315146F0E7E000BF1F3 /* SecureDownload.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecureDownload.h; path = libsecurity_manifest/lib/SecureDownload.h; sourceTree = SOURCE_ROOT; }; + 182BB317146F0E94000BF1F3 /* SecManifest.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecManifest.h; path = libsecurity_manifest/lib/SecManifest.h; sourceTree = SOURCE_ROOT; }; + 182BB318146F0E94000BF1F3 /* SecureDownloadInternal.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = 
sourcecode.c.h; name = SecureDownloadInternal.h; path = libsecurity_manifest/lib/SecureDownloadInternal.h; sourceTree = SOURCE_ROOT; }; + 182BB356146F1198000BF1F3 /* mds.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = mds.h; path = libsecurity_mds/lib/mds.h; sourceTree = SOURCE_ROOT; }; + 182BB357146F1198000BF1F3 /* mds_schema.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = mds_schema.h; path = libsecurity_mds/lib/mds_schema.h; sourceTree = SOURCE_ROOT; }; + 182BB35A146F11A1000BF1F3 /* mdspriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = mdspriv.h; path = libsecurity_mds/lib/mdspriv.h; sourceTree = SOURCE_ROOT; }; + 182BB36E146F13B4000BF1F3 /* CipherSuite.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = CipherSuite.h; path = libsecurity_ssl/Security/CipherSuite.h; sourceTree = SOURCE_ROOT; }; + 182BB36F146F13B4000BF1F3 /* SecureTransport.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecureTransport.h; path = libsecurity_ssl/Security/SecureTransport.h; sourceTree = SOURCE_ROOT; }; + 182BB372146F13BB000BF1F3 /* SecureTransportPriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecureTransportPriv.h; path = libsecurity_ssl/Security/SecureTransportPriv.h; sourceTree = SOURCE_ROOT; }; + 182BB383146F14D2000BF1F3 /* SecCmsBase.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecCmsBase.h; path = libsecurity_smime/lib/SecCmsBase.h; sourceTree = SOURCE_ROOT; }; + 182BB384146F14D2000BF1F3 /* SecCmsContentInfo.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecCmsContentInfo.h; path = libsecurity_smime/lib/SecCmsContentInfo.h; sourceTree = SOURCE_ROOT; }; + 182BB385146F14D2000BF1F3 /* SecCmsDecoder.h */ = {isa = 
PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecCmsDecoder.h; path = libsecurity_smime/lib/SecCmsDecoder.h; sourceTree = SOURCE_ROOT; }; + 182BB386146F14D2000BF1F3 /* SecCmsDigestContext.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecCmsDigestContext.h; path = libsecurity_smime/lib/SecCmsDigestContext.h; sourceTree = SOURCE_ROOT; }; + 182BB387146F14D2000BF1F3 /* SecCmsDigestedData.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecCmsDigestedData.h; path = libsecurity_smime/lib/SecCmsDigestedData.h; sourceTree = SOURCE_ROOT; }; + 182BB388146F14D2000BF1F3 /* SecCmsEncoder.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecCmsEncoder.h; path = libsecurity_smime/lib/SecCmsEncoder.h; sourceTree = SOURCE_ROOT; }; + 182BB389146F14D2000BF1F3 /* SecCmsEncryptedData.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecCmsEncryptedData.h; path = libsecurity_smime/lib/SecCmsEncryptedData.h; sourceTree = SOURCE_ROOT; }; + 182BB38A146F14D2000BF1F3 /* SecCmsEnvelopedData.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecCmsEnvelopedData.h; path = libsecurity_smime/lib/SecCmsEnvelopedData.h; sourceTree = SOURCE_ROOT; }; + 182BB38B146F14D2000BF1F3 /* SecCmsMessage.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecCmsMessage.h; path = libsecurity_smime/lib/SecCmsMessage.h; sourceTree = SOURCE_ROOT; }; + 182BB38C146F14D2000BF1F3 /* SecCmsRecipientInfo.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecCmsRecipientInfo.h; path = libsecurity_smime/lib/SecCmsRecipientInfo.h; sourceTree = SOURCE_ROOT; }; + 182BB38D146F14D2000BF1F3 /* SecCmsSignedData.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name 
= SecCmsSignedData.h; path = libsecurity_smime/lib/SecCmsSignedData.h; sourceTree = SOURCE_ROOT; }; + 182BB38E146F14D2000BF1F3 /* SecCmsSignerInfo.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecCmsSignerInfo.h; path = libsecurity_smime/lib/SecCmsSignerInfo.h; sourceTree = SOURCE_ROOT; }; + 182BB38F146F14D2000BF1F3 /* SecSMIME.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecSMIME.h; path = libsecurity_smime/lib/SecSMIME.h; sourceTree = SOURCE_ROOT; }; + 182BB3A3146F1BEC000BF1F3 /* SecDigestTransform.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecDigestTransform.h; path = libsecurity_transform/lib/SecDigestTransform.h; sourceTree = SOURCE_ROOT; }; + 182BB3A4146F1BEC000BF1F3 /* SecReadTransform.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecReadTransform.h; path = libsecurity_transform/lib/SecReadTransform.h; sourceTree = SOURCE_ROOT; }; + 182BB3A5146F1BEC000BF1F3 /* SecTransform.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecTransform.h; path = libsecurity_transform/lib/SecTransform.h; sourceTree = SOURCE_ROOT; }; + 182BB3A6146F1BEC000BF1F3 /* SecCustomTransform.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecCustomTransform.h; path = libsecurity_transform/lib/SecCustomTransform.h; sourceTree = SOURCE_ROOT; }; + 182BB3A7146F1BEC000BF1F3 /* SecDecodeTransform.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecDecodeTransform.h; path = libsecurity_transform/lib/SecDecodeTransform.h; sourceTree = SOURCE_ROOT; }; + 182BB3A8146F1BEC000BF1F3 /* SecEncodeTransform.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecEncodeTransform.h; path = libsecurity_transform/lib/SecEncodeTransform.h; sourceTree = 
SOURCE_ROOT; }; + 182BB3A9146F1BEC000BF1F3 /* SecEncryptTransform.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecEncryptTransform.h; path = libsecurity_transform/lib/SecEncryptTransform.h; sourceTree = SOURCE_ROOT; }; + 182BB3AA146F1BEC000BF1F3 /* SecSignVerifyTransform.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecSignVerifyTransform.h; path = libsecurity_transform/lib/SecSignVerifyTransform.h; sourceTree = SOURCE_ROOT; }; + 182BB3AB146F1BEC000BF1F3 /* SecTransformReadTransform.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecTransformReadTransform.h; path = libsecurity_transform/lib/SecTransformReadTransform.h; sourceTree = SOURCE_ROOT; }; + 182BB3B6146F1BF9000BF1F3 /* SecNullTransform.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecNullTransform.h; path = libsecurity_transform/lib/SecNullTransform.h; sourceTree = SOURCE_ROOT; }; + 182BB3B7146F1BF9000BF1F3 /* SecTransformInternal.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecTransformInternal.h; path = libsecurity_transform/lib/SecTransformInternal.h; sourceTree = SOURCE_ROOT; }; + 182BB3C4146F1DCB000BF1F3 /* sd_cspdl_common.mdsinfo */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xml; name = sd_cspdl_common.mdsinfo; path = libsecurity_sd_cspdl/mds/sd_cspdl_common.mdsinfo; sourceTree = SOURCE_ROOT; }; + 182BB556146F4510000BF1F3 /* csparser-Info.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = "csparser-Info.plist"; sourceTree = ""; }; + 182BB557146F4510000BF1F3 /* csparser.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = csparser.cpp; sourceTree = ""; }; + 182BB558146F4510000BF1F3 /* csparser.exp */ = {isa = PBXFileReference; fileEncoding = 4; 
lastKnownFileType = sourcecode.exports; path = csparser.exp; sourceTree = ""; }; + 182BB55C146F4544000BF1F3 /* FDEPrefs.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = FDEPrefs.plist; sourceTree = ""; }; + 182BB55D146F4544000BF1F3 /* generateErrStrings.pl */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.script.perl; path = generateErrStrings.pl; sourceTree = ""; }; + 182BB55E146F4544000BF1F3 /* Security.order */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = Security.order; sourceTree = ""; }; + 182BB562146F4C73000BF1F3 /* security.exp-in */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = "security.exp-in"; sourceTree = ""; }; + 182BB568146F4DCA000BF1F3 /* csparser.bundle */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = csparser.bundle; sourceTree = BUILT_PRODUCTS_DIR; }; + 182BB569146F4DCA000BF1F3 /* CoreFoundation.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = CoreFoundation.framework; path = System/Library/Frameworks/CoreFoundation.framework; sourceTree = SDKROOT; }; + 182BB593146FE1ED000BF1F3 /* libantlr2c++.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = "libantlr2c++.a"; path = "/usr/local/lib/libantlr2c++.a"; sourceTree = ""; }; + 182BB5AB146FEF14000BF1F3 /* libpam.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libpam.dylib; path = /usr/lib/libpam.dylib; sourceTree = ""; }; + 182BB5AD146FEF43000BF1F3 /* libsqlite3.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libsqlite3.dylib; path = /usr/lib/libsqlite3.dylib; sourceTree = ""; }; + 182BB5B1146FF039000BF1F3 /* libz.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libz.dylib; path = /usr/lib/libz.dylib; sourceTree = ""; }; + 182BB5B3146FF04C000BF1F3 /* 
libxar.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libxar.dylib; path = /usr/lib/libxar.dylib; sourceTree = ""; }; + 182BB5B5146FF08F000BF1F3 /* libauto.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libauto.dylib; path = /usr/lib/libauto.dylib; sourceTree = ""; }; + 182BB5B7146FF0A1000BF1F3 /* libobjc.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libobjc.dylib; path = /usr/lib/libobjc.dylib; sourceTree = ""; }; + 182BB5B9146FF0BE000BF1F3 /* libbsm.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libbsm.dylib; path = /usr/lib/libbsm.dylib; sourceTree = ""; }; + 1831329914EB2C6D00F0BCAC /* libASN1.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libASN1.a; path = /usr/local/lib/libASN1.a; sourceTree = ""; }; + 1831329A14EB2C6D00F0BCAC /* libDER.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libDER.a; path = /usr/local/lib/libDER.a; sourceTree = ""; }; + 1844605B146DE93E00B12992 /* csp_capabilities.mdsinfo */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xml; name = csp_capabilities.mdsinfo; path = libsecurity_apple_csp/mds/csp_capabilities.mdsinfo; sourceTree = SOURCE_ROOT; }; + 1844605C146DE93E00B12992 /* csp_capabilities_common.mds */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xml; name = csp_capabilities_common.mds; path = libsecurity_apple_csp/mds/csp_capabilities_common.mds; sourceTree = SOURCE_ROOT; }; + 1844605D146DE93E00B12992 /* csp_common.mdsinfo */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xml; name = csp_common.mdsinfo; path = libsecurity_apple_csp/mds/csp_common.mdsinfo; sourceTree = SOURCE_ROOT; }; + 1844605E146DE93E00B12992 /* csp_primary.mdsinfo */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xml; name = csp_primary.mdsinfo; path = 
libsecurity_apple_csp/mds/csp_primary.mdsinfo; sourceTree = SOURCE_ROOT; }; + 18446099146DFCB700B12992 /* secasn1t.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = secasn1t.h; path = libsecurity_asn1/lib/secasn1t.h; sourceTree = SOURCE_ROOT; }; + 1844609A146DFCB700B12992 /* certExtensionTemplates.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = certExtensionTemplates.h; path = libsecurity_asn1/lib/certExtensionTemplates.h; sourceTree = SOURCE_ROOT; }; + 1844609B146DFCB700B12992 /* csrTemplates.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = csrTemplates.h; path = libsecurity_asn1/lib/csrTemplates.h; sourceTree = SOURCE_ROOT; }; + 1844609C146DFCB700B12992 /* ocspTemplates.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = ocspTemplates.h; path = libsecurity_asn1/lib/ocspTemplates.h; sourceTree = SOURCE_ROOT; }; + 1844609D146DFCB700B12992 /* nameTemplates.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = nameTemplates.h; path = libsecurity_asn1/lib/nameTemplates.h; sourceTree = SOURCE_ROOT; }; + 1844609E146DFCB700B12992 /* X509Templates.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = X509Templates.h; path = libsecurity_asn1/lib/X509Templates.h; sourceTree = SOURCE_ROOT; }; + 1844609F146DFCB700B12992 /* osKeyTemplates.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = osKeyTemplates.h; path = libsecurity_asn1/lib/osKeyTemplates.h; sourceTree = SOURCE_ROOT; }; + 184460A0146DFCB700B12992 /* keyTemplates.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = keyTemplates.h; path = libsecurity_asn1/lib/keyTemplates.h; sourceTree = SOURCE_ROOT; }; + 184460A1146DFCB700B12992 /* asn1Templates.h */ = {isa = PBXFileReference; fileEncoding = 
4; lastKnownFileType = sourcecode.c.h; name = asn1Templates.h; path = libsecurity_asn1/lib/asn1Templates.h; sourceTree = SOURCE_ROOT; }; + 184460AB146DFCC100B12992 /* SecAsn1Coder.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecAsn1Coder.h; path = libsecurity_asn1/lib/SecAsn1Coder.h; sourceTree = SOURCE_ROOT; }; + 184460AC146DFCC100B12992 /* SecAsn1Templates.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecAsn1Templates.h; path = libsecurity_asn1/lib/SecAsn1Templates.h; sourceTree = SOURCE_ROOT; }; + 184460AD146DFCC100B12992 /* SecAsn1Types.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecAsn1Types.h; path = libsecurity_asn1/lib/SecAsn1Types.h; sourceTree = SOURCE_ROOT; }; + 184460C3146E7B1E00B12992 /* cspdl_common.mdsinfo */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xml; name = cspdl_common.mdsinfo; path = libsecurity_apple_cspdl/mds/cspdl_common.mdsinfo; sourceTree = SOURCE_ROOT; }; + 184460C4146E7B1E00B12992 /* cspdl_csp_capabilities.mdsinfo */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xml; name = cspdl_csp_capabilities.mdsinfo; path = libsecurity_apple_cspdl/mds/cspdl_csp_capabilities.mdsinfo; sourceTree = SOURCE_ROOT; }; + 184460C5146E7B1E00B12992 /* cspdl_csp_primary.mdsinfo */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xml; name = cspdl_csp_primary.mdsinfo; path = libsecurity_apple_cspdl/mds/cspdl_csp_primary.mdsinfo; sourceTree = SOURCE_ROOT; }; + 184460C6146E7B1E00B12992 /* cspdl_dl_primary.mdsinfo */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xml; name = cspdl_dl_primary.mdsinfo; path = libsecurity_apple_cspdl/mds/cspdl_dl_primary.mdsinfo; sourceTree = SOURCE_ROOT; }; + 184460E1146E806700B12992 /* dl_common.mdsinfo */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xml; name = 
dl_common.mdsinfo; path = libsecurity_apple_file_dl/mds/dl_common.mdsinfo; sourceTree = SOURCE_ROOT; }; + 184460E2146E806700B12992 /* dl_primary.mdsinfo */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xml; name = dl_primary.mdsinfo; path = libsecurity_apple_file_dl/mds/dl_primary.mdsinfo; sourceTree = SOURCE_ROOT; }; + 18446103146E82C800B12992 /* cl_common.mdsinfo */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xml; name = cl_common.mdsinfo; path = libsecurity_apple_x509_cl/mds/cl_common.mdsinfo; sourceTree = SOURCE_ROOT; }; + 18446104146E82C800B12992 /* cl_primary.mdsinfo */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xml; name = cl_primary.mdsinfo; path = libsecurity_apple_x509_cl/mds/cl_primary.mdsinfo; sourceTree = SOURCE_ROOT; }; + 18446112146E85A300B12992 /* tp_common.mdsinfo */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xml; name = tp_common.mdsinfo; path = libsecurity_apple_x509_tp/mds/tp_common.mdsinfo; sourceTree = SOURCE_ROOT; }; + 18446113146E85A300B12992 /* tp_policyOids.mdsinfo */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xml; name = tp_policyOids.mdsinfo; path = libsecurity_apple_x509_tp/mds/tp_policyOids.mdsinfo; sourceTree = SOURCE_ROOT; }; + 18446114146E85A300B12992 /* tp_primary.mdsinfo */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xml; name = tp_primary.mdsinfo; path = libsecurity_apple_x509_tp/mds/tp_primary.mdsinfo; sourceTree = SOURCE_ROOT; }; + 18446144146E923200B12992 /* AuthorizationTags.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = AuthorizationTags.h; path = libsecurity_authorization/lib/AuthorizationTags.h; sourceTree = SOURCE_ROOT; }; + 18446145146E923200B12992 /* AuthSession.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = AuthSession.h; path = libsecurity_authorization/lib/AuthSession.h; 
sourceTree = SOURCE_ROOT; }; + 18446146146E923200B12992 /* Authorization.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = Authorization.h; path = libsecurity_authorization/lib/Authorization.h; sourceTree = SOURCE_ROOT; }; + 18446147146E923200B12992 /* AuthorizationDB.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = AuthorizationDB.h; path = libsecurity_authorization/lib/AuthorizationDB.h; sourceTree = SOURCE_ROOT; }; + 18446148146E923200B12992 /* AuthorizationPlugin.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = AuthorizationPlugin.h; path = libsecurity_authorization/lib/AuthorizationPlugin.h; sourceTree = SOURCE_ROOT; }; + 1844614E146E923B00B12992 /* AuthorizationTagsPriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = AuthorizationTagsPriv.h; path = libsecurity_authorization/lib/AuthorizationTagsPriv.h; sourceTree = SOURCE_ROOT; }; + 1844614F146E923B00B12992 /* AuthorizationPriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = AuthorizationPriv.h; path = libsecurity_authorization/lib/AuthorizationPriv.h; sourceTree = SOURCE_ROOT; }; + 18446168146E95D700B12992 /* checkpw.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = checkpw.h; path = libsecurity_checkpw/lib/checkpw.h; sourceTree = SOURCE_ROOT; }; + 18446170146E982800B12992 /* CMSDecoder.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = CMSDecoder.h; path = libsecurity_cms/lib/CMSDecoder.h; sourceTree = SOURCE_ROOT; }; + 18446171146E982800B12992 /* CMSEncoder.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = CMSEncoder.h; path = libsecurity_cms/lib/CMSEncoder.h; sourceTree = SOURCE_ROOT; }; + 18446174146E982D00B12992 /* CMSPrivate.h */ = {isa = PBXFileReference; 
fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = CMSPrivate.h; path = libsecurity_cms/lib/CMSPrivate.h; sourceTree = SOURCE_ROOT; }; + 1844617E146E9A8500B12992 /* SecTask.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecTask.h; path = libsecurity_codesigning/lib/SecTask.h; sourceTree = SOURCE_ROOT; }; + 1844617F146E9A8500B12992 /* CodeSigning.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = CodeSigning.h; path = libsecurity_codesigning/lib/CodeSigning.h; sourceTree = SOURCE_ROOT; }; + 18446180146E9A8500B12992 /* CSCommon.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = CSCommon.h; path = libsecurity_codesigning/lib/CSCommon.h; sourceTree = SOURCE_ROOT; }; + 18446181146E9A8500B12992 /* SecCode.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecCode.h; path = libsecurity_codesigning/lib/SecCode.h; sourceTree = SOURCE_ROOT; }; + 18446182146E9A8500B12992 /* SecStaticCode.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecStaticCode.h; path = libsecurity_codesigning/lib/SecStaticCode.h; sourceTree = SOURCE_ROOT; }; + 18446183146E9A8500B12992 /* SecRequirement.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecRequirement.h; path = libsecurity_codesigning/lib/SecRequirement.h; sourceTree = SOURCE_ROOT; }; + 18446184146E9A8500B12992 /* SecCodeHost.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecCodeHost.h; path = libsecurity_codesigning/lib/SecCodeHost.h; sourceTree = SOURCE_ROOT; }; + 1844618C146E9A8F00B12992 /* CSCommonPriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = CSCommonPriv.h; path = libsecurity_codesigning/lib/CSCommonPriv.h; sourceTree = SOURCE_ROOT; }; + 1844618D146E9A8F00B12992 /* 
SecCodePriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecCodePriv.h; path = libsecurity_codesigning/lib/SecCodePriv.h; sourceTree = SOURCE_ROOT; }; + 1844618E146E9A8F00B12992 /* SecStaticCodePriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecStaticCodePriv.h; path = libsecurity_codesigning/lib/SecStaticCodePriv.h; sourceTree = SOURCE_ROOT; }; + 1844618F146E9A8F00B12992 /* SecRequirementPriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecRequirementPriv.h; path = libsecurity_codesigning/lib/SecRequirementPriv.h; sourceTree = SOURCE_ROOT; }; + 18446190146E9A8F00B12992 /* SecCodeSigner.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecCodeSigner.h; path = libsecurity_codesigning/lib/SecCodeSigner.h; sourceTree = SOURCE_ROOT; }; + 18446191146E9A8F00B12992 /* SecIntegrity.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecIntegrity.h; path = libsecurity_codesigning/lib/SecIntegrity.h; sourceTree = SOURCE_ROOT; }; + 18446192146E9A8F00B12992 /* SecIntegrityLib.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecIntegrityLib.h; path = libsecurity_codesigning/lib/SecIntegrityLib.h; sourceTree = SOURCE_ROOT; }; + 18446193146E9A8F00B12992 /* SecCodeHostLib.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecCodeHostLib.h; path = libsecurity_codesigning/lib/SecCodeHostLib.h; sourceTree = SOURCE_ROOT; }; + 18446194146E9A8F00B12992 /* SecAssessment.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecAssessment.h; path = libsecurity_codesigning/lib/SecAssessment.h; sourceTree = SOURCE_ROOT; }; + 184461A3146E9D3200B12992 /* libsecurityd.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = 
"wrapper.pb-project"; name = libsecurityd.xcodeproj; path = libsecurityd/libsecurityd.xcodeproj; sourceTree = ""; }; + 18500F9A14708D0E006F9AB4 /* SecDebugErrorMessages.strings */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.strings; name = SecDebugErrorMessages.strings; path = derived_src/SecDebugErrorMessages.strings; sourceTree = BUILT_PRODUCTS_DIR; }; + 18500FA014708F19006F9AB4 /* en */ = {isa = PBXFileReference; lastKnownFileType = text.plist.strings; name = en; path = derived_src/en.lproj/SecErrorMessages.strings; sourceTree = BUILT_PRODUCTS_DIR; }; + 186CDD1614CA11C700AF9171 /* sec.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; path = sec.xcodeproj; sourceTree = ""; }; + 18752C1D16F2837A004E2799 /* libaks.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libaks.a; path = usr/local/lib/libaks.a; sourceTree = SDKROOT; }; + 1879B4A9146DCA18007E536C /* cssm.mdsinfo */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xml; name = cssm.mdsinfo; path = libsecurity_cssm/mds/cssm.mdsinfo; sourceTree = SOURCE_ROOT; }; + 1879B4AB146DCA4A007E536C /* cssmapplePriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = cssmapplePriv.h; path = libsecurity_cssm/lib/cssmapplePriv.h; sourceTree = SOURCE_ROOT; }; + 1879B4AD146DCA84007E536C /* certextensions.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = certextensions.h; path = libsecurity_cssm/lib/certextensions.h; sourceTree = SOURCE_ROOT; }; + 1879B4AE146DCA84007E536C /* cssm.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = cssm.h; path = libsecurity_cssm/lib/cssm.h; sourceTree = SOURCE_ROOT; }; + 1879B4AF146DCA84007E536C /* cssmaci.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = cssmaci.h; path = libsecurity_cssm/lib/cssmaci.h; sourceTree = 
SOURCE_ROOT; }; + 1879B4B0146DCA84007E536C /* cssmapi.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = cssmapi.h; path = libsecurity_cssm/lib/cssmapi.h; sourceTree = SOURCE_ROOT; }; + 1879B4B1146DCA84007E536C /* cssmapple.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = cssmapple.h; path = libsecurity_cssm/lib/cssmapple.h; sourceTree = SOURCE_ROOT; }; + 1879B4B2146DCA84007E536C /* cssmcli.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = cssmcli.h; path = libsecurity_cssm/lib/cssmcli.h; sourceTree = SOURCE_ROOT; }; + 1879B4B3146DCA84007E536C /* cssmconfig.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = cssmconfig.h; path = libsecurity_cssm/lib/cssmconfig.h; sourceTree = SOURCE_ROOT; }; + 1879B4B4146DCA84007E536C /* cssmcspi.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = cssmcspi.h; path = libsecurity_cssm/lib/cssmcspi.h; sourceTree = SOURCE_ROOT; }; + 1879B4B5146DCA84007E536C /* cssmdli.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = cssmdli.h; path = libsecurity_cssm/lib/cssmdli.h; sourceTree = SOURCE_ROOT; }; + 1879B4B6146DCA84007E536C /* cssmerr.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = cssmerr.h; path = libsecurity_cssm/lib/cssmerr.h; sourceTree = SOURCE_ROOT; }; + 1879B4B7146DCA84007E536C /* cssmkrapi.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = cssmkrapi.h; path = libsecurity_cssm/lib/cssmkrapi.h; sourceTree = SOURCE_ROOT; }; + 1879B4B8146DCA84007E536C /* cssmkrspi.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = cssmkrspi.h; path = libsecurity_cssm/lib/cssmkrspi.h; sourceTree = SOURCE_ROOT; }; + 1879B4B9146DCA84007E536C /* cssmspi.h */ = {isa = 
PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = cssmspi.h; path = libsecurity_cssm/lib/cssmspi.h; sourceTree = SOURCE_ROOT; }; + 1879B4BA146DCA84007E536C /* cssmtpi.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = cssmtpi.h; path = libsecurity_cssm/lib/cssmtpi.h; sourceTree = SOURCE_ROOT; }; + 1879B4BB146DCA84007E536C /* cssmtype.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = cssmtype.h; path = libsecurity_cssm/lib/cssmtype.h; sourceTree = SOURCE_ROOT; }; + 1879B4BC146DCA84007E536C /* eisl.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = eisl.h; path = libsecurity_cssm/lib/eisl.h; sourceTree = SOURCE_ROOT; }; + 1879B4BD146DCA84007E536C /* emmspi.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = emmspi.h; path = libsecurity_cssm/lib/emmspi.h; sourceTree = SOURCE_ROOT; }; + 1879B4BE146DCA84007E536C /* emmtype.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = emmtype.h; path = libsecurity_cssm/lib/emmtype.h; sourceTree = SOURCE_ROOT; }; + 1879B4C1146DCA84007E536C /* oidsbase.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = oidsbase.h; path = libsecurity_cssm/lib/oidsbase.h; sourceTree = SOURCE_ROOT; }; + 1879B4C2146DCA84007E536C /* oidscert.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = oidscert.h; path = libsecurity_cssm/lib/oidscert.h; sourceTree = SOURCE_ROOT; }; + 1879B4C3146DCA84007E536C /* oidscrl.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = oidscrl.h; path = libsecurity_cssm/lib/oidscrl.h; sourceTree = SOURCE_ROOT; }; + 1879B4C4146DCA84007E536C /* x509defs.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = x509defs.h; path = 
libsecurity_cssm/lib/x509defs.h; sourceTree = SOURCE_ROOT; }; + 1879B532146DDBE5007E536C /* libsecurity_utilities.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = libsecurity_utilities.xcodeproj; path = libsecurity_utilities/libsecurity_utilities.xcodeproj; sourceTree = ""; }; + 1879B547146DE212007E536C /* libsecurity_cdsa_utils.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = libsecurity_cdsa_utils.xcodeproj; path = libsecurity_cdsa_utils/libsecurity_cdsa_utils.xcodeproj; sourceTree = ""; }; + 1879B550146DE227007E536C /* libsecurity_cdsa_utilities.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = libsecurity_cdsa_utilities.xcodeproj; path = libsecurity_cdsa_utilities/libsecurity_cdsa_utilities.xcodeproj; sourceTree = ""; }; + 1879B55D146DE244007E536C /* libsecurity_cssm.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = libsecurity_cssm.xcodeproj; path = libsecurity_cssm/libsecurity_cssm.xcodeproj; sourceTree = ""; }; + 1879B5BC146DE6C8007E536C /* libsecurity_apple_csp.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = libsecurity_apple_csp.xcodeproj; path = libsecurity_apple_csp/libsecurity_apple_csp.xcodeproj; sourceTree = ""; }; + 1879B5C9146DE6CE007E536C /* libsecurity_apple_cspdl.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = libsecurity_apple_cspdl.xcodeproj; path = libsecurity_apple_cspdl/libsecurity_apple_cspdl.xcodeproj; sourceTree = ""; }; + 1879B5D5146DE6D7007E536C /* libsecurity_apple_file_dl.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = libsecurity_apple_file_dl.xcodeproj; path = libsecurity_apple_file_dl/libsecurity_apple_file_dl.xcodeproj; sourceTree = ""; }; + 1879B5E1146DE6E7007E536C /* libsecurity_apple_x509_cl.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = 
"wrapper.pb-project"; name = libsecurity_apple_x509_cl.xcodeproj; path = libsecurity_apple_x509_cl/libsecurity_apple_x509_cl.xcodeproj; sourceTree = ""; }; + 1879B5F0146DE6FD007E536C /* libsecurity_apple_x509_tp.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = libsecurity_apple_x509_tp.xcodeproj; path = libsecurity_apple_x509_tp/libsecurity_apple_x509_tp.xcodeproj; sourceTree = ""; }; + 1879B5FC146DE704007E536C /* libsecurity_asn1.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = libsecurity_asn1.xcodeproj; path = libsecurity_asn1/libsecurity_asn1.xcodeproj; sourceTree = ""; }; + 1879B609146DE70A007E536C /* libsecurity_authorization.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = libsecurity_authorization.xcodeproj; path = libsecurity_authorization/libsecurity_authorization.xcodeproj; sourceTree = ""; }; + 1879B615146DE715007E536C /* libsecurity_cdsa_client.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = libsecurity_cdsa_client.xcodeproj; path = libsecurity_cdsa_client/libsecurity_cdsa_client.xcodeproj; sourceTree = ""; }; + 1879B621146DE720007E536C /* libsecurity_cdsa_plugin.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = libsecurity_cdsa_plugin.xcodeproj; path = libsecurity_cdsa_plugin/libsecurity_cdsa_plugin.xcodeproj; sourceTree = ""; }; + 1879B637146DE748007E536C /* libsecurity_checkpw.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = libsecurity_checkpw.xcodeproj; path = libsecurity_checkpw/libsecurity_checkpw.xcodeproj; sourceTree = ""; }; + 1879B64B146DE750007E536C /* libsecurity_cms.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = libsecurity_cms.xcodeproj; path = libsecurity_cms/libsecurity_cms.xcodeproj; sourceTree = ""; }; + 1879B657146DE756007E536C /* 
libsecurity_codesigning.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = libsecurity_codesigning.xcodeproj; path = libsecurity_codesigning/libsecurity_codesigning.xcodeproj; sourceTree = ""; }; + 1879B66D146DE75D007E536C /* libsecurity_comcryption.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = libsecurity_comcryption.xcodeproj; path = libsecurity_comcryption/libsecurity_comcryption.xcodeproj; sourceTree = ""; }; + 1879B679146DE76E007E536C /* libsecurity_cryptkit.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = libsecurity_cryptkit.xcodeproj; path = libsecurity_cryptkit/libsecurity_cryptkit.xcodeproj; sourceTree = ""; }; + 1879B694146DE797007E536C /* libsecurity_filedb.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = libsecurity_filedb.xcodeproj; path = libsecurity_filedb/libsecurity_filedb.xcodeproj; sourceTree = ""; }; + 1879B6A0146DE79F007E536C /* libsecurity_keychain.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = libsecurity_keychain.xcodeproj; path = libsecurity_keychain/libsecurity_keychain.xcodeproj; sourceTree = ""; }; + 1879B6C7146DE7D7007E536C /* libsecurity_manifest.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = libsecurity_manifest.xcodeproj; path = libsecurity_manifest/libsecurity_manifest.xcodeproj; sourceTree = ""; }; + 1879B6D3146DE7E0007E536C /* libsecurity_mds.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = libsecurity_mds.xcodeproj; path = libsecurity_mds/libsecurity_mds.xcodeproj; sourceTree = ""; }; + 1879B6DF146DE7E7007E536C /* libsecurity_ocspd.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = libsecurity_ocspd.xcodeproj; path = libsecurity_ocspd/libsecurity_ocspd.xcodeproj; sourceTree = ""; }; + 1879B6EC146DE7EE007E536C /* 
libsecurity_pkcs12.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = libsecurity_pkcs12.xcodeproj; path = libsecurity_pkcs12/libsecurity_pkcs12.xcodeproj; sourceTree = ""; }; + 1879B6F8146DE7F7007E536C /* libsecurity_sd_cspdl.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = libsecurity_sd_cspdl.xcodeproj; path = libsecurity_sd_cspdl/libsecurity_sd_cspdl.xcodeproj; sourceTree = ""; }; + 1879B712146DE825007E536C /* libsecurity_smime.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = libsecurity_smime.xcodeproj; path = libsecurity_smime/libsecurity_smime.xcodeproj; sourceTree = ""; }; + 1879B71F146DE839007E536C /* libsecurity_ssl.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = libsecurity_ssl.xcodeproj; path = libsecurity_ssl/libsecurity_ssl.xcodeproj; sourceTree = ""; }; + 1879B72B146DE844007E536C /* libsecurity_transform.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = libsecurity_transform.xcodeproj; path = libsecurity_transform/libsecurity_transform.xcodeproj; sourceTree = ""; }; + 187D6B9015D4359F00E27494 /* en */ = {isa = PBXFileReference; lastKnownFileType = text.plist.strings; name = en; path = en.lproj/authorization.buttons.strings; sourceTree = ""; }; + 187D6B9215D4359F00E27494 /* en */ = {isa = PBXFileReference; lastKnownFileType = text.plist.strings; name = en; path = en.lproj/authorization.prompts.strings; sourceTree = ""; }; + 187D6B9515D436BF00E27494 /* authorization.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = authorization.plist; sourceTree = ""; }; + 188AD8D91471FE3D0081C619 /* en */ = {isa = PBXFileReference; lastKnownFileType = text.plist.strings; name = en; path = en.lproj/FDELocalizable.strings; sourceTree = ""; }; + 188AD8DB1471FE3E0081C619 /* en */ = {isa = PBXFileReference; lastKnownFileType = 
text.plist.strings; name = en; path = en.lproj/InfoPlist.strings; sourceTree = ""; }; + 18A5493115EFD2F40059E6DC /* dummy.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = dummy.cpp; sourceTree = ""; }; + 18B647E814D9EB6300F538BF /* oidsalg.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = oidsalg.h; path = ../libsecurity_asn1/lib/oidsalg.h; sourceTree = ""; }; + 18B647EA14D9EE4300F538BF /* oidsattr.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = oidsattr.h; path = ../libsecurity_asn1/lib/oidsattr.h; sourceTree = ""; }; + 18B647EF14D9F75300F538BF /* generateErrStrings.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; name = generateErrStrings.mm; path = derived_src/generateErrStrings.mm; sourceTree = BUILT_PRODUCTS_DIR; }; + 18BBC6801471EF1600F2B224 /* security.xcconfig */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xcconfig; path = security.xcconfig; sourceTree = ""; }; + 18BBC7351471F5A300F2B224 /* SecExternalSourceTransform.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecExternalSourceTransform.h; path = libsecurity_transform/lib/SecExternalSourceTransform.h; sourceTree = SOURCE_ROOT; }; + 18BEB19614CF74C100C8BD36 /* com.apple.secd.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = com.apple.secd.plist; sourceTree = ""; }; + 18BFC44017C43393005DE6C3 /* executable.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; path = executable.xcconfig; sourceTree = ""; }; + 18CFEE8715DEE25200E3F2A3 /* com.apple.authd.sb */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = com.apple.authd.sb; sourceTree = ""; }; + 18D6803916B768D500DF6D2E /* com.apple.authd */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; 
path = com.apple.authd; sourceTree = ""; }; + 18ED4D2317270DB6003AF11B /* SecurityTests-Entitlements.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = "SecurityTests-Entitlements.plist"; sourceTree = ""; }; + 18F234EB15C9F9A600060520 /* authd.xpc */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = authd.xpc; sourceTree = BUILT_PRODUCTS_DIR; }; + 18F234F915C9FA3B00060520 /* agent.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = agent.c; sourceTree = ""; }; + 18F234FA15C9FA3B00060520 /* agent.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = agent.h; sourceTree = ""; }; + 18F234FB15C9FA3B00060520 /* authdb.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = authdb.c; sourceTree = ""; }; + 18F234FC15C9FA3B00060520 /* authdb.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = authdb.h; sourceTree = ""; }; + 18F234FD15C9FA3B00060520 /* authitems.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = authitems.c; sourceTree = ""; }; + 18F234FE15C9FA3B00060520 /* authitems.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = authitems.h; sourceTree = ""; }; + 18F234FF15C9FA3B00060520 /* authtoken.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = authtoken.c; sourceTree = ""; }; + 18F2350015C9FA3B00060520 /* authtoken.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = authtoken.h; sourceTree = ""; }; + 18F2350115C9FA3B00060520 /* authtypes.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = authtypes.h; sourceTree = ""; }; + 18F2350215C9FA3B00060520 /* authutilities.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = 
sourcecode.c.c; path = authutilities.c; sourceTree = ""; }; + 18F2350315C9FA3B00060520 /* authutilities.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = authutilities.h; sourceTree = ""; }; + 18F2350415C9FA3B00060520 /* ccaudit.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = ccaudit.c; sourceTree = ""; }; + 18F2350515C9FA3B00060520 /* ccaudit.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ccaudit.h; sourceTree = ""; }; + 18F2350615C9FA3B00060520 /* crc.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = crc.c; sourceTree = ""; }; + 18F2350715C9FA3B00060520 /* crc.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = crc.h; sourceTree = ""; }; + 18F2350815C9FA3B00060520 /* credential.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = credential.c; sourceTree = ""; }; + 18F2350915C9FA3B00060520 /* credential.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = credential.h; sourceTree = ""; }; + 18F2350A15C9FA3B00060520 /* debugging.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = debugging.c; sourceTree = ""; }; + 18F2350B15C9FA3B00060520 /* debugging.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = debugging.h; sourceTree = ""; }; + 18F2350E15C9FA3B00060520 /* en */ = {isa = PBXFileReference; lastKnownFileType = text.plist.strings; name = en; path = InfoPlist.strings; sourceTree = ""; }; + 18F2350F15C9FA3B00060520 /* engine.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = engine.c; sourceTree = ""; }; + 18F2351015C9FA3B00060520 /* engine.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = engine.h; 
sourceTree = ""; }; + 18F2351115C9FA3B00060520 /* main.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = main.c; sourceTree = ""; }; + 18F2351215C9FA3B00060520 /* mechanism.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = mechanism.c; sourceTree = ""; }; + 18F2351315C9FA3B00060520 /* mechanism.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = mechanism.h; sourceTree = ""; }; + 18F2351415C9FA3C00060520 /* object.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = object.c; sourceTree = ""; }; + 18F2351515C9FA3C00060520 /* object.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = object.h; sourceTree = ""; }; + 18F2351615C9FA3C00060520 /* process.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = process.c; sourceTree = ""; }; + 18F2351715C9FA3C00060520 /* process.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = process.h; sourceTree = ""; }; + 18F2351815C9FA3C00060520 /* rule.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = rule.c; sourceTree = ""; }; + 18F2351915C9FA3C00060520 /* rule.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = rule.h; sourceTree = ""; }; + 18F2351A15C9FA3C00060520 /* authd_private.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = authd_private.h; sourceTree = ""; }; + 18F2351B15C9FA3C00060520 /* Info.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = ""; }; + 18F2351C15C9FA3C00060520 /* security.auth-Prefix.pch */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "security.auth-Prefix.pch"; sourceTree = ""; }; + 
18F2351D15C9FA3C00060520 /* server.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = server.c; sourceTree = ""; }; + 18F2351E15C9FA3C00060520 /* server.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = server.h; sourceTree = ""; }; + 18F2351F15C9FA3C00060520 /* session.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = session.c; sourceTree = ""; }; + 18F2352015C9FA3C00060520 /* session.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = session.h; sourceTree = ""; }; + 18F235F515CA0D8100060520 /* libsecurity_cdsa_utilities.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libsecurity_cdsa_utilities.a; path = /usr/local/lib/libsecurity_cdsa_utilities.a; sourceTree = ""; }; + 18F235F715CA0D9D00060520 /* libsecurity_utilities.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libsecurity_utilities.a; path = /usr/local/lib/libsecurity_utilities.a; sourceTree = ""; }; + 18F235FC15CA0EDB00060520 /* libstdc++.6.0.9.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = "libstdc++.6.0.9.dylib"; path = "/usr/lib/libstdc++.6.0.9.dylib"; sourceTree = ""; }; + 18F2360015CAF41100060520 /* libsecurity_codesigning.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libsecurity_codesigning.a; path = /usr/local/lib/libsecurity_codesigning.a; sourceTree = ""; }; + 18FE67EA1471A3AA00A2CBE3 /* Security.framework */ = {isa = PBXFileReference; explicitFileType = wrapper.framework; includeInIndex = 0; path = Security.framework; sourceTree = BUILT_PRODUCTS_DIR; }; + 3705CACC1A896D5A00402F75 /* SecTask-Entitlements.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist; path = "SecTask-Entitlements.plist"; sourceTree = ""; }; + 3705CACD1A896DA800402F75 /* main.c */ = {isa = PBXFileReference; lastKnownFileType = 
sourcecode.c.c; path = main.c; sourceTree = ""; }; + 3705CAD21A896DE800402F75 /* SecTaskTest */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = SecTaskTest; sourceTree = BUILT_PRODUCTS_DIR; }; + 3705CADB1A896E1A00402F75 /* Security.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Security.framework; path = System/Library/Frameworks/Security.framework; sourceTree = SDKROOT; }; + 371AB2CA1A04050700A08CF2 /* teamid.sh */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.script.sh; path = teamid.sh; sourceTree = ""; }; + 37A7CEAB197DB8FA00926CE8 /* codesign_tests */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = codesign_tests; sourceTree = BUILT_PRODUCTS_DIR; }; + 37A7CEAD197DB8FA00926CE8 /* FatDynamicValidation.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = FatDynamicValidation.c; sourceTree = ""; }; + 37A7CEDB197DCDD700926CE8 /* validation.sh */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.script.sh; path = validation.sh; sourceTree = ""; }; + 37AB390F1A44A88000B56E04 /* gk_reset_check */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = gk_reset_check; sourceTree = BUILT_PRODUCTS_DIR; }; + 37AB39111A44A88000B56E04 /* gk_reset_check.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = gk_reset_check.c; sourceTree = ""; }; + 37CD05021A8A87E50053CCD0 /* CaspianTests */ = {isa = PBXFileReference; lastKnownFileType = text.script.sh; path = CaspianTests; sourceTree = ""; }; + 37CD05041A8A96DD0053CCD0 /* LocalCaspianTestRun.sh */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.script.sh; path = LocalCaspianTestRun.sh; sourceTree = ""; }; + 395E7CED16C64EA500CD82A4 /* SystemConfiguration.framework */ = {isa = PBXFileReference; lastKnownFileType = 
wrapper.framework; name = SystemConfiguration.framework; path = System/Library/Frameworks/SystemConfiguration.framework; sourceTree = SDKROOT; }; + 431B73571B27762300EB0360 /* CloudServices.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = CloudServices.framework; path = System/Library/PrivateFrameworks/CloudServices.framework; sourceTree = SDKROOT; }; + 43651E011B016BE8008C4B88 /* CrashReporterSupport.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = CrashReporterSupport.framework; path = System/Library/PrivateFrameworks/CrashReporterSupport.framework; sourceTree = SDKROOT; }; + 43A598581B0CF2AB00D14A7B /* English */ = {isa = PBXFileReference; lastKnownFileType = text.plist.strings; name = English; path = English.lproj/CloudKeychain.strings; sourceTree = ""; }; + 4469FC001AA0A56F0021AA26 /* libctkclient_test.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libctkclient_test.a; path = usr/local/lib/libctkclient_test.a; sourceTree = SDKROOT; }; + 4469FC011AA0A56F0021AA26 /* libctkclient.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libctkclient.a; path = usr/local/lib/libctkclient.a; sourceTree = SDKROOT; }; + 44B2603E18F81A6A008DF20F /* SecAccessControl.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = SecAccessControl.h; path = sec/Security/SecAccessControl.h; sourceTree = SOURCE_ROOT; }; + 44B2606918F81BFE008DF20F /* SecAccessControlPriv.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = SecAccessControlPriv.h; path = sec/Security/SecAccessControlPriv.h; sourceTree = SOURCE_ROOT; }; + 44D78B8F1A0A611C00B63C6C /* libaks_acl.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libaks_acl.a; path = usr/local/lib/libaks_acl.a; sourceTree = SDKROOT; }; + 48FDA84D1AF989F600A9366F /* SOSCloudCircleInternal.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = 
sourcecode.c.h; name = SOSCloudCircleInternal.h; path = sec/SOSCircle/SecureObjectSync/SOSCloudCircleInternal.h; sourceTree = SOURCE_ROOT; }; + 4C0F6F861985877800178101 /* SecEntitlements.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecEntitlements.h; sourceTree = ""; }; + 4C12893715FFECF3008CE3E3 /* utilities.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; path = utilities.xcodeproj; sourceTree = ""; }; + 4C2505B616D2DF9F002CE025 /* Icon.icns */ = {isa = PBXFileReference; lastKnownFileType = image.icns; path = Icon.icns; sourceTree = ""; }; + 4C328D2F1778EC4F0015EED1 /* AOSUI.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = AOSUI.framework; path = System/Library/PrivateFrameworks/AOSUI.framework; sourceTree = SDKROOT; }; + 4C49390C16E51ACE00CE110C /* com.apple.security.keychain-circle-notification.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = "com.apple.security.keychain-circle-notification.plist"; sourceTree = ""; }; + 4C5DD44217A5E31900696A79 /* KNPersistentState.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = KNPersistentState.h; sourceTree = ""; }; + 4C5DD44317A5E31900696A79 /* KNPersistentState.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = KNPersistentState.m; sourceTree = ""; }; + 4C5DD46B17A5F67300696A79 /* AppleSystemInfo.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = AppleSystemInfo.framework; path = System/Library/PrivateFrameworks/AppleSystemInfo.framework; sourceTree = SDKROOT; }; + 4C7D453B17BEE69B00DDD88F /* NSString+compactDescription.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "NSString+compactDescription.h"; sourceTree = ""; }; + 4C7D453C17BEE69B00DDD88F /* NSString+compactDescription.m */ = {isa = PBXFileReference; fileEncoding = 4; 
lastKnownFileType = sourcecode.c.objc; path = "NSString+compactDescription.m"; sourceTree = ""; }; + 4C7D456417BEE6B700DDD88F /* NSDictionary+compactDescription.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = "NSDictionary+compactDescription.h"; sourceTree = ""; }; + 4C7D456517BEE6B700DDD88F /* NSDictionary+compactDescription.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = "NSDictionary+compactDescription.m"; sourceTree = ""; }; + 4C7D456617BEE6B700DDD88F /* NSSet+compactDescription.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = "NSSet+compactDescription.h"; sourceTree = ""; }; + 4C7D456717BEE6B700DDD88F /* NSSet+compactDescription.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = "NSSet+compactDescription.m"; sourceTree = ""; }; + 4C85DED816DBD5BF00ED8D47 /* KDCirclePeer.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = KDCirclePeer.h; sourceTree = ""; }; + 4C85DED916DBD5BF00ED8D47 /* KDCirclePeer.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = KDCirclePeer.m; sourceTree = ""; }; + 4C96F73816D5372C00D3B39D /* KDSecCircle.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = KDSecCircle.h; sourceTree = ""; }; + 4C96F73916D5372C00D3B39D /* KDSecCircle.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = KDSecCircle.m; sourceTree = ""; }; + 4C96F7C116D6DF8300D3B39D /* Keychain Circle Notification.app */ = {isa = PBXFileReference; explicitFileType = wrapper.application; includeInIndex = 0; path = "Keychain Circle Notification.app"; sourceTree = BUILT_PRODUCTS_DIR; }; + 4C96F7C516D6DF8400D3B39D /* Keychain Circle Notification-Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = "Keychain Circle Notification-Info.plist"; sourceTree = ""; }; + 
4C96F7C716D6DF8400D3B39D /* en */ = {isa = PBXFileReference; lastKnownFileType = text.plist.strings; name = en; path = en.lproj/InfoPlist.strings; sourceTree = ""; }; + 4C96F7C916D6DF8400D3B39D /* main.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = main.m; sourceTree = ""; }; + 4C96F7CB16D6DF8400D3B39D /* Keychain Circle Notification-Prefix.pch */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = "Keychain Circle Notification-Prefix.pch"; sourceTree = ""; }; + 4C96F7CF16D6DF8400D3B39D /* KNAppDelegate.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = KNAppDelegate.h; sourceTree = ""; }; + 4C96F7D016D6DF8400D3B39D /* KNAppDelegate.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = KNAppDelegate.m; sourceTree = ""; }; + 4C97761D17BEB23E0002BFE4 /* AOSAccounts.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = AOSAccounts.framework; path = System/Library/PrivateFrameworks/AOSAccounts.framework; sourceTree = SDKROOT; }; + 4CB23B46169F5873003A0131 /* security2 */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = security2; sourceTree = BUILT_PRODUCTS_DIR; }; + 4CB23B4B169F5873003A0131 /* security2.1 */ = {isa = PBXFileReference; lastKnownFileType = text.man; path = security2.1; sourceTree = ""; }; + 4CB23B80169F58DE003A0131 /* security_tool_commands.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = security_tool_commands.c; sourceTree = ""; }; + 4CB23B82169F592C003A0131 /* sub_commands.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = sub_commands.h; sourceTree = ""; }; + 4CB23B91169F5CFF003A0131 /* command.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; path = command.xcconfig; sourceTree = ""; }; + 4CB86AE6167A6FF200F46643 /* SOSCircle.h */ = {isa = PBXFileReference; lastKnownFileType = 
sourcecode.c.h; name = SOSCircle.h; path = ../sec/SOSCircle/SecureObjectSync/SOSCircle.h; sourceTree = ""; }; + 4CB86AE7167A6FF200F46643 /* SOSCloudCircle.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = SOSCloudCircle.h; path = ../sec/SOSCircle/SecureObjectSync/SOSCloudCircle.h; sourceTree = ""; }; + 4CB86AED167A6FF300F46643 /* SOSPeerInfo.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = SOSPeerInfo.h; path = ../sec/SOSCircle/SecureObjectSync/SOSPeerInfo.h; sourceTree = ""; }; + 4CB9121C17750E6500C1CCCA /* entitlments.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = entitlments.plist; sourceTree = ""; }; + 4CC7A7B316CC2A84003E10C1 /* Cloud Keychain Utility.app */ = {isa = PBXFileReference; explicitFileType = wrapper.application; includeInIndex = 0; path = "Cloud Keychain Utility.app"; sourceTree = BUILT_PRODUCTS_DIR; }; + 4CC7A7B716CC2A85003E10C1 /* Keychain-Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = "Keychain-Info.plist"; sourceTree = ""; }; + 4CC7A7B916CC2A85003E10C1 /* en */ = {isa = PBXFileReference; lastKnownFileType = text.plist.strings; name = en; path = en.lproj/InfoPlist.strings; sourceTree = ""; }; + 4CC7A7BB16CC2A85003E10C1 /* main.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = main.m; sourceTree = ""; }; + 4CC7A7BD16CC2A85003E10C1 /* Keychain-Prefix.pch */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = "Keychain-Prefix.pch"; sourceTree = ""; }; + 4CC7A7BF16CC2A85003E10C1 /* en */ = {isa = PBXFileReference; lastKnownFileType = text.rtf; name = en; path = en.lproj/Credits.rtf; sourceTree = ""; }; + 4CC7A7C116CC2A85003E10C1 /* KDAppDelegate.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = KDAppDelegate.h; sourceTree = ""; }; + 4CC7A7C216CC2A85003E10C1 /* KDAppDelegate.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = 
KDAppDelegate.m; sourceTree = ""; }; + 4CC7A7F416CD95D2003E10C1 /* KDSecItems.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = KDSecItems.h; sourceTree = ""; }; + 4CC7A7F516CD95D3003E10C1 /* KDSecItems.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = KDSecItems.m; sourceTree = ""; }; + 4CD1980B16DD3BDF00A9E8FD /* NSArray+mapWithBlock.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = "NSArray+mapWithBlock.h"; path = "Keychain Circle Notification/NSArray+mapWithBlock.h"; sourceTree = SOURCE_ROOT; }; + 4CD1980C16DD3BDF00A9E8FD /* NSArray+mapWithBlock.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = "NSArray+mapWithBlock.m"; path = "Keychain Circle Notification/NSArray+mapWithBlock.m"; sourceTree = SOURCE_ROOT; }; + 4CE7EA7D1AEAF50F0067F5BD /* SecItemBackup.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecItemBackup.h; path = sec/Security/SecItemBackup.h; sourceTree = SOURCE_ROOT; }; + 4CF42BB515A3947F00ACACE1 /* Security.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Security.framework; path = System/Library/Frameworks/Security.framework; sourceTree = SDKROOT; }; + 5214700616977CB800DF0DB3 /* CloudKeychainProxy.bundle */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = CloudKeychainProxy.bundle; sourceTree = BUILT_PRODUCTS_DIR; }; + 5214700716977CB800DF0DB3 /* Cocoa.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Cocoa.framework; path = System/Library/Frameworks/Cocoa.framework; sourceTree = SDKROOT; }; + 5214700F16977CB800DF0DB3 /* CloudKeychainProxy-Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = "CloudKeychainProxy-Info.plist"; sourceTree = ""; }; + 5214701116977CB800DF0DB3 /* en */ = {isa 
= PBXFileReference; lastKnownFileType = text.plist.strings; name = en; path = en.lproj/InfoPlist.strings; sourceTree = ""; }; + 5214702416977FEC00DF0DB3 /* cloudkeychain.entitlements.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = cloudkeychain.entitlements.plist; sourceTree = ""; }; + 5214702516977FEC00DF0DB3 /* com.apple.security.cloudkeychainproxy.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = com.apple.security.cloudkeychainproxy.plist; sourceTree = ""; }; + 524492691AFD6CB70043695A /* der_plist.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = der_plist.h; path = ../utilities/src/der_plist.h; sourceTree = ""; }; + 52AEA484153C7581005AFC59 /* tsaSupportPriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = tsaSupportPriv.h; path = libsecurity_smime/lib/tsaSupportPriv.h; sourceTree = SOURCE_ROOT; }; + 52B006BF15238F76005D4556 /* TimeStampingPrefs.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = TimeStampingPrefs.plist; sourceTree = ""; }; + 52B5A9C01519330300664F11 /* tsaSupport.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = tsaSupport.h; path = libsecurity_smime/lib/tsaSupport.h; sourceTree = SOURCE_ROOT; }; + 52B5A9C11519330300664F11 /* tsaTemplates.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = tsaTemplates.h; path = libsecurity_smime/lib/tsaTemplates.h; sourceTree = SOURCE_ROOT; }; + 52C3D235169B56860091D9D3 /* ckdmain.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = ckdmain.m; path = sec/SOSCircle/CloudKeychainProxy/ckdmain.m; sourceTree = SOURCE_ROOT; }; + 52F8DDF91AF2E56600A2C271 /* SOSViews.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SOSViews.h; path = ../sec/SOSCircle/SecureObjectSync/SOSViews.h; sourceTree = 
""; }; + 52F8DE201AF2E57300A2C271 /* SOSBackupSliceKeyBag.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SOSBackupSliceKeyBag.h; path = ../sec/SOSCircle/SecureObjectSync/SOSBackupSliceKeyBag.h; sourceTree = ""; }; + 52F8DE231AF2E58B00A2C271 /* SOSForerunnerSession.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SOSForerunnerSession.h; path = ../sec/SOSCircle/SecureObjectSync/SOSForerunnerSession.h; sourceTree = ""; }; + 52F8DE4B1AF2EB6600A2C271 /* SOSTypes.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = SOSTypes.h; path = ../sec/SOSCircle/SecureObjectSync/SOSTypes.h; sourceTree = ""; }; + 5328475217850741009118DC /* en */ = {isa = PBXFileReference; lastKnownFileType = text.plist.strings; name = en; path = en.lproj/Localizable.strings; sourceTree = ""; }; + 5E27BBFA18F4103100B6C79A /* libcoreauthd_client.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libcoreauthd_client.a; path = usr/local/lib/libcoreauthd_client.a; sourceTree = SDKROOT; }; + 5E605AFB1AB859B70049FA14 /* libcoreauthd_test_client.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libcoreauthd_test_client.a; path = usr/local/lib/libcoreauthd_test_client.a; sourceTree = SDKROOT; }; + 5E7AF4721ACD64AC00005140 /* libACM.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libACM.a; path = usr/local/lib/libACM.a; sourceTree = SDKROOT; }; + 5EC01FED1B0CA7E0009FBB75 /* sec_acl_stress.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = sec_acl_stress.c; path = ../../secacltests/sec_acl_stress.c; sourceTree = ""; }; + 5EC01FF01B0CAE62009FBB75 /* LocalAuthentication.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = LocalAuthentication.framework; path = System/Library/Frameworks/LocalAuthentication.framework; sourceTree = SDKROOT; }; + 5EF7C20A1B00E25400E5E99C 
/* secacltests */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = secacltests; sourceTree = BUILT_PRODUCTS_DIR; }; + 5EF7C23A1B00E48200E5E99C /* main.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = main.c; path = ../../secacltests/main.c; sourceTree = ""; }; + 5EF7C23C1B00E48200E5E99C /* secacltests-entitlements.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; name = "secacltests-entitlements.plist"; path = "../../secacltests/secacltests-entitlements.plist"; sourceTree = ""; }; + 5EF7C23D1B00E48200E5E99C /* testlist.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = testlist.h; path = ../../secacltests/testlist.h; sourceTree = ""; }; + 721680A8179B40F600406BB4 /* main.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = main.c; sourceTree = ""; }; + 721680AA179B40F600406BB4 /* iCloudStats.1 */ = {isa = PBXFileReference; lastKnownFileType = text.man; path = iCloudStats.1; sourceTree = ""; }; + 721680BD179B4F9100406BB4 /* com.apple.iCloudStats.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = com.apple.iCloudStats.plist; sourceTree = ""; }; + 72756BFE175D485D00F52070 /* cloud_keychain_diagnose */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = cloud_keychain_diagnose; sourceTree = BUILT_PRODUCTS_DIR; }; + 72756C04175D485D00F52070 /* cloud_keychain_diagnose-Prefix.pch */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = "cloud_keychain_diagnose-Prefix.pch"; sourceTree = ""; }; + 72756C30175D48C100F52070 /* cloud_keychain_diagnose.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = cloud_keychain_diagnose.c; path = utilities/src/cloud_keychain_diagnose.c; sourceTree = SOURCE_ROOT; }; + 
AC5688BA18B4396D00F0526C /* SecCMS.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecCMS.h; path = libsecurity_smime/lib/SecCMS.h; sourceTree = SOURCE_ROOT; }; + BE48AE211ADF1DF4000836C1 /* trustd */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = trustd; sourceTree = BUILT_PRODUCTS_DIR; }; + BE48AE241ADF1FD3000836C1 /* com.apple.trustd.agent.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = com.apple.trustd.agent.plist; sourceTree = ""; }; + BE48AE261ADF2011000836C1 /* com.apple.trustd.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = com.apple.trustd.plist; sourceTree = ""; }; + BE7048911AD84C53000402D8 /* trustd-Prefix.pch */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = "trustd-Prefix.pch"; path = "trustd/trustd-Prefix.pch"; sourceTree = SOURCE_ROOT; }; + BE8C5F0916F7CE450074CF86 /* framework.sb */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = framework.sb; sourceTree = ""; }; + BE94B7A41AD83AF700A7216D /* trustd.xpc */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = trustd.xpc; sourceTree = BUILT_PRODUCTS_DIR; }; + BE94B7A51AD83AF800A7216D /* trustd-Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = "trustd-Info.plist"; sourceTree = ""; }; + BE94B7DA1AD8424700A7216D /* com.apple.trustd.asl */ = {isa = PBXFileReference; lastKnownFileType = text; name = com.apple.trustd.asl; path = ../trustd/com.apple.trustd.asl; sourceTree = ""; }; + BE94B7DB1AD8424700A7216D /* com.apple.trustd.sb */ = {isa = PBXFileReference; lastKnownFileType = text; name = com.apple.trustd.sb; path = ../trustd/com.apple.trustd.sb; sourceTree = ""; }; + BEC3A76716F79497003E5634 /* SecTaskPriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecTaskPriv.h; path = 
libsecurity_codesigning/lib/SecTaskPriv.h; sourceTree = SOURCE_ROOT; }; + BEFB63681B6834AB0052149A /* AppWorkaround.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = AppWorkaround.plist; sourceTree = ""; }; + C288A0881505795D00E773B7 /* libOpenScriptingUtil.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libOpenScriptingUtil.dylib; path = ../../../../../usr/lib/libOpenScriptingUtil.dylib; sourceTree = ""; }; + CD19A65E1A8065E900F9C276 /* Foundation.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Foundation.framework; path = System/Library/Frameworks/Foundation.framework; sourceTree = SDKROOT; }; + CD276BE31A83F204003226BC /* en */ = {isa = PBXFileReference; lastKnownFileType = text.plist.strings; name = en; path = IDSKeychainSyncingProxy/en.lproj/InfoPlist.strings; sourceTree = ""; }; + CD4F43CC1B546A1900FE3569 /* SOSPeerInfoV2.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = SOSPeerInfoV2.h; path = sec/SOSCircle/SecureObjectSync/SOSPeerInfoV2.h; sourceTree = SOURCE_ROOT; }; + CD50D6D21A841C0E00C35E74 /* com.apple.security.idskeychainsyncingproxy.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = com.apple.security.idskeychainsyncingproxy.plist; sourceTree = ""; }; + CD63ACE01A8061FA001B5671 /* IDSKeychainSyncingProxy.bundle */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = IDSKeychainSyncingProxy.bundle; sourceTree = BUILT_PRODUCTS_DIR; }; + CD63AD151A8064C2001B5671 /* idksmain.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = idksmain.m; path = ../../IDSKeychainSyncingProxy/idksmain.m; sourceTree = ""; }; + CD63AD181A8064DE001B5671 /* IDSKeychainSyncingProxy-Info.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = 
"IDSKeychainSyncingProxy-Info.plist"; sourceTree = ""; }; + CD63AD191A8064DE001B5671 /* idskeychainsyncingproxy.entitlements.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = idskeychainsyncingproxy.entitlements.plist; sourceTree = ""; }; + CD7446D8195A1CFE00FB01C0 /* IDS.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = IDS.framework; path = System/Library/PrivateFrameworks/IDS.framework; sourceTree = SDKROOT; }; + CD8B5A9C1B618ED9004D4AEF /* SOSPeerInfoPriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SOSPeerInfoPriv.h; path = ../sec/SOSCircle/SecureObjectSync/SOSPeerInfoPriv.h; sourceTree = ""; }; + CDDE9D1C1729DF250013B0E8 /* SecPasswordGenerate.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecPasswordGenerate.h; path = ../sec/Security/SecPasswordGenerate.h; sourceTree = ""; }; + CDF91EC81AAE022600E88CF7 /* com.apple.private.alloy.keychainsync.plist */ = {isa = PBXFileReference; lastKnownFileType = file.bplist; path = com.apple.private.alloy.keychainsync.plist; sourceTree = ""; }; + D41685831B3A288F001FB54E /* oids.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = oids.h; path = libsecurity_keychain/libDER/libDER/oids.h; sourceTree = SOURCE_ROOT; }; + D46E9CED1B1E5DEF00ED650E /* Base */ = {isa = PBXFileReference; lastKnownFileType = file.xib; name = Base; path = Base.lproj/MainMenu.xib; sourceTree = ""; }; + D46E9CEE1B1E5DEF00ED650E /* Base */ = {isa = PBXFileReference; lastKnownFileType = file.xib; name = Base; path = Base.lproj/MainMenu.xib; sourceTree = ""; }; + EB22F3F518A26BA50016A8EC /* bc-10-knife-on-bread.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = "bc-10-knife-on-bread.c"; path = "Breadcrumb/bc-10-knife-on-bread.c"; sourceTree = ""; }; + EB22F3F618A26BA50016A8EC /* breadcrumb_regressions.h */ = {isa = 
PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = breadcrumb_regressions.h; path = Breadcrumb/breadcrumb_regressions.h; sourceTree = ""; }; + EB22F3F718A26BA50016A8EC /* SecBreadcrumb.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = SecBreadcrumb.c; path = Breadcrumb/SecBreadcrumb.c; sourceTree = ""; }; + EB22F3F818A26BA50016A8EC /* SecBreadcrumb.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecBreadcrumb.h; path = Breadcrumb/SecBreadcrumb.h; sourceTree = ""; }; + EBD8B52718A55668004A650F /* README */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; name = README; path = Breadcrumb/README; sourceTree = ""; }; + F93C493D1AB8FF670047E01A /* ckcdiagnose.sh */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.script.sh; path = ckcdiagnose.sh; sourceTree = ""; }; +/* End PBXFileReference section */ + +/* Begin PBXFrameworksBuildPhase section */ + 0C6C630815D193C800BC68CD /* Frameworks */ = { + isa = PBXFrameworksBuildPhase; + buildActionMask = 2147483647; + files = ( + 18CD682717272EBC005345FB /* libaks.a in Frameworks */, + 0CCEBDB416C2D026001BD7F6 /* libregressions.a in Frameworks */, + 52669053169D181900ED8231 /* Security.framework in Frameworks */, + 0C6C633015D19FF500BC68CD /* CoreFoundation.framework in Frameworks */, + 0C6C632A15D1989900BC68CD /* libsecurity_ssl_regressions.a in Frameworks */, + 0CAA7AB516C9A72A00A32C6D /* libsecurity_keychain_regressions.a in Frameworks */, + ACB6171918B5231800EBEDD7 /* libsecurity_smime_regressions.a in Frameworks */, + 18CD684E17272EE2005345FB /* IOKit.framework in Frameworks */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 0CC3351B16C1ED8000399E53 /* Frameworks */ = { + isa = PBXFrameworksBuildPhase; + buildActionMask = 2147483647; + files = ( + 5E7AF49B1ACD64E600005140 /* libACM.a in Frameworks */, + 5E605AFC1AB859B70049FA14 /* libcoreauthd_test_client.a in 
Frameworks */, + 44D78BB91A0A615800B63C6C /* libaks_acl.a in Frameworks */, + 187A05B1170393FF0038C158 /* libaks.a in Frameworks */, + 18363C1417026084002D5C1C /* IOKit.framework in Frameworks */, + 39BFB04516D304DE0022564B /* SystemConfiguration.framework in Frameworks */, + 0CC3351E16C1ED8000399E53 /* libDER.a in Frameworks */, + 0C10987616CAAE8200803B8F /* libASN1.a in Frameworks */, + 0CC3356316C1EFBE00399E53 /* libregressions.a in Frameworks */, + 0CC3351F16C1ED8000399E53 /* libSecItemShimOSX.a in Frameworks */, + 0CC3352016C1ED8000399E53 /* libutilities.a in Frameworks */, + 0CC3351C16C1ED8000399E53 /* libsecurity.a in Frameworks */, + 0CCEBDB616C2E431001BD7F6 /* libsecurityd.a in Frameworks */, + 0CC3352616C1ED8000399E53 /* libsecipc_client.a in Frameworks */, + 0CC3352716C1ED8000399E53 /* libSecureObjectSync.a in Frameworks */, + 0CCEBDB816C2E6CE001BD7F6 /* libsqlite3.dylib in Frameworks */, + 0CC3352416C1ED8000399E53 /* CoreFoundation.framework in Frameworks */, + 0CCEBDB716C2E6B0001BD7F6 /* CFNetwork.framework in Frameworks */, + 4469FC291AA0A5AF0021AA26 /* libctkclient_test.a in Frameworks */, + 0CC3352316C1ED8000399E53 /* libSOSRegressions.a in Frameworks */, + 0CCEBDBB16C30924001BD7F6 /* libutilitiesRegressions.a in Frameworks */, + 0C4EAE7717668DDF00773425 /* libsecdRegressions.a in Frameworks */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 18073847146D0D4E00F05C24 /* Frameworks */ = { + isa = PBXFrameworksBuildPhase; + buildActionMask = 2147483647; + files = ( + 0CC2CB101B6A04D80074B0F2 /* libDiagnosticMessagesClient.dylib in Frameworks */, + 44D78BB81A0A615500B63C6C /* libaks_acl.a in Frameworks */, + 44F7912019FFED88008B8147 /* libcoreauthd_client.a in Frameworks */, + BE8D22C01ABB74C3009A4E18 /* libSecTrustOSX.a in Frameworks */, + 5241C60D16DC1BA100DB5C6F /* libSecOtrOSX.a in Frameworks */, + 5208C0D716A0C96F0062DDC5 /* libSecureObjectSync.a in Frameworks */, + 44A655A71AA4B4F30059D185 /* libctkclient.a in Frameworks */, + 
1885B45214D9AB8100519375 /* libASN1.a in Frameworks */, + 18270F6114CF656E00B05E7F /* libsecipc_client.a in Frameworks */, + 182BB5BA146FF0BF000BF1F3 /* libbsm.dylib in Frameworks */, + 182BB5B8146FF0A2000BF1F3 /* libobjc.dylib in Frameworks */, + 182BB5B6146FF090000BF1F3 /* libauto.dylib in Frameworks */, + 182BB5B4146FF04C000BF1F3 /* libxar.dylib in Frameworks */, + 182BB5B2146FF039000BF1F3 /* libz.dylib in Frameworks */, + 182BB5AE146FEF43000BF1F3 /* libsqlite3.dylib in Frameworks */, + 182BB5AC146FEF15000BF1F3 /* libpam.dylib in Frameworks */, + 182BB5AA146FEE50000BF1F3 /* CoreFoundation.framework in Frameworks */, + 7A21DAE619B7F27C0007D37F /* IOKit.framework in Frameworks */, + 182BB4E1146F2591000BF1F3 /* libsecurity_manifest.a in Frameworks */, + 182BB4E2146F2591000BF1F3 /* libsecurity_mds.a in Frameworks */, + 182BB4E3146F2591000BF1F3 /* libsecurity_sd_cspdl.a in Frameworks */, + 182BB4E4146F2591000BF1F3 /* libsecurity_smime.a in Frameworks */, + 182BB4E5146F2591000BF1F3 /* libsecurity_ssl.a in Frameworks */, + 182BB41B146F2533000BF1F3 /* libsecurity_apple_csp.a in Frameworks */, + 182BB41C146F2533000BF1F3 /* libsecurity_apple_cspdl.a in Frameworks */, + 182BB41D146F2533000BF1F3 /* libsecurity_apple_file_dl.a in Frameworks */, + 182BB41E146F2533000BF1F3 /* libsecurity_apple_x509_cl.a in Frameworks */, + 182BB41F146F2533000BF1F3 /* libsecurity_apple_x509_tp.a in Frameworks */, + 182BB421146F2533000BF1F3 /* libsecurity_authorization.a in Frameworks */, + 182BB422146F2533000BF1F3 /* libsecurity_cdsa_client.a in Frameworks */, + 182BB423146F2533000BF1F3 /* libsecurity_cdsa_utilities.a in Frameworks */, + 182BB424146F2533000BF1F3 /* libsecurity_checkpw.a in Frameworks */, + 182BB425146F2533000BF1F3 /* libsecurity_cms.a in Frameworks */, + 182BB5BB146FF62F000BF1F3 /* libsecurity_comcryption.a in Frameworks */, + 182BB426146F2533000BF1F3 /* libsecurity_codesigning.a in Frameworks */, + 182BB428146F2533000BF1F3 /* libsecurity_cryptkit.a in Frameworks */, + 
182BB429146F2533000BF1F3 /* libsecurity_filedb.a in Frameworks */, + 182BB42A146F2533000BF1F3 /* libsecurity_keychain.a in Frameworks */, + 182BB42B146F2533000BF1F3 /* libsecurity_ocspd.a in Frameworks */, + 182BB42C146F2533000BF1F3 /* libsecurity_pkcs12.a in Frameworks */, + 182BB42D146F2533000BF1F3 /* libsecurity_transform.a in Frameworks */, + 182BB42E146F2533000BF1F3 /* libsecurityd_client.a in Frameworks */, + 18446083146DF58B00B12992 /* libsecurity_cdsa_plugin.a in Frameworks */, + 1879B571146DE2FF007E536C /* libsecurity_cssm.a in Frameworks */, + 1879B546146DE192007E536C /* libsecurity_utilities.a in Frameworks */, + 1879B570146DE2E6007E536C /* libsecurity_cdsa_utils.a in Frameworks */, + C288A0891505796F00E773B7 /* libOpenScriptingUtil.dylib in Frameworks */, + E76079D61951FDAF00F69731 /* liblogging.a in Frameworks */, + 18AD56A414CDE7BE008233F2 /* libSecItemShimOSX.a in Frameworks */, + C2407A1B1B30BBF30067E6AE /* libutilities.a in Frameworks */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 18270ED314CF282600B05E7F /* Frameworks */ = { + isa = PBXFrameworksBuildPhase; + buildActionMask = 2147483647; + files = ( + 5E7AF4731ACD64AC00005140 /* libACM.a in Frameworks */, + 44D78BBB1A0A617700B63C6C /* libcoreauthd_client.a in Frameworks */, + 189757871700CF4C00672567 /* libaks.a in Frameworks */, + 395E7CEE16C64EA500CD82A4 /* SystemConfiguration.framework in Frameworks */, + 5208BF4F16A0993C0062DDC5 /* libsecurity.a in Frameworks */, + AAF3DCCB1666D03300376593 /* libsecurity_utilities.a in Frameworks */, + 4C7D8765160A74C400D041E3 /* libutilities.a in Frameworks */, + 44D78BBA1A0A616200B63C6C /* libaks_acl.a in Frameworks */, + 18F2360115CAF41200060520 /* libsecurity_codesigning.a in Frameworks */, + 1831329B14EB2C6D00F0BCAC /* libASN1.a in Frameworks */, + 1831329C14EB2C6D00F0BCAC /* libDER.a in Frameworks */, + 18270EFE14CF429600B05E7F /* IOKit.framework in Frameworks */, + 18270EFA14CF426200B05E7F /* libsqlite3.dylib in Frameworks */, + 
18270EF914CF425100B05E7F /* libbsm.dylib in Frameworks */, + 18270EE814CF294500B05E7F /* libsecurityd.a in Frameworks */, + 4C01DF14164C3E7C006798CD /* libSecureObjectSync.a in Frameworks */, + 44A655CF1AA4B4F50059D185 /* libctkclient.a in Frameworks */, + 4C8D8651177A752D0019A804 /* libsecipc_client.a in Frameworks */, + 18270EF814CF424900B05E7F /* CoreFoundation.framework in Frameworks */, + 18270EFC14CF427800B05E7F /* CFNetwork.framework in Frameworks */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 182BB565146F4DCA000BF1F3 /* Frameworks */ = { + isa = PBXFrameworksBuildPhase; + buildActionMask = 2147483647; + files = ( + 182BB592146FE1D7000BF1F3 /* CoreFoundation.framework in Frameworks */, + 182BB591146FE12F000BF1F3 /* libsecurity_utilities.a in Frameworks */, + 182BB590146FE125000BF1F3 /* libsecurity_cdsa_utilities.a in Frameworks */, + 182BB589146FE013000BF1F3 /* libsecurity_codesigning.a in Frameworks */, + 529E948D169E29470000AC9B /* Security.framework in Frameworks */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 18F234E815C9F9A600060520 /* Frameworks */ = { + isa = PBXFrameworksBuildPhase; + buildActionMask = 2147483647; + files = ( + 18F2353815C9FDEF00060520 /* libsqlite3.dylib in Frameworks */, + 18F2353715C9FDE400060520 /* libbsm.dylib in Frameworks */, + 18F2353615C9FDD200060520 /* Security.framework in Frameworks */, + 18F2353515C9FDB700060520 /* CoreFoundation.framework in Frameworks */, + 187D6B9815D4476D00E27494 /* IOKit.framework in Frameworks */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 3705CACF1A896DE800402F75 /* Frameworks */ = { + isa = PBXFrameworksBuildPhase; + buildActionMask = 2147483647; + files = ( + 3792614F1A89771A008ADD3C /* Security.framework in Frameworks */, + 3705CADA1A896E0F00402F75 /* CoreFoundation.framework in Frameworks */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 37A7CEA8197DB8FA00926CE8 /* Frameworks */ = { + isa = PBXFrameworksBuildPhase; + buildActionMask = 2147483647; + files 
= ( + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 37AB390C1A44A88000B56E04 /* Frameworks */ = { + isa = PBXFrameworksBuildPhase; + buildActionMask = 2147483647; + files = ( + 37AB393D1A44A8C300B56E04 /* CoreFoundation.framework in Frameworks */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 4C96F7BE16D6DF8300D3B39D /* Frameworks */ = { + isa = PBXFrameworksBuildPhase; + buildActionMask = 2147483647; + files = ( + 4C97761E17BEB23E0002BFE4 /* AOSAccounts.framework in Frameworks */, + 4C5DD46C17A5F67300696A79 /* AppleSystemInfo.framework in Frameworks */, + 4C328D301778EC4F0015EED1 /* AOSUI.framework in Frameworks */, + 43651E021B016BE8008C4B88 /* CrashReporterSupport.framework in Frameworks */, + 4CAEACCD16D6FC7600263776 /* Security.framework in Frameworks */, + 4C96F7C216D6DF8400D3B39D /* Cocoa.framework in Frameworks */, + 431B737F1B27762C00EB0360 /* CloudServices.framework in Frameworks */, + 431B73C11B2777A200EB0360 /* libutilities.a in Frameworks */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 4CB23B43169F5873003A0131 /* Frameworks */ = { + isa = PBXFrameworksBuildPhase; + buildActionMask = 2147483647; + files = ( + 44D78BB71A0A613900B63C6C /* libaks_acl.a in Frameworks */, + 52CD052316A0E24900218387 /* Security.framework in Frameworks */, + 432800841B4CE731002E8525 /* libaks.a in Frameworks */, + 4CB23B8C169F59AD003A0131 /* libutilities.a in Frameworks */, + 4CB23B8A169F599A003A0131 /* libSecurityCommands.a in Frameworks */, + 4CB23B8B169F599A003A0131 /* libSOSCommands.a in Frameworks */, + 4CB23B89169F5990003A0131 /* libSecurityTool.a in Frameworks */, + 4CB23B47169F5873003A0131 /* CoreFoundation.framework in Frameworks */, + 43C3B2681AFD5B4800786702 /* IOKit.framework in Frameworks */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 4CC7A7B016CC2A84003E10C1 /* Frameworks */ = { + isa = PBXFrameworksBuildPhase; + buildActionMask = 2147483647; + files = ( + 4381B9A91B28C6B2002BBC79 /* CloudServices.framework in Frameworks */, + 
43C3B35A1AFD5E1800786702 /* CoreFoundation.framework in Frameworks */, + 4CC7A7B416CC2A85003E10C1 /* Cocoa.framework in Frameworks */, + 43C3B0D51AFD56B700786702 /* Security.framework in Frameworks */, + 4381B9AA1B28E09F002BBC79 /* libutilities.a in Frameworks */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 5214700316977CB800DF0DB3 /* Frameworks */ = { + isa = PBXFrameworksBuildPhase; + buildActionMask = 2147483647; + files = ( + CD7446D9195A1CFE00FB01C0 /* IDS.framework in Frameworks */, + 5214701E16977DA700DF0DB3 /* libCloudKeychainProxy.a in Frameworks */, + 5214701D16977D9500DF0DB3 /* libutilities.a in Frameworks */, + 529E948C169E29450000AC9B /* Security.framework in Frameworks */, + 0C4EAE4C1766864F00773425 /* libaks.a in Frameworks */, + 0C4EAE761766875E00773425 /* IOKit.framework in Frameworks */, + 43C3B2C61AFD5BBB00786702 /* Foundation.framework in Frameworks */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 5EF7C2071B00E25400E5E99C /* Frameworks */ = { + isa = PBXFrameworksBuildPhase; + buildActionMask = 2147483647; + files = ( + 5EF7C2521B00EB0A00E5E99C /* libaks.a in Frameworks */, + 5EF7C2511B00EAF100E5E99C /* libcoreauthd_client.a in Frameworks */, + 5EF7C2501B00EA7A00E5E99C /* libACM.a in Frameworks */, + 5EF7C24F1B00EA5200E5E99C /* libaks_acl.a in Frameworks */, + 4328FE9B1B4CDBA5002E8525 /* CoreFoundation.framework in Frameworks */, + 4328FED11B4CDC11002E8525 /* SystemConfiguration.framework in Frameworks */, + 5EF7C24E1B00E80000E5E99C /* libutilities.a in Frameworks */, + 5EF7C24C1B00E76F00E5E99C /* libSecureObjectSync.a in Frameworks */, + 5EF7C24B1B00E71D00E5E99C /* libsecurity.a in Frameworks */, + 5ED88B451B0DE63E00F3B047 /* libsecurityd.a in Frameworks */, + 5EF7C2401B00E4C300E5E99C /* libregressions.a in Frameworks */, + 5EFB69BD1B0CBE030095A36E /* libDER.a in Frameworks */, + 5EFB69C31B0CC16F0095A36E /* libsecipc_client.a in Frameworks */, + 5EF7C24A1B00E6E300E5E99C /* Security.framework in Frameworks */, + 
438166AB1B4EC98000C54D58 /* libctkclient.a in Frameworks */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 72756BFB175D485D00F52070 /* Frameworks */ = { + isa = PBXFrameworksBuildPhase; + buildActionMask = 2147483647; + files = ( + 43C3B0D41AFD569600786702 /* Security.framework in Frameworks */, + 43C3B3311AFD5E1100786702 /* CoreFoundation.framework in Frameworks */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + BE48AE041ADF1DF4000836C1 /* Frameworks */ = { + isa = PBXFrameworksBuildPhase; + buildActionMask = 2147483647; + files = ( + BE48AE051ADF1DF4000836C1 /* libACM.a in Frameworks */, + BE48AE061ADF1DF4000836C1 /* libcoreauthd_client.a in Frameworks */, + BE48AE071ADF1DF4000836C1 /* libaks.a in Frameworks */, + BE48AE081ADF1DF4000836C1 /* SystemConfiguration.framework in Frameworks */, + BE48AE091ADF1DF4000836C1 /* libsecurity.a in Frameworks */, + BE48AE0A1ADF1DF4000836C1 /* libsecurity_utilities.a in Frameworks */, + BE48AE0B1ADF1DF4000836C1 /* libutilities.a in Frameworks */, + BE48AE0C1ADF1DF4000836C1 /* libaks_acl.a in Frameworks */, + BE48AE0D1ADF1DF4000836C1 /* libsecurity_codesigning.a in Frameworks */, + BE48AE0E1ADF1DF4000836C1 /* libASN1.a in Frameworks */, + BE48AE0F1ADF1DF4000836C1 /* libDER.a in Frameworks */, + BE48AE101ADF1DF4000836C1 /* IOKit.framework in Frameworks */, + BE48AE111ADF1DF4000836C1 /* libsqlite3.dylib in Frameworks */, + BE48AE121ADF1DF4000836C1 /* libbsm.dylib in Frameworks */, + BE48AE131ADF1DF4000836C1 /* libsecurityd.a in Frameworks */, + BE48AE141ADF1DF4000836C1 /* libSecureObjectSync.a in Frameworks */, + BE48AE151ADF1DF4000836C1 /* libctkclient.a in Frameworks */, + BE48AE161ADF1DF4000836C1 /* libsecipc_client.a in Frameworks */, + BE48AE171ADF1DF4000836C1 /* CoreFoundation.framework in Frameworks */, + BE48AE181ADF1DF4000836C1 /* CFNetwork.framework in Frameworks */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + BE94B7931AD83AF700A7216D /* Frameworks */ = { + isa = PBXFrameworksBuildPhase; + 
buildActionMask = 2147483647; + files = ( + BE60737A1ADC9E89007FECC1 /* libACM.a in Frameworks */, + BE607DC61AD8673C001B7778 /* libcoreauthd_client.a in Frameworks */, + BE9703F71AD865540041D253 /* libaks.a in Frameworks */, + BE6073A61ADC9F7A007FECC1 /* SystemConfiguration.framework in Frameworks */, + BE607DC71AD86746001B7778 /* libaks_acl.a in Frameworks */, + BE6073A51ADC9F1C007FECC1 /* libctkclient.a in Frameworks */, + BE94B7D41AD83D0D00A7216D /* libsecurity.a in Frameworks */, + BE94B7D51AD83D2B00A7216D /* libutilities.a in Frameworks */, + BE94B7D21AD83D0D00A7216D /* libSecTrustOSX.a in Frameworks */, + BE2C05151AD893DF00D6A139 /* libsecurity_codesigning.a in Frameworks */, + BE607DC81AD86859001B7778 /* libASN1.a in Frameworks */, + BE607DC91AD8685B001B7778 /* libDER.a in Frameworks */, + BE94B7981AD83AF700A7216D /* IOKit.framework in Frameworks */, + BE94B7941AD83AF700A7216D /* libsqlite3.dylib in Frameworks */, + BE94B7951AD83AF700A7216D /* libbsm.dylib in Frameworks */, + BE94B7D81AD83D6A00A7216D /* libsecurityd.a in Frameworks */, + BE94B7F01AD8457200A7216D /* libSecureObjectSync.a in Frameworks */, + BE94B7D01AD83D0D00A7216D /* libsecipc_client.a in Frameworks */, + BE94B7971AD83AF700A7216D /* CoreFoundation.framework in Frameworks */, + BE6073A71ADC9F88007FECC1 /* CFNetwork.framework in Frameworks */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + CD63ACDD1A8061FA001B5671 /* Frameworks */ = { + isa = PBXFrameworksBuildPhase; + buildActionMask = 2147483647; + files = ( + CD0CB49E1A818A0D00C058A4 /* Security.framework in Frameworks */, + CD2E85F61A81793B00F8B00A /* IDS.framework in Frameworks */, + CD19A65F1A8065E900F9C276 /* Foundation.framework in Frameworks */, + CD19A65D1A8065DC00F9C276 /* libutilities.a in Frameworks */, + 432800831B4CE730002E8525 /* libaks.a in Frameworks */, + CD0637581A840B5B00C81E74 /* IOKit.framework in Frameworks */, + CD19A6611A8069D100F9C276 /* libIDSKeychainSyncingProxy.a in Frameworks */, + ); + 
runOnlyForDeploymentPostprocessing = 0; + }; +/* End PBXFrameworksBuildPhase section */ + +/* Begin PBXGroup section */ + 0C6C630D15D193C800BC68CD /* sectests */ = { + isa = PBXGroup; + children = ( + 18ED4D2317270DB6003AF11B /* SecurityTests-Entitlements.plist */, + 0C6C630E15D193C800BC68CD /* main.c */, + 0C6C632415D1964200BC68CD /* testlist.h */, + ); + path = sectests; + sourceTree = ""; + }; + 0C6D0063177B54A70095D167 /* asl */ = { + isa = PBXGroup; + children = ( + 0C6D0064177B54C60095D167 /* com.apple.securityd */, + ); + name = asl; + path = lib; + sourceTree = ""; + }; + 0C6D77DF15C8C06500BB4405 /* Products */ = { + isa = PBXGroup; + children = ( + E7421C7E1ADC8E0D005FC1C0 /* tlsnke.kext */, + 0C6D77EB15C8C06600BB4405 /* tlsnketest */, + 0C6D77ED15C8C06600BB4405 /* libtlssocket.a */, + ); + name = Products; + sourceTree = ""; + }; + 0C6D77EE15C8C07C00BB4405 /* tlsnke */ = { + isa = PBXGroup; + children = ( + 0C6D77DE15C8C06500BB4405 /* tlsnke.xcodeproj */, + ); + name = tlsnke; + sourceTree = ""; + }; + 0CC1228A19C75B8F00D23178 /* shared_regressions */ = { + isa = PBXGroup; + children = ( + 0CC1228B19C75B9000D23178 /* shared_regressions.h */, + ); + path = shared_regressions; + sourceTree = ""; + }; + 0CC3355516C1EEAD00399E53 /* secdtests */ = { + isa = PBXGroup; + children = ( + 0CC3355716C1EEE700399E53 /* main.c */, + 0CC3355816C1EEE700399E53 /* testlist.h */, + ); + name = secdtests; + sourceTree = ""; + }; + 0CC3355C16C1EF5D00399E53 /* Products */ = { + isa = PBXGroup; + children = ( + 0CC3356016C1EF5D00399E53 /* libregressions.a */, + ); + name = Products; + sourceTree = ""; + }; + 1807383F146D0D4E00F05C24 = { + isa = PBXGroup; + children = ( + F93C493C1AB8FF670047E01A /* ckcdiagnose */, + CD276BE21A83F204003226BC /* InfoPlist.strings */, + EB22F3CE18A26B640016A8EC /* Breadcrumb */, + 0C6D0063177B54A70095D167 /* asl */, + 4C1288F615FFECF2008CE3E3 /* utilities */, + 18073854146D0D4E00F05C24 /* lib */, + 181EA3D0146D1ED200A6D320 /* libsecurity */, + 
186CDD0314CA10E700AF9171 /* sec */, + 186CDE7914CA3A3800AF9171 /* secd */, + 4C0F6FAF1985879300178101 /* sectask */, + 0CC1228A19C75B8F00D23178 /* shared_regressions */, + 0C6D77EE15C8C07C00BB4405 /* tlsnke */, + 181EA421146D4A2A00A6D320 /* config */, + 0CC3355516C1EEAD00399E53 /* secdtests */, + 0C6C630D15D193C800BC68CD /* sectests */, + 18F234ED15C9F9A700060520 /* authd */, + BE94B7D91AD8421F00A7216D /* trustd */, + 5214700D16977CB800DF0DB3 /* CloudKeychainProxy */, + 4CB23B48169F5873003A0131 /* security2 */, + 4CC7A7B516CC2A85003E10C1 /* KeychainDemoApp */, + 4C96F7C316D6DF8400D3B39D /* Keychain Circle Notification */, + 72756C00175D485D00F52070 /* cloud_keychain_diagnose */, + 721680A7179B40F600406BB4 /* iCloudStats */, + 37A7CEAC197DB8FA00926CE8 /* codesign_tests */, + 37AB39101A44A88000B56E04 /* gk_reset_check */, + CD63ACE11A8061FA001B5671 /* IDSKeychainSyncingProxy */, + 5EF7C20B1B00E25400E5E99C /* secacltests */, + 1807384D146D0D4E00F05C24 /* Frameworks */, + 1807384C146D0D4E00F05C24 /* Products */, + ); + sourceTree = ""; + }; + 1807384C146D0D4E00F05C24 /* Products */ = { + isa = PBXGroup; + children = ( + 1807384B146D0D4E00F05C24 /* Security.framework */, + 182BB568146F4DCA000BF1F3 /* csparser.bundle */, + 18FE67EA1471A3AA00A2CBE3 /* Security.framework */, + 18270ED614CF282600B05E7F /* secd */, + 0C6C630B15D193C800BC68CD /* sectests */, + 18F234EB15C9F9A600060520 /* authd.xpc */, + 5214700616977CB800DF0DB3 /* CloudKeychainProxy.bundle */, + 4CB23B46169F5873003A0131 /* security2 */, + 0CC3352D16C1ED8000399E53 /* secdtests */, + 4CC7A7B316CC2A84003E10C1 /* Cloud Keychain Utility.app */, + 4C96F7C116D6DF8300D3B39D /* Keychain Circle Notification.app */, + 72756BFE175D485D00F52070 /* cloud_keychain_diagnose */, + 37A7CEAB197DB8FA00926CE8 /* codesign_tests */, + 37AB390F1A44A88000B56E04 /* gk_reset_check */, + CD63ACE01A8061FA001B5671 /* IDSKeychainSyncingProxy.bundle */, + 3705CAD21A896DE800402F75 /* SecTaskTest */, + 5EF7C20A1B00E25400E5E99C /* secacltests 
*/, + BE94B7A41AD83AF700A7216D /* trustd.xpc */, + BE48AE211ADF1DF4000836C1 /* trustd */, + ); + name = Products; + sourceTree = ""; + }; + 1807384D146D0D4E00F05C24 /* Frameworks */ = { + isa = PBXGroup; + children = ( + 4C97761D17BEB23E0002BFE4 /* AOSAccounts.framework */, + 4C328D2F1778EC4F0015EED1 /* AOSUI.framework */, + 4C5DD46B17A5F67300696A79 /* AppleSystemInfo.framework */, + 18270EFB14CF427800B05E7F /* CFNetwork.framework */, + 0CC2CB0F1B6A04D80074B0F2 /* libDiagnosticMessagesClient.dylib */, + 431B73571B27762300EB0360 /* CloudServices.framework */, + 5214700716977CB800DF0DB3 /* Cocoa.framework */, + 182BB569146F4DCA000BF1F3 /* CoreFoundation.framework */, + 43651E011B016BE8008C4B88 /* CrashReporterSupport.framework */, + CD19A65E1A8065E900F9C276 /* Foundation.framework */, + CD7446D8195A1CFE00FB01C0 /* IDS.framework */, + 18270EFD14CF429600B05E7F /* IOKit.framework */, + 5E7AF4721ACD64AC00005140 /* libACM.a */, + 44D78B8F1A0A611C00B63C6C /* libaks_acl.a */, + 18752C1D16F2837A004E2799 /* libaks.a */, + 182BB593146FE1ED000BF1F3 /* libantlr2c++.a */, + 1831329914EB2C6D00F0BCAC /* libASN1.a */, + 182BB5B5146FF08F000BF1F3 /* libauto.dylib */, + 182BB5B9146FF0BE000BF1F3 /* libbsm.dylib */, + 5E27BBFA18F4103100B6C79A /* libcoreauthd_client.a */, + 5E605AFB1AB859B70049FA14 /* libcoreauthd_test_client.a */, + 18270EFF14CF42CA00B05E7F /* libcorecrypto.a */, + 4469FC001AA0A56F0021AA26 /* libctkclient_test.a */, + 4469FC011AA0A56F0021AA26 /* libctkclient.a */, + 1831329A14EB2C6D00F0BCAC /* libDER.a */, + 182BB5B7146FF0A1000BF1F3 /* libobjc.dylib */, + C288A0881505795D00E773B7 /* libOpenScriptingUtil.dylib */, + 182BB5AB146FEF14000BF1F3 /* libpam.dylib */, + 18F235F515CA0D8100060520 /* libsecurity_cdsa_utilities.a */, + 18F2360015CAF41100060520 /* libsecurity_codesigning.a */, + 18F235F715CA0D9D00060520 /* libsecurity_utilities.a */, + 182BB5AD146FEF43000BF1F3 /* libsqlite3.dylib */, + 18F235FC15CA0EDB00060520 /* libstdc++.6.0.9.dylib */, + 182BB5B3146FF04C000BF1F3 /* 
libxar.dylib */, + 182BB5B1146FF039000BF1F3 /* libz.dylib */, + 5EC01FF01B0CAE62009FBB75 /* LocalAuthentication.framework */, + 4CF42BB515A3947F00ACACE1 /* Security.framework */, + 395E7CED16C64EA500CD82A4 /* SystemConfiguration.framework */, + ); + name = Frameworks; + sourceTree = ""; + }; + 18073854146D0D4E00F05C24 /* lib */ = { + isa = PBXGroup; + children = ( + 1879B4A6146DC971007E536C /* Headers */, + 1879B4A7146DC999007E536C /* PrivateHeaders */, + 182BB228146F0674000BF1F3 /* Resources */, + 18073855146D0D4E00F05C24 /* Supporting Files */, + 182BB555146F450F000BF1F3 /* plugins */, + 182BB5A9146FEB27000BF1F3 /* derived_src */, + 18A5493115EFD2F40059E6DC /* dummy.cpp */, + ); + path = lib; + sourceTree = ""; + }; + 18073855146D0D4E00F05C24 /* Supporting Files */ = { + isa = PBXGroup; + children = ( + 182BB562146F4C73000BF1F3 /* security.exp-in */, + 182BB55D146F4544000BF1F3 /* generateErrStrings.pl */, + 182BB55E146F4544000BF1F3 /* Security.order */, + 18073856146D0D4E00F05C24 /* Info-Security.plist */, + ); + name = "Supporting Files"; + sourceTree = ""; + }; + 181EA3D0146D1ED200A6D320 /* libsecurity */ = { + isa = PBXGroup; + children = ( + 1879B532146DDBE5007E536C /* libsecurity_utilities.xcodeproj */, + 1879B547146DE212007E536C /* libsecurity_cdsa_utils.xcodeproj */, + 1879B550146DE227007E536C /* libsecurity_cdsa_utilities.xcodeproj */, + 1879B55D146DE244007E536C /* libsecurity_cssm.xcodeproj */, + 1879B5BC146DE6C8007E536C /* libsecurity_apple_csp.xcodeproj */, + 1879B5C9146DE6CE007E536C /* libsecurity_apple_cspdl.xcodeproj */, + 1879B5D5146DE6D7007E536C /* libsecurity_apple_file_dl.xcodeproj */, + 1879B5E1146DE6E7007E536C /* libsecurity_apple_x509_cl.xcodeproj */, + 1879B5F0146DE6FD007E536C /* libsecurity_apple_x509_tp.xcodeproj */, + 1879B5FC146DE704007E536C /* libsecurity_asn1.xcodeproj */, + 1879B609146DE70A007E536C /* libsecurity_authorization.xcodeproj */, + 1879B615146DE715007E536C /* libsecurity_cdsa_client.xcodeproj */, + 1879B621146DE720007E536C 
/* libsecurity_cdsa_plugin.xcodeproj */, + 1879B637146DE748007E536C /* libsecurity_checkpw.xcodeproj */, + 1879B64B146DE750007E536C /* libsecurity_cms.xcodeproj */, + 1879B657146DE756007E536C /* libsecurity_codesigning.xcodeproj */, + 1879B66D146DE75D007E536C /* libsecurity_comcryption.xcodeproj */, + 1879B679146DE76E007E536C /* libsecurity_cryptkit.xcodeproj */, + 1879B694146DE797007E536C /* libsecurity_filedb.xcodeproj */, + 1879B6A0146DE79F007E536C /* libsecurity_keychain.xcodeproj */, + 1879B6C7146DE7D7007E536C /* libsecurity_manifest.xcodeproj */, + 1879B6D3146DE7E0007E536C /* libsecurity_mds.xcodeproj */, + 1879B71F146DE839007E536C /* libsecurity_ssl.xcodeproj */, + 1879B712146DE825007E536C /* libsecurity_smime.xcodeproj */, + 1879B72B146DE844007E536C /* libsecurity_transform.xcodeproj */, + 1879B6DF146DE7E7007E536C /* libsecurity_ocspd.xcodeproj */, + 1879B6F8146DE7F7007E536C /* libsecurity_sd_cspdl.xcodeproj */, + 1879B6EC146DE7EE007E536C /* libsecurity_pkcs12.xcodeproj */, + 184461A3146E9D3200B12992 /* libsecurityd.xcodeproj */, + 18270F0814CF43C000B05E7F /* libDER.xcodeproj */, + ); + name = libsecurity; + sourceTree = ""; + }; + 181EA421146D4A2A00A6D320 /* config */ = { + isa = PBXGroup; + children = ( + 18BFC44017C43393005DE6C3 /* executable.xcconfig */, + 18BBC6801471EF1600F2B224 /* security.xcconfig */, + 181EA422146D4A2A00A6D320 /* base.xcconfig */, + 181EA423146D4A2A00A6D320 /* debug.xcconfig */, + 181EA424146D4A2A00A6D320 /* lib.xcconfig */, + 0C6C632F15D19DE600BC68CD /* test.xcconfig */, + 4CB23B91169F5CFF003A0131 /* command.xcconfig */, + 181EA425146D4A2A00A6D320 /* release.xcconfig */, + ); + path = config; + sourceTree = ""; + }; + 18270EEB14CF331500B05E7F /* ipc */ = { + isa = PBXGroup; + children = ( + 18BEB19614CF74C100C8BD36 /* com.apple.secd.plist */, + 18270EEC14CF333400B05E7F /* client.c */, + 18270EED14CF333400B05E7F /* com.apple.securityd.plist */, + 18270EEE14CF333400B05E7F /* securityd_client.h */, + 18270EEF14CF333400B05E7F /* 
securityd_ipc_types.h */, + 18270EF014CF333400B05E7F /* securityd_rep.defs */, + 18270EF114CF333400B05E7F /* securityd_req.defs */, + 18270EF214CF333400B05E7F /* securityd_server.h */, + 18270EF314CF333400B05E7F /* server.c */, + ); + name = ipc; + path = sec/ipc; + sourceTree = ""; + }; + 18270F0914CF43C000B05E7F /* Products */ = { + isa = PBXGroup; + children = ( + 18270F1214CF43C000B05E7F /* libDER.a */, + 18270F1414CF43C000B05E7F /* parseCert */, + 18270F1614CF43C000B05E7F /* libDERUtils.a */, + 18270F1814CF43C000B05E7F /* parseCrl */, + 18270F1A14CF43C000B05E7F /* parseTicket */, + ); + name = Products; + sourceTree = ""; + }; + 18270F3114CF448600B05E7F /* security_utilities */ = { + isa = PBXGroup; + children = ( + 18270F3A14CF44C400B05E7F /* debugging.c */, + 18270F3B14CF44C400B05E7F /* debugging.h */, + ); + path = security_utilities; + sourceTree = ""; + }; + 182BB228146F0674000BF1F3 /* Resources */ = { + isa = PBXGroup; + children = ( + BEFB63681B6834AB0052149A /* AppWorkaround.plist */, + 187D6B8F15D4359F00E27494 /* authorization.buttons.strings */, + 187D6B9115D4359F00E27494 /* authorization.prompts.strings */, + 43A598591B0CF2AB00D14A7B /* CloudKeychain.strings */, + 188AD8D81471FE3D0081C619 /* FDELocalizable.strings */, + 182BB55C146F4544000BF1F3 /* FDEPrefs.plist */, + BE8C5F0916F7CE450074CF86 /* framework.sb */, + 188AD8DA1471FE3D0081C619 /* InfoPlist.strings */, + 182BB229146F068B000BF1F3 /* iToolsTrustedApps.plist */, + 1879B4A8146DC9D7007E536C /* mds */, + 52B006BF15238F76005D4556 /* TimeStampingPrefs.plist */, + ); + name = Resources; + sourceTree = ""; + }; + 182BB555146F450F000BF1F3 /* plugins */ = { + isa = PBXGroup; + children = ( + 182BB556146F4510000BF1F3 /* csparser-Info.plist */, + 182BB557146F4510000BF1F3 /* csparser.cpp */, + 182BB558146F4510000BF1F3 /* csparser.exp */, + ); + path = plugins; + sourceTree = ""; + }; + 182BB5A9146FEB27000BF1F3 /* derived_src */ = { + isa = PBXGroup; + children = ( + 18B647EF14D9F75300F538BF /* 
generateErrStrings.mm */, + 18500F9F14708F19006F9AB4 /* SecErrorMessages.strings */, + 18500F9A14708D0E006F9AB4 /* SecDebugErrorMessages.strings */, + ); + name = derived_src; + sourceTree = ""; + }; + 184461A4146E9D3200B12992 /* Products */ = { + isa = PBXGroup; + children = ( + 184461B1146E9D3300B12992 /* libsecurityd_client.a */, + 184461B5146E9D3300B12992 /* libsecurityd_server.a */, + 184461B9146E9D3300B12992 /* ucspc.a */, + ); + name = Products; + sourceTree = ""; + }; + 186CDD0314CA10E700AF9171 /* sec */ = { + isa = PBXGroup; + children = ( + 186CDD1614CA11C700AF9171 /* sec.xcodeproj */, + ); + path = sec; + sourceTree = ""; + }; + 186CDD1714CA11C700AF9171 /* Products */ = { + isa = PBXGroup; + children = ( + 18D4053B14CE2C1600A2BE4E /* libsecurity.a */, + 18270C7D14CE573D00B05E7F /* libsecurityd.a */, + 186CDD1E14CA11C700AF9171 /* libSecItemShimOSX.a */, + BE8D22BC1ABB747B009A4E18 /* libSecTrustOSX.a */, + 18270F6014CF655B00B05E7F /* libsecipc_client.a */, + 4C1288EA15FFE9D7008CE3E3 /* libSecureObjectSync.a */, + 4C1288EC15FFE9D7008CE3E3 /* libSOSRegressions.a */, + 4C1288EE15FFE9D7008CE3E3 /* libSecurityRegressions.a */, + 4C1288F015FFE9D7008CE3E3 /* libsecuritydRegressions.a */, + 4C1288F215FFE9D7008CE3E3 /* libSecOtrOSX.a */, + 4C01DE32164C3793006798CD /* libCloudKeychainProxy.a */, + CD63AD0C1A8061FA001B5671 /* libIDSKeychainSyncingProxy.a */, + 4CB23B76169F5873003A0131 /* libSecurityTool.a */, + 4CB23B78169F5873003A0131 /* libSecurityCommands.a */, + 4CB23B7A169F5873003A0131 /* libSOSCommands.a */, + 0C4EAE721766865000773425 /* libsecdRegressions.a */, + E760796F1951F99600F69731 /* libSWCAgent.a */, + E76079D51951FDA800F69731 /* liblogging.a */, + ); + name = Products; + sourceTree = ""; + }; + 186CDE7914CA3A3800AF9171 /* secd */ = { + isa = PBXGroup; + children = ( + 18270EEB14CF331500B05E7F /* ipc */, + 18270F3114CF448600B05E7F /* security_utilities */, + ); + name = secd; + sourceTree = ""; + }; + 1879B4A6146DC971007E536C /* Headers */ = { + isa = 
PBXGroup; + children = ( + D41685831B3A288F001FB54E /* oids.h */, + 18446146146E923200B12992 /* Authorization.h */, + 18446147146E923200B12992 /* AuthorizationDB.h */, + 18446148146E923200B12992 /* AuthorizationPlugin.h */, + 18446144146E923200B12992 /* AuthorizationTags.h */, + 18446145146E923200B12992 /* AuthSession.h */, + 1879B4AD146DCA84007E536C /* certextensions.h */, + 182BB36E146F13B4000BF1F3 /* CipherSuite.h */, + 18446170146E982800B12992 /* CMSDecoder.h */, + 18446171146E982800B12992 /* CMSEncoder.h */, + 1844617F146E9A8500B12992 /* CodeSigning.h */, + 18446180146E9A8500B12992 /* CSCommon.h */, + 1879B4AE146DCA84007E536C /* cssm.h */, + 1879B4AF146DCA84007E536C /* cssmaci.h */, + 1879B4B0146DCA84007E536C /* cssmapi.h */, + 1879B4B1146DCA84007E536C /* cssmapple.h */, + 1879B4B2146DCA84007E536C /* cssmcli.h */, + 1879B4B3146DCA84007E536C /* cssmconfig.h */, + 1879B4B4146DCA84007E536C /* cssmcspi.h */, + 1879B4B5146DCA84007E536C /* cssmdli.h */, + 1879B4B6146DCA84007E536C /* cssmerr.h */, + 1879B4B7146DCA84007E536C /* cssmkrapi.h */, + 1879B4B8146DCA84007E536C /* cssmkrspi.h */, + 1879B4B9146DCA84007E536C /* cssmspi.h */, + 1879B4BA146DCA84007E536C /* cssmtpi.h */, + 1879B4BB146DCA84007E536C /* cssmtype.h */, + 1879B4BC146DCA84007E536C /* eisl.h */, + 1879B4BD146DCA84007E536C /* emmspi.h */, + 1879B4BE146DCA84007E536C /* emmtype.h */, + 182BB356146F1198000BF1F3 /* mds.h */, + 182BB357146F1198000BF1F3 /* mds_schema.h */, + 18B647E814D9EB6300F538BF /* oidsalg.h */, + 18B647EA14D9EE4300F538BF /* oidsattr.h */, + 1879B4C1146DCA84007E536C /* oidsbase.h */, + 1879B4C2146DCA84007E536C /* oidscert.h */, + 1879B4C3146DCA84007E536C /* oidscrl.h */, + 182BB187146EAD4C000BF1F3 /* SecAccess.h */, + 44B2603E18F81A6A008DF20F /* SecAccessControl.h */, + 182BB188146EAD4C000BF1F3 /* SecACL.h */, + 184460AB146DFCC100B12992 /* SecAsn1Coder.h */, + 184460AC146DFCC100B12992 /* SecAsn1Templates.h */, + 184460AD146DFCC100B12992 /* SecAsn1Types.h */, + 182BB189146EAD4C000BF1F3 /* 
SecBase.h */, + 182BB18A146EAD4C000BF1F3 /* SecCertificate.h */, + 182BB199146EAD4C000BF1F3 /* SecCertificateOIDs.h */, + 18446181146E9A8500B12992 /* SecCode.h */, + 18446184146E9A8500B12992 /* SecCodeHost.h */, + 182BB3A6146F1BEC000BF1F3 /* SecCustomTransform.h */, + 182BB3A7146F1BEC000BF1F3 /* SecDecodeTransform.h */, + 182BB3A3146F1BEC000BF1F3 /* SecDigestTransform.h */, + 182BB3A8146F1BEC000BF1F3 /* SecEncodeTransform.h */, + 182BB3A9146F1BEC000BF1F3 /* SecEncryptTransform.h */, + 182BB18B146EAD4C000BF1F3 /* SecIdentity.h */, + 182BB18C146EAD4C000BF1F3 /* SecIdentitySearch.h */, + 182BB197146EAD4C000BF1F3 /* SecImportExport.h */, + 182BB18D146EAD4C000BF1F3 /* SecItem.h */, + 182BB18E146EAD4C000BF1F3 /* SecKey.h */, + 182BB18F146EAD4C000BF1F3 /* SecKeychain.h */, + 182BB190146EAD4C000BF1F3 /* SecKeychainItem.h */, + 182BB191146EAD4C000BF1F3 /* SecKeychainSearch.h */, + 182BB192146EAD4C000BF1F3 /* SecPolicy.h */, + 182BB193146EAD4C000BF1F3 /* SecPolicySearch.h */, + 182BB19A146EAD4C000BF1F3 /* SecRandom.h */, + 182BB3A4146F1BEC000BF1F3 /* SecReadTransform.h */, + 18446183146E9A8500B12992 /* SecRequirement.h */, + 182BB3AA146F1BEC000BF1F3 /* SecSignVerifyTransform.h */, + 18446182146E9A8500B12992 /* SecStaticCode.h */, + 1844617E146E9A8500B12992 /* SecTask.h */, + BEC3A76716F79497003E5634 /* SecTaskPriv.h */, + 182BB3A5146F1BEC000BF1F3 /* SecTransform.h */, + 182BB3AB146F1BEC000BF1F3 /* SecTransformReadTransform.h */, + 182BB194146EAD4C000BF1F3 /* SecTrust.h */, + 182BB195146EAD4C000BF1F3 /* SecTrustedApplication.h */, + 182BB198146EAD4C000BF1F3 /* SecTrustSettings.h */, + 182BB315146F0E7E000BF1F3 /* SecureDownload.h */, + 182BB36F146F13B4000BF1F3 /* SecureTransport.h */, + 182BB196146EAD4C000BF1F3 /* Security.h */, + 1879B4C4146DCA84007E536C /* x509defs.h */, + ); + name = Headers; + sourceTree = ""; + }; + 1879B4A7146DC999007E536C /* PrivateHeaders */ = { + isa = PBXGroup; + children = ( + 524492691AFD6CB70043695A /* der_plist.h */, + 184460A1146DFCB700B12992 /* 
asn1Templates.h */, + 1844614F146E923B00B12992 /* AuthorizationPriv.h */, + 1844614E146E923B00B12992 /* AuthorizationTagsPriv.h */, + 1844609A146DFCB700B12992 /* certExtensionTemplates.h */, + 18446168146E95D700B12992 /* checkpw.h */, + 18446174146E982D00B12992 /* CMSPrivate.h */, + 1844618C146E9A8F00B12992 /* CSCommonPriv.h */, + 1844609B146DFCB700B12992 /* csrTemplates.h */, + 1879B4AB146DCA4A007E536C /* cssmapplePriv.h */, + 184460A0146DFCB700B12992 /* keyTemplates.h */, + 182BB35A146F11A1000BF1F3 /* mdspriv.h */, + 1844609D146DFCB700B12992 /* nameTemplates.h */, + 1844609C146DFCB700B12992 /* ocspTemplates.h */, + 1844609F146DFCB700B12992 /* osKeyTemplates.h */, + 182BB1B2146EAD5D000BF1F3 /* SecAccessPriv.h */, + 44B2606918F81BFE008DF20F /* SecAccessControlPriv.h */, + 18446099146DFCB700B12992 /* secasn1t.h */, + 18446194146E9A8F00B12992 /* SecAssessment.h */, + 182BB1B3146EAD5D000BF1F3 /* SecBasePriv.h */, + 182BB1B4146EAD5D000BF1F3 /* SecCertificateBundle.h */, + 182BB1B5146EAD5D000BF1F3 /* SecCertificatePriv.h */, + 182BB1B6146EAD5D000BF1F3 /* SecCertificateRequest.h */, + AC5688BA18B4396D00F0526C /* SecCMS.h */, + 182BB383146F14D2000BF1F3 /* SecCmsBase.h */, + 182BB384146F14D2000BF1F3 /* SecCmsContentInfo.h */, + 182BB385146F14D2000BF1F3 /* SecCmsDecoder.h */, + 182BB386146F14D2000BF1F3 /* SecCmsDigestContext.h */, + 182BB387146F14D2000BF1F3 /* SecCmsDigestedData.h */, + 182BB388146F14D2000BF1F3 /* SecCmsEncoder.h */, + 182BB389146F14D2000BF1F3 /* SecCmsEncryptedData.h */, + 182BB38A146F14D2000BF1F3 /* SecCmsEnvelopedData.h */, + 182BB38B146F14D2000BF1F3 /* SecCmsMessage.h */, + 182BB38C146F14D2000BF1F3 /* SecCmsRecipientInfo.h */, + 182BB38D146F14D2000BF1F3 /* SecCmsSignedData.h */, + 182BB38E146F14D2000BF1F3 /* SecCmsSignerInfo.h */, + 18446193146E9A8F00B12992 /* SecCodeHostLib.h */, + 1844618D146E9A8F00B12992 /* SecCodePriv.h */, + 18446190146E9A8F00B12992 /* SecCodeSigner.h */, + 0C03D60317D93E810087643B /* SecDH.h */, + 18BBC7351471F5A300F2B224 /* 
SecExternalSourceTransform.h */, + 182BB1AF146EAD5D000BF1F3 /* SecFDERecoveryAsymmetricCrypto.h */, + 182BB1B7146EAD5D000BF1F3 /* SecIdentityPriv.h */, + 182BB1C4146EAD5D000BF1F3 /* SecIdentitySearchPriv.h */, + 18446191146E9A8F00B12992 /* SecIntegrity.h */, + 18446192146E9A8F00B12992 /* SecIntegrityLib.h */, + 182BB1CA146EAD5D000BF1F3 /* SecItemPriv.h */, + 4CE7EA7D1AEAF50F0067F5BD /* SecItemBackup.h */, + 182BB1CB146EAD5D000BF1F3 /* SecKeychainItemExtendedAttributes.h */, + 182BB1B8146EAD5D000BF1F3 /* SecKeychainItemPriv.h */, + 182BB1B9146EAD5D000BF1F3 /* SecKeychainPriv.h */, + 182BB1C5146EAD5D000BF1F3 /* SecKeychainSearchPriv.h */, + 182BB1BA146EAD5D000BF1F3 /* SecKeyPriv.h */, + 182BB317146F0E94000BF1F3 /* SecManifest.h */, + 182BB3B6146F1BF9000BF1F3 /* SecNullTransform.h */, + 182BB1B0146EAD5D000BF1F3 /* SecPassword.h */, + CDDE9D1C1729DF250013B0E8 /* SecPasswordGenerate.h */, + 182BB1BB146EAD5D000BF1F3 /* SecPolicyPriv.h */, + 182BB1CF146EAD5D000BF1F3 /* SecRandomP.h */, + 182BB1CE146EAD5D000BF1F3 /* SecRecoveryPassword.h */, + 1844618F146E9A8F00B12992 /* SecRequirementPriv.h */, + 182BB38F146F14D2000BF1F3 /* SecSMIME.h */, + 1844618E146E9A8F00B12992 /* SecStaticCodePriv.h */, + 182BB3B7146F1BF9000BF1F3 /* SecTransformInternal.h */, + 182BB1BC146EAD5D000BF1F3 /* SecTrustedApplicationPriv.h */, + 182BB1BD146EAD5D000BF1F3 /* SecTrustPriv.h */, + 182BB1C6146EAD5D000BF1F3 /* SecTrustSettingsPriv.h */, + 182BB318146F0E94000BF1F3 /* SecureDownloadInternal.h */, + 182BB372146F13BB000BF1F3 /* SecureTransportPriv.h */, + 0C4F055D15C9E51A00F9DFD5 /* sslTypes.h */, + 52F8DE201AF2E57300A2C271 /* SOSBackupSliceKeyBag.h */, + 48FDA84D1AF989F600A9366F /* SOSCloudCircleInternal.h */, + 4CB86AE6167A6FF200F46643 /* SOSCircle.h */, + 4CB86AE7167A6FF200F46643 /* SOSCloudCircle.h */, + 52F8DE231AF2E58B00A2C271 /* SOSForerunnerSession.h */, + 4CB86AED167A6FF300F46643 /* SOSPeerInfo.h */, + CD8B5A9C1B618ED9004D4AEF /* SOSPeerInfoPriv.h */, + CD4F43CC1B546A1900FE3569 /* 
SOSPeerInfoV2.h */, + 52F8DE4B1AF2EB6600A2C271 /* SOSTypes.h */, + 52F8DDF91AF2E56600A2C271 /* SOSViews.h */, + 182BB1C8146EAD5D000BF1F3 /* TrustSettingsSchema.h */, + 52B5A9C01519330300664F11 /* tsaSupport.h */, + 52AEA484153C7581005AFC59 /* tsaSupportPriv.h */, + 52B5A9C11519330300664F11 /* tsaTemplates.h */, + 1844609E146DFCB700B12992 /* X509Templates.h */, + ); + name = PrivateHeaders; + sourceTree = ""; + }; + 1879B4A8146DC9D7007E536C /* mds */ = { + isa = PBXGroup; + children = ( + 182BB3C4146F1DCB000BF1F3 /* sd_cspdl_common.mdsinfo */, + 1879B4A9146DCA18007E536C /* cssm.mdsinfo */, + 1844605B146DE93E00B12992 /* csp_capabilities.mdsinfo */, + 1844605C146DE93E00B12992 /* csp_capabilities_common.mds */, + 1844605D146DE93E00B12992 /* csp_common.mdsinfo */, + 1844605E146DE93E00B12992 /* csp_primary.mdsinfo */, + 184460C3146E7B1E00B12992 /* cspdl_common.mdsinfo */, + 184460C4146E7B1E00B12992 /* cspdl_csp_capabilities.mdsinfo */, + 184460C5146E7B1E00B12992 /* cspdl_csp_primary.mdsinfo */, + 184460C6146E7B1E00B12992 /* cspdl_dl_primary.mdsinfo */, + 184460E1146E806700B12992 /* dl_common.mdsinfo */, + 184460E2146E806700B12992 /* dl_primary.mdsinfo */, + 18446103146E82C800B12992 /* cl_common.mdsinfo */, + 18446104146E82C800B12992 /* cl_primary.mdsinfo */, + 18446112146E85A300B12992 /* tp_common.mdsinfo */, + 18446113146E85A300B12992 /* tp_policyOids.mdsinfo */, + 18446114146E85A300B12992 /* tp_primary.mdsinfo */, + ); + name = mds; + sourceTree = ""; + }; + 1879B533146DDBE5007E536C /* Products */ = { + isa = PBXGroup; + children = ( + 1879B538146DDBE5007E536C /* libsecurity_utilities.a */, + ); + name = Products; + sourceTree = ""; + }; + 1879B548146DE212007E536C /* Products */ = { + isa = PBXGroup; + children = ( + 1879B54F146DE212007E536C /* libsecurity_cdsa_utils.a */, + ); + name = Products; + sourceTree = ""; + }; + 1879B551146DE227007E536C /* Products */ = { + isa = PBXGroup; + children = ( + 1879B55A146DE227007E536C /* libsecurity_cdsa_utilities.a */, + 
1879B55C146DE227007E536C /* Schemas */, + ); + name = Products; + sourceTree = ""; + }; + 1879B55E146DE244007E536C /* Products */ = { + isa = PBXGroup; + children = ( + 1879B565146DE244007E536C /* libsecurity_cssm.a */, + ); + name = Products; + sourceTree = ""; + }; + 1879B5BD146DE6C8007E536C /* Products */ = { + isa = PBXGroup; + children = ( + 1879B5C6146DE6C8007E536C /* libsecurity_apple_csp.a */, + ); + name = Products; + sourceTree = ""; + }; + 1879B5CA146DE6CE007E536C /* Products */ = { + isa = PBXGroup; + children = ( + 1879B5D2146DE6CE007E536C /* libsecurity_apple_cspdl.a */, + ); + name = Products; + sourceTree = ""; + }; + 1879B5D6146DE6D7007E536C /* Products */ = { + isa = PBXGroup; + children = ( + 1879B5DE146DE6D7007E536C /* libsecurity_apple_file_dl.a */, + ); + name = Products; + sourceTree = ""; + }; + 1879B5E2146DE6E7007E536C /* Products */ = { + isa = PBXGroup; + children = ( + 1879B5EB146DE6E8007E536C /* libsecurity_apple_x509_cl.a */, + 1879B5EF146DE6E8007E536C /* apple_x509_cl.bundle */, + ); + name = Products; + sourceTree = ""; + }; + 1879B5F1146DE6FD007E536C /* Products */ = { + isa = PBXGroup; + children = ( + 1879B5F9146DE6FD007E536C /* libsecurity_apple_x509_tp.a */, + ); + name = Products; + sourceTree = ""; + }; + 1879B5FD146DE704007E536C /* Products */ = { + isa = PBXGroup; + children = ( + 1885B3F914D8D9B100519375 /* libASN1.a */, + ); + name = Products; + sourceTree = ""; + }; + 1879B60A146DE70A007E536C /* Products */ = { + isa = PBXGroup; + children = ( + 1879B612146DE70A007E536C /* libsecurity_authorization.a */, + ); + name = Products; + sourceTree = ""; + }; + 1879B616146DE715007E536C /* Products */ = { + isa = PBXGroup; + children = ( + 1879B61E146DE715007E536C /* libsecurity_cdsa_client.a */, + ); + name = Products; + sourceTree = ""; + }; + 1879B622146DE720007E536C /* Products */ = { + isa = PBXGroup; + children = ( + 1879B62B146DE720007E536C /* libsecurity_cdsa_plugin.a */, + ); + name = Products; + sourceTree = ""; + }; + 
1879B638146DE748007E536C /* Products */ = { + isa = PBXGroup; + children = ( + 1879B644146DE748007E536C /* libsecurity_checkpw.a */, + 1879B648146DE748007E536C /* test-checkpw */, + 1879B64A146DE748007E536C /* perf-checkpw */, + ); + name = Products; + sourceTree = ""; + }; + 1879B64C146DE750007E536C /* Products */ = { + isa = PBXGroup; + children = ( + 1879B654146DE750007E536C /* libsecurity_cms.a */, + ); + name = Products; + sourceTree = ""; + }; + 1879B658146DE756007E536C /* Products */ = { + isa = PBXGroup; + children = ( + 1879B666146DE757007E536C /* libsecurity_codesigning.a */, + 1879B66A146DE757007E536C /* libintegrity.a */, + 1879B66C146DE757007E536C /* libcodehost.a */, + C2432A0815C7112A0096DB5B /* gkunpack */, + EB2E1F58166D6B3700A7EF61 /* com.apple.CodeSigningHelper.xpc */, + ); + name = Products; + sourceTree = ""; + }; + 1879B66E146DE75D007E536C /* Products */ = { + isa = PBXGroup; + children = ( + 1879B676146DE75E007E536C /* libsecurity_comcryption.a */, + ); + name = Products; + sourceTree = ""; + }; + 1879B67A146DE76E007E536C /* Products */ = { + isa = PBXGroup; + children = ( + 1879B684146DE76F007E536C /* libsecurity_cryptkit.a */, + 1879B688146DE76F007E536C /* libCryptKit.a */, + 1879B68A146DE76F007E536C /* CryptKitSignature.a */, + ); + name = Products; + sourceTree = ""; + }; + 1879B695146DE797007E536C /* Products */ = { + isa = PBXGroup; + children = ( + 1879B69D146DE797007E536C /* libsecurity_filedb.a */, + ); + name = Products; + sourceTree = ""; + }; + 1879B6A1146DE79F007E536C /* Products */ = { + isa = PBXGroup; + children = ( + 1879B6B3146DE7A0007E536C /* libsecurity_keychain.a */, + 1879B6B7146DE7A0007E536C /* XPCKeychainSandboxCheck.xpc */, + 52B5A8F6151928B400664F11 /* XPCTimeStampingService.xpc */, + 0CBD50B316C325F000713B6C /* libsecurity_keychain_regressions.a */, + ); + name = Products; + sourceTree = ""; + }; + 1879B6C8146DE7D7007E536C /* Products */ = { + isa = PBXGroup; + children = ( + 1879B6D0146DE7D7007E536C /* 
libsecurity_manifest.a */, + ); + name = Products; + sourceTree = ""; + }; + 1879B6D4146DE7E0007E536C /* Products */ = { + isa = PBXGroup; + children = ( + 1879B6DC146DE7E0007E536C /* libsecurity_mds.a */, + ); + name = Products; + sourceTree = ""; + }; + 1879B6E0146DE7E7007E536C /* Products */ = { + isa = PBXGroup; + children = ( + 1879B6E9146DE7E8007E536C /* libsecurity_ocspd.a */, + ); + name = Products; + sourceTree = ""; + }; + 1879B6ED146DE7EE007E536C /* Products */ = { + isa = PBXGroup; + children = ( + 1879B6F5146DE7EF007E536C /* libsecurity_pkcs12.a */, + ); + name = Products; + sourceTree = ""; + }; + 1879B6F9146DE7F7007E536C /* Products */ = { + isa = PBXGroup; + children = ( + 1879B701146DE7F7007E536C /* libsecurity_sd_cspdl.a */, + ); + name = Products; + sourceTree = ""; + }; + 1879B713146DE825007E536C /* Products */ = { + isa = PBXGroup; + children = ( + 1879B71C146DE825007E536C /* libsecurity_smime.a */, + ACB6171818B5231800EBEDD7 /* libsecurity_smime_regressions.a */, + ); + name = Products; + sourceTree = ""; + }; + 1879B720146DE839007E536C /* Products */ = { + isa = PBXGroup; + children = ( + 1879B728146DE839007E536C /* libsecurity_ssl.a */, + 0C6D77CF15C8B66000BB4405 /* libsecurity_ssl_regressions.a */, + 0C6D77D115C8B66000BB4405 /* dtlsEchoClient */, + 0C6D77D315C8B66000BB4405 /* dtlsEchoServer */, + ); + name = Products; + sourceTree = ""; + }; + 1879B72C146DE844007E536C /* Products */ = { + isa = PBXGroup; + children = ( + 1879B739146DE845007E536C /* libsecurity_transform.a */, + 1879B73D146DE845007E536C /* unit-tests.octest */, + 1879B73F146DE845007E536C /* 100-sha2 */, + 1879B741146DE845007E536C /* input-speed-test */, + ); + name = Products; + sourceTree = ""; + }; + 18F234ED15C9F9A700060520 /* authd */ = { + isa = PBXGroup; + children = ( + 18F234F915C9FA3B00060520 /* agent.c */, + 18F234FA15C9FA3B00060520 /* agent.h */, + 18F2351A15C9FA3C00060520 /* authd_private.h */, + 18F234FB15C9FA3B00060520 /* authdb.c */, + 18F234FC15C9FA3B00060520 
/* authdb.h */, + 18F234FD15C9FA3B00060520 /* authitems.c */, + 18F234FE15C9FA3B00060520 /* authitems.h */, + 18F234FF15C9FA3B00060520 /* authtoken.c */, + 18F2350015C9FA3B00060520 /* authtoken.h */, + 18F2350115C9FA3B00060520 /* authtypes.h */, + 18F2350215C9FA3B00060520 /* authutilities.c */, + 18F2350315C9FA3B00060520 /* authutilities.h */, + 18F2350415C9FA3B00060520 /* ccaudit.c */, + 18F2350515C9FA3B00060520 /* ccaudit.h */, + 182A191015D09AFF006AB103 /* connection.c */, + 182A190F15D09AF0006AB103 /* connection.h */, + 18F2350615C9FA3B00060520 /* crc.c */, + 18F2350715C9FA3B00060520 /* crc.h */, + 18F2350815C9FA3B00060520 /* credential.c */, + 18F2350915C9FA3B00060520 /* credential.h */, + 18F2350A15C9FA3B00060520 /* debugging.c */, + 18F2350B15C9FA3B00060520 /* debugging.h */, + 18F2350F15C9FA3B00060520 /* engine.c */, + 18F2351015C9FA3B00060520 /* engine.h */, + 18F2351115C9FA3B00060520 /* main.c */, + 18F2351215C9FA3B00060520 /* mechanism.c */, + 18F2351315C9FA3B00060520 /* mechanism.h */, + 18F2351415C9FA3C00060520 /* object.c */, + 18F2351515C9FA3C00060520 /* object.h */, + 18F2351615C9FA3C00060520 /* process.c */, + 18F2351715C9FA3C00060520 /* process.h */, + 18F2351815C9FA3C00060520 /* rule.c */, + 18F2351915C9FA3C00060520 /* rule.h */, + 18F2351D15C9FA3C00060520 /* server.c */, + 18F2351E15C9FA3C00060520 /* server.h */, + 18F2351F15C9FA3C00060520 /* session.c */, + 18F2352015C9FA3C00060520 /* session.h */, + 18F2353415C9FA7F00060520 /* Supporting Files */, + ); + path = authd; + sourceTree = ""; + }; + 18F2353415C9FA7F00060520 /* Supporting Files */ = { + isa = PBXGroup; + children = ( + 18D6803916B768D500DF6D2E /* com.apple.authd */, + 18CFEE8715DEE25200E3F2A3 /* com.apple.authd.sb */, + 187D6B9515D436BF00E27494 /* authorization.plist */, + 18F2350D15C9FA3B00060520 /* InfoPlist.strings */, + 18F2351B15C9FA3C00060520 /* Info.plist */, + 18F2351C15C9FA3C00060520 /* security.auth-Prefix.pch */, + ); + name = "Supporting Files"; + sourceTree = ""; + }; + 
3705CAA31A896CEE00402F75 /* SecTask */ = { + isa = PBXGroup; + children = ( + 3705CACD1A896DA800402F75 /* main.c */, + 3705CACC1A896D5A00402F75 /* SecTask-Entitlements.plist */, + ); + name = SecTask; + sourceTree = ""; + }; + 37A7CEAC197DB8FA00926CE8 /* codesign_tests */ = { + isa = PBXGroup; + children = ( + 37CD05011A8A87E50053CCD0 /* CaspianTests */, + 3705CAA31A896CEE00402F75 /* SecTask */, + 371AB2CA1A04050700A08CF2 /* teamid.sh */, + 37A7CEAD197DB8FA00926CE8 /* FatDynamicValidation.c */, + 37A7CEDB197DCDD700926CE8 /* validation.sh */, + ); + path = codesign_tests; + sourceTree = ""; + }; + 37AB39101A44A88000B56E04 /* gk_reset_check */ = { + isa = PBXGroup; + children = ( + 37AB39111A44A88000B56E04 /* gk_reset_check.c */, + ); + path = gk_reset_check; + sourceTree = ""; + }; + 37CD05011A8A87E50053CCD0 /* CaspianTests */ = { + isa = PBXGroup; + children = ( + 37CD05021A8A87E50053CCD0 /* CaspianTests */, + 37CD05041A8A96DD0053CCD0 /* LocalCaspianTestRun.sh */, + ); + path = CaspianTests; + sourceTree = ""; + }; + 4C0F6FAF1985879300178101 /* sectask */ = { + isa = PBXGroup; + children = ( + 4C0F6F861985877800178101 /* SecEntitlements.h */, + ); + name = sectask; + path = ../sectask; + sourceTree = ""; + }; + 4C1288F615FFECF2008CE3E3 /* utilities */ = { + isa = PBXGroup; + children = ( + 0CC3355B16C1EF5D00399E53 /* regressions.xcodeproj */, + 4C12893715FFECF3008CE3E3 /* utilities.xcodeproj */, + ); + path = utilities; + sourceTree = ""; + }; + 4C12893815FFECF3008CE3E3 /* Products */ = { + isa = PBXGroup; + children = ( + 4C12894015FFECF3008CE3E3 /* libutilities.a */, + 4C12894215FFECF3008CE3E3 /* libutilitiesRegressions.a */, + ); + name = Products; + sourceTree = ""; + }; + 4C96F7C316D6DF8400D3B39D /* Keychain Circle Notification */ = { + isa = PBXGroup; + children = ( + 4CD1980B16DD3BDF00A9E8FD /* NSArray+mapWithBlock.h */, + 4CD1980C16DD3BDF00A9E8FD /* NSArray+mapWithBlock.m */, + 4C96F7CF16D6DF8400D3B39D /* KNAppDelegate.h */, + 4C96F7D016D6DF8400D3B39D /* 
KNAppDelegate.m */, + 4C96F7D216D6DF8400D3B39D /* MainMenu.xib */, + 4C5DD44217A5E31900696A79 /* KNPersistentState.h */, + 4C5DD44317A5E31900696A79 /* KNPersistentState.m */, + 4C96F7C416D6DF8400D3B39D /* Supporting Files */, + 4CB9121C17750E6500C1CCCA /* entitlments.plist */, + ); + path = "Keychain Circle Notification"; + sourceTree = ""; + }; + 4C96F7C416D6DF8400D3B39D /* Supporting Files */ = { + isa = PBXGroup; + children = ( + 4C7D456417BEE6B700DDD88F /* NSDictionary+compactDescription.h */, + 4C7D456517BEE6B700DDD88F /* NSDictionary+compactDescription.m */, + 4C7D456617BEE6B700DDD88F /* NSSet+compactDescription.h */, + 4C7D456717BEE6B700DDD88F /* NSSet+compactDescription.m */, + 4C7D453B17BEE69B00DDD88F /* NSString+compactDescription.h */, + 4C7D453C17BEE69B00DDD88F /* NSString+compactDescription.m */, + 5328475117850741009118DC /* Localizable.strings */, + 4C96F7C516D6DF8400D3B39D /* Keychain Circle Notification-Info.plist */, + 4C96F7C616D6DF8400D3B39D /* InfoPlist.strings */, + 4C96F7C916D6DF8400D3B39D /* main.m */, + 4C96F7CB16D6DF8400D3B39D /* Keychain Circle Notification-Prefix.pch */, + 4C49390C16E51ACE00CE110C /* com.apple.security.keychain-circle-notification.plist */, + ); + name = "Supporting Files"; + sourceTree = ""; + }; + 4CB23B48169F5873003A0131 /* security2 */ = { + isa = PBXGroup; + children = ( + 4CB23B4B169F5873003A0131 /* security2.1 */, + 4CB23B80169F58DE003A0131 /* security_tool_commands.c */, + 4CB23B82169F592C003A0131 /* sub_commands.h */, + ); + path = security2; + sourceTree = ""; + }; + 4CC7A7B516CC2A85003E10C1 /* KeychainDemoApp */ = { + isa = PBXGroup; + children = ( + 4CC7A7C116CC2A85003E10C1 /* KDAppDelegate.h */, + 4CC7A7C216CC2A85003E10C1 /* KDAppDelegate.m */, + 4C85DED816DBD5BF00ED8D47 /* KDCirclePeer.h */, + 4C85DED916DBD5BF00ED8D47 /* KDCirclePeer.m */, + 4CC7A7F416CD95D2003E10C1 /* KDSecItems.h */, + 4CC7A7F516CD95D3003E10C1 /* KDSecItems.m */, + 4CC7A7C416CC2A85003E10C1 /* MainMenu.xib */, + 4C96F73816D5372C00D3B39D /* 
KDSecCircle.h */, + 4C96F73916D5372C00D3B39D /* KDSecCircle.m */, + 4CC7A7B616CC2A85003E10C1 /* Supporting Files */, + ); + name = KeychainDemoApp; + path = Keychain; + sourceTree = ""; + }; + 4CC7A7B616CC2A85003E10C1 /* Supporting Files */ = { + isa = PBXGroup; + children = ( + 4C2505B616D2DF9F002CE025 /* Icon.icns */, + 4CC7A7B716CC2A85003E10C1 /* Keychain-Info.plist */, + 4CC7A7B816CC2A85003E10C1 /* InfoPlist.strings */, + 4CC7A7BB16CC2A85003E10C1 /* main.m */, + 4CC7A7BD16CC2A85003E10C1 /* Keychain-Prefix.pch */, + 4CC7A7BE16CC2A85003E10C1 /* Credits.rtf */, + ); + name = "Supporting Files"; + sourceTree = ""; + }; + 5214700D16977CB800DF0DB3 /* CloudKeychainProxy */ = { + isa = PBXGroup; + children = ( + 52C3D235169B56860091D9D3 /* ckdmain.m */, + 5214700E16977CB800DF0DB3 /* Supporting Files */, + ); + path = CloudKeychainProxy; + sourceTree = ""; + }; + 5214700E16977CB800DF0DB3 /* Supporting Files */ = { + isa = PBXGroup; + children = ( + 5214702416977FEC00DF0DB3 /* cloudkeychain.entitlements.plist */, + 5214702516977FEC00DF0DB3 /* com.apple.security.cloudkeychainproxy.plist */, + 5214700F16977CB800DF0DB3 /* CloudKeychainProxy-Info.plist */, + 5214701016977CB800DF0DB3 /* InfoPlist.strings */, + ); + name = "Supporting Files"; + sourceTree = ""; + }; + 5EF7C20B1B00E25400E5E99C /* secacltests */ = { + isa = PBXGroup; + children = ( + 5EF7C23A1B00E48200E5E99C /* main.c */, + 5EF7C23C1B00E48200E5E99C /* secacltests-entitlements.plist */, + 5EF7C23D1B00E48200E5E99C /* testlist.h */, + 5EC01FED1B0CA7E0009FBB75 /* sec_acl_stress.c */, + ); + path = secacltests; + sourceTree = ""; + }; + 721680A7179B40F600406BB4 /* iCloudStats */ = { + isa = PBXGroup; + children = ( + 721680A8179B40F600406BB4 /* main.c */, + 721680AA179B40F600406BB4 /* iCloudStats.1 */, + 721680BD179B4F9100406BB4 /* com.apple.iCloudStats.plist */, + ); + path = iCloudStats; + sourceTree = ""; + }; + 72756C00175D485D00F52070 /* cloud_keychain_diagnose */ = { + isa = PBXGroup; + children = ( + 
72756C30175D48C100F52070 /* cloud_keychain_diagnose.c */, + 72756C03175D485D00F52070 /* Supporting Files */, + ); + path = cloud_keychain_diagnose; + sourceTree = ""; + }; + 72756C03175D485D00F52070 /* Supporting Files */ = { + isa = PBXGroup; + children = ( + 72756C04175D485D00F52070 /* cloud_keychain_diagnose-Prefix.pch */, + ); + name = "Supporting Files"; + sourceTree = ""; + }; + BE94B7D91AD8421F00A7216D /* trustd */ = { + isa = PBXGroup; + children = ( + BE94B7DA1AD8424700A7216D /* com.apple.trustd.asl */, + BE48AE241ADF1FD3000836C1 /* com.apple.trustd.agent.plist */, + BE48AE261ADF2011000836C1 /* com.apple.trustd.plist */, + BE94B7DB1AD8424700A7216D /* com.apple.trustd.sb */, + BE94B7A51AD83AF800A7216D /* trustd-Info.plist */, + BE7048911AD84C53000402D8 /* trustd-Prefix.pch */, + ); + path = trustd; + sourceTree = SOURCE_ROOT; + }; + CD63ACE11A8061FA001B5671 /* IDSKeychainSyncingProxy */ = { + isa = PBXGroup; + children = ( + CD63AD151A8064C2001B5671 /* idksmain.m */, + CD63ACE21A8061FA001B5671 /* Supporting Files */, + ); + path = IDSKeychainSyncingProxy; + sourceTree = ""; + }; + CD63ACE21A8061FA001B5671 /* Supporting Files */ = { + isa = PBXGroup; + children = ( + CD63AD181A8064DE001B5671 /* IDSKeychainSyncingProxy-Info.plist */, + CD63AD191A8064DE001B5671 /* idskeychainsyncingproxy.entitlements.plist */, + CDF91EC81AAE022600E88CF7 /* com.apple.private.alloy.keychainsync.plist */, + CD50D6D21A841C0E00C35E74 /* com.apple.security.idskeychainsyncingproxy.plist */, + ); + name = "Supporting Files"; + sourceTree = ""; + }; + EB22F3CE18A26B640016A8EC /* Breadcrumb */ = { + isa = PBXGroup; + children = ( + EBD8B52718A55668004A650F /* README */, + EB22F3F518A26BA50016A8EC /* bc-10-knife-on-bread.c */, + EB22F3F618A26BA50016A8EC /* breadcrumb_regressions.h */, + EB22F3F718A26BA50016A8EC /* SecBreadcrumb.c */, + EB22F3F818A26BA50016A8EC /* SecBreadcrumb.h */, + ); + name = Breadcrumb; + sourceTree = ""; + }; + F93C493C1AB8FF670047E01A /* ckcdiagnose */ = { + isa = 
PBXGroup; + children = ( + F93C493D1AB8FF670047E01A /* ckcdiagnose.sh */, + ); + name = ckcdiagnose; + path = ../ckcdiagnose; + sourceTree = ""; + }; +/* End PBXGroup section */ + +/* Begin PBXHeadersBuildPhase section */ + 18073848146D0D4E00F05C24 /* Headers */ = { + isa = PBXHeadersBuildPhase; + buildActionMask = 2147483647; + files = ( + CD8B5A9D1B618ED9004D4AEF /* SOSPeerInfoPriv.h in Headers */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 18FE67E71471A3AA00A2CBE3 /* Headers */ = { + isa = PBXHeadersBuildPhase; + buildActionMask = 2147483647; + files = ( + 18FE68021471A42900A2CBE3 /* SecDigestTransform.h in Headers */, + 18FE68031471A42900A2CBE3 /* SecReadTransform.h in Headers */, + 18FE68041471A42900A2CBE3 /* SecTransform.h in Headers */, + 18FE68051471A42900A2CBE3 /* SecCustomTransform.h in Headers */, + 18FE68061471A42900A2CBE3 /* SecDecodeTransform.h in Headers */, + 18FE68071471A42900A2CBE3 /* SecEncodeTransform.h in Headers */, + 18FE68081471A42900A2CBE3 /* SecEncryptTransform.h in Headers */, + 18FE68091471A42900A2CBE3 /* SecSignVerifyTransform.h in Headers */, + 18FE680A1471A42900A2CBE3 /* SecTransformReadTransform.h in Headers */, + 18FE680B1471A42900A2CBE3 /* CipherSuite.h in Headers */, + 18FE680C1471A42900A2CBE3 /* SecureTransport.h in Headers */, + 18FE680D1471A42900A2CBE3 /* mds.h in Headers */, + 18FE680E1471A42900A2CBE3 /* mds_schema.h in Headers */, + 18FE680F1471A42900A2CBE3 /* SecureDownload.h in Headers */, + 18FE68101471A42900A2CBE3 /* SecAccess.h in Headers */, + 18FE68111471A42900A2CBE3 /* SecACL.h in Headers */, + 18FE68121471A42900A2CBE3 /* SecBase.h in Headers */, + 18FE68131471A42900A2CBE3 /* SecCertificate.h in Headers */, + 18FE68141471A42900A2CBE3 /* SecIdentity.h in Headers */, + 18FE68151471A42900A2CBE3 /* SecIdentitySearch.h in Headers */, + 18FE68161471A42900A2CBE3 /* SecItem.h in Headers */, + 18FE68171471A42900A2CBE3 /* SecKey.h in Headers */, + 18FE68181471A42900A2CBE3 /* SecKeychain.h in Headers */, + 
18FE68191471A42900A2CBE3 /* SecKeychainItem.h in Headers */, + 18FE681A1471A42900A2CBE3 /* SecKeychainSearch.h in Headers */, + 18FE681B1471A42900A2CBE3 /* SecPolicy.h in Headers */, + 18FE681C1471A42900A2CBE3 /* SecPolicySearch.h in Headers */, + 18FE681D1471A42900A2CBE3 /* SecTrust.h in Headers */, + 18FE681E1471A42900A2CBE3 /* SecTrustedApplication.h in Headers */, + 18FE681F1471A42900A2CBE3 /* Security.h in Headers */, + 18FE68201471A42900A2CBE3 /* SecImportExport.h in Headers */, + 18FE68211471A42900A2CBE3 /* SecTrustSettings.h in Headers */, + 18FE68221471A42900A2CBE3 /* SecCertificateOIDs.h in Headers */, + 18FE68231471A42900A2CBE3 /* SecRandom.h in Headers */, + D41685841B3A288F001FB54E /* oids.h in Headers */, + 18FE68241471A42900A2CBE3 /* SecTask.h in Headers */, + 18FE68251471A42900A2CBE3 /* CodeSigning.h in Headers */, + 18FE68261471A42900A2CBE3 /* CSCommon.h in Headers */, + 18FE68271471A42900A2CBE3 /* SecCode.h in Headers */, + 18FE68281471A42900A2CBE3 /* SecStaticCode.h in Headers */, + 18FE68291471A42900A2CBE3 /* SecRequirement.h in Headers */, + 18FE682A1471A42900A2CBE3 /* SecCodeHost.h in Headers */, + 18FE682B1471A42900A2CBE3 /* CMSDecoder.h in Headers */, + 18FE682C1471A42900A2CBE3 /* CMSEncoder.h in Headers */, + EB22F3FA18A26BCE0016A8EC /* SecBreadcrumb.h in Headers */, + 18FE682D1471A42900A2CBE3 /* AuthorizationTags.h in Headers */, + 18FE682E1471A42900A2CBE3 /* AuthSession.h in Headers */, + 18FE682F1471A42900A2CBE3 /* Authorization.h in Headers */, + 18FE68301471A42900A2CBE3 /* AuthorizationDB.h in Headers */, + 18FE68311471A42900A2CBE3 /* AuthorizationPlugin.h in Headers */, + 18FE68321471A42900A2CBE3 /* SecAsn1Coder.h in Headers */, + 18FE68331471A42900A2CBE3 /* SecAsn1Templates.h in Headers */, + 18FE68341471A42900A2CBE3 /* SecAsn1Types.h in Headers */, + 44B2606818F81A7D008DF20F /* SecAccessControl.h in Headers */, + 18FE68351471A42900A2CBE3 /* certextensions.h in Headers */, + 18FE68361471A42900A2CBE3 /* cssm.h in Headers */, + 
18FE68371471A42900A2CBE3 /* cssmaci.h in Headers */, + 18FE68381471A42900A2CBE3 /* cssmapi.h in Headers */, + 18FE68391471A42900A2CBE3 /* cssmapple.h in Headers */, + 18FE683A1471A42900A2CBE3 /* cssmcli.h in Headers */, + 18FE683B1471A42900A2CBE3 /* cssmconfig.h in Headers */, + 18FE683C1471A42900A2CBE3 /* cssmcspi.h in Headers */, + 18FE683D1471A42900A2CBE3 /* cssmdli.h in Headers */, + 18FE683E1471A42900A2CBE3 /* cssmerr.h in Headers */, + 18FE683F1471A42900A2CBE3 /* cssmkrapi.h in Headers */, + 18FE68401471A42900A2CBE3 /* cssmkrspi.h in Headers */, + 18FE68411471A42900A2CBE3 /* cssmspi.h in Headers */, + 18FE68421471A42900A2CBE3 /* cssmtpi.h in Headers */, + 18FE68431471A42900A2CBE3 /* cssmtype.h in Headers */, + 18FE68441471A42900A2CBE3 /* eisl.h in Headers */, + 18FE68451471A42900A2CBE3 /* emmspi.h in Headers */, + 18FE68461471A42900A2CBE3 /* emmtype.h in Headers */, + 18FE68491471A42900A2CBE3 /* oidsbase.h in Headers */, + 18FE684A1471A42900A2CBE3 /* oidscert.h in Headers */, + 18FE684B1471A42900A2CBE3 /* oidscrl.h in Headers */, + 18FE684C1471A42900A2CBE3 /* x509defs.h in Headers */, + 18FE684D1471A46600A2CBE3 /* asn1Templates.h in Headers */, + 18FE684E1471A46600A2CBE3 /* AuthorizationPriv.h in Headers */, + 18FE684F1471A46600A2CBE3 /* AuthorizationTagsPriv.h in Headers */, + 4CE7EAA31AEAF5230067F5BD /* SecItemBackup.h in Headers */, + 18FE68501471A46600A2CBE3 /* certExtensionTemplates.h in Headers */, + 18FE68511471A46600A2CBE3 /* checkpw.h in Headers */, + CDDE9D1E1729E2E60013B0E8 /* SecPasswordGenerate.h in Headers */, + 18FE68521471A46600A2CBE3 /* CMSPrivate.h in Headers */, + 5244926A1AFD6CB70043695A /* der_plist.h in Headers */, + 18FE68531471A46600A2CBE3 /* CSCommonPriv.h in Headers */, + 18FE68541471A46600A2CBE3 /* csrTemplates.h in Headers */, + 18FE68551471A46600A2CBE3 /* cssmapplePriv.h in Headers */, + 18FE68561471A46600A2CBE3 /* keyTemplates.h in Headers */, + 18FE68571471A46600A2CBE3 /* mdspriv.h in Headers */, + 18FE68581471A46600A2CBE3 /* 
nameTemplates.h in Headers */, + 18FE68591471A46600A2CBE3 /* ocspTemplates.h in Headers */, + 44B2606A18F81C0F008DF20F /* SecAccessControlPriv.h in Headers */, + 18FE685A1471A46600A2CBE3 /* osKeyTemplates.h in Headers */, + 18FE685B1471A46600A2CBE3 /* SecAccessPriv.h in Headers */, + 18FE685C1471A46600A2CBE3 /* secasn1t.h in Headers */, + 18FE685D1471A46600A2CBE3 /* SecAssessment.h in Headers */, + 18FE685E1471A46600A2CBE3 /* SecBasePriv.h in Headers */, + 18FE685F1471A46600A2CBE3 /* SecCertificateBundle.h in Headers */, + 18FE68611471A46600A2CBE3 /* SecCertificatePriv.h in Headers */, + 18FE68621471A46600A2CBE3 /* SecCertificateRequest.h in Headers */, + 18FE68631471A46600A2CBE3 /* SecCmsBase.h in Headers */, + AC5688BC18B4396D00F0526C /* SecCMS.h in Headers */, + 18FE68641471A46600A2CBE3 /* SecCmsContentInfo.h in Headers */, + 18FE68651471A46600A2CBE3 /* SecCmsDecoder.h in Headers */, + 18FE68661471A46600A2CBE3 /* SecCmsDigestContext.h in Headers */, + 18FE68671471A46600A2CBE3 /* SecCmsDigestedData.h in Headers */, + 18FE68681471A46600A2CBE3 /* SecCmsEncoder.h in Headers */, + 18FE68691471A46600A2CBE3 /* SecCmsEncryptedData.h in Headers */, + 18FE686A1471A46600A2CBE3 /* SecCmsEnvelopedData.h in Headers */, + 18FE686B1471A46600A2CBE3 /* SecCmsMessage.h in Headers */, + 18FE686C1471A46600A2CBE3 /* SecCmsRecipientInfo.h in Headers */, + 18FE686D1471A46600A2CBE3 /* SecCmsSignedData.h in Headers */, + 18FE686E1471A46600A2CBE3 /* SecCmsSignerInfo.h in Headers */, + 18FE686F1471A46600A2CBE3 /* SecCodeHostLib.h in Headers */, + 18FE68701471A46600A2CBE3 /* SecCodePriv.h in Headers */, + 18FE68711471A46600A2CBE3 /* SecCodeSigner.h in Headers */, + 18FE68721471A46600A2CBE3 /* SecFDERecoveryAsymmetricCrypto.h in Headers */, + 18FE68731471A46600A2CBE3 /* SecIdentityPriv.h in Headers */, + 4C0F6F871985877800178101 /* SecEntitlements.h in Headers */, + 18FE68741471A46600A2CBE3 /* SecIdentitySearchPriv.h in Headers */, + 18FE68751471A46600A2CBE3 /* SecIntegrity.h in Headers */, 
+ 18FE68761471A46600A2CBE3 /* SecIntegrityLib.h in Headers */, + 18FE68771471A46600A2CBE3 /* SecItemPriv.h in Headers */, + 18FE68781471A46600A2CBE3 /* SecKeychainItemExtendedAttributes.h in Headers */, + 0C03D62B17D93EED0087643B /* SecDH.h in Headers */, + 18FE68791471A46600A2CBE3 /* SecKeychainItemPriv.h in Headers */, + 18FE687A1471A46600A2CBE3 /* SecKeychainPriv.h in Headers */, + 18FE687B1471A46700A2CBE3 /* SecKeychainSearchPriv.h in Headers */, + 18FE687C1471A46700A2CBE3 /* SecKeyPriv.h in Headers */, + 18FE687D1471A46700A2CBE3 /* SecManifest.h in Headers */, + 18FE687E1471A46700A2CBE3 /* SecNullTransform.h in Headers */, + 18FE687F1471A46700A2CBE3 /* SecPassword.h in Headers */, + 18FE68801471A46700A2CBE3 /* SecPolicyPriv.h in Headers */, + 18FE68811471A46700A2CBE3 /* SecRandomP.h in Headers */, + 18FE68821471A46700A2CBE3 /* SecRecoveryPassword.h in Headers */, + 18FE68831471A46700A2CBE3 /* SecRequirementPriv.h in Headers */, + 18FE68841471A46700A2CBE3 /* SecSMIME.h in Headers */, + 18FE68851471A46700A2CBE3 /* SecStaticCodePriv.h in Headers */, + 18FE68861471A46700A2CBE3 /* SecTransformInternal.h in Headers */, + 18FE68871471A46700A2CBE3 /* SecTrustedApplicationPriv.h in Headers */, + BEC3A76816F79497003E5634 /* SecTaskPriv.h in Headers */, + 18FE68881471A46700A2CBE3 /* SecTrustPriv.h in Headers */, + 18FE68891471A46700A2CBE3 /* SecTrustSettingsPriv.h in Headers */, + 18FE688A1471A46700A2CBE3 /* SecureDownloadInternal.h in Headers */, + 18FE688B1471A46700A2CBE3 /* SecureTransportPriv.h in Headers */, + 18FE688C1471A46700A2CBE3 /* TrustSettingsSchema.h in Headers */, + 18FE688D1471A46700A2CBE3 /* X509Templates.h in Headers */, + 0C4F055E15C9E51A00F9DFD5 /* sslTypes.h in Headers */, + 18BBC7361471F5A300F2B224 /* SecExternalSourceTransform.h in Headers */, + 18B647EC14D9F20500F538BF /* oidsalg.h in Headers */, + 52B5A9C21519330300664F11 /* tsaSupport.h in Headers */, + 52B5A9C31519330300664F11 /* tsaTemplates.h in Headers */, + 52AEA489153C778C005AFC59 /* 
tsaSupportPriv.h in Headers */, + 18B647ED14D9F20F00F538BF /* oidsattr.h in Headers */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 4AF95B8B16193B1B00662B04 /* Headers */ = { + isa = PBXHeadersBuildPhase; + buildActionMask = 2147483647; + files = ( + ); + runOnlyForDeploymentPostprocessing = 0; + }; +/* End PBXHeadersBuildPhase section */ + +/* Begin PBXNativeTarget section */ + 0C6C630A15D193C800BC68CD /* sectests */ = { + isa = PBXNativeTarget; + buildConfigurationList = 0C6C631215D193C900BC68CD /* Build configuration list for PBXNativeTarget "sectests" */; + buildPhases = ( + 0C6C630715D193C800BC68CD /* Sources */, + 0C6C630815D193C800BC68CD /* Frameworks */, + ); + buildRules = ( + ); + dependencies = ( + 0C6C632E15D19D2900BC68CD /* PBXTargetDependency */, + ACB6173F18B5232700EBEDD7 /* PBXTargetDependency */, + 0CBD50C716C3260D00713B6C /* PBXTargetDependency */, + 0CCEBDB316C2CFD4001BD7F6 /* PBXTargetDependency */, + ); + name = sectests; + productName = sectests; + productReference = 0C6C630B15D193C800BC68CD /* sectests */; + productType = "com.apple.product-type.tool"; + }; + 0CC3350716C1ED8000399E53 /* secdtests */ = { + isa = PBXNativeTarget; + buildConfigurationList = 0CC3352A16C1ED8000399E53 /* Build configuration list for PBXNativeTarget "secdtests" */; + buildPhases = ( + 0CC3351616C1ED8000399E53 /* Sources */, + 0CC3351B16C1ED8000399E53 /* Frameworks */, + ); + buildRules = ( + ); + dependencies = ( + 0CC3350A16C1ED8000399E53 /* PBXTargetDependency */, + 0CC3351016C1ED8000399E53 /* PBXTargetDependency */, + 0CC3351216C1ED8000399E53 /* PBXTargetDependency */, + 0CC3351416C1ED8000399E53 /* PBXTargetDependency */, + 0CC3350816C1ED8000399E53 /* PBXTargetDependency */, + 0CC3356216C1EF8B00399E53 /* PBXTargetDependency */, + 0CC3350C16C1ED8000399E53 /* PBXTargetDependency */, + 0CCEBDBD16C30948001BD7F6 /* PBXTargetDependency */, + 0C4EAE7917668DFF00773425 /* PBXTargetDependency */, + ); + name = secdtests; + productName = sectests; + 
productReference = 0CC3352D16C1ED8000399E53 /* secdtests */; + productType = "com.apple.product-type.tool"; + }; + 1807384A146D0D4E00F05C24 /* Security */ = { + isa = PBXNativeTarget; + buildConfigurationList = 18073875146D0D4E00F05C24 /* Build configuration list for PBXNativeTarget "Security" */; + buildPhases = ( + 18073846146D0D4E00F05C24 /* Sources */, + 18073847146D0D4E00F05C24 /* Frameworks */, + 18073848146D0D4E00F05C24 /* Headers */, + 18500F961470828E006F9AB4 /* Run Script Generate Strings */, + 18073849146D0D4E00F05C24 /* Resources */, + 43A599151B0CFC8200D14A7B /* CopyFiles */, + 18500F9114707E10006F9AB4 /* Run Script Copy XPC Service */, + EB5D73121B0CB0E0009CAA47 /* Old SOS header location */, + ); + buildRules = ( + E778BFB91717461800302C14 /* PBXBuildRule */, + ); + dependencies = ( + 1879B545146DE18D007E536C /* PBXTargetDependency */, + BE8D22951ABB747A009A4E18 /* PBXTargetDependency */, + 4AD6F6F41651CC2500DB4CE6 /* PBXTargetDependency */, + 4C12894415FFED03008CE3E3 /* PBXTargetDependency */, + 18FE688F1471A4C900A2CBE3 /* PBXTargetDependency */, + 1885B45114D9AB3D00519375 /* PBXTargetDependency */, + 18270F5D14CF655B00B05E7F /* PBXTargetDependency */, + 18AD56A614CDED59008233F2 /* PBXTargetDependency */, + 182BB410146F248D000BF1F3 /* PBXTargetDependency */, + 1879B56C146DE2CF007E536C /* PBXTargetDependency */, + 18B9655C1472F83C005A4D2E /* PBXTargetDependency */, + 182BB4E7146F25AF000BF1F3 /* PBXTargetDependency */, + 182BB3EE146F248D000BF1F3 /* PBXTargetDependency */, + 182BB3F0146F248D000BF1F3 /* PBXTargetDependency */, + 182BB3F2146F248D000BF1F3 /* PBXTargetDependency */, + 182BB3F4146F248D000BF1F3 /* PBXTargetDependency */, + 182BB3F6146F248D000BF1F3 /* PBXTargetDependency */, + 182BB3F8146F248D000BF1F3 /* PBXTargetDependency */, + 182BB3FC146F248D000BF1F3 /* PBXTargetDependency */, + 182BB3FE146F248D000BF1F3 /* PBXTargetDependency */, + 182BB400146F248D000BF1F3 /* PBXTargetDependency */, + 182BB402146F248D000BF1F3 /* PBXTargetDependency */, + 
182BB404146F248D000BF1F3 /* PBXTargetDependency */, + 182BB406146F248D000BF1F3 /* PBXTargetDependency */, + 182BB408146F248D000BF1F3 /* PBXTargetDependency */, + 182BB40A146F248D000BF1F3 /* PBXTargetDependency */, + 182BB40C146F248D000BF1F3 /* PBXTargetDependency */, + 182BB40E146F248D000BF1F3 /* PBXTargetDependency */, + 182BB412146F248D000BF1F3 /* PBXTargetDependency */, + 182BB414146F248D000BF1F3 /* PBXTargetDependency */, + 182BB418146F248D000BF1F3 /* PBXTargetDependency */, + 182BB41A146F248D000BF1F3 /* PBXTargetDependency */, + 182BB3EC146F2448000BF1F3 /* PBXTargetDependency */, + 18446082146DF52F00B12992 /* PBXTargetDependency */, + 1879B56E146DE2D3007E536C /* PBXTargetDependency */, + 5208C0FE16A0D3980062DDC5 /* PBXTargetDependency */, + E76079FA1951FDF600F69731 /* PBXTargetDependency */, + 182BB22C146F07DD000BF1F3 /* PBXTargetDependency */, + 529FF2201523BD7F0029D842 /* PBXTargetDependency */, + ); + name = Security; + productName = Security; + productReference = 1807384B146D0D4E00F05C24 /* Security.framework */; + productType = "com.apple.product-type.framework"; + }; + 18270ED514CF282600B05E7F /* secd */ = { + isa = PBXNativeTarget; + buildConfigurationList = 18270EDD14CF282600B05E7F /* Build configuration list for PBXNativeTarget "secd" */; + buildPhases = ( + 18270ED214CF282600B05E7F /* Sources */, + 18270ED314CF282600B05E7F /* Frameworks */, + 18BEB19914CF7F0B00C8BD36 /* CopyFiles */, + BE5976DD1AD73BE50066DECE /* CopyFiles */, + 0C6D003C177B545D0095D167 /* CopyFiles */, + ); + buildRules = ( + ); + dependencies = ( + 4C8D8650177A75100019A804 /* PBXTargetDependency */, + 4C01DF13164C3E74006798CD /* PBXTargetDependency */, + 4C7D8764160A746E00D041E3 /* PBXTargetDependency */, + 18270EE314CF28D900B05E7F /* PBXTargetDependency */, + 18270EE114CF28D000B05E7F /* PBXTargetDependency */, + ); + name = secd; + productName = secd; + productReference = 18270ED614CF282600B05E7F /* secd */; + productType = "com.apple.product-type.tool"; + }; + 
182BB567146F4DCA000BF1F3 /* csparser */ = { + isa = PBXNativeTarget; + buildConfigurationList = 182BB572146F4DCB000BF1F3 /* Build configuration list for PBXNativeTarget "csparser" */; + buildPhases = ( + 182BB564146F4DCA000BF1F3 /* Sources */, + 182BB565146F4DCA000BF1F3 /* Frameworks */, + 182BB566146F4DCA000BF1F3 /* Resources */, + 182BB583146FDD3C000BF1F3 /* ShellScript */, + ); + buildRules = ( + ); + dependencies = ( + 182BB596146FE27F000BF1F3 /* PBXTargetDependency */, + 182BB58F146FE11C000BF1F3 /* PBXTargetDependency */, + 182BB58D146FE0FF000BF1F3 /* PBXTargetDependency */, + 182BB588146FE001000BF1F3 /* PBXTargetDependency */, + ); + name = csparser; + productName = csparser; + productReference = 182BB568146F4DCA000BF1F3 /* csparser.bundle */; + productType = "com.apple.product-type.bundle"; + }; + 18F234EA15C9F9A600060520 /* authd */ = { + isa = PBXNativeTarget; + buildConfigurationList = 18F234F615C9F9A700060520 /* Build configuration list for PBXNativeTarget "authd" */; + buildPhases = ( + 4AF95B8B16193B1B00662B04 /* Headers */, + 18F234E715C9F9A600060520 /* Sources */, + 18F234E815C9F9A600060520 /* Frameworks */, + 187D6B9615D4381C00E27494 /* Copy authorization.plist */, + 18CFEE8815DEE2BA00E3F2A3 /* Copy sandbox profile */, + 4A5C178F161A9DE000ABF784 /* CopyFiles */, + 18D6803A16B768DE00DF6D2E /* Copy asl module */, + ); + buildRules = ( + ); + dependencies = ( + ); + name = authd; + productName = security.auth; + productReference = 18F234EB15C9F9A600060520 /* authd.xpc */; + productType = "com.apple.product-type.bundle"; + }; + 18FE67E91471A3AA00A2CBE3 /* copyHeaders */ = { + isa = PBXNativeTarget; + buildConfigurationList = 18FE67FB1471A3AA00A2CBE3 /* Build configuration list for PBXNativeTarget "copyHeaders" */; + buildPhases = ( + 18FE67E71471A3AA00A2CBE3 /* Headers */, + 4CB86AE4167A6F3D00F46643 /* Copy SecureObjectSync Headers */, + ); + buildRules = ( + ); + dependencies = ( + ); + name = copyHeaders; + productName = copyHeaders; + 
productReference = 18FE67EA1471A3AA00A2CBE3 /* Security.framework */; + productType = "com.apple.product-type.framework"; + }; + 3705CAD11A896DE800402F75 /* SecTaskTest */ = { + isa = PBXNativeTarget; + buildConfigurationList = 3705CAD61A896DE800402F75 /* Build configuration list for PBXNativeTarget "SecTaskTest" */; + buildPhases = ( + 3705CACE1A896DE800402F75 /* Sources */, + 3705CACF1A896DE800402F75 /* Frameworks */, + 3705CAD01A896DE800402F75 /* CopyFiles */, + ); + buildRules = ( + ); + dependencies = ( + ); + name = SecTaskTest; + productName = SecTaskTest; + productReference = 3705CAD21A896DE800402F75 /* SecTaskTest */; + productType = "com.apple.product-type.tool"; + }; + 37A7CEAA197DB8FA00926CE8 /* codesign_tests */ = { + isa = PBXNativeTarget; + buildConfigurationList = 37A7CED8197DB8FA00926CE8 /* Build configuration list for PBXNativeTarget "codesign_tests" */; + buildPhases = ( + 37A7CEA7197DB8FA00926CE8 /* Sources */, + 37A7CEA8197DB8FA00926CE8 /* Frameworks */, + 37A7CEDC197DCECD00926CE8 /* CopyFiles */, + ); + buildRules = ( + ); + dependencies = ( + ); + name = codesign_tests; + productName = codesign_tests; + productReference = 37A7CEAB197DB8FA00926CE8 /* codesign_tests */; + productType = "com.apple.product-type.tool"; + }; + 37AB390E1A44A88000B56E04 /* gk_reset_check */ = { + isa = PBXNativeTarget; + buildConfigurationList = 37AB393C1A44A88000B56E04 /* Build configuration list for PBXNativeTarget "gk_reset_check" */; + buildPhases = ( + 37AB390B1A44A88000B56E04 /* Sources */, + 37AB390C1A44A88000B56E04 /* Frameworks */, + ); + buildRules = ( + ); + dependencies = ( + ); + name = gk_reset_check; + productName = gk_reset_check; + productReference = 37AB390F1A44A88000B56E04 /* gk_reset_check */; + productType = "com.apple.product-type.tool"; + }; + 4C96F7C016D6DF8300D3B39D /* Keychain Circle Notification */ = { + isa = PBXNativeTarget; + buildConfigurationList = 4C96F7D516D6DF8400D3B39D /* Build configuration list for PBXNativeTarget "Keychain 
Circle Notification" */; + buildPhases = ( + 4C96F7BD16D6DF8300D3B39D /* Sources */, + 4C96F7BE16D6DF8300D3B39D /* Frameworks */, + 4C96F7BF16D6DF8300D3B39D /* Resources */, + 4C49390E16E51ED100CE110C /* CopyFiles */, + ); + buildRules = ( + ); + dependencies = ( + 4374574E1B2787950051E20E /* PBXTargetDependency */, + ); + name = "Keychain Circle Notification"; + productName = "Keychain Circle Notification"; + productReference = 4C96F7C116D6DF8300D3B39D /* Keychain Circle Notification.app */; + productType = "com.apple.product-type.application"; + }; + 4CB23B45169F5873003A0131 /* security2 */ = { + isa = PBXNativeTarget; + buildConfigurationList = 4CB23B7F169F5873003A0131 /* Build configuration list for PBXNativeTarget "security2" */; + buildPhases = ( + 4CB23B42169F5873003A0131 /* Sources */, + 4CB23B43169F5873003A0131 /* Frameworks */, + 4CB23B44169F5873003A0131 /* CopyFiles */, + ); + buildRules = ( + ); + dependencies = ( + 4CB23B88169F597D003A0131 /* PBXTargetDependency */, + 4CB23B86169F5971003A0131 /* PBXTargetDependency */, + 4CB23B84169F5961003A0131 /* PBXTargetDependency */, + ); + name = security2; + productName = security2; + productReference = 4CB23B46169F5873003A0131 /* security2 */; + productType = "com.apple.product-type.tool"; + }; + 4CC7A7B216CC2A84003E10C1 /* Cloud Keychain Utility */ = { + isa = PBXNativeTarget; + buildConfigurationList = 4CC7A7EF16CC2A85003E10C1 /* Build configuration list for PBXNativeTarget "Cloud Keychain Utility" */; + buildPhases = ( + 4CC7A7AF16CC2A84003E10C1 /* Sources */, + 4CC7A7B016CC2A84003E10C1 /* Frameworks */, + 4CC7A7B116CC2A84003E10C1 /* Resources */, + ); + buildRules = ( + ); + dependencies = ( + 4381B9AC1B28E0F4002BBC79 /* PBXTargetDependency */, + ); + name = "Cloud Keychain Utility"; + productName = Keychain; + productReference = 4CC7A7B316CC2A84003E10C1 /* Cloud Keychain Utility.app */; + productType = "com.apple.product-type.application"; + }; + 5214700516977CB800DF0DB3 /* CloudKeychainProxy */ = { + isa 
= PBXNativeTarget; + buildConfigurationList = 5214701416977CB800DF0DB3 /* Build configuration list for PBXNativeTarget "CloudKeychainProxy" */; + buildPhases = ( + 5214700216977CB800DF0DB3 /* Sources */, + 5214700316977CB800DF0DB3 /* Frameworks */, + 5214700416977CB800DF0DB3 /* Resources */, + 5214702316977EA600DF0DB3 /* CopyFiles */, + ); + buildRules = ( + ); + dependencies = ( + 5214701A16977D2500DF0DB3 /* PBXTargetDependency */, + 5214701816977D1D00DF0DB3 /* PBXTargetDependency */, + ); + name = CloudKeychainProxy; + productName = CloudKeychainProxy; + productReference = 5214700616977CB800DF0DB3 /* CloudKeychainProxy.bundle */; + productType = "com.apple.product-type.bundle"; + }; + 5EF7C2091B00E25400E5E99C /* secacltests */ = { + isa = PBXNativeTarget; + buildConfigurationList = 5EF7C2381B00E25400E5E99C /* Build configuration list for PBXNativeTarget "secacltests" */; + buildPhases = ( + 5EF7C2061B00E25400E5E99C /* Sources */, + 5EF7C2071B00E25400E5E99C /* Frameworks */, + ); + buildRules = ( + ); + dependencies = ( + 5ED88B701B0DEF4700F3B047 /* PBXTargetDependency */, + 5ED88B6E1B0DEF3100F3B047 /* PBXTargetDependency */, + 5EFB69C21B0CBFC30095A36E /* PBXTargetDependency */, + 5EE556971B01DA3E006F78F2 /* PBXTargetDependency */, + 5EE556951B01DA33006F78F2 /* PBXTargetDependency */, + 5EE556931B01DA24006F78F2 /* PBXTargetDependency */, + 5EE556911B01D9F5006F78F2 /* PBXTargetDependency */, + 5EE556671B01D9A8006F78F2 /* PBXTargetDependency */, + ); + name = secacltests; + productName = secacltests; + productReference = 5EF7C20A1B00E25400E5E99C /* secacltests */; + productType = "com.apple.product-type.tool"; + }; + 72756BFD175D485D00F52070 /* cloud_keychain_diagnose */ = { + isa = PBXNativeTarget; + buildConfigurationList = 72756C2F175D485D00F52070 /* Build configuration list for PBXNativeTarget "cloud_keychain_diagnose" */; + buildPhases = ( + 72756BFA175D485D00F52070 /* Sources */, + 72756BFB175D485D00F52070 /* Frameworks */, + 72756BFC175D485D00F52070 /* 
CopyFiles */, + ); + buildRules = ( + ); + dependencies = ( + ); + name = cloud_keychain_diagnose; + productName = cloud_keychain_diagnose; + productReference = 72756BFE175D485D00F52070 /* cloud_keychain_diagnose */; + productType = "com.apple.product-type.tool"; + }; + BE48ADF71ADF1DF4000836C1 /* trustd */ = { + isa = PBXNativeTarget; + buildConfigurationList = BE48AE1E1ADF1DF4000836C1 /* Build configuration list for PBXNativeTarget "trustd" */; + buildPhases = ( + BE48AE021ADF1DF4000836C1 /* Sources */, + BE48AE041ADF1DF4000836C1 /* Frameworks */, + BE48AE191ADF1DF4000836C1 /* CopyFiles */, + BE48AE1B1ADF1DF4000836C1 /* CopyFiles */, + ); + buildRules = ( + ); + dependencies = ( + BE48ADF81ADF1DF4000836C1 /* PBXTargetDependency */, + BE48AE001ADF1DF4000836C1 /* PBXTargetDependency */, + BE48ADFE1ADF1DF4000836C1 /* PBXTargetDependency */, + BE48ADFA1ADF1DF4000836C1 /* PBXTargetDependency */, + BE48ADFC1ADF1DF4000836C1 /* PBXTargetDependency */, + BE48AE231ADF1E66000836C1 /* PBXTargetDependency */, + ); + name = trustd; + productName = secd; + productReference = BE48AE211ADF1DF4000836C1 /* trustd */; + productType = "com.apple.product-type.tool"; + }; + BE94B77E1AD83AF700A7216D /* trustd.xpc */ = { + isa = PBXNativeTarget; + buildConfigurationList = BE94B7A11AD83AF700A7216D /* Build configuration list for PBXNativeTarget "trustd.xpc" */; + buildPhases = ( + BE94B7801AD83AF700A7216D /* Sources */, + BE94B7931AD83AF700A7216D /* Frameworks */, + BE94B79B1AD83AF700A7216D /* Copy sandbox profile */, + BE94B79F1AD83AF700A7216D /* Copy asl module */, + ); + buildRules = ( + ); + dependencies = ( + BE94B7E11AD8442600A7216D /* PBXTargetDependency */, + BE94B7E91AD8447B00A7216D /* PBXTargetDependency */, + BE94B7E71AD8446C00A7216D /* PBXTargetDependency */, + BE94B7EF1AD8453300A7216D /* PBXTargetDependency */, + BE94B7E51AD8446500A7216D /* PBXTargetDependency */, + BE94B7EB1AD8449300A7216D /* PBXTargetDependency */, + ); + name = trustd.xpc; + productName = security.auth; + 
productReference = BE94B7A41AD83AF700A7216D /* trustd.xpc */; + productType = "com.apple.product-type.bundle"; + }; + CD63ACDF1A8061FA001B5671 /* IDSKeychainSyncingProxy */ = { + isa = PBXNativeTarget; + buildConfigurationList = CD63AD101A8061FA001B5671 /* Build configuration list for PBXNativeTarget "IDSKeychainSyncingProxy" */; + buildPhases = ( + CD63ACDC1A8061FA001B5671 /* Sources */, + CD63ACDD1A8061FA001B5671 /* Frameworks */, + CD63ACDE1A8061FA001B5671 /* Resources */, + CD63AD1D1A806552001B5671 /* CopyFiles */, + CDF91EF41AAE025C00E88CF7 /* CopyFiles */, + ); + buildRules = ( + ); + dependencies = ( + CD63AD141A8063B7001B5671 /* PBXTargetDependency */, + CD63AD121A8063AF001B5671 /* PBXTargetDependency */, + ); + name = IDSKeychainSyncingProxy; + productName = IDSKeychainSyncingProxy; + productReference = CD63ACE01A8061FA001B5671 /* IDSKeychainSyncingProxy.bundle */; + productType = "com.apple.product-type.bundle"; + }; +/* End PBXNativeTarget section */ + +/* Begin PBXProject section */ + 18073841146D0D4E00F05C24 /* Project object */ = { + isa = PBXProject; + attributes = { + LastUpgradeCheck = 0700; + TargetAttributes = { + 3705CAD11A896DE800402F75 = { + CreatedOnToolsVersion = 7.0; + }; + 37A7CEAA197DB8FA00926CE8 = { + CreatedOnToolsVersion = 6.0; + }; + 37AB390E1A44A88000B56E04 = { + CreatedOnToolsVersion = 6.3; + }; + 5EF7C2091B00E25400E5E99C = { + CreatedOnToolsVersion = 7.0; + }; + CD63ACDF1A8061FA001B5671 = { + CreatedOnToolsVersion = 7.0; + }; + F93C49311AB8FD350047E01A = { + CreatedOnToolsVersion = 6.3; + }; + }; + }; + buildConfigurationList = 18073844146D0D4E00F05C24 /* Build configuration list for PBXProject "OSX" */; + compatibilityVersion = "Xcode 3.2"; + developmentRegion = English; + hasScannedForEncodings = 0; + knownRegions = ( + en, + Base, + ); + mainGroup = 1807383F146D0D4E00F05C24; + productRefGroup = 1807384C146D0D4E00F05C24 /* Products */; + projectDirPath = ""; + projectReferences = ( + { + ProductGroup = 18270F0914CF43C000B05E7F /* 
Products */; + ProjectRef = 18270F0814CF43C000B05E7F /* libDER.xcodeproj */; + }, + { + ProductGroup = 1879B5BD146DE6C8007E536C /* Products */; + ProjectRef = 1879B5BC146DE6C8007E536C /* libsecurity_apple_csp.xcodeproj */; + }, + { + ProductGroup = 1879B5CA146DE6CE007E536C /* Products */; + ProjectRef = 1879B5C9146DE6CE007E536C /* libsecurity_apple_cspdl.xcodeproj */; + }, + { + ProductGroup = 1879B5D6146DE6D7007E536C /* Products */; + ProjectRef = 1879B5D5146DE6D7007E536C /* libsecurity_apple_file_dl.xcodeproj */; + }, + { + ProductGroup = 1879B5E2146DE6E7007E536C /* Products */; + ProjectRef = 1879B5E1146DE6E7007E536C /* libsecurity_apple_x509_cl.xcodeproj */; + }, + { + ProductGroup = 1879B5F1146DE6FD007E536C /* Products */; + ProjectRef = 1879B5F0146DE6FD007E536C /* libsecurity_apple_x509_tp.xcodeproj */; + }, + { + ProductGroup = 1879B5FD146DE704007E536C /* Products */; + ProjectRef = 1879B5FC146DE704007E536C /* libsecurity_asn1.xcodeproj */; + }, + { + ProductGroup = 1879B60A146DE70A007E536C /* Products */; + ProjectRef = 1879B609146DE70A007E536C /* libsecurity_authorization.xcodeproj */; + }, + { + ProductGroup = 1879B616146DE715007E536C /* Products */; + ProjectRef = 1879B615146DE715007E536C /* libsecurity_cdsa_client.xcodeproj */; + }, + { + ProductGroup = 1879B622146DE720007E536C /* Products */; + ProjectRef = 1879B621146DE720007E536C /* libsecurity_cdsa_plugin.xcodeproj */; + }, + { + ProductGroup = 1879B551146DE227007E536C /* Products */; + ProjectRef = 1879B550146DE227007E536C /* libsecurity_cdsa_utilities.xcodeproj */; + }, + { + ProductGroup = 1879B548146DE212007E536C /* Products */; + ProjectRef = 1879B547146DE212007E536C /* libsecurity_cdsa_utils.xcodeproj */; + }, + { + ProductGroup = 1879B638146DE748007E536C /* Products */; + ProjectRef = 1879B637146DE748007E536C /* libsecurity_checkpw.xcodeproj */; + }, + { + ProductGroup = 1879B64C146DE750007E536C /* Products */; + ProjectRef = 1879B64B146DE750007E536C /* libsecurity_cms.xcodeproj */; + }, + { 
+ ProductGroup = 1879B658146DE756007E536C /* Products */; + ProjectRef = 1879B657146DE756007E536C /* libsecurity_codesigning.xcodeproj */; + }, + { + ProductGroup = 1879B66E146DE75D007E536C /* Products */; + ProjectRef = 1879B66D146DE75D007E536C /* libsecurity_comcryption.xcodeproj */; + }, + { + ProductGroup = 1879B67A146DE76E007E536C /* Products */; + ProjectRef = 1879B679146DE76E007E536C /* libsecurity_cryptkit.xcodeproj */; + }, + { + ProductGroup = 1879B55E146DE244007E536C /* Products */; + ProjectRef = 1879B55D146DE244007E536C /* libsecurity_cssm.xcodeproj */; + }, + { + ProductGroup = 1879B695146DE797007E536C /* Products */; + ProjectRef = 1879B694146DE797007E536C /* libsecurity_filedb.xcodeproj */; + }, + { + ProductGroup = 1879B6A1146DE79F007E536C /* Products */; + ProjectRef = 1879B6A0146DE79F007E536C /* libsecurity_keychain.xcodeproj */; + }, + { + ProductGroup = 1879B6C8146DE7D7007E536C /* Products */; + ProjectRef = 1879B6C7146DE7D7007E536C /* libsecurity_manifest.xcodeproj */; + }, + { + ProductGroup = 1879B6D4146DE7E0007E536C /* Products */; + ProjectRef = 1879B6D3146DE7E0007E536C /* libsecurity_mds.xcodeproj */; + }, + { + ProductGroup = 1879B6E0146DE7E7007E536C /* Products */; + ProjectRef = 1879B6DF146DE7E7007E536C /* libsecurity_ocspd.xcodeproj */; + }, + { + ProductGroup = 1879B6ED146DE7EE007E536C /* Products */; + ProjectRef = 1879B6EC146DE7EE007E536C /* libsecurity_pkcs12.xcodeproj */; + }, + { + ProductGroup = 1879B6F9146DE7F7007E536C /* Products */; + ProjectRef = 1879B6F8146DE7F7007E536C /* libsecurity_sd_cspdl.xcodeproj */; + }, + { + ProductGroup = 1879B713146DE825007E536C /* Products */; + ProjectRef = 1879B712146DE825007E536C /* libsecurity_smime.xcodeproj */; + }, + { + ProductGroup = 1879B720146DE839007E536C /* Products */; + ProjectRef = 1879B71F146DE839007E536C /* libsecurity_ssl.xcodeproj */; + }, + { + ProductGroup = 1879B72C146DE844007E536C /* Products */; + ProjectRef = 1879B72B146DE844007E536C /* libsecurity_transform.xcodeproj 
*/; + }, + { + ProductGroup = 1879B533146DDBE5007E536C /* Products */; + ProjectRef = 1879B532146DDBE5007E536C /* libsecurity_utilities.xcodeproj */; + }, + { + ProductGroup = 184461A4146E9D3200B12992 /* Products */; + ProjectRef = 184461A3146E9D3200B12992 /* libsecurityd.xcodeproj */; + }, + { + ProductGroup = 0CC3355C16C1EF5D00399E53 /* Products */; + ProjectRef = 0CC3355B16C1EF5D00399E53 /* regressions.xcodeproj */; + }, + { + ProductGroup = 186CDD1714CA11C700AF9171 /* Products */; + ProjectRef = 186CDD1614CA11C700AF9171 /* sec.xcodeproj */; + }, + { + ProductGroup = 0C6D77DF15C8C06500BB4405 /* Products */; + ProjectRef = 0C6D77DE15C8C06500BB4405 /* tlsnke.xcodeproj */; + }, + { + ProductGroup = 4C12893815FFECF3008CE3E3 /* Products */; + ProjectRef = 4C12893715FFECF3008CE3E3 /* utilities.xcodeproj */; + }, + ); + projectRoot = ""; + targets = ( + 186F778814E59FB200434E1F /* Security_frameworks */, + 186F778C14E59FDA00434E1F /* Security_executables */, + 0C6C642915D5ADB500BC68CD /* Security_kexts */, + 182BB598146FE295000BF1F3 /* World */, + 1807384A146D0D4E00F05C24 /* Security */, + 182BB567146F4DCA000BF1F3 /* csparser */, + 18FE67E91471A3AA00A2CBE3 /* copyHeaders */, + 18270ED514CF282600B05E7F /* secd */, + 0CC3350716C1ED8000399E53 /* secdtests */, + 0C6C630A15D193C800BC68CD /* sectests */, + 18F234EA15C9F9A600060520 /* authd */, + BE94B77E1AD83AF700A7216D /* trustd.xpc */, + BE48ADF71ADF1DF4000836C1 /* trustd */, + 5214700516977CB800DF0DB3 /* CloudKeychainProxy */, + CD63ACDF1A8061FA001B5671 /* IDSKeychainSyncingProxy */, + 4CB23B45169F5873003A0131 /* security2 */, + 4CC7A7B216CC2A84003E10C1 /* Cloud Keychain Utility */, + 4C96F7C016D6DF8300D3B39D /* Keychain Circle Notification */, + 4CE4729E16D833FD009070D1 /* Security_temporary_UI */, + 72756BFD175D485D00F52070 /* cloud_keychain_diagnose */, + 37A7CEAA197DB8FA00926CE8 /* codesign_tests */, + 37AB390E1A44A88000B56E04 /* gk_reset_check */, + 3705CAD11A896DE800402F75 /* SecTaskTest */, + 
F93C49311AB8FD350047E01A /* ckcdiagnose.sh */, + 5EF7C2091B00E25400E5E99C /* secacltests */, + ); + }; +/* End PBXProject section */ + +/* Begin PBXReferenceProxy section */ + 0C4EAE721766865000773425 /* libsecdRegressions.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libsecdRegressions.a; + remoteRef = 0C4EAE711766865000773425 /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 0C6D77CF15C8B66000BB4405 /* libsecurity_ssl_regressions.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libsecurity_ssl_regressions.a; + remoteRef = 0C6D77CE15C8B66000BB4405 /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 0C6D77D115C8B66000BB4405 /* dtlsEchoClient */ = { + isa = PBXReferenceProxy; + fileType = "compiled.mach-o.executable"; + path = dtlsEchoClient; + remoteRef = 0C6D77D015C8B66000BB4405 /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 0C6D77D315C8B66000BB4405 /* dtlsEchoServer */ = { + isa = PBXReferenceProxy; + fileType = "compiled.mach-o.executable"; + path = dtlsEchoServer; + remoteRef = 0C6D77D215C8B66000BB4405 /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 0C6D77EB15C8C06600BB4405 /* tlsnketest */ = { + isa = PBXReferenceProxy; + fileType = "compiled.mach-o.executable"; + path = tlsnketest; + remoteRef = 0C6D77EA15C8C06600BB4405 /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 0C6D77ED15C8C06600BB4405 /* libtlssocket.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libtlssocket.a; + remoteRef = 0C6D77EC15C8C06600BB4405 /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 0CBD50B316C325F000713B6C /* libsecurity_keychain_regressions.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libsecurity_keychain_regressions.a; + remoteRef = 0CBD50B216C325F000713B6C /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 0CC3356016C1EF5D00399E53 /* 
libregressions.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libregressions.a; + remoteRef = 0CC3355F16C1EF5D00399E53 /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 18270C7D14CE573D00B05E7F /* libsecurityd.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libsecurityd.a; + remoteRef = 18270C7C14CE573D00B05E7F /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 18270F1214CF43C000B05E7F /* libDER.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libDER.a; + remoteRef = 18270F1114CF43C000B05E7F /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 18270F1414CF43C000B05E7F /* parseCert */ = { + isa = PBXReferenceProxy; + fileType = "compiled.mach-o.executable"; + path = parseCert; + remoteRef = 18270F1314CF43C000B05E7F /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 18270F1614CF43C000B05E7F /* libDERUtils.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libDERUtils.a; + remoteRef = 18270F1514CF43C000B05E7F /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 18270F1814CF43C000B05E7F /* parseCrl */ = { + isa = PBXReferenceProxy; + fileType = "compiled.mach-o.executable"; + path = parseCrl; + remoteRef = 18270F1714CF43C000B05E7F /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 18270F1A14CF43C000B05E7F /* parseTicket */ = { + isa = PBXReferenceProxy; + fileType = "compiled.mach-o.executable"; + path = parseTicket; + remoteRef = 18270F1914CF43C000B05E7F /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 18270F6014CF655B00B05E7F /* libsecipc_client.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libsecipc_client.a; + remoteRef = 18270F5F14CF655B00B05E7F /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 184461B1146E9D3300B12992 /* libsecurityd_client.a */ = { + isa = PBXReferenceProxy; + fileType = 
archive.ar; + path = libsecurityd_client.a; + remoteRef = 184461B0146E9D3300B12992 /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 184461B5146E9D3300B12992 /* libsecurityd_server.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libsecurityd_server.a; + remoteRef = 184461B4146E9D3300B12992 /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 184461B9146E9D3300B12992 /* ucspc.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = ucspc.a; + remoteRef = 184461B8146E9D3300B12992 /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 186CDD1E14CA11C700AF9171 /* libSecItemShimOSX.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libSecItemShimOSX.a; + remoteRef = 186CDD1D14CA11C700AF9171 /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 1879B538146DDBE5007E536C /* libsecurity_utilities.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libsecurity_utilities.a; + remoteRef = 1879B537146DDBE5007E536C /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 1879B54F146DE212007E536C /* libsecurity_cdsa_utils.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libsecurity_cdsa_utils.a; + remoteRef = 1879B54E146DE212007E536C /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 1879B55A146DE227007E536C /* libsecurity_cdsa_utilities.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libsecurity_cdsa_utilities.a; + remoteRef = 1879B559146DE227007E536C /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 1879B55C146DE227007E536C /* Schemas */ = { + isa = PBXReferenceProxy; + fileType = "compiled.mach-o.executable"; + path = Schemas; + remoteRef = 1879B55B146DE227007E536C /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 1879B565146DE244007E536C /* libsecurity_cssm.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; 
+ path = libsecurity_cssm.a; + remoteRef = 1879B564146DE244007E536C /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 1879B5C6146DE6C8007E536C /* libsecurity_apple_csp.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libsecurity_apple_csp.a; + remoteRef = 1879B5C5146DE6C8007E536C /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 1879B5D2146DE6CE007E536C /* libsecurity_apple_cspdl.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libsecurity_apple_cspdl.a; + remoteRef = 1879B5D1146DE6CE007E536C /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 1879B5DE146DE6D7007E536C /* libsecurity_apple_file_dl.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libsecurity_apple_file_dl.a; + remoteRef = 1879B5DD146DE6D7007E536C /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 1879B5EB146DE6E8007E536C /* libsecurity_apple_x509_cl.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libsecurity_apple_x509_cl.a; + remoteRef = 1879B5EA146DE6E8007E536C /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 1879B5EF146DE6E8007E536C /* apple_x509_cl.bundle */ = { + isa = PBXReferenceProxy; + fileType = wrapper.cfbundle; + path = apple_x509_cl.bundle; + remoteRef = 1879B5EE146DE6E8007E536C /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 1879B5F9146DE6FD007E536C /* libsecurity_apple_x509_tp.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libsecurity_apple_x509_tp.a; + remoteRef = 1879B5F8146DE6FD007E536C /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 1879B612146DE70A007E536C /* libsecurity_authorization.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libsecurity_authorization.a; + remoteRef = 1879B611146DE70A007E536C /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 1879B61E146DE715007E536C /* 
libsecurity_cdsa_client.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libsecurity_cdsa_client.a; + remoteRef = 1879B61D146DE715007E536C /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 1879B62B146DE720007E536C /* libsecurity_cdsa_plugin.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libsecurity_cdsa_plugin.a; + remoteRef = 1879B62A146DE720007E536C /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 1879B644146DE748007E536C /* libsecurity_checkpw.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libsecurity_checkpw.a; + remoteRef = 1879B643146DE748007E536C /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 1879B648146DE748007E536C /* test-checkpw */ = { + isa = PBXReferenceProxy; + fileType = "compiled.mach-o.executable"; + path = "test-checkpw"; + remoteRef = 1879B647146DE748007E536C /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 1879B64A146DE748007E536C /* perf-checkpw */ = { + isa = PBXReferenceProxy; + fileType = "compiled.mach-o.executable"; + path = "perf-checkpw"; + remoteRef = 1879B649146DE748007E536C /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 1879B654146DE750007E536C /* libsecurity_cms.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libsecurity_cms.a; + remoteRef = 1879B653146DE750007E536C /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 1879B666146DE757007E536C /* libsecurity_codesigning.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libsecurity_codesigning.a; + remoteRef = 1879B665146DE757007E536C /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 1879B66A146DE757007E536C /* libintegrity.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libintegrity.a; + remoteRef = 1879B669146DE757007E536C /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 
1879B66C146DE757007E536C /* libcodehost.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libcodehost.a; + remoteRef = 1879B66B146DE757007E536C /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 1879B676146DE75E007E536C /* libsecurity_comcryption.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libsecurity_comcryption.a; + remoteRef = 1879B675146DE75E007E536C /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 1879B684146DE76F007E536C /* libsecurity_cryptkit.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libsecurity_cryptkit.a; + remoteRef = 1879B683146DE76F007E536C /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 1879B688146DE76F007E536C /* libCryptKit.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libCryptKit.a; + remoteRef = 1879B687146DE76F007E536C /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 1879B68A146DE76F007E536C /* CryptKitSignature.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = CryptKitSignature.a; + remoteRef = 1879B689146DE76F007E536C /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 1879B69D146DE797007E536C /* libsecurity_filedb.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libsecurity_filedb.a; + remoteRef = 1879B69C146DE797007E536C /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 1879B6B3146DE7A0007E536C /* libsecurity_keychain.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libsecurity_keychain.a; + remoteRef = 1879B6B2146DE7A0007E536C /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 1879B6B7146DE7A0007E536C /* XPCKeychainSandboxCheck.xpc */ = { + isa = PBXReferenceProxy; + fileType = wrapper.application; + path = XPCKeychainSandboxCheck.xpc; + remoteRef = 1879B6B6146DE7A0007E536C /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + 
}; + 1879B6D0146DE7D7007E536C /* libsecurity_manifest.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libsecurity_manifest.a; + remoteRef = 1879B6CF146DE7D7007E536C /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 1879B6DC146DE7E0007E536C /* libsecurity_mds.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libsecurity_mds.a; + remoteRef = 1879B6DB146DE7E0007E536C /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 1879B6E9146DE7E8007E536C /* libsecurity_ocspd.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libsecurity_ocspd.a; + remoteRef = 1879B6E8146DE7E8007E536C /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 1879B6F5146DE7EF007E536C /* libsecurity_pkcs12.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libsecurity_pkcs12.a; + remoteRef = 1879B6F4146DE7EF007E536C /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 1879B701146DE7F7007E536C /* libsecurity_sd_cspdl.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libsecurity_sd_cspdl.a; + remoteRef = 1879B700146DE7F7007E536C /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 1879B71C146DE825007E536C /* libsecurity_smime.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libsecurity_smime.a; + remoteRef = 1879B71B146DE825007E536C /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 1879B728146DE839007E536C /* libsecurity_ssl.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libsecurity_ssl.a; + remoteRef = 1879B727146DE839007E536C /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 1879B739146DE845007E536C /* libsecurity_transform.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libsecurity_transform.a; + remoteRef = 1879B738146DE845007E536C /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 
1879B73D146DE845007E536C /* unit-tests.octest */ = { + isa = PBXReferenceProxy; + fileType = wrapper.cfbundle; + path = "unit-tests.octest"; + remoteRef = 1879B73C146DE845007E536C /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 1879B73F146DE845007E536C /* 100-sha2 */ = { + isa = PBXReferenceProxy; + fileType = "compiled.mach-o.executable"; + path = "100-sha2"; + remoteRef = 1879B73E146DE845007E536C /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 1879B741146DE845007E536C /* input-speed-test */ = { + isa = PBXReferenceProxy; + fileType = "compiled.mach-o.executable"; + path = "input-speed-test"; + remoteRef = 1879B740146DE845007E536C /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 1885B3F914D8D9B100519375 /* libASN1.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libASN1.a; + remoteRef = 1885B3F814D8D9B100519375 /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 18D4053B14CE2C1600A2BE4E /* libsecurity.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libsecurity.a; + remoteRef = 18D4053A14CE2C1600A2BE4E /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 4C01DE32164C3793006798CD /* libCloudKeychainProxy.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libCloudKeychainProxy.a; + remoteRef = 4C01DE31164C3793006798CD /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 4C1288EA15FFE9D7008CE3E3 /* libSecureObjectSync.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libSecureObjectSync.a; + remoteRef = 4C1288E915FFE9D7008CE3E3 /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 4C1288EC15FFE9D7008CE3E3 /* libSOSRegressions.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libSOSRegressions.a; + remoteRef = 4C1288EB15FFE9D7008CE3E3 /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 4C1288EE15FFE9D7008CE3E3 /* 
libSecurityRegressions.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libSecurityRegressions.a; + remoteRef = 4C1288ED15FFE9D7008CE3E3 /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 4C1288F015FFE9D7008CE3E3 /* libsecuritydRegressions.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libsecuritydRegressions.a; + remoteRef = 4C1288EF15FFE9D7008CE3E3 /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 4C1288F215FFE9D7008CE3E3 /* libSecOtrOSX.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libSecOtrOSX.a; + remoteRef = 4C1288F115FFE9D7008CE3E3 /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 4C12894015FFECF3008CE3E3 /* libutilities.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libutilities.a; + remoteRef = 4C12893F15FFECF3008CE3E3 /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 4C12894215FFECF3008CE3E3 /* libutilitiesRegressions.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libutilitiesRegressions.a; + remoteRef = 4C12894115FFECF3008CE3E3 /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 4CB23B76169F5873003A0131 /* libSecurityTool.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libSecurityTool.a; + remoteRef = 4CB23B75169F5873003A0131 /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 4CB23B78169F5873003A0131 /* libSecurityCommands.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libSecurityCommands.a; + remoteRef = 4CB23B77169F5873003A0131 /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 4CB23B7A169F5873003A0131 /* libSOSCommands.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libSOSCommands.a; + remoteRef = 4CB23B79169F5873003A0131 /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 52B5A8F6151928B400664F11 /* 
XPCTimeStampingService.xpc */ = { + isa = PBXReferenceProxy; + fileType = wrapper.application; + path = XPCTimeStampingService.xpc; + remoteRef = 52B5A8F5151928B400664F11 /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + ACB6171818B5231800EBEDD7 /* libsecurity_smime_regressions.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libsecurity_smime_regressions.a; + remoteRef = ACB6171718B5231800EBEDD7 /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + BE8D22BC1ABB747B009A4E18 /* libSecTrustOSX.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libSecTrustOSX.a; + remoteRef = BE8D22BB1ABB747B009A4E18 /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + C2432A0815C7112A0096DB5B /* gkunpack */ = { + isa = PBXReferenceProxy; + fileType = "compiled.mach-o.executable"; + path = gkunpack; + remoteRef = C2432A0715C7112A0096DB5B /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + CD63AD0C1A8061FA001B5671 /* libIDSKeychainSyncingProxy.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libIDSKeychainSyncingProxy.a; + remoteRef = CD63AD0B1A8061FA001B5671 /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + E7421C7E1ADC8E0D005FC1C0 /* tlsnke.kext */ = { + isa = PBXReferenceProxy; + fileType = wrapper.cfbundle; + path = tlsnke.kext; + remoteRef = E7421C7D1ADC8E0D005FC1C0 /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + E760796F1951F99600F69731 /* libSWCAgent.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = libSWCAgent.a; + remoteRef = E760796E1951F99600F69731 /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + E76079D51951FDA800F69731 /* liblogging.a */ = { + isa = PBXReferenceProxy; + fileType = archive.ar; + path = liblogging.a; + remoteRef = E76079D41951FDA800F69731 /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; + EB2E1F58166D6B3700A7EF61 /* 
com.apple.CodeSigningHelper.xpc */ = { + isa = PBXReferenceProxy; + fileType = wrapper.cfbundle; + path = com.apple.CodeSigningHelper.xpc; + remoteRef = EB2E1F57166D6B3700A7EF61 /* PBXContainerItemProxy */; + sourceTree = BUILT_PRODUCTS_DIR; + }; +/* End PBXReferenceProxy section */ + +/* Begin PBXResourcesBuildPhase section */ + 18073849146D0D4E00F05C24 /* Resources */ = { + isa = PBXResourcesBuildPhase; + buildActionMask = 2147483647; + files = ( + 1879B4AA146DCA18007E536C /* cssm.mdsinfo in Resources */, + 1844605F146DE93E00B12992 /* csp_capabilities.mdsinfo in Resources */, + 18446060146DE93E00B12992 /* csp_capabilities_common.mds in Resources */, + 18446061146DE93E00B12992 /* csp_common.mdsinfo in Resources */, + 18446062146DE93E00B12992 /* csp_primary.mdsinfo in Resources */, + 184460C7146E7B1E00B12992 /* cspdl_common.mdsinfo in Resources */, + 184460C8146E7B1E00B12992 /* cspdl_csp_capabilities.mdsinfo in Resources */, + 184460C9146E7B1E00B12992 /* cspdl_csp_primary.mdsinfo in Resources */, + 184460CA146E7B1E00B12992 /* cspdl_dl_primary.mdsinfo in Resources */, + 184460E3146E806700B12992 /* dl_common.mdsinfo in Resources */, + 184460E4146E806700B12992 /* dl_primary.mdsinfo in Resources */, + 18446105146E82C800B12992 /* cl_common.mdsinfo in Resources */, + 18446106146E82C800B12992 /* cl_primary.mdsinfo in Resources */, + 18446115146E85A300B12992 /* tp_common.mdsinfo in Resources */, + 18446116146E85A300B12992 /* tp_policyOids.mdsinfo in Resources */, + 18446117146E85A300B12992 /* tp_primary.mdsinfo in Resources */, + 182BB3C5146F1DCB000BF1F3 /* sd_cspdl_common.mdsinfo in Resources */, + 182BB22A146F068B000BF1F3 /* iToolsTrustedApps.plist in Resources */, + 182BB55F146F4544000BF1F3 /* FDEPrefs.plist in Resources */, + 18500F9B14708D0E006F9AB4 /* SecDebugErrorMessages.strings in Resources */, + 18500FA114708F19006F9AB4 /* SecErrorMessages.strings in Resources */, + BE8C5F0A16F7CE450074CF86 /* framework.sb in Resources */, + 188AD8DC1471FE3E0081C619 /* 
FDELocalizable.strings in Resources */, + 188AD8DD1471FE3E0081C619 /* InfoPlist.strings in Resources */, + 52B006C015238F76005D4556 /* TimeStampingPrefs.plist in Resources */, + 187D6B9315D435BD00E27494 /* authorization.buttons.strings in Resources */, + BEFB63691B6834AB0052149A /* AppWorkaround.plist in Resources */, + 187D6B9415D435C700E27494 /* authorization.prompts.strings in Resources */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 182BB566146F4DCA000BF1F3 /* Resources */ = { + isa = PBXResourcesBuildPhase; + buildActionMask = 2147483647; + files = ( + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 4C96F7BF16D6DF8300D3B39D /* Resources */ = { + isa = PBXResourcesBuildPhase; + buildActionMask = 2147483647; + files = ( + 532847791785076B009118DC /* Localizable.strings in Resources */, + 4C49390D16E51ACE00CE110C /* com.apple.security.keychain-circle-notification.plist in Resources */, + 4C96F7C816D6DF8400D3B39D /* InfoPlist.strings in Resources */, + 4C96F7D416D6DF8400D3B39D /* MainMenu.xib in Resources */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 4CC7A7B116CC2A84003E10C1 /* Resources */ = { + isa = PBXResourcesBuildPhase; + buildActionMask = 2147483647; + files = ( + 4C2505B716D2DF9F002CE025 /* Icon.icns in Resources */, + 4CC7A7BA16CC2A85003E10C1 /* InfoPlist.strings in Resources */, + 4CC7A7C016CC2A85003E10C1 /* Credits.rtf in Resources */, + 4CC7A7C616CC2A85003E10C1 /* MainMenu.xib in Resources */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 5214700416977CB800DF0DB3 /* Resources */ = { + isa = PBXResourcesBuildPhase; + buildActionMask = 2147483647; + files = ( + CDAE4BC21A86F6FF0000AA84 /* cloudkeychain.entitlements.plist in Resources */, + 5214701216977CB800DF0DB3 /* InfoPlist.strings in Resources */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + CD63ACDE1A8061FA001B5671 /* Resources */ = { + isa = PBXResourcesBuildPhase; + buildActionMask = 2147483647; + files = ( + CDB22CE31A9D2EA70043E348 /* 
IDSKeychainSyncingProxy-Info.plist in Resources */, + CDAE4B9A1A86F6F20000AA84 /* idskeychainsyncingproxy.entitlements.plist in Resources */, + CDF91EC91AAE022600E88CF7 /* com.apple.private.alloy.keychainsync.plist in Resources */, + CD276BE41A83F204003226BC /* InfoPlist.strings in Resources */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; +/* End PBXResourcesBuildPhase section */ + +/* Begin PBXShellScriptBuildPhase section */ + 182BB583146FDD3C000BF1F3 /* ShellScript */ = { + isa = PBXShellScriptBuildPhase; + buildActionMask = 2147483647; + files = ( + ); + inputPaths = ( + ); + outputPaths = ( + ); + runOnlyForDeploymentPostprocessing = 0; + shellPath = /bin/sh; + shellScript = "cd ${BUILT_PRODUCTS_DIR}/Security.framework\n/bin/ln -sF Versions/Current/PlugIns PlugIns\nexit 0"; + showEnvVarsInLog = 0; + }; + 18500F9114707E10006F9AB4 /* Run Script Copy XPC Service */ = { + isa = PBXShellScriptBuildPhase; + buildActionMask = 2147483647; + files = ( + ); + inputPaths = ( + ); + name = "Run Script Copy XPC Service"; + outputPaths = ( + ); + runOnlyForDeploymentPostprocessing = 0; + shellPath = /bin/sh; + shellScript = "DST=${BUILT_PRODUCTS_DIR}/${CONTENTS_FOLDER_PATH}/XPCServices\n\nXPC_SERVICE=XPCKeychainSandboxCheck.xpc\nditto -v ${BUILT_PRODUCTS_DIR}/${XPC_SERVICE} ${DST}/${XPC_SERVICE}\nif [ $0 -ne 0 ]; then\n\texit $0;\nfi\n\nXPC_SERVICE=XPCTimeStampingService.xpc\nif [ $0 -ne 0 ]; then\n\texit $0;\nfi\n\nif [ ! 
-h ${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}/XPCServices ]; then\n ln -s Versions/Current/XPCServices ${BUILT_PRODUCTS_DIR}/${FULL_PRODUCT_NAME}/XPCServices\nfi\n\nexit 0"; + showEnvVarsInLog = 0; + }; + 18500F961470828E006F9AB4 /* Run Script Generate Strings */ = { + isa = PBXShellScriptBuildPhase; + buildActionMask = 2147483647; + files = ( + ); + inputPaths = ( + ); + name = "Run Script Generate Strings"; + outputPaths = ( + ); + runOnlyForDeploymentPostprocessing = 0; + shellPath = /bin/sh; + shellScript = "DERIVED_SRC=${BUILT_PRODUCTS_DIR}/derived_src\nmkdir -p ${DERIVED_SRC}\n\n# make error message string files\n\nGENDEBUGSTRS[0]=YES; ERRORSTRINGS[0]=${DERIVED_SRC}/SecDebugErrorMessages.strings\nGENDEBUGSTRS[1]=NO ; ERRORSTRINGS[1]=${DERIVED_SRC}/en.lproj/SecErrorMessages.strings\n\nmkdir -p ${DERIVED_SRC}/en.lproj\n\nfor ((ix=0;ix<2;ix++)) ; do\nperl lib/generateErrStrings.pl \\\n${GENDEBUGSTRS[ix]} \\\n${DERIVED_SRC} \\\n${ERRORSTRINGS[ix]} \\\n${BUILT_PRODUCTS_DIR}/Security.framework/Headers/Authorization.h \\\n${BUILT_PRODUCTS_DIR}/Security.framework/Headers/AuthSession.h \\\n${BUILT_PRODUCTS_DIR}/Security.framework/Headers/SecureTransport.h \\\n${BUILT_PRODUCTS_DIR}/Security.framework/Headers/SecBase.h \\\n${BUILT_PRODUCTS_DIR}/Security.framework/Headers/cssmerr.h \\\n${BUILT_PRODUCTS_DIR}/Security.framework/Headers/cssmapple.h \\\n${BUILT_PRODUCTS_DIR}/Security.framework/Headers/CSCommon.h \\\n${BUILT_PRODUCTS_DIR}/Security.framework/PrivateHeaders/AuthorizationPriv.h \\\n${PROJECT_DIR}/libsecurity_keychain/lib/MacOSErrorStrings.h \\\n${BUILT_PRODUCTS_DIR}/Security.framework/PrivateHeaders/SecureTransportPriv.h\ndone"; + showEnvVarsInLog = 0; + }; + 18F2360315CB30EC00060520 /* ShellScript */ = { + isa = PBXShellScriptBuildPhase; + buildActionMask = 2147483647; + files = ( + ); + inputPaths = ( + ); + outputPaths = ( + ); + runOnlyForDeploymentPostprocessing = 0; + shellPath = /bin/sh; + shellScript = 
"DST=${BUILT_PRODUCTS_DIR}/Security.framework/Versions/${FRAMEWORK_VERSION}/XPCServices\n\nXPC_SERVICE=authd.xpc\nditto -v ${BUILT_PRODUCTS_DIR}/${XPC_SERVICE} ${DST}/${XPC_SERVICE}\n\nXPC_SERVICE=trustd.xpc\nditto -v ${BUILT_PRODUCTS_DIR}/${XPC_SERVICE} ${DST}/${XPC_SERVICE}\n\nexit 0"; + showEnvVarsInLog = 0; + }; +/* End PBXShellScriptBuildPhase section */ + +/* Begin PBXSourcesBuildPhase section */ + 0C6C630715D193C800BC68CD /* Sources */ = { + isa = PBXSourcesBuildPhase; + buildActionMask = 2147483647; + files = ( + 0CCEBDB116C2CFC1001BD7F6 /* main.c in Sources */, + EB22F3FB18A26BE40016A8EC /* bc-10-knife-on-bread.c in Sources */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 0CC3351616C1ED8000399E53 /* Sources */ = { + isa = PBXSourcesBuildPhase; + buildActionMask = 2147483647; + files = ( + 0CC3355A16C1EEE700399E53 /* main.c in Sources */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 18073846146D0D4E00F05C24 /* Sources */ = { + isa = PBXSourcesBuildPhase; + buildActionMask = 2147483647; + files = ( + 18A5493315EFD3690059E6DC /* dummy.cpp in Sources */, + E778BFBC17176DDE00302C14 /* security.exp-in in Sources */, + EB22F3F918A26BCA0016A8EC /* SecBreadcrumb.c in Sources */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 18270ED214CF282600B05E7F /* Sources */ = { + isa = PBXSourcesBuildPhase; + buildActionMask = 2147483647; + files = ( + 18270EF614CF334A00B05E7F /* server.c in Sources */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 182BB564146F4DCA000BF1F3 /* Sources */ = { + isa = PBXSourcesBuildPhase; + buildActionMask = 2147483647; + files = ( + 182BB57F146F51A5000BF1F3 /* csparser.cpp in Sources */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 18F234E715C9F9A600060520 /* Sources */ = { + isa = PBXSourcesBuildPhase; + buildActionMask = 2147483647; + files = ( + 18F2352115C9FA3C00060520 /* agent.c in Sources */, + 18F2352215C9FA3C00060520 /* authdb.c in Sources */, + 18F2352315C9FA3C00060520 /* authitems.c in 
Sources */, + 18F2352415C9FA3C00060520 /* authtoken.c in Sources */, + 18F2352515C9FA3C00060520 /* authutilities.c in Sources */, + 18F2352615C9FA3C00060520 /* ccaudit.c in Sources */, + 18F2352715C9FA3C00060520 /* crc.c in Sources */, + 18F2352815C9FA3C00060520 /* credential.c in Sources */, + 18F2352915C9FA3C00060520 /* debugging.c in Sources */, + 18F2352B15C9FA3C00060520 /* engine.c in Sources */, + 18F2352C15C9FA3C00060520 /* main.c in Sources */, + 18F2352D15C9FA3C00060520 /* mechanism.c in Sources */, + 18F2352E15C9FA3C00060520 /* object.c in Sources */, + 18F2352F15C9FA3C00060520 /* process.c in Sources */, + 18F2353015C9FA3C00060520 /* rule.c in Sources */, + 18F2353215C9FA3C00060520 /* server.c in Sources */, + 18F2353315C9FA3C00060520 /* session.c in Sources */, + 182A191115D09AFF006AB103 /* connection.c in Sources */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 3705CACE1A896DE800402F75 /* Sources */ = { + isa = PBXSourcesBuildPhase; + buildActionMask = 2147483647; + files = ( + 3705CAD91A896E0600402F75 /* main.c in Sources */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 37A7CEA7197DB8FA00926CE8 /* Sources */ = { + isa = PBXSourcesBuildPhase; + buildActionMask = 2147483647; + files = ( + 37A7CEAE197DB8FA00926CE8 /* FatDynamicValidation.c in Sources */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 37AB390B1A44A88000B56E04 /* Sources */ = { + isa = PBXSourcesBuildPhase; + buildActionMask = 2147483647; + files = ( + 37AB39121A44A88000B56E04 /* gk_reset_check.c in Sources */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 4C96F7BD16D6DF8300D3B39D /* Sources */ = { + isa = PBXSourcesBuildPhase; + buildActionMask = 2147483647; + files = ( + 4CAEACCC16D6FBF600263776 /* KDSecCircle.m in Sources */, + 4C5DD46A17A5E5D000696A79 /* KNPersistentState.m in Sources */, + 4CD1980E16DD3BDF00A9E8FD /* NSArray+mapWithBlock.m in Sources */, + 4C7D456817BEED0400DDD88F /* NSDictionary+compactDescription.m in Sources */, + 
4C7D453D17BEE69B00DDD88F /* NSString+compactDescription.m in Sources */, + 4C96F7CA16D6DF8400D3B39D /* main.m in Sources */, + 4C85DEDB16DBD5BF00ED8D47 /* KDCirclePeer.m in Sources */, + 4C96F7D116D6DF8400D3B39D /* KNAppDelegate.m in Sources */, + 4C7D456917BEED1400DDD88F /* NSSet+compactDescription.m in Sources */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 4CB23B42169F5873003A0131 /* Sources */ = { + isa = PBXSourcesBuildPhase; + buildActionMask = 2147483647; + files = ( + 4CB23B81169F58DE003A0131 /* security_tool_commands.c in Sources */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 4CC7A7AF16CC2A84003E10C1 /* Sources */ = { + isa = PBXSourcesBuildPhase; + buildActionMask = 2147483647; + files = ( + 4C96F76016D5462F00D3B39D /* KDSecCircle.m in Sources */, + 4C85DEDA16DBD5BF00ED8D47 /* KDCirclePeer.m in Sources */, + 4CC7A7BC16CC2A85003E10C1 /* main.m in Sources */, + 4CC7A7C316CC2A85003E10C1 /* KDAppDelegate.m in Sources */, + 4CC7A7F616CD99E2003E10C1 /* KDSecItems.m in Sources */, + 4CD1980D16DD3BDF00A9E8FD /* NSArray+mapWithBlock.m in Sources */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 5214700216977CB800DF0DB3 /* Sources */ = { + isa = PBXSourcesBuildPhase; + buildActionMask = 2147483647; + files = ( + 52C3D236169B56860091D9D3 /* ckdmain.m in Sources */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 5EF7C2061B00E25400E5E99C /* Sources */ = { + isa = PBXSourcesBuildPhase; + buildActionMask = 2147483647; + files = ( + 5EC01FEE1B0CA7E0009FBB75 /* sec_acl_stress.c in Sources */, + 5EF7C23E1B00E48200E5E99C /* main.c in Sources */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 72756BFA175D485D00F52070 /* Sources */ = { + isa = PBXSourcesBuildPhase; + buildActionMask = 2147483647; + files = ( + 72756C31175D48C100F52070 /* cloud_keychain_diagnose.c in Sources */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + BE48AE021ADF1DF4000836C1 /* Sources */ = { + isa = PBXSourcesBuildPhase; + buildActionMask = 2147483647; 
+ files = ( + BE48AE031ADF1DF4000836C1 /* server.c in Sources */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + BE94B7801AD83AF700A7216D /* Sources */ = { + isa = PBXSourcesBuildPhase; + buildActionMask = 2147483647; + files = ( + BE94B7CD1AD83B9900A7216D /* server.c in Sources */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + CD63ACDC1A8061FA001B5671 /* Sources */ = { + isa = PBXSourcesBuildPhase; + buildActionMask = 2147483647; + files = ( + CD63AD161A8064C2001B5671 /* idksmain.m in Sources */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; +/* End PBXSourcesBuildPhase section */ + +/* Begin PBXTargetDependency section */ + 0C4EAE7917668DFF00773425 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecdRegressions; + targetProxy = 0C4EAE7817668DFF00773425 /* PBXContainerItemProxy */; + }; + 0C6C632E15D19D2900BC68CD /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecurity_ssl_regressions; + targetProxy = 0C6C632D15D19D2900BC68CD /* PBXContainerItemProxy */; + }; + 0CBD50C716C3260D00713B6C /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecurity_keychain_regressions; + targetProxy = 0CBD50C616C3260D00713B6C /* PBXContainerItemProxy */; + }; + 0CC3350816C1ED8000399E53 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libSecureObjectSync; + targetProxy = 0CC3350916C1ED8000399E53 /* PBXContainerItemProxy */; + }; + 0CC3350A16C1ED8000399E53 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = utilities; + targetProxy = 0CC3350B16C1ED8000399E53 /* PBXContainerItemProxy */; + }; + 0CC3350C16C1ED8000399E53 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libSOSRegressions; + targetProxy = 0CC3350D16C1ED8000399E53 /* PBXContainerItemProxy */; + }; + 0CC3351016C1ED8000399E53 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecurity; + targetProxy = 0CC3351116C1ED8000399E53 /* PBXContainerItemProxy */; + }; + 
0CC3351216C1ED8000399E53 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecipc_client; + targetProxy = 0CC3351316C1ED8000399E53 /* PBXContainerItemProxy */; + }; + 0CC3351416C1ED8000399E53 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libSecItemShimOSX; + targetProxy = 0CC3351516C1ED8000399E53 /* PBXContainerItemProxy */; + }; + 0CC3356216C1EF8B00399E53 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = regressions; + targetProxy = 0CC3356116C1EF8B00399E53 /* PBXContainerItemProxy */; + }; + 0CCEBDB316C2CFD4001BD7F6 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = regressions; + targetProxy = 0CCEBDB216C2CFD4001BD7F6 /* PBXContainerItemProxy */; + }; + 0CCEBDBA16C303D8001BD7F6 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = 0CC3350716C1ED8000399E53 /* secdtests */; + targetProxy = 0CCEBDB916C303D8001BD7F6 /* PBXContainerItemProxy */; + }; + 0CCEBDBD16C30948001BD7F6 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = utilitiesRegressions; + targetProxy = 0CCEBDBC16C30948001BD7F6 /* PBXContainerItemProxy */; + }; + 0CFC55E315DDB86500BEC89E /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = 0C6C630A15D193C800BC68CD /* sectests */; + targetProxy = 0CFC55E215DDB86500BEC89E /* PBXContainerItemProxy */; + }; + 18270EE114CF28D000B05E7F /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecurity; + targetProxy = 18270EE014CF28D000B05E7F /* PBXContainerItemProxy */; + }; + 18270EE314CF28D900B05E7F /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecurityd; + targetProxy = 18270EE214CF28D900B05E7F /* PBXContainerItemProxy */; + }; + 18270F5D14CF655B00B05E7F /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecipc_client; + targetProxy = 18270F5C14CF655B00B05E7F /* PBXContainerItemProxy */; + }; + 182BB22C146F07DD000BF1F3 /* PBXTargetDependency */ = { + isa = 
PBXTargetDependency; + name = XPCKeychainSandboxCheck; + targetProxy = 182BB22B146F07DD000BF1F3 /* PBXContainerItemProxy */; + }; + 182BB3EC146F2448000BF1F3 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecurity_apple_x509_tp; + targetProxy = 182BB3EB146F2448000BF1F3 /* PBXContainerItemProxy */; + }; + 182BB3EE146F248D000BF1F3 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecurity_pkcs12; + targetProxy = 182BB3ED146F248D000BF1F3 /* PBXContainerItemProxy */; + }; + 182BB3F0146F248D000BF1F3 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecurity_transform; + targetProxy = 182BB3EF146F248D000BF1F3 /* PBXContainerItemProxy */; + }; + 182BB3F2146F248D000BF1F3 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecurity_ocspd; + targetProxy = 182BB3F1146F248D000BF1F3 /* PBXContainerItemProxy */; + }; + 182BB3F4146F248D000BF1F3 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecurity_comcryption; + targetProxy = 182BB3F3146F248D000BF1F3 /* PBXContainerItemProxy */; + }; + 182BB3F6146F248D000BF1F3 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecurity_checkpw; + targetProxy = 182BB3F5146F248D000BF1F3 /* PBXContainerItemProxy */; + }; + 182BB3F8146F248D000BF1F3 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecurity_ssl; + targetProxy = 182BB3F7146F248D000BF1F3 /* PBXContainerItemProxy */; + }; + 182BB3FC146F248D000BF1F3 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecurity_apple_cspdl; + targetProxy = 182BB3FB146F248D000BF1F3 /* PBXContainerItemProxy */; + }; + 182BB3FE146F248D000BF1F3 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecurity_sd_cspdl; + targetProxy = 182BB3FD146F248D000BF1F3 /* PBXContainerItemProxy */; + }; + 182BB400146F248D000BF1F3 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecurity_manifest; + targetProxy = 
182BB3FF146F248D000BF1F3 /* PBXContainerItemProxy */; + }; + 182BB402146F248D000BF1F3 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecurity_smime; + targetProxy = 182BB401146F248D000BF1F3 /* PBXContainerItemProxy */; + }; + 182BB404146F248D000BF1F3 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecurity_cms; + targetProxy = 182BB403146F248D000BF1F3 /* PBXContainerItemProxy */; + }; + 182BB406146F248D000BF1F3 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecurity_apple_csp; + targetProxy = 182BB405146F248D000BF1F3 /* PBXContainerItemProxy */; + }; + 182BB408146F248D000BF1F3 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecurity_apple_x509_cl; + targetProxy = 182BB407146F248D000BF1F3 /* PBXContainerItemProxy */; + }; + 182BB40A146F248D000BF1F3 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecurity_keychain; + targetProxy = 182BB409146F248D000BF1F3 /* PBXContainerItemProxy */; + }; + 182BB40C146F248D000BF1F3 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecurity_apple_file_dl; + targetProxy = 182BB40B146F248D000BF1F3 /* PBXContainerItemProxy */; + }; + 182BB40E146F248D000BF1F3 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecurity_authorization; + targetProxy = 182BB40D146F248D000BF1F3 /* PBXContainerItemProxy */; + }; + 182BB410146F248D000BF1F3 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecurity_cdsa_utilities; + targetProxy = 182BB40F146F248D000BF1F3 /* PBXContainerItemProxy */; + }; + 182BB412146F248D000BF1F3 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecurity_cryptkit; + targetProxy = 182BB411146F248D000BF1F3 /* PBXContainerItemProxy */; + }; + 182BB414146F248D000BF1F3 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecurity_cdsa_client; + targetProxy = 182BB413146F248D000BF1F3 /* PBXContainerItemProxy */; + }; + 
182BB418146F248D000BF1F3 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecurity_filedb; + targetProxy = 182BB417146F248D000BF1F3 /* PBXContainerItemProxy */; + }; + 182BB41A146F248D000BF1F3 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecurity_mds; + targetProxy = 182BB419146F248D000BF1F3 /* PBXContainerItemProxy */; + }; + 182BB4E7146F25AF000BF1F3 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecurity_codesigning; + targetProxy = 182BB4E6146F25AF000BF1F3 /* PBXContainerItemProxy */; + }; + 182BB588146FE001000BF1F3 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecurity_codesigning; + targetProxy = 182BB587146FE001000BF1F3 /* PBXContainerItemProxy */; + }; + 182BB58D146FE0FF000BF1F3 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecurity_cdsa_utilities; + targetProxy = 182BB58C146FE0FF000BF1F3 /* PBXContainerItemProxy */; + }; + 182BB58F146FE11C000BF1F3 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecurity_utilities; + targetProxy = 182BB58E146FE11C000BF1F3 /* PBXContainerItemProxy */; + }; + 182BB596146FE27F000BF1F3 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = 1807384A146D0D4E00F05C24 /* Security */; + targetProxy = 182BB595146FE27F000BF1F3 /* PBXContainerItemProxy */; + }; + 18446082146DF52F00B12992 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecurity_cdsa_plugin; + targetProxy = 18446081146DF52F00B12992 /* PBXContainerItemProxy */; + }; + 186F779114E5A00F00434E1F /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = 18270ED514CF282600B05E7F /* secd */; + targetProxy = 186F779014E5A00F00434E1F /* PBXContainerItemProxy */; + }; + 186F779314E5A01700434E1F /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = 1807384A146D0D4E00F05C24 /* Security */; + targetProxy = 186F779214E5A01700434E1F /* PBXContainerItemProxy */; + }; + 
186F779514E5A01C00434E1F /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = 182BB567146F4DCA000BF1F3 /* csparser */; + targetProxy = 186F779414E5A01C00434E1F /* PBXContainerItemProxy */; + }; + 186F779714E5A04200434E1F /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = 18FE67E91471A3AA00A2CBE3 /* copyHeaders */; + targetProxy = 186F779614E5A04200434E1F /* PBXContainerItemProxy */; + }; + 186F779914E5A06500434E1F /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = 186F778814E59FB200434E1F /* Security_frameworks */; + targetProxy = 186F779814E5A06500434E1F /* PBXContainerItemProxy */; + }; + 186F779B14E5A06800434E1F /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = 186F778C14E59FDA00434E1F /* Security_executables */; + targetProxy = 186F779A14E5A06800434E1F /* PBXContainerItemProxy */; + }; + 1879B545146DE18D007E536C /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecurity_utilities; + targetProxy = 1879B544146DE18D007E536C /* PBXContainerItemProxy */; + }; + 1879B56C146DE2CF007E536C /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecurity_cdsa_utils; + targetProxy = 1879B56B146DE2CF007E536C /* PBXContainerItemProxy */; + }; + 1879B56E146DE2D3007E536C /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecurity_cssm; + targetProxy = 1879B56D146DE2D3007E536C /* PBXContainerItemProxy */; + }; + 1885B45114D9AB3D00519375 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libASN1; + targetProxy = 1885B45014D9AB3D00519375 /* PBXContainerItemProxy */; + }; + 18AD56A614CDED59008233F2 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = sec; + targetProxy = 18AD56A514CDED59008233F2 /* PBXContainerItemProxy */; + }; + 18B9655C1472F83C005A4D2E /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = world; + targetProxy = 18B9655B1472F83C005A4D2E /* PBXContainerItemProxy */; + }; + 
18F235FF15CA100300060520 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = 18F234EA15C9F9A600060520 /* authd */; + targetProxy = 18F235FE15CA100300060520 /* PBXContainerItemProxy */; + }; + 18FE688F1471A4C900A2CBE3 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = 18FE67E91471A3AA00A2CBE3 /* copyHeaders */; + targetProxy = 18FE688E1471A4C900A2CBE3 /* PBXContainerItemProxy */; + }; + 3705CADE1A8971DF00402F75 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = 3705CAD11A896DE800402F75 /* SecTaskTest */; + targetProxy = 3705CADD1A8971DF00402F75 /* PBXContainerItemProxy */; + }; + 37A7CEDA197DBA8700926CE8 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = 37A7CEAA197DB8FA00926CE8 /* codesign_tests */; + targetProxy = 37A7CED9197DBA8700926CE8 /* PBXContainerItemProxy */; + }; + 37AB39401A44A95500B56E04 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = 37AB390E1A44A88000B56E04 /* gk_reset_check */; + targetProxy = 37AB393F1A44A95500B56E04 /* PBXContainerItemProxy */; + }; + 4374574E1B2787950051E20E /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = utilities; + targetProxy = 4374574D1B2787950051E20E /* PBXContainerItemProxy */; + }; + 4381B9AC1B28E0F4002BBC79 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = utilities; + targetProxy = 4381B9AB1B28E0F4002BBC79 /* PBXContainerItemProxy */; + }; + 4AD6F6F41651CC2500DB4CE6 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libSecOtrOSX; + targetProxy = 4AD6F6F31651CC2500DB4CE6 /* PBXContainerItemProxy */; + }; + 4C01DF13164C3E74006798CD /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libSecureObjectSync; + targetProxy = 4C01DF12164C3E74006798CD /* PBXContainerItemProxy */; + }; + 4C12894415FFED03008CE3E3 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = utilities; + targetProxy = 4C12894315FFED03008CE3E3 /* PBXContainerItemProxy */; + }; + 
4C797BC916D83A3100C7B586 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = 4C96F7C016D6DF8300D3B39D /* Keychain Circle Notification */; + targetProxy = 4C797BC816D83A3100C7B586 /* PBXContainerItemProxy */; + }; + 4C797BF116D83A3800C7B586 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = 4CC7A7B216CC2A84003E10C1 /* Cloud Keychain Utility */; + targetProxy = 4C797BF016D83A3800C7B586 /* PBXContainerItemProxy */; + }; + 4C7D8764160A746E00D041E3 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = utilities; + targetProxy = 4C7D8763160A746E00D041E3 /* PBXContainerItemProxy */; + }; + 4C8D8650177A75100019A804 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecipc_client; + targetProxy = 4C8D864F177A75100019A804 /* PBXContainerItemProxy */; + }; + 4CB23B84169F5961003A0131 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libSOSCommands; + targetProxy = 4CB23B83169F5961003A0131 /* PBXContainerItemProxy */; + }; + 4CB23B86169F5971003A0131 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libSecurityCommands; + targetProxy = 4CB23B85169F5971003A0131 /* PBXContainerItemProxy */; + }; + 4CB23B88169F597D003A0131 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libSecurityTool; + targetProxy = 4CB23B87169F597D003A0131 /* PBXContainerItemProxy */; + }; + 4CB23B90169F59D8003A0131 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = 4CB23B45169F5873003A0131 /* security2 */; + targetProxy = 4CB23B8F169F59D8003A0131 /* PBXContainerItemProxy */; + }; + 5208C0FE16A0D3980062DDC5 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libSecureObjectSync; + targetProxy = 5208C0FD16A0D3980062DDC5 /* PBXContainerItemProxy */; + }; + 5214701816977D1D00DF0DB3 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = utilities; + targetProxy = 5214701716977D1D00DF0DB3 /* PBXContainerItemProxy */; + }; + 
5214701A16977D2500DF0DB3 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libCloudKeychainProxy; + targetProxy = 5214701916977D2500DF0DB3 /* PBXContainerItemProxy */; + }; + 521470291697842500DF0DB3 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = 5214700516977CB800DF0DB3 /* CloudKeychainProxy */; + targetProxy = 521470281697842500DF0DB3 /* PBXContainerItemProxy */; + }; + 529FF2201523BD7F0029D842 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = XPCTimeStampingService; + targetProxy = 529FF21F1523BD7F0029D842 /* PBXContainerItemProxy */; + }; + 5ED88B6E1B0DEF3100F3B047 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libDER; + targetProxy = 5ED88B6D1B0DEF3100F3B047 /* PBXContainerItemProxy */; + }; + 5ED88B701B0DEF4700F3B047 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecipc_client; + targetProxy = 5ED88B6F1B0DEF4700F3B047 /* PBXContainerItemProxy */; + }; + 5EE556671B01D9A8006F78F2 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecurityd; + targetProxy = 5EE556661B01D9A8006F78F2 /* PBXContainerItemProxy */; + }; + 5EE556911B01D9F5006F78F2 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = regressions; + targetProxy = 5EE556901B01D9F5006F78F2 /* PBXContainerItemProxy */; + }; + 5EE556931B01DA24006F78F2 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecurity; + targetProxy = 5EE556921B01DA24006F78F2 /* PBXContainerItemProxy */; + }; + 5EE556951B01DA33006F78F2 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libSecureObjectSync; + targetProxy = 5EE556941B01DA33006F78F2 /* PBXContainerItemProxy */; + }; + 5EE556971B01DA3E006F78F2 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = utilities; + targetProxy = 5EE556961B01DA3E006F78F2 /* PBXContainerItemProxy */; + }; + 5EF7C2541B00EEC000E5E99C /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = 
5EF7C2091B00E25400E5E99C /* secacltests */; + targetProxy = 5EF7C2531B00EEC000E5E99C /* PBXContainerItemProxy */; + }; + 5EFB69C21B0CBFC30095A36E /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libSecItemShimOSX; + targetProxy = 5EFB69C11B0CBFC30095A36E /* PBXContainerItemProxy */; + }; + 722CF218175D602F00BCE0A5 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = 72756BFD175D485D00F52070 /* cloud_keychain_diagnose */; + targetProxy = 722CF217175D602F00BCE0A5 /* PBXContainerItemProxy */; + }; + ACB6173F18B5232700EBEDD7 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecurity_smime_regressions; + targetProxy = ACB6173E18B5232700EBEDD7 /* PBXContainerItemProxy */; + }; + BE48ADF81ADF1DF4000836C1 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecipc_client; + targetProxy = BE48ADF91ADF1DF4000836C1 /* PBXContainerItemProxy */; + }; + BE48ADFA1ADF1DF4000836C1 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libSecureObjectSync; + targetProxy = BE48ADFB1ADF1DF4000836C1 /* PBXContainerItemProxy */; + }; + BE48ADFC1ADF1DF4000836C1 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = utilities; + targetProxy = BE48ADFD1ADF1DF4000836C1 /* PBXContainerItemProxy */; + }; + BE48ADFE1ADF1DF4000836C1 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecurityd; + targetProxy = BE48ADFF1ADF1DF4000836C1 /* PBXContainerItemProxy */; + }; + BE48AE001ADF1DF4000836C1 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecurity; + targetProxy = BE48AE011ADF1DF4000836C1 /* PBXContainerItemProxy */; + }; + BE48AE231ADF1E66000836C1 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libSecTrustOSX; + targetProxy = BE48AE221ADF1E66000836C1 /* PBXContainerItemProxy */; + }; + BE48AE291ADF204E000836C1 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = BE48ADF71ADF1DF4000836C1 /* trustd */; + targetProxy 
= BE48AE281ADF204E000836C1 /* PBXContainerItemProxy */; + }; + BE8D22951ABB747A009A4E18 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libSecTrustOSX; + targetProxy = BE8D22941ABB747A009A4E18 /* PBXContainerItemProxy */; + }; + BE94B7E11AD8442600A7216D /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecipc_client; + targetProxy = BE94B7E01AD8442600A7216D /* PBXContainerItemProxy */; + }; + BE94B7E51AD8446500A7216D /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = utilities; + targetProxy = BE94B7E41AD8446500A7216D /* PBXContainerItemProxy */; + }; + BE94B7E71AD8446C00A7216D /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecurityd; + targetProxy = BE94B7E61AD8446C00A7216D /* PBXContainerItemProxy */; + }; + BE94B7E91AD8447B00A7216D /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libsecurity; + targetProxy = BE94B7E81AD8447B00A7216D /* PBXContainerItemProxy */; + }; + BE94B7EB1AD8449300A7216D /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libSecTrustOSX; + targetProxy = BE94B7EA1AD8449300A7216D /* PBXContainerItemProxy */; + }; + BE94B7EF1AD8453300A7216D /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libSecureObjectSync; + targetProxy = BE94B7EE1AD8453300A7216D /* PBXContainerItemProxy */; + }; + C2432A2515C726B50096DB5B /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = gkunpack; + targetProxy = C2432A2415C726B50096DB5B /* PBXContainerItemProxy */; + }; + CD63AD121A8063AF001B5671 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = libIDSKeychainSyncingProxy; + targetProxy = CD63AD111A8063AF001B5671 /* PBXContainerItemProxy */; + }; + CD63AD141A8063B7001B5671 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = utilities; + targetProxy = CD63AD131A8063B7001B5671 /* PBXContainerItemProxy */; + }; + CDEB2BD21A8151CD00B0E23A /* PBXTargetDependency */ = { + isa = 
PBXTargetDependency; + target = CD63ACDF1A8061FA001B5671 /* IDSKeychainSyncingProxy */; + targetProxy = CDEB2BD11A8151CD00B0E23A /* PBXContainerItemProxy */; + }; + E76079FA1951FDF600F69731 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = liblogging; + targetProxy = E76079F91951FDF600F69731 /* PBXContainerItemProxy */; + }; + EBB9FFE01682E71F00FF9774 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + name = CodeSigningHelper; + targetProxy = EBB9FFDF1682E71F00FF9774 /* PBXContainerItemProxy */; + }; + F94E7A971ACC8CC200F23132 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = F93C49311AB8FD350047E01A /* ckcdiagnose.sh */; + targetProxy = F94E7A961ACC8CC200F23132 /* PBXContainerItemProxy */; + }; +/* End PBXTargetDependency section */ + +/* Begin PBXVariantGroup section */ + 18500F9F14708F19006F9AB4 /* SecErrorMessages.strings */ = { + isa = PBXVariantGroup; + children = ( + 18500FA014708F19006F9AB4 /* en */, + ); + name = SecErrorMessages.strings; + path = ../../Security; + sourceTree = BUILT_PRODUCTS_DIR; + }; + 187D6B8F15D4359F00E27494 /* authorization.buttons.strings */ = { + isa = PBXVariantGroup; + children = ( + 187D6B9015D4359F00E27494 /* en */, + ); + name = authorization.buttons.strings; + sourceTree = ""; + }; + 187D6B9115D4359F00E27494 /* authorization.prompts.strings */ = { + isa = PBXVariantGroup; + children = ( + 187D6B9215D4359F00E27494 /* en */, + ); + name = authorization.prompts.strings; + sourceTree = ""; + }; + 188AD8D81471FE3D0081C619 /* FDELocalizable.strings */ = { + isa = PBXVariantGroup; + children = ( + 188AD8D91471FE3D0081C619 /* en */, + ); + name = FDELocalizable.strings; + sourceTree = ""; + }; + 188AD8DA1471FE3D0081C619 /* InfoPlist.strings */ = { + isa = PBXVariantGroup; + children = ( + 188AD8DB1471FE3E0081C619 /* en */, + ); + name = InfoPlist.strings; + sourceTree = ""; + }; + 18F2350D15C9FA3B00060520 /* InfoPlist.strings */ = { + isa = PBXVariantGroup; + children = ( + 
18F2350E15C9FA3B00060520 /* en */, + ); + name = InfoPlist.strings; + path = en.lproj; + sourceTree = ""; + }; + 43A598591B0CF2AB00D14A7B /* CloudKeychain.strings */ = { + isa = PBXVariantGroup; + children = ( + 43A598581B0CF2AB00D14A7B /* English */, + ); + name = CloudKeychain.strings; + path = ../../resources; + sourceTree = ""; + }; + 4C96F7C616D6DF8400D3B39D /* InfoPlist.strings */ = { + isa = PBXVariantGroup; + children = ( + 4C96F7C716D6DF8400D3B39D /* en */, + ); + name = InfoPlist.strings; + sourceTree = ""; + }; + 4C96F7D216D6DF8400D3B39D /* MainMenu.xib */ = { + isa = PBXVariantGroup; + children = ( + D46E9CEE1B1E5DEF00ED650E /* Base */, + ); + name = MainMenu.xib; + sourceTree = ""; + }; + 4CC7A7B816CC2A85003E10C1 /* InfoPlist.strings */ = { + isa = PBXVariantGroup; + children = ( + 4CC7A7B916CC2A85003E10C1 /* en */, + ); + name = InfoPlist.strings; + sourceTree = ""; + }; + 4CC7A7BE16CC2A85003E10C1 /* Credits.rtf */ = { + isa = PBXVariantGroup; + children = ( + 4CC7A7BF16CC2A85003E10C1 /* en */, + ); + name = Credits.rtf; + sourceTree = ""; + }; + 4CC7A7C416CC2A85003E10C1 /* MainMenu.xib */ = { + isa = PBXVariantGroup; + children = ( + D46E9CED1B1E5DEF00ED650E /* Base */, + ); + name = MainMenu.xib; + sourceTree = ""; + }; + 5214701016977CB800DF0DB3 /* InfoPlist.strings */ = { + isa = PBXVariantGroup; + children = ( + 5214701116977CB800DF0DB3 /* en */, + ); + name = InfoPlist.strings; + sourceTree = ""; + }; + 5328475117850741009118DC /* Localizable.strings */ = { + isa = PBXVariantGroup; + children = ( + 5328475217850741009118DC /* en */, + ); + name = Localizable.strings; + sourceTree = ""; + }; + CD276BE21A83F204003226BC /* InfoPlist.strings */ = { + isa = PBXVariantGroup; + children = ( + CD276BE31A83F204003226BC /* en */, + ); + name = InfoPlist.strings; + sourceTree = ""; + }; +/* End PBXVariantGroup section */ + +/* Begin XCBuildConfiguration section */ + 0C6C631315D193C900BC68CD /* Debug */ = { + isa = XCBuildConfiguration; + 
baseConfigurationReference = 0C6C632F15D19DE600BC68CD /* test.xcconfig */; + buildSettings = { + CODE_SIGN_ENTITLEMENTS = "sectests/SecurityTests-Entitlements.plist"; + LIBRARY_SEARCH_PATHS = ( + "$(inherited)", + /usr/lib/system, + ); + OTHER_LDFLAGS = "-t"; + VALID_ARCHS = x86_64; + }; + name = Debug; + }; + 0C6C631415D193C900BC68CD /* Release */ = { + isa = XCBuildConfiguration; + baseConfigurationReference = 0C6C632F15D19DE600BC68CD /* test.xcconfig */; + buildSettings = { + CODE_SIGN_ENTITLEMENTS = "sectests/SecurityTests-Entitlements.plist"; + LIBRARY_SEARCH_PATHS = ( + "$(inherited)", + /usr/lib/system, + ); + OTHER_LDFLAGS = "-t"; + VALID_ARCHS = x86_64; + }; + name = Release; + }; + 0C6C642B15D5ADB500BC68CD /* Debug */ = { + isa = XCBuildConfiguration; + buildSettings = { + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Debug; + }; + 0C6C642C15D5ADB500BC68CD /* Release */ = { + isa = XCBuildConfiguration; + buildSettings = { + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Release; + }; + 0CC3352B16C1ED8000399E53 /* Debug */ = { + isa = XCBuildConfiguration; + baseConfigurationReference = 0C6C632F15D19DE600BC68CD /* test.xcconfig */; + buildSettings = { + CODE_SIGN_ENTITLEMENTS = sec/securityd/entitlements.plist; + HEADER_SEARCH_PATHS = ( + "$(inherited)", + "$(PROJECT_DIR)/sec", + "$(PROJECT_DIR)/utilities", + ); + LIBRARY_SEARCH_PATHS = ( + "$(inherited)", + /usr/lib/system, + ); + OTHER_LDFLAGS = "-t"; + "OTHER_LDFLAGS[sdk=macosx*]" = ( + "-t", + "-F$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", + "-framework", + AppleSystemInfo, + ); + PRODUCT_NAME = secdtests; + VALID_ARCHS = x86_64; + }; + name = Debug; + }; + 0CC3352C16C1ED8000399E53 /* Release */ = { + isa = XCBuildConfiguration; + baseConfigurationReference = 0C6C632F15D19DE600BC68CD /* test.xcconfig */; + buildSettings = { + CODE_SIGN_ENTITLEMENTS = sec/securityd/entitlements.plist; + HEADER_SEARCH_PATHS = ( + "$(inherited)", + "$(PROJECT_DIR)/sec", + "$(PROJECT_DIR)/utilities", + ); + 
LIBRARY_SEARCH_PATHS = ( + "$(inherited)", + /usr/lib/system, + ); + OTHER_LDFLAGS = "-t"; + "OTHER_LDFLAGS[sdk=macosx*]" = ( + "-t", + "-F$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", + "-framework", + AppleSystemInfo, + ); + PRODUCT_NAME = secdtests; + VALID_ARCHS = x86_64; + }; + name = Release; + }; + 18073873146D0D4E00F05C24 /* Debug */ = { + isa = XCBuildConfiguration; + baseConfigurationReference = 181EA423146D4A2A00A6D320 /* debug.xcconfig */; + buildSettings = { + }; + name = Debug; + }; + 18073874146D0D4E00F05C24 /* Release */ = { + isa = XCBuildConfiguration; + baseConfigurationReference = 181EA425146D4A2A00A6D320 /* release.xcconfig */; + buildSettings = { + }; + name = Release; + }; + 18073876146D0D4E00F05C24 /* Debug */ = { + isa = XCBuildConfiguration; + baseConfigurationReference = 18BBC6801471EF1600F2B224 /* security.xcconfig */; + buildSettings = { + COMBINE_HIDPI_IMAGES = YES; + EXPORTED_SYMBOLS_FILE = "$(BUILT_PRODUCTS_DIR)/$(TARGETNAME).$(CURRENT_ARCH).exp"; + INFOPLIST_FILE = "lib/Info-Security.plist"; + INSTALL_PATH = "$(SYSTEM_LIBRARY_DIR)/Frameworks"; + LIBRARY_SEARCH_PATHS = ( + "$(inherited)", + /usr/lib/system, + ); + OTHER_LDFLAGS = "-laks"; + "OTHER_LDFLAGS[sdk=*simulator*]" = ""; + }; + name = Debug; + }; + 18073877146D0D4E00F05C24 /* Release */ = { + isa = XCBuildConfiguration; + baseConfigurationReference = 18BBC6801471EF1600F2B224 /* security.xcconfig */; + buildSettings = { + COMBINE_HIDPI_IMAGES = YES; + EXPORTED_SYMBOLS_FILE = "$(BUILT_PRODUCTS_DIR)/$(TARGETNAME).$(CURRENT_ARCH).exp"; + INFOPLIST_FILE = "lib/Info-Security.plist"; + INSTALL_PATH = "$(SYSTEM_LIBRARY_DIR)/Frameworks"; + LIBRARY_SEARCH_PATHS = ( + "$(inherited)", + /usr/lib/system, + ); + ORDER_FILE = lib/Security.order; + OTHER_LDFLAGS = "-laks"; + "OTHER_LDFLAGS[sdk=*simulator*]" = ""; + SECTORDER_FLAGS = "-order_file_statistics"; + }; + name = Release; + }; + 18270EDE14CF282600B05E7F /* Debug */ = { + isa = XCBuildConfiguration; + baseConfigurationReference 
= 18BBC6801471EF1600F2B224 /* security.xcconfig */; + buildSettings = { + CODE_SIGN_ENTITLEMENTS = sec/securityd/entitlements.plist; + GCC_PREPROCESSOR_DEFINITIONS = ( + "SECITEM_SHIM_OSX=1", + "SECTRUST_OSX=0", + "$(inherited)", + ); + GCC_TREAT_WARNINGS_AS_ERRORS = YES; + HEADER_SEARCH_PATHS = ( + "$(PROJECT_DIR)/sec", + "$(PROJECT_DIR)/sec/securityd", + "$(PROJECT_DIR)/sec/ipc", + "$(PROJECT_DIR)/sec/SOSCircle", + "$(PROJECT_DIR)/utilities", + "$(PROJECT_DIR)", + "$(PROJECT_DIR)/../ios/asn1", + "$(PROJECT_DIR)/../libsecurity_keychain/libDER", + "$(SYSTEM_LIBRARY_DIR)/Frameworks/CoreServices.framework/Frameworks/CarbonCore.framework/Headers", + "$(inherited)", + ); + INSTALL_PATH = /usr/libexec; + "OTHER_LDFLAGS[sdk=macosx*]" = ( + "-F$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", + "-framework", + AppleSystemInfo, + ); + USE_HEADERMAP = NO; + VALID_ARCHS = x86_64; + }; + name = Debug; + }; + 18270EDF14CF282600B05E7F /* Release */ = { + isa = XCBuildConfiguration; + baseConfigurationReference = 18BBC6801471EF1600F2B224 /* security.xcconfig */; + buildSettings = { + CODE_SIGN_ENTITLEMENTS = sec/securityd/entitlements.plist; + GCC_PREPROCESSOR_DEFINITIONS = ( + "SECITEM_SHIM_OSX=1", + "SECTRUST_OSX=0", + "$(inherited)", + ); + GCC_TREAT_WARNINGS_AS_ERRORS = YES; + HEADER_SEARCH_PATHS = ( + "$(PROJECT_DIR)/sec", + "$(PROJECT_DIR)/sec/securityd", + "$(PROJECT_DIR)/sec/ipc", + "$(PROJECT_DIR)/sec/SOSCircle", + "$(PROJECT_DIR)/utilities", + "$(PROJECT_DIR)", + "$(PROJECT_DIR)/../ios/asn1", + "$(PROJECT_DIR)/../libsecurity_keychain/libDER", + "$(SYSTEM_LIBRARY_DIR)/Frameworks/CoreServices.framework/Frameworks/CarbonCore.framework/Headers", + "$(inherited)", + ); + INSTALL_PATH = /usr/libexec; + "OTHER_LDFLAGS[sdk=macosx*]" = ( + "-F$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", + "-framework", + AppleSystemInfo, + ); + USE_HEADERMAP = NO; + VALID_ARCHS = x86_64; + }; + name = Release; + }; + 182BB573146F4DCB000BF1F3 /* Debug */ = { + isa = 
XCBuildConfiguration; + baseConfigurationReference = 18BBC6801471EF1600F2B224 /* security.xcconfig */; + buildSettings = { + COMBINE_HIDPI_IMAGES = YES; + EXPORTED_SYMBOLS_FILE = lib/plugins/csparser.exp; + INFOPLIST_FILE = "lib/plugins/csparser-Info.plist"; + INSTALLHDRS_SCRIPT_PHASE = NO; + INSTALL_PATH = "$(SYSTEM_LIBRARY_DIR)/Frameworks/Security.framework/Versions/A/PlugIns"; + WRAPPER_EXTENSION = bundle; + }; + name = Debug; + }; + 182BB574146F4DCB000BF1F3 /* Release */ = { + isa = XCBuildConfiguration; + baseConfigurationReference = 18BBC6801471EF1600F2B224 /* security.xcconfig */; + buildSettings = { + COMBINE_HIDPI_IMAGES = YES; + EXPORTED_SYMBOLS_FILE = lib/plugins/csparser.exp; + INFOPLIST_FILE = "lib/plugins/csparser-Info.plist"; + INSTALLHDRS_SCRIPT_PHASE = NO; + INSTALL_PATH = "$(SYSTEM_LIBRARY_DIR)/Frameworks/Security.framework/Versions/A/PlugIns"; + WRAPPER_EXTENSION = bundle; + }; + name = Release; + }; + 182BB59A146FE295000BF1F3 /* Debug */ = { + isa = XCBuildConfiguration; + buildSettings = { + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Debug; + }; + 182BB59B146FE295000BF1F3 /* Release */ = { + isa = XCBuildConfiguration; + buildSettings = { + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Release; + }; + 186F778A14E59FB200434E1F /* Debug */ = { + isa = XCBuildConfiguration; + buildSettings = { + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Debug; + }; + 186F778B14E59FB200434E1F /* Release */ = { + isa = XCBuildConfiguration; + buildSettings = { + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Release; + }; + 186F778E14E59FDA00434E1F /* Debug */ = { + isa = XCBuildConfiguration; + buildSettings = { + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Debug; + }; + 186F778F14E59FDA00434E1F /* Release */ = { + isa = XCBuildConfiguration; + buildSettings = { + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Release; + }; + 18F234F715C9F9A700060520 /* Debug */ = { + isa = XCBuildConfiguration; + baseConfigurationReference = 18BFC44017C43393005DE6C3 
/* executable.xcconfig */; + buildSettings = { + CLANG_ENABLE_OBJC_ARC = YES; + CLANG_WARN_EMPTY_BODY = YES; + CLANG_WARN_IMPLICIT_SIGN_CONVERSION = YES; + CLANG_WARN_SUSPICIOUS_IMPLICIT_CONVERSION = YES; + CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + COMBINE_HIDPI_IMAGES = YES; + GCC_ENABLE_OBJC_EXCEPTIONS = YES; + GCC_PRECOMPILE_PREFIX_HEADER = YES; + GCC_PREFIX_HEADER = "authd/security.auth-Prefix.pch"; + GCC_TREAT_IMPLICIT_FUNCTION_DECLARATIONS_AS_ERRORS = YES; + GCC_TREAT_INCOMPATIBLE_POINTER_TYPE_WARNINGS_AS_ERRORS = YES; + GCC_WARN_64_TO_32_BIT_CONVERSION = YES; + GCC_WARN_ABOUT_MISSING_FIELD_INITIALIZERS = YES; + GCC_WARN_ABOUT_MISSING_NEWLINE = YES; + GCC_WARN_ABOUT_RETURN_TYPE = YES; + GCC_WARN_INITIALIZER_NOT_FULLY_BRACKETED = YES; + GCC_WARN_SHADOW = YES; + GCC_WARN_SIGN_COMPARE = YES; + GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNKNOWN_PRAGMAS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; + GCC_WARN_UNUSED_LABEL = YES; + GCC_WARN_UNUSED_PARAMETER = YES; + GCC_WARN_UNUSED_VARIABLE = YES; + INFOPLIST_FILE = authd/Info.plist; + INSTALL_PATH = "$(SYSTEM_LIBRARY_DIR)/Frameworks/Security.framework/Versions/${FRAMEWORK_VERSION}/XPCServices"; + MACH_O_TYPE = mh_execute; + PRODUCT_NAME = "$(TARGET_NAME)"; + RUN_CLANG_STATIC_ANALYZER = YES; + SUPPORTED_PLATFORMS = "macosx iphoneos iphonesimulator"; + WRAPPER_EXTENSION = xpc; + }; + name = Debug; + }; + 18F234F815C9F9A700060520 /* Release */ = { + isa = XCBuildConfiguration; + baseConfigurationReference = 18BFC44017C43393005DE6C3 /* executable.xcconfig */; + buildSettings = { + CLANG_ENABLE_OBJC_ARC = YES; + CLANG_WARN_EMPTY_BODY = YES; + CLANG_WARN_IMPLICIT_SIGN_CONVERSION = YES; + CLANG_WARN_SUSPICIOUS_IMPLICIT_CONVERSION = YES; + CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + COMBINE_HIDPI_IMAGES = YES; + GCC_ENABLE_OBJC_EXCEPTIONS = YES; + GCC_PRECOMPILE_PREFIX_HEADER = YES; + GCC_PREFIX_HEADER = "authd/security.auth-Prefix.pch"; + GCC_TREAT_IMPLICIT_FUNCTION_DECLARATIONS_AS_ERRORS = YES; + 
GCC_TREAT_INCOMPATIBLE_POINTER_TYPE_WARNINGS_AS_ERRORS = YES; + GCC_WARN_64_TO_32_BIT_CONVERSION = YES; + GCC_WARN_ABOUT_MISSING_FIELD_INITIALIZERS = YES; + GCC_WARN_ABOUT_MISSING_NEWLINE = YES; + GCC_WARN_ABOUT_RETURN_TYPE = YES; + GCC_WARN_INITIALIZER_NOT_FULLY_BRACKETED = YES; + GCC_WARN_SHADOW = YES; + GCC_WARN_SIGN_COMPARE = YES; + GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNKNOWN_PRAGMAS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; + GCC_WARN_UNUSED_LABEL = YES; + GCC_WARN_UNUSED_PARAMETER = YES; + GCC_WARN_UNUSED_VARIABLE = YES; + INFOPLIST_FILE = authd/Info.plist; + INSTALL_PATH = "$(SYSTEM_LIBRARY_DIR)/Frameworks/Security.framework/Versions/${FRAMEWORK_VERSION}/XPCServices"; + MACH_O_TYPE = mh_execute; + PRODUCT_NAME = "$(TARGET_NAME)"; + SUPPORTED_PLATFORMS = "macosx iphoneos iphonesimulator"; + WRAPPER_EXTENSION = xpc; + }; + name = Release; + }; + 18FE67FC1471A3AA00A2CBE3 /* Debug */ = { + isa = XCBuildConfiguration; + baseConfigurationReference = 18BBC6801471EF1600F2B224 /* security.xcconfig */; + buildSettings = { + CODE_SIGN_IDENTITY = ""; + COMBINE_HIDPI_IMAGES = YES; + INSTALL_PATH = "$(SYSTEM_LIBRARY_DIR)/Frameworks"; + PRODUCT_NAME = Security; + }; + name = Debug; + }; + 18FE67FD1471A3AA00A2CBE3 /* Release */ = { + isa = XCBuildConfiguration; + baseConfigurationReference = 18BBC6801471EF1600F2B224 /* security.xcconfig */; + buildSettings = { + CODE_SIGN_IDENTITY = ""; + COMBINE_HIDPI_IMAGES = YES; + INSTALL_PATH = "$(SYSTEM_LIBRARY_DIR)/Frameworks"; + PRODUCT_NAME = Security; + }; + name = Release; + }; + 3705CAD71A896DE800402F75 /* Debug */ = { + isa = XCBuildConfiguration; + baseConfigurationReference = 181EA422146D4A2A00A6D320 /* base.xcconfig */; + buildSettings = { + ALWAYS_SEARCH_USER_PATHS = NO; + CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; + CLANG_CXX_LIBRARY = "libc++"; + CLANG_ENABLE_MODULES = YES; + CLANG_ENABLE_OBJC_ARC = YES; + CLANG_WARN_BOOL_CONVERSION = YES; + CLANG_WARN_CONSTANT_CONVERSION = YES; + CLANG_WARN_DIRECT_OBJC_ISA_USAGE 
= YES_ERROR; + CLANG_WARN_EMPTY_BODY = YES; + CLANG_WARN_ENUM_CONVERSION = YES; + CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; + CLANG_WARN_UNREACHABLE_CODE = YES; + CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + CODE_SIGN_ENTITLEMENTS = "codesign_tests/SecTask-Entitlements.plist"; + CODE_SIGN_IDENTITY = "-"; + COPY_PHASE_STRIP = NO; + ENABLE_STRICT_OBJC_MSGSEND = YES; + GCC_C_LANGUAGE_STANDARD = gnu99; + GCC_DYNAMIC_NO_PIC = NO; + GCC_OPTIMIZATION_LEVEL = 0; + GCC_PREPROCESSOR_DEFINITIONS = ( + "DEBUG=1", + "$(inherited)", + ); + GCC_SYMBOLS_PRIVATE_EXTERN = NO; + GCC_WARN_64_TO_32_BIT_CONVERSION = YES; + GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; + GCC_WARN_UNDECLARED_SELECTOR = YES; + GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; + GCC_WARN_UNUSED_FUNCTION = YES; + GCC_WARN_UNUSED_VARIABLE = YES; + INSTALL_PATH = /AppleInternal/CoreOS/codesign_tests/; + MTL_ENABLE_DEBUG_INFO = YES; + ONLY_ACTIVE_ARCH = YES; + PRODUCT_NAME = "$(TARGET_NAME)"; + SDKROOT = macosx; + }; + name = Debug; + }; + 3705CAD81A896DE800402F75 /* Release */ = { + isa = XCBuildConfiguration; + baseConfigurationReference = 181EA422146D4A2A00A6D320 /* base.xcconfig */; + buildSettings = { + ALWAYS_SEARCH_USER_PATHS = NO; + CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; + CLANG_CXX_LIBRARY = "libc++"; + CLANG_ENABLE_MODULES = YES; + CLANG_ENABLE_OBJC_ARC = YES; + CLANG_WARN_BOOL_CONVERSION = YES; + CLANG_WARN_CONSTANT_CONVERSION = YES; + CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; + CLANG_WARN_EMPTY_BODY = YES; + CLANG_WARN_ENUM_CONVERSION = YES; + CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; + CLANG_WARN_UNREACHABLE_CODE = YES; + CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + CODE_SIGN_ENTITLEMENTS = "codesign_tests/SecTask-Entitlements.plist"; + CODE_SIGN_IDENTITY = "-"; + COPY_PHASE_STRIP = NO; + DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym"; + ENABLE_NS_ASSERTIONS = NO; + ENABLE_STRICT_OBJC_MSGSEND = YES; + GCC_C_LANGUAGE_STANDARD = gnu99; + 
GCC_WARN_64_TO_32_BIT_CONVERSION = YES; + GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; + GCC_WARN_UNDECLARED_SELECTOR = YES; + GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; + GCC_WARN_UNUSED_FUNCTION = YES; + GCC_WARN_UNUSED_VARIABLE = YES; + INSTALL_PATH = /AppleInternal/CoreOS/codesign_tests/; + MTL_ENABLE_DEBUG_INFO = NO; + PRODUCT_NAME = "$(TARGET_NAME)"; + SDKROOT = macosx; + }; + name = Release; + }; + 37A7CEAF197DB8FA00926CE8 /* Debug */ = { + isa = XCBuildConfiguration; + baseConfigurationReference = 4CB23B91169F5CFF003A0131 /* command.xcconfig */; + buildSettings = { + ALWAYS_SEARCH_USER_PATHS = NO; + CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; + CLANG_CXX_LIBRARY = "libc++"; + CLANG_ENABLE_MODULES = YES; + CLANG_ENABLE_OBJC_ARC = YES; + CLANG_WARN_BOOL_CONVERSION = YES; + CLANG_WARN_CONSTANT_CONVERSION = YES; + CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; + CLANG_WARN_EMPTY_BODY = YES; + CLANG_WARN_ENUM_CONVERSION = YES; + CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; + CLANG_WARN_UNREACHABLE_CODE = YES; + CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + CODE_SIGN_IDENTITY = "-"; + COPY_PHASE_STRIP = NO; + ENABLE_STRICT_OBJC_MSGSEND = YES; + GCC_C_LANGUAGE_STANDARD = gnu99; + GCC_DYNAMIC_NO_PIC = NO; + GCC_OPTIMIZATION_LEVEL = 0; + GCC_PREPROCESSOR_DEFINITIONS = ( + "DEBUG=1", + "$(inherited)", + ); + GCC_SYMBOLS_PRIVATE_EXTERN = NO; + GCC_WARN_64_TO_32_BIT_CONVERSION = YES; + GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; + GCC_WARN_UNDECLARED_SELECTOR = YES; + GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; + GCC_WARN_UNUSED_FUNCTION = YES; + GCC_WARN_UNUSED_VARIABLE = YES; + INSTALL_PATH = /AppleInternal/CoreOS/codesign_tests; + MTL_ENABLE_DEBUG_INFO = YES; + ONLY_ACTIVE_ARCH = YES; + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Debug; + }; + 37A7CEB0197DB8FA00926CE8 /* Release */ = { + isa = XCBuildConfiguration; + baseConfigurationReference = 4CB23B91169F5CFF003A0131 /* command.xcconfig */; + buildSettings = { + ALWAYS_SEARCH_USER_PATHS = 
NO; + CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; + CLANG_CXX_LIBRARY = "libc++"; + CLANG_ENABLE_MODULES = YES; + CLANG_ENABLE_OBJC_ARC = YES; + CLANG_WARN_BOOL_CONVERSION = YES; + CLANG_WARN_CONSTANT_CONVERSION = YES; + CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; + CLANG_WARN_EMPTY_BODY = YES; + CLANG_WARN_ENUM_CONVERSION = YES; + CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; + CLANG_WARN_UNREACHABLE_CODE = YES; + CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + CODE_SIGN_IDENTITY = "-"; + COPY_PHASE_STRIP = YES; + DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym"; + ENABLE_NS_ASSERTIONS = NO; + ENABLE_STRICT_OBJC_MSGSEND = YES; + GCC_C_LANGUAGE_STANDARD = gnu99; + GCC_WARN_64_TO_32_BIT_CONVERSION = YES; + GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; + GCC_WARN_UNDECLARED_SELECTOR = YES; + GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; + GCC_WARN_UNUSED_FUNCTION = YES; + GCC_WARN_UNUSED_VARIABLE = YES; + INSTALL_PATH = /AppleInternal/CoreOS/codesign_tests; + MTL_ENABLE_DEBUG_INFO = NO; + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Release; + }; + 37AB39131A44A88000B56E04 /* Debug */ = { + isa = XCBuildConfiguration; + baseConfigurationReference = 4CB23B91169F5CFF003A0131 /* command.xcconfig */; + buildSettings = { + ALWAYS_SEARCH_USER_PATHS = NO; + CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; + CLANG_CXX_LIBRARY = "libc++"; + CLANG_ENABLE_MODULES = YES; + CLANG_ENABLE_OBJC_ARC = YES; + CLANG_WARN_BOOL_CONVERSION = YES; + CLANG_WARN_CONSTANT_CONVERSION = YES; + CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; + CLANG_WARN_EMPTY_BODY = YES; + CLANG_WARN_ENUM_CONVERSION = YES; + CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; + CLANG_WARN_UNREACHABLE_CODE = YES; + CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + COPY_PHASE_STRIP = NO; + ENABLE_STRICT_OBJC_MSGSEND = YES; + GCC_C_LANGUAGE_STANDARD = gnu99; + GCC_DYNAMIC_NO_PIC = NO; + GCC_OPTIMIZATION_LEVEL = 0; + GCC_PREPROCESSOR_DEFINITIONS = ( + "DEBUG=1", + "$(inherited)", + ); + 
GCC_SYMBOLS_PRIVATE_EXTERN = NO; + GCC_WARN_64_TO_32_BIT_CONVERSION = YES; + GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; + GCC_WARN_UNDECLARED_SELECTOR = YES; + GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; + GCC_WARN_UNUSED_FUNCTION = YES; + GCC_WARN_UNUSED_VARIABLE = YES; + INSTALL_PATH = /AppleInternal/PackageDataTools; + MTL_ENABLE_DEBUG_INFO = YES; + ONLY_ACTIVE_ARCH = YES; + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Debug; + }; + 37AB39141A44A88000B56E04 /* Release */ = { + isa = XCBuildConfiguration; + baseConfigurationReference = 4CB23B91169F5CFF003A0131 /* command.xcconfig */; + buildSettings = { + ALWAYS_SEARCH_USER_PATHS = NO; + CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; + CLANG_CXX_LIBRARY = "libc++"; + CLANG_ENABLE_MODULES = YES; + CLANG_ENABLE_OBJC_ARC = YES; + CLANG_WARN_BOOL_CONVERSION = YES; + CLANG_WARN_CONSTANT_CONVERSION = YES; + CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; + CLANG_WARN_EMPTY_BODY = YES; + CLANG_WARN_ENUM_CONVERSION = YES; + CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; + CLANG_WARN_UNREACHABLE_CODE = YES; + CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + COPY_PHASE_STRIP = NO; + ENABLE_NS_ASSERTIONS = NO; + ENABLE_STRICT_OBJC_MSGSEND = YES; + GCC_C_LANGUAGE_STANDARD = gnu99; + GCC_WARN_64_TO_32_BIT_CONVERSION = YES; + GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; + GCC_WARN_UNDECLARED_SELECTOR = YES; + GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; + GCC_WARN_UNUSED_FUNCTION = YES; + GCC_WARN_UNUSED_VARIABLE = YES; + INSTALL_PATH = /AppleInternal/PackageDataTools; + MTL_ENABLE_DEBUG_INFO = NO; + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Release; + }; + 4C96F7D616D6DF8400D3B39D /* Debug */ = { + isa = XCBuildConfiguration; + buildSettings = { + ALWAYS_SEARCH_USER_PATHS = NO; + CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; + CLANG_CXX_LIBRARY = "libc++"; + CLANG_ENABLE_OBJC_ARC = YES; + CLANG_WARN_CONSTANT_CONVERSION = YES; + CLANG_WARN_EMPTY_BODY = YES; + CLANG_WARN_ENUM_CONVERSION = YES; + 
CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; + CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + CODE_SIGN_ENTITLEMENTS = "Keychain Circle Notification/entitlments.plist"; + CODE_SIGN_IDENTITY = "-"; + COMBINE_HIDPI_IMAGES = YES; + COPY_PHASE_STRIP = NO; + FRAMEWORK_SEARCH_PATHS = ( + "$(inherited)", + "$(SDKROOT)/System/Library/PrivateFrameworks", + ); + GCC_C_LANGUAGE_STANDARD = gnu99; + GCC_DYNAMIC_NO_PIC = NO; + GCC_ENABLE_OBJC_EXCEPTIONS = YES; + GCC_OPTIMIZATION_LEVEL = 0; + GCC_PREFIX_HEADER = "Keychain Circle Notification/Keychain Circle Notification-Prefix.pch"; + GCC_PREPROCESSOR_DEFINITIONS = ( + "DEBUG=1", + "$(inherited)", + ); + GCC_SYMBOLS_PRIVATE_EXTERN = NO; + GCC_WARN_64_TO_32_BIT_CONVERSION = YES; + GCC_WARN_ABOUT_RETURN_TYPE = YES; + GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_VARIABLE = YES; + HEADER_SEARCH_PATHS = ( + "$(inherited)", + "$(SDKROOT)/System/Library/Frameworks/Security.framework/PrivateHeaders", + "$(SDKROOT)/System/Library/Frameworks/CoreFoundation.framework/PrivateHeaders", + "$(PROJECT_DIR)/sec", + ); + INFOPLIST_FILE = "Keychain Circle Notification/Keychain Circle Notification-Info.plist"; + INSTALL_PATH = /System/Library/CoreServices; + ONLY_ACTIVE_ARCH = YES; + PRODUCT_NAME = "$(TARGET_NAME)"; + SDKROOT = ""; + VALID_ARCHS = x86_64; + WRAPPER_EXTENSION = app; + }; + name = Debug; + }; + 4C96F7D716D6DF8400D3B39D /* Release */ = { + isa = XCBuildConfiguration; + buildSettings = { + ALWAYS_SEARCH_USER_PATHS = NO; + CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; + CLANG_CXX_LIBRARY = "libc++"; + CLANG_ENABLE_OBJC_ARC = YES; + CLANG_WARN_CONSTANT_CONVERSION = YES; + CLANG_WARN_EMPTY_BODY = YES; + CLANG_WARN_ENUM_CONVERSION = YES; + CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; + CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + CODE_SIGN_ENTITLEMENTS = "Keychain Circle Notification/entitlments.plist"; + CODE_SIGN_IDENTITY = "-"; + COMBINE_HIDPI_IMAGES = YES; + COPY_PHASE_STRIP = 
YES; + DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym"; + ENABLE_NS_ASSERTIONS = NO; + FRAMEWORK_SEARCH_PATHS = ( + "$(inherited)", + "$(SDKROOT)/System/Library/PrivateFrameworks", + ); + GCC_C_LANGUAGE_STANDARD = gnu99; + GCC_ENABLE_OBJC_EXCEPTIONS = YES; + GCC_PREFIX_HEADER = "Keychain Circle Notification/Keychain Circle Notification-Prefix.pch"; + GCC_WARN_64_TO_32_BIT_CONVERSION = YES; + GCC_WARN_ABOUT_RETURN_TYPE = YES; + GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_VARIABLE = YES; + HEADER_SEARCH_PATHS = ( + "$(inherited)", + "$(SDKROOT)/System/Library/Frameworks/Security.framework/PrivateHeaders", + "$(SDKROOT)/System/Library/Frameworks/CoreFoundation.framework/PrivateHeaders", + "$(PROJECT_DIR)/sec", + ); + INFOPLIST_FILE = "Keychain Circle Notification/Keychain Circle Notification-Info.plist"; + INSTALL_PATH = /System/Library/CoreServices; + PRODUCT_NAME = "$(TARGET_NAME)"; + SDKROOT = ""; + VALID_ARCHS = x86_64; + WRAPPER_EXTENSION = app; + }; + name = Release; + }; + 4CB23B4D169F5873003A0131 /* Debug */ = { + isa = XCBuildConfiguration; + baseConfigurationReference = 4CB23B91169F5CFF003A0131 /* command.xcconfig */; + buildSettings = { + CODE_SIGN_ENTITLEMENTS = sec/SecurityTool/entitlements.plist; + CODE_SIGN_IDENTITY = "-"; + DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym"; + ONLY_ACTIVE_ARCH = YES; + PRODUCT_NAME = security2; + PROVISIONING_PROFILE = ""; + }; + name = Debug; + }; + 4CB23B4E169F5873003A0131 /* Release */ = { + isa = XCBuildConfiguration; + baseConfigurationReference = 4CB23B91169F5CFF003A0131 /* command.xcconfig */; + buildSettings = { + CODE_SIGN_ENTITLEMENTS = sec/SecurityTool/entitlements.plist; + CODE_SIGN_IDENTITY = "-"; + DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym"; + PRODUCT_NAME = security2; + PROVISIONING_PROFILE = ""; + }; + name = Release; + }; + 4CC7A7C716CC2A85003E10C1 /* Debug */ = { + isa = XCBuildConfiguration; + buildSettings = { + ALWAYS_SEARCH_USER_PATHS = NO; + CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; + 
CLANG_CXX_LIBRARY = "libc++"; + CLANG_ENABLE_OBJC_ARC = YES; + CLANG_WARN_CONSTANT_CONVERSION = YES; + CLANG_WARN_EMPTY_BODY = YES; + CLANG_WARN_ENUM_CONVERSION = YES; + CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; + CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + CODE_SIGN_ENTITLEMENTS = sec/SecurityTool/entitlements.plist; + CODE_SIGN_IDENTITY = "-"; + COMBINE_HIDPI_IMAGES = YES; + COPY_PHASE_STRIP = NO; + FRAMEWORK_SEARCH_PATHS = ( + "$(inherited)", + "$(SDKROOT)/System/Library/PrivateFrameworks", + "$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", + ); + GCC_C_LANGUAGE_STANDARD = gnu99; + GCC_DYNAMIC_NO_PIC = NO; + GCC_ENABLE_OBJC_EXCEPTIONS = YES; + GCC_OPTIMIZATION_LEVEL = 0; + GCC_PREFIX_HEADER = "Keychain/Keychain-Prefix.pch"; + GCC_PREPROCESSOR_DEFINITIONS = ( + "DEBUG=1", + "$(inherited)", + ); + GCC_SYMBOLS_PRIVATE_EXTERN = NO; + GCC_WARN_64_TO_32_BIT_CONVERSION = YES; + GCC_WARN_ABOUT_RETURN_TYPE = YES; + GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_VARIABLE = YES; + HEADER_SEARCH_PATHS = ( + "$(inherited)", + "$(SDKROOT)/System/Library/Frameworks/Security.framework/PrivateHeaders", + "$(SDKROOT)/System/Library/Frameworks/CoreFoundation.framework/PrivateHeaders", + "$(PROJECT_DIR)/sec", + ); + INFOPLIST_FILE = "Keychain/Keychain-Info.plist"; + INSTALL_PATH = /AppleInternal/Applications; + ONLY_ACTIVE_ARCH = YES; + PRODUCT_NAME = "$(TARGET_NAME)"; + SDKROOT = ""; + VALID_ARCHS = x86_64; + WRAPPER_EXTENSION = app; + }; + name = Debug; + }; + 4CC7A7C816CC2A85003E10C1 /* Release */ = { + isa = XCBuildConfiguration; + buildSettings = { + ALWAYS_SEARCH_USER_PATHS = NO; + CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; + CLANG_CXX_LIBRARY = "libc++"; + CLANG_ENABLE_OBJC_ARC = YES; + CLANG_WARN_CONSTANT_CONVERSION = YES; + CLANG_WARN_EMPTY_BODY = YES; + CLANG_WARN_ENUM_CONVERSION = YES; + CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; + CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + CODE_SIGN_ENTITLEMENTS 
= sec/SecurityTool/entitlements.plist; + CODE_SIGN_IDENTITY = "-"; + COMBINE_HIDPI_IMAGES = YES; + COPY_PHASE_STRIP = YES; + DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym"; + ENABLE_NS_ASSERTIONS = NO; + FRAMEWORK_SEARCH_PATHS = ( + "$(inherited)", + "$(SDKROOT)/System/Library/PrivateFrameworks", + "$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", + ); + GCC_C_LANGUAGE_STANDARD = gnu99; + GCC_ENABLE_OBJC_EXCEPTIONS = YES; + GCC_PREFIX_HEADER = "Keychain/Keychain-Prefix.pch"; + GCC_WARN_64_TO_32_BIT_CONVERSION = YES; + GCC_WARN_ABOUT_RETURN_TYPE = YES; + GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_VARIABLE = YES; + HEADER_SEARCH_PATHS = ( + "$(inherited)", + "$(SDKROOT)/System/Library/Frameworks/Security.framework/PrivateHeaders", + "$(SDKROOT)/System/Library/Frameworks/CoreFoundation.framework/PrivateHeaders", + "$(PROJECT_DIR)/sec", + ); + INFOPLIST_FILE = "Keychain/Keychain-Info.plist"; + INSTALL_PATH = /AppleInternal/Applications; + PRODUCT_NAME = "$(TARGET_NAME)"; + SDKROOT = ""; + VALID_ARCHS = x86_64; + WRAPPER_EXTENSION = app; + }; + name = Release; + }; + 4CE4729F16D833FE009070D1 /* Debug */ = { + isa = XCBuildConfiguration; + buildSettings = { + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Debug; + }; + 4CE472A016D833FE009070D1 /* Release */ = { + isa = XCBuildConfiguration; + buildSettings = { + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Release; + }; + 5214701516977CB800DF0DB3 /* Debug */ = { + isa = XCBuildConfiguration; + baseConfigurationReference = 18BFC44017C43393005DE6C3 /* executable.xcconfig */; + buildSettings = { + CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; + CLANG_CXX_LIBRARY = "libc++"; + CLANG_ENABLE_OBJC_ARC = YES; + CLANG_WARN_CONSTANT_CONVERSION = YES; + CLANG_WARN_EMPTY_BODY = YES; + CLANG_WARN_ENUM_CONVERSION = YES; + CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + CODE_SIGN_ENTITLEMENTS = CloudKeychainProxy/cloudkeychain.entitlements.plist; + CODE_SIGN_IDENTITY = "-"; + COMBINE_HIDPI_IMAGES 
= YES; + COPY_PHASE_STRIP = NO; + FRAMEWORK_SEARCH_PATHS = ( + "$(inherited)", + "$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", + "$(SDKROOT)/System/Library/Frameworks", + ); + GCC_C_LANGUAGE_STANDARD = gnu99; + GCC_DYNAMIC_NO_PIC = NO; + GCC_ENABLE_OBJC_EXCEPTIONS = YES; + GCC_OPTIMIZATION_LEVEL = 0; + GCC_PREPROCESSOR_DEFINITIONS = ( + "DEBUG=1", + "$(inherited)", + ); + GCC_SYMBOLS_PRIVATE_EXTERN = NO; + GCC_WARN_64_TO_32_BIT_CONVERSION = YES; + GCC_WARN_ABOUT_RETURN_TYPE = YES; + GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_VARIABLE = YES; + INFOPLIST_FILE = "CloudKeychainProxy/CloudKeychainProxy-Info.plist"; + INSTALL_PATH = "$(INDIGO_INSTALL_PATH_PREFIX)$(SYSTEM_LIBRARY_DIR)/Frameworks/Security.framework/Versions/A/Resources"; + MACH_O_TYPE = mh_execute; + ONLY_ACTIVE_ARCH = YES; + "OTHER_LDFLAGS[sdk=iphoneos*]" = ( + "$(inherited)", + "-framework", + MobileKeyBag, + ); + PRODUCT_NAME = "$(TARGET_NAME)"; + PROVISIONING_PROFILE = ""; + VALID_ARCHS = "armv6 armv7 x86_64"; + WRAPPER_EXTENSION = bundle; + }; + name = Debug; + }; + 5214701616977CB800DF0DB3 /* Release */ = { + isa = XCBuildConfiguration; + baseConfigurationReference = 18BFC44017C43393005DE6C3 /* executable.xcconfig */; + buildSettings = { + CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; + CLANG_CXX_LIBRARY = "libc++"; + CLANG_ENABLE_OBJC_ARC = YES; + CLANG_WARN_CONSTANT_CONVERSION = YES; + CLANG_WARN_EMPTY_BODY = YES; + CLANG_WARN_ENUM_CONVERSION = YES; + CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + CODE_SIGN_ENTITLEMENTS = CloudKeychainProxy/cloudkeychain.entitlements.plist; + CODE_SIGN_IDENTITY = "-"; + COMBINE_HIDPI_IMAGES = YES; + COPY_PHASE_STRIP = YES; + DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym"; + FRAMEWORK_SEARCH_PATHS = ( + "$(inherited)", + "$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", + "$(SDKROOT)/System/Library/Frameworks", + ); + GCC_C_LANGUAGE_STANDARD = gnu99; + GCC_ENABLE_OBJC_EXCEPTIONS = YES; + GCC_WARN_64_TO_32_BIT_CONVERSION = YES; + 
GCC_WARN_ABOUT_RETURN_TYPE = YES; + GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_VARIABLE = YES; + INFOPLIST_FILE = "CloudKeychainProxy/CloudKeychainProxy-Info.plist"; + INSTALL_PATH = "$(INDIGO_INSTALL_PATH_PREFIX)$(SYSTEM_LIBRARY_DIR)/Frameworks/Security.framework/Versions/A/Resources"; + MACH_O_TYPE = mh_execute; + "OTHER_LDFLAGS[sdk=iphoneos*]" = ( + "$(inherited)", + "-framework", + MobileKeyBag, + ); + PRODUCT_NAME = "$(TARGET_NAME)"; + PROVISIONING_PROFILE = ""; + VALID_ARCHS = "armv6 armv7 x86_64"; + WRAPPER_EXTENSION = bundle; + }; + name = Release; + }; + 5EF7C20E1B00E25400E5E99C /* Debug */ = { + isa = XCBuildConfiguration; + baseConfigurationReference = 0C6C632F15D19DE600BC68CD /* test.xcconfig */; + buildSettings = { + CLANG_ENABLE_OBJC_ARC = YES; + CODE_SIGN_ENTITLEMENTS = "../secacltests/secacltests-entitlements.plist"; + GCC_PREPROCESSOR_DEFINITIONS = ( + "DEBUG=1", + "$(inherited)", + "NO_SERVER=1", + ); + GCC_WARN_UNDECLARED_SELECTOR = YES; + HEADER_SEARCH_PATHS = ( + "$(inherited)", + "$(PROJECT_DIR)/sec", + "$(PROJECT_DIR)/utilities", + ); + LIBRARY_SEARCH_PATHS = ( + "$(inherited)", + /usr/lib/system, + ); + OTHER_LDFLAGS = "-t"; + "OTHER_LDFLAGS[sdk=macosx*]" = ( + "-t", + "-F$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", + ); + PRODUCT_NAME = "$(TARGET_NAME)"; + VALID_ARCHS = x86_64; + }; + name = Debug; + }; + 5EF7C20F1B00E25400E5E99C /* Release */ = { + isa = XCBuildConfiguration; + baseConfigurationReference = 0C6C632F15D19DE600BC68CD /* test.xcconfig */; + buildSettings = { + CLANG_ENABLE_OBJC_ARC = YES; + CODE_SIGN_ENTITLEMENTS = "../secacltests/secacltests-entitlements.plist"; + GCC_WARN_UNDECLARED_SELECTOR = YES; + HEADER_SEARCH_PATHS = ( + "$(inherited)", + "$(PROJECT_DIR)/sec", + "$(PROJECT_DIR)/utilities", + ); + LIBRARY_SEARCH_PATHS = ( + "$(inherited)", + /usr/lib/system, + ); + OTHER_LDFLAGS = "-t"; + "OTHER_LDFLAGS[sdk=macosx*]" = ( + "-t", + "-F$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", + ); + 
PRODUCT_NAME = "$(TARGET_NAME)"; + VALID_ARCHS = x86_64; + }; + name = Release; + }; + 72756C07175D485D00F52070 /* Debug */ = { + isa = XCBuildConfiguration; + baseConfigurationReference = 4CB23B91169F5CFF003A0131 /* command.xcconfig */; + buildSettings = { + ALWAYS_SEARCH_USER_PATHS = NO; + ARCHS = "$(ARCHS_STANDARD)"; + CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; + CLANG_CXX_LIBRARY = "libc++"; + CLANG_ENABLE_MODULES = YES; + CLANG_ENABLE_OBJC_ARC = YES; + CLANG_WARN_BOOL_CONVERSION = YES; + CLANG_WARN_CONSTANT_CONVERSION = YES; + CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; + CLANG_WARN_EMPTY_BODY = YES; + CLANG_WARN_ENUM_CONVERSION = YES; + CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; + CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + COPY_PHASE_STRIP = NO; + GCC_C_LANGUAGE_STANDARD = gnu99; + GCC_DYNAMIC_NO_PIC = NO; + GCC_ENABLE_OBJC_EXCEPTIONS = YES; + GCC_OPTIMIZATION_LEVEL = 0; + GCC_PRECOMPILE_PREFIX_HEADER = NO; + GCC_PREPROCESSOR_DEFINITIONS = ( + "DEBUG=1", + "$(inherited)", + ); + GCC_SYMBOLS_PRIVATE_EXTERN = NO; + GCC_WARN_64_TO_32_BIT_CONVERSION = YES; + GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; + GCC_WARN_UNDECLARED_SELECTOR = YES; + GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; + GCC_WARN_UNUSED_VARIABLE = YES; + ONLY_ACTIVE_ARCH = YES; + OTHER_LDFLAGS = "-laks"; + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Debug; + }; + 72756C08175D485D00F52070 /* Release */ = { + isa = XCBuildConfiguration; + baseConfigurationReference = 4CB23B91169F5CFF003A0131 /* command.xcconfig */; + buildSettings = { + ALWAYS_SEARCH_USER_PATHS = NO; + ARCHS = "$(ARCHS_STANDARD)"; + CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; + CLANG_CXX_LIBRARY = "libc++"; + CLANG_ENABLE_MODULES = YES; + CLANG_ENABLE_OBJC_ARC = YES; + CLANG_WARN_BOOL_CONVERSION = YES; + CLANG_WARN_CONSTANT_CONVERSION = YES; + CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; + CLANG_WARN_EMPTY_BODY = YES; + CLANG_WARN_ENUM_CONVERSION = YES; + 
CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; + CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + COPY_PHASE_STRIP = YES; + DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym"; + ENABLE_NS_ASSERTIONS = NO; + GCC_C_LANGUAGE_STANDARD = gnu99; + GCC_ENABLE_OBJC_EXCEPTIONS = YES; + GCC_PRECOMPILE_PREFIX_HEADER = NO; + GCC_WARN_64_TO_32_BIT_CONVERSION = YES; + GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; + GCC_WARN_UNDECLARED_SELECTOR = YES; + GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; + GCC_WARN_UNUSED_VARIABLE = YES; + OTHER_LDFLAGS = "-laks"; + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Release; + }; + BE48AE1F1ADF1DF4000836C1 /* Debug */ = { + isa = XCBuildConfiguration; + baseConfigurationReference = 18BBC6801471EF1600F2B224 /* security.xcconfig */; + buildSettings = { + GCC_PREPROCESSOR_DEFINITIONS = ( + "SECITEM_SHIM_OSX=1", + "SECTRUST_OSX=0", + "TRUSTD_SERVER=1", + "$(inherited)", + ); + GCC_TREAT_WARNINGS_AS_ERRORS = YES; + HEADER_SEARCH_PATHS = ( + "$(PROJECT_DIR)/sec", + "$(PROJECT_DIR)/sec/securityd", + "$(PROJECT_DIR)/sec/ipc", + "$(PROJECT_DIR)/sec/SOSCircle", + "$(PROJECT_DIR)/utilities", + "$(PROJECT_DIR)", + "$(PROJECT_DIR)/../ios/asn1", + "$(PROJECT_DIR)/../libsecurity_keychain/libDER", + "$(SYSTEM_LIBRARY_DIR)/Frameworks/CoreServices.framework/Frameworks/CarbonCore.framework/Headers", + "$(inherited)", + ); + INSTALL_PATH = /usr/libexec; + "OTHER_LDFLAGS[sdk=macosx*]" = ( + "-F$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", + "-framework", + AppleSystemInfo, + ); + PRODUCT_NAME = trustd; + USE_HEADERMAP = NO; + VALID_ARCHS = x86_64; + }; + name = Debug; + }; + BE48AE201ADF1DF4000836C1 /* Release */ = { + isa = XCBuildConfiguration; + baseConfigurationReference = 18BBC6801471EF1600F2B224 /* security.xcconfig */; + buildSettings = { + GCC_PREPROCESSOR_DEFINITIONS = ( + "SECITEM_SHIM_OSX=1", + "SECTRUST_OSX=0", + "TRUSTD_SERVER=1", + "$(inherited)", + ); + GCC_TREAT_WARNINGS_AS_ERRORS = YES; + 
HEADER_SEARCH_PATHS = ( + "$(PROJECT_DIR)/sec", + "$(PROJECT_DIR)/sec/securityd", + "$(PROJECT_DIR)/sec/ipc", + "$(PROJECT_DIR)/sec/SOSCircle", + "$(PROJECT_DIR)/utilities", + "$(PROJECT_DIR)", + "$(PROJECT_DIR)/../ios/asn1", + "$(PROJECT_DIR)/../libsecurity_keychain/libDER", + "$(SYSTEM_LIBRARY_DIR)/Frameworks/CoreServices.framework/Frameworks/CarbonCore.framework/Headers", + "$(inherited)", + ); + INSTALL_PATH = /usr/libexec; + "OTHER_LDFLAGS[sdk=macosx*]" = ( + "-F$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", + "-framework", + AppleSystemInfo, + ); + PRODUCT_NAME = trustd; + USE_HEADERMAP = NO; + VALID_ARCHS = x86_64; + }; + name = Release; + }; + BE94B7A21AD83AF700A7216D /* Debug */ = { + isa = XCBuildConfiguration; + baseConfigurationReference = 18BFC44017C43393005DE6C3 /* executable.xcconfig */; + buildSettings = { + ALWAYS_SEARCH_USER_PATHS = NO; + CLANG_ENABLE_OBJC_ARC = YES; + CLANG_WARN_EMPTY_BODY = YES; + CLANG_WARN_IMPLICIT_SIGN_CONVERSION = YES; + CLANG_WARN_SUSPICIOUS_IMPLICIT_CONVERSION = YES; + CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + COMBINE_HIDPI_IMAGES = YES; + GCC_ENABLE_OBJC_EXCEPTIONS = YES; + GCC_PREPROCESSOR_DEFINITIONS = ( + "SECITEM_SHIM_OSX=1", + "SECTRUST_OSX=0", + "TRUSTD_SERVER=1", + "$(inherited)", + ); + GCC_TREAT_IMPLICIT_FUNCTION_DECLARATIONS_AS_ERRORS = YES; + GCC_TREAT_INCOMPATIBLE_POINTER_TYPE_WARNINGS_AS_ERRORS = YES; + GCC_WARN_64_TO_32_BIT_CONVERSION = YES; + GCC_WARN_ABOUT_MISSING_FIELD_INITIALIZERS = YES; + GCC_WARN_ABOUT_MISSING_NEWLINE = YES; + GCC_WARN_ABOUT_RETURN_TYPE = YES; + GCC_WARN_INITIALIZER_NOT_FULLY_BRACKETED = YES; + GCC_WARN_SHADOW = YES; + GCC_WARN_SIGN_COMPARE = YES; + GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNKNOWN_PRAGMAS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; + GCC_WARN_UNUSED_LABEL = YES; + GCC_WARN_UNUSED_PARAMETER = YES; + GCC_WARN_UNUSED_VARIABLE = YES; + HEADER_SEARCH_PATHS = ( + "$(PROJECT_DIR)/sec", + "$(PROJECT_DIR)/sec/securityd", + "$(PROJECT_DIR)/sec/ipc", + 
"$(PROJECT_DIR)/sec/SOSCircle", + "$(PROJECT_DIR)/utilities", + "$(PROJECT_DIR)", + "$(PROJECT_DIR)/../ios/asn1", + "$(PROJECT_DIR)/../libsecurity_keychain/libDER", + "$(SYSTEM_LIBRARY_DIR)/Frameworks/CoreServices.framework/Frameworks/CarbonCore.framework/Headers", + "$(inherited)", + ); + INFOPLIST_FILE = "trustd/trustd-Info.plist"; + INSTALL_PATH = "$(SYSTEM_LIBRARY_DIR)/Frameworks/Security.framework/Versions/${FRAMEWORK_VERSION}/XPCServices"; + MACH_O_TYPE = mh_execute; + "OTHER_LDFLAGS[sdk=macosx*]" = ( + "-F$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", + "-framework", + AppleSystemInfo, + ); + PRODUCT_NAME = trustd; + RUN_CLANG_STATIC_ANALYZER = YES; + SUPPORTED_PLATFORMS = "macosx iphoneos iphonesimulator"; + USE_HEADERMAP = NO; + VALID_ARCHS = "armv6 armv7 x86_64 x86_64h"; + WRAPPER_EXTENSION = xpc; + }; + name = Debug; + }; + BE94B7A31AD83AF700A7216D /* Release */ = { + isa = XCBuildConfiguration; + baseConfigurationReference = 18BFC44017C43393005DE6C3 /* executable.xcconfig */; + buildSettings = { + ALWAYS_SEARCH_USER_PATHS = NO; + CLANG_ENABLE_OBJC_ARC = YES; + CLANG_WARN_EMPTY_BODY = YES; + CLANG_WARN_IMPLICIT_SIGN_CONVERSION = YES; + CLANG_WARN_SUSPICIOUS_IMPLICIT_CONVERSION = YES; + CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + COMBINE_HIDPI_IMAGES = YES; + GCC_ENABLE_OBJC_EXCEPTIONS = YES; + GCC_PREPROCESSOR_DEFINITIONS = ( + "SECITEM_SHIM_OSX=1", + "SECTRUST_OSX=0", + "TRUSTD_SERVER=1", + "$(inherited)", + ); + GCC_TREAT_IMPLICIT_FUNCTION_DECLARATIONS_AS_ERRORS = YES; + GCC_TREAT_INCOMPATIBLE_POINTER_TYPE_WARNINGS_AS_ERRORS = YES; + GCC_WARN_64_TO_32_BIT_CONVERSION = YES; + GCC_WARN_ABOUT_MISSING_FIELD_INITIALIZERS = YES; + GCC_WARN_ABOUT_MISSING_NEWLINE = YES; + GCC_WARN_ABOUT_RETURN_TYPE = YES; + GCC_WARN_INITIALIZER_NOT_FULLY_BRACKETED = YES; + GCC_WARN_SHADOW = YES; + GCC_WARN_SIGN_COMPARE = YES; + GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNKNOWN_PRAGMAS = YES; + GCC_WARN_UNUSED_FUNCTION = YES; + GCC_WARN_UNUSED_LABEL = YES; + 
GCC_WARN_UNUSED_PARAMETER = YES; + GCC_WARN_UNUSED_VARIABLE = YES; + HEADER_SEARCH_PATHS = ( + "$(PROJECT_DIR)/sec", + "$(PROJECT_DIR)/sec/securityd", + "$(PROJECT_DIR)/sec/ipc", + "$(PROJECT_DIR)/sec/SOSCircle", + "$(PROJECT_DIR)/utilities", + "$(PROJECT_DIR)", + "$(PROJECT_DIR)/../ios/asn1", + "$(PROJECT_DIR)/../libsecurity_keychain/libDER", + "$(SYSTEM_LIBRARY_DIR)/Frameworks/CoreServices.framework/Frameworks/CarbonCore.framework/Headers", + "$(inherited)", + ); + INFOPLIST_FILE = "trustd/trustd-Info.plist"; + INSTALL_PATH = "$(SYSTEM_LIBRARY_DIR)/Frameworks/Security.framework/Versions/${FRAMEWORK_VERSION}/XPCServices"; + MACH_O_TYPE = mh_execute; + "OTHER_LDFLAGS[sdk=macosx*]" = ( + "-F$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", + "-framework", + AppleSystemInfo, + ); + PRODUCT_NAME = trustd; + SUPPORTED_PLATFORMS = "macosx iphoneos iphonesimulator"; + USE_HEADERMAP = NO; + VALID_ARCHS = "armv6 armv7 x86_64 x86_64h"; + WRAPPER_EXTENSION = xpc; + }; + name = Release; + }; + CD63ACE41A8061FA001B5671 /* Debug */ = { + isa = XCBuildConfiguration; + baseConfigurationReference = 18BFC44017C43393005DE6C3 /* executable.xcconfig */; + buildSettings = { + CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; + CLANG_CXX_LIBRARY = "libc++"; + CLANG_ENABLE_OBJC_ARC = YES; + CLANG_WARN_CONSTANT_CONVERSION = YES; + CLANG_WARN_EMPTY_BODY = YES; + CLANG_WARN_ENUM_CONVERSION = YES; + CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + CODE_SIGN_ENTITLEMENTS = IDSKeychainSyncingProxy/idskeychainsyncingproxy.entitlements.plist; + CODE_SIGN_IDENTITY = "-"; + COMBINE_HIDPI_IMAGES = YES; + COPY_PHASE_STRIP = NO; + FRAMEWORK_SEARCH_PATHS = ( + "$(inherited)", + "$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", + ); + GCC_C_LANGUAGE_STANDARD = gnu99; + GCC_DYNAMIC_NO_PIC = NO; + GCC_ENABLE_OBJC_EXCEPTIONS = YES; + GCC_OPTIMIZATION_LEVEL = 0; + GCC_PREPROCESSOR_DEFINITIONS = ( + "DEBUG=1", + "$(inherited)", + ); + GCC_SYMBOLS_PRIVATE_EXTERN = NO; + 
GCC_WARN_64_TO_32_BIT_CONVERSION = YES; + GCC_WARN_ABOUT_RETURN_TYPE = YES; + GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_VARIABLE = YES; + INFOPLIST_FILE = "IDSKeychainSyncingProxy/IDSKeychainSyncingProxy-Info.plist"; + INSTALL_PATH = "$(INDIGO_INSTALL_PATH_PREFIX)$(SYSTEM_LIBRARY_DIR)/Frameworks/Security.framework/Versions/A/Resources"; + LIBRARY_SEARCH_PATHS = ( + "$(inherited)", + "$(DEVELOPER_DIR)/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.11.Internal.sdk/usr/local/lib", + ); + MACH_O_TYPE = mh_execute; + ONLY_ACTIVE_ARCH = YES; + "OTHER_LDFLAGS[sdk=iphoneos*]" = ( + "$(inherited)", + "-framework", + MobileKeyBag, + ); + PRODUCT_NAME = "$(TARGET_NAME)"; + PROVISIONING_PROFILE = ""; + VALID_ARCHS = "armv6 armv7 x86_64"; + WRAPPER_EXTENSION = bundle; + }; + name = Debug; + }; + CD63ACE51A8061FA001B5671 /* Release */ = { + isa = XCBuildConfiguration; + baseConfigurationReference = 18BFC44017C43393005DE6C3 /* executable.xcconfig */; + buildSettings = { + CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; + CLANG_CXX_LIBRARY = "libc++"; + CLANG_ENABLE_OBJC_ARC = YES; + CLANG_WARN_CONSTANT_CONVERSION = YES; + CLANG_WARN_EMPTY_BODY = YES; + CLANG_WARN_ENUM_CONVERSION = YES; + CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; + CODE_SIGN_ENTITLEMENTS = IDSKeychainSyncingProxy/idskeychainsyncingproxy.entitlements.plist; + CODE_SIGN_IDENTITY = "-"; + COMBINE_HIDPI_IMAGES = YES; + COPY_PHASE_STRIP = YES; + DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym"; + FRAMEWORK_SEARCH_PATHS = ( + "$(inherited)", + "$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", + ); + GCC_C_LANGUAGE_STANDARD = gnu99; + GCC_ENABLE_OBJC_EXCEPTIONS = YES; + GCC_WARN_64_TO_32_BIT_CONVERSION = YES; + GCC_WARN_ABOUT_RETURN_TYPE = YES; + GCC_WARN_UNINITIALIZED_AUTOS = YES; + GCC_WARN_UNUSED_VARIABLE = YES; + INFOPLIST_FILE = "IDSKeychainSyncingProxy/IDSKeychainSyncingProxy-Info.plist"; + INSTALL_PATH = 
"$(INDIGO_INSTALL_PATH_PREFIX)$(SYSTEM_LIBRARY_DIR)/Frameworks/Security.framework/Versions/A/Resources"; + LIBRARY_SEARCH_PATHS = ( + "$(inherited)", + "$(DEVELOPER_DIR)/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.11.Internal.sdk/usr/local/lib", + ); + MACH_O_TYPE = mh_execute; + "OTHER_LDFLAGS[sdk=iphoneos*]" = ( + "$(inherited)", + "-framework", + MobileKeyBag, + ); + PRODUCT_NAME = "$(TARGET_NAME)"; + PROVISIONING_PROFILE = ""; + VALID_ARCHS = "armv6 armv7 x86_64"; + WRAPPER_EXTENSION = bundle; + }; + name = Release; + }; + F93C49331AB8FD350047E01A /* Debug */ = { + isa = XCBuildConfiguration; + buildSettings = { + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Debug; + }; + F93C49341AB8FD350047E01A /* Release */ = { + isa = XCBuildConfiguration; + buildSettings = { + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Release; + }; +/* End XCBuildConfiguration section */ + +/* Begin XCConfigurationList section */ + 0C6C631215D193C900BC68CD /* Build configuration list for PBXNativeTarget "sectests" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + 0C6C631315D193C900BC68CD /* Debug */, + 0C6C631415D193C900BC68CD /* Release */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; + 0C6C642A15D5ADB500BC68CD /* Build configuration list for PBXAggregateTarget "Security_kexts" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + 0C6C642B15D5ADB500BC68CD /* Debug */, + 0C6C642C15D5ADB500BC68CD /* Release */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; + 0CC3352A16C1ED8000399E53 /* Build configuration list for PBXNativeTarget "secdtests" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + 0CC3352B16C1ED8000399E53 /* Debug */, + 0CC3352C16C1ED8000399E53 /* Release */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; + 18073844146D0D4E00F05C24 /* Build configuration list for PBXProject "OSX" */ = { + isa = XCConfigurationList; 
+ buildConfigurations = ( + 18073873146D0D4E00F05C24 /* Debug */, + 18073874146D0D4E00F05C24 /* Release */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; + 18073875146D0D4E00F05C24 /* Build configuration list for PBXNativeTarget "Security" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + 18073876146D0D4E00F05C24 /* Debug */, + 18073877146D0D4E00F05C24 /* Release */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; + 18270EDD14CF282600B05E7F /* Build configuration list for PBXNativeTarget "secd" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + 18270EDE14CF282600B05E7F /* Debug */, + 18270EDF14CF282600B05E7F /* Release */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; + 182BB572146F4DCB000BF1F3 /* Build configuration list for PBXNativeTarget "csparser" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + 182BB573146F4DCB000BF1F3 /* Debug */, + 182BB574146F4DCB000BF1F3 /* Release */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; + 182BB599146FE295000BF1F3 /* Build configuration list for PBXAggregateTarget "World" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + 182BB59A146FE295000BF1F3 /* Debug */, + 182BB59B146FE295000BF1F3 /* Release */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; + 186F778914E59FB200434E1F /* Build configuration list for PBXAggregateTarget "Security_frameworks" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + 186F778A14E59FB200434E1F /* Debug */, + 186F778B14E59FB200434E1F /* Release */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; + 186F778D14E59FDA00434E1F /* Build configuration list for PBXAggregateTarget "Security_executables" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + 186F778E14E59FDA00434E1F /* Debug */, + 
186F778F14E59FDA00434E1F /* Release */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; + 18F234F615C9F9A700060520 /* Build configuration list for PBXNativeTarget "authd" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + 18F234F715C9F9A700060520 /* Debug */, + 18F234F815C9F9A700060520 /* Release */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; + 18FE67FB1471A3AA00A2CBE3 /* Build configuration list for PBXNativeTarget "copyHeaders" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + 18FE67FC1471A3AA00A2CBE3 /* Debug */, + 18FE67FD1471A3AA00A2CBE3 /* Release */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; + 3705CAD61A896DE800402F75 /* Build configuration list for PBXNativeTarget "SecTaskTest" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + 3705CAD71A896DE800402F75 /* Debug */, + 3705CAD81A896DE800402F75 /* Release */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; + 37A7CED8197DB8FA00926CE8 /* Build configuration list for PBXNativeTarget "codesign_tests" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + 37A7CEAF197DB8FA00926CE8 /* Debug */, + 37A7CEB0197DB8FA00926CE8 /* Release */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; + 37AB393C1A44A88000B56E04 /* Build configuration list for PBXNativeTarget "gk_reset_check" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + 37AB39131A44A88000B56E04 /* Debug */, + 37AB39141A44A88000B56E04 /* Release */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; + 4C96F7D516D6DF8400D3B39D /* Build configuration list for PBXNativeTarget "Keychain Circle Notification" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + 4C96F7D616D6DF8400D3B39D /* Debug */, + 4C96F7D716D6DF8400D3B39D /* Release */, + ); + 
defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; + 4CB23B7F169F5873003A0131 /* Build configuration list for PBXNativeTarget "security2" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + 4CB23B4D169F5873003A0131 /* Debug */, + 4CB23B4E169F5873003A0131 /* Release */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; + 4CC7A7EF16CC2A85003E10C1 /* Build configuration list for PBXNativeTarget "Cloud Keychain Utility" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + 4CC7A7C716CC2A85003E10C1 /* Debug */, + 4CC7A7C816CC2A85003E10C1 /* Release */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; + 4CE472C716D833FE009070D1 /* Build configuration list for PBXAggregateTarget "Security_temporary_UI" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + 4CE4729F16D833FE009070D1 /* Debug */, + 4CE472A016D833FE009070D1 /* Release */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; + 5214701416977CB800DF0DB3 /* Build configuration list for PBXNativeTarget "CloudKeychainProxy" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + 5214701516977CB800DF0DB3 /* Debug */, + 5214701616977CB800DF0DB3 /* Release */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; + 5EF7C2381B00E25400E5E99C /* Build configuration list for PBXNativeTarget "secacltests" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + 5EF7C20E1B00E25400E5E99C /* Debug */, + 5EF7C20F1B00E25400E5E99C /* Release */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; + 72756C2F175D485D00F52070 /* Build configuration list for PBXNativeTarget "cloud_keychain_diagnose" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + 72756C07175D485D00F52070 /* Debug */, + 72756C08175D485D00F52070 /* Release */, + ); + defaultConfigurationIsVisible = 0; + 
defaultConfigurationName = Release; + }; + BE48AE1E1ADF1DF4000836C1 /* Build configuration list for PBXNativeTarget "trustd" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + BE48AE1F1ADF1DF4000836C1 /* Debug */, + BE48AE201ADF1DF4000836C1 /* Release */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; + BE94B7A11AD83AF700A7216D /* Build configuration list for PBXNativeTarget "trustd.xpc" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + BE94B7A21AD83AF700A7216D /* Debug */, + BE94B7A31AD83AF700A7216D /* Release */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; + CD63AD101A8061FA001B5671 /* Build configuration list for PBXNativeTarget "IDSKeychainSyncingProxy" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + CD63ACE41A8061FA001B5671 /* Debug */, + CD63ACE51A8061FA001B5671 /* Release */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; + F93C49321AB8FD350047E01A /* Build configuration list for PBXAggregateTarget "ckcdiagnose.sh" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + F93C49331AB8FD350047E01A /* Debug */, + F93C49341AB8FD350047E01A /* Release */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; +/* End XCConfigurationList section */ + }; + rootObject = 18073841146D0D4E00F05C24 /* Project object */; +} diff --git a/Security.xcodeproj/project.xcworkspace/xcshareddata/WorkspaceSettings.xcsettings b/OSX/OSX.xcodeproj/project.xcworkspace/xcshareddata/WorkspaceSettings.xcsettings similarity index 100% rename from Security.xcodeproj/project.xcworkspace/xcshareddata/WorkspaceSettings.xcsettings rename to OSX/OSX.xcodeproj/project.xcworkspace/xcshareddata/WorkspaceSettings.xcsettings diff --git a/OSX/OSX.xcodeproj/xcshareddata/xcschemes/World.xcscheme b/OSX/OSX.xcodeproj/xcshareddata/xcschemes/World.xcscheme new file mode 100644 index 00000000..0aa8246d 
--- /dev/null +++ b/OSX/OSX.xcodeproj/xcshareddata/xcschemes/World.xcscheme @@ -0,0 +1,132 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/OSX/OSX.xcodeproj/xcshareddata/xcschemes/copyHeaders.xcscheme b/OSX/OSX.xcodeproj/xcshareddata/xcschemes/copyHeaders.xcscheme new file mode 100644 index 00000000..cf5e1e5c --- /dev/null +++ b/OSX/OSX.xcodeproj/xcshareddata/xcschemes/copyHeaders.xcscheme @@ -0,0 +1,89 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/OSX/OSX.xcodeproj/xcshareddata/xcschemes/secdtests.xcscheme b/OSX/OSX.xcodeproj/xcshareddata/xcschemes/secdtests.xcscheme new file mode 100644 index 00000000..fe54a353 --- /dev/null +++ b/OSX/OSX.xcodeproj/xcshareddata/xcschemes/secdtests.xcscheme @@ -0,0 +1,222 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/OSX/OSX.xcodeproj/xcshareddata/xcschemes/sectests.xcscheme b/OSX/OSX.xcodeproj/xcshareddata/xcschemes/sectests.xcscheme new file mode 100644 index 00000000..cf04ed9c --- /dev/null +++ b/OSX/OSX.xcodeproj/xcshareddata/xcschemes/sectests.xcscheme @@ -0,0 +1,91 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/Security/README b/OSX/README similarity index 100% rename from Security/README rename to OSX/README diff --git a/Security/asl/com.apple.securityd b/OSX/asl/com.apple.securityd similarity index 91% rename from Security/asl/com.apple.securityd rename to OSX/asl/com.apple.securityd index 9a003307..2a02a345 100644 --- a/Security/asl/com.apple.securityd +++ b/OSX/asl/com.apple.securityd 
@@ -11,6 +11,7 @@ ? [= Sender com.apple.securityd] file security.log ? [= Sender com.apple.secd] file security.log ? [= Sender CloudKeychainProxy] file security.log +? [= Sender IDSKeychainSyncingProxy] file security.log ? [= Sender securityd] file security.log ? [= Sender secd] file security.log ? [= Sender securityd_service] file security.log @@ -23,6 +24,7 @@ ? [= Sender com.apple.securityd] [> Level error] claim ? [= Sender com.apple.secd] [> Level error] claim ? [= Sender CloudKeychainProxy] [> Level error] claim +? [= Sender IDSKeychainSyncingProxy] [> Level error] claim ? [= Sender securityd] [> Level error] claim ? [= Sender secd] [> Level error] claim ? [= Sender securityd_service] [> Level error] claim diff --git a/OSX/authd/Info.plist b/OSX/authd/Info.plist new file mode 100644 index 00000000..0573db37 --- /dev/null +++ b/OSX/authd/Info.plist @@ -0,0 +1,31 @@ + + + + + CFBundleDevelopmentRegion + English + CFBundleExecutable + ${EXECUTABLE_NAME} + CFBundleIdentifier + com.apple.${PRODUCT_NAME:rfc1034identifier} + CFBundleInfoDictionaryVersion + 6.0 + CFBundleName + ${PRODUCT_NAME} + CFBundlePackageType + XPC! + CFBundleShortVersionString + 1.0 + CFBundleSignature + ???? + CFBundleVersion + ${CURRENT_PROJECT_VERSION} + NSHumanReadableCopyright + Copyright © 2012-2015 Apple. All rights reserved. + XPCService + + ServiceType + System + + + diff --git a/Security/authd/agent.c b/OSX/authd/agent.c similarity index 83% rename from Security/authd/agent.c rename to OSX/authd/agent.c index 4cdab906..653734e6 100644 --- a/Security/authd/agent.c +++ b/OSX/authd/agent.c 
@@ -18,10 +18,9 @@ #include #include -#define SECURITYAGENT_BOOTSTRAP_NAME_BASE "com.apple.security.agentMain" -#define SECURITYAGENT_STUB_BOOTSTRAP_NAME_BASE "com.apple.security.agentStub" -//#define SECURITYAGENT_LOGINWINDOW_BOOTSTRAP_NAME_BASE "com.apple.security.agent.login" -#define AUTHORIZATIONHOST_BOOTSTRAP_NAME_BASE "com.apple.security.authhost" +#define SECURITYAGENT_BOOTSTRAP_NAME_BASE "com.apple.security.agent" +#define SECURITYAGENT_LOGINWINDOW_BOOTSTRAP_NAME_BASE "com.apple.security.agent.login" +#define AUTHORIZATIONHOST_BOOTSTRAP_NAME_BASE "com.apple.security.authhost" #define UUID_INITIALIZER_FROM_SESSIONID(sessionid) \ { 0,0,0,0, 0,0,0,0, 0,0,0,0, (unsigned char)((0xff000000 & (sessionid))>>24), (unsigned char)((0x00ff0000 & (sessionid))>>16), (unsigned char)((0x0000ff00 & (sessionid))>>8), (unsigned char)((0x000000ff & (sessionid))) } @@ -37,7 +36,6 @@ struct _agent_s { uint64_t status; xpc_connection_t agentConnection; - xpc_connection_t agentStubConnection; dispatch_queue_t eventQueue; dispatch_queue_t actionQueue; @@ -60,12 +58,7 @@ _agent_finalize(CFTypeRef value) xpc_release(agent->agentConnection); agent->agentConnection = NULL; } - - if (NULL != agent->agentStubConnection) { - xpc_release(agent->agentStubConnection); - agent->agentStubConnection = NULL; - } - + // Now that we've released any XPC connection that may (or may not) be present // it's safe to go ahead and free our memory. This is provided that all other // blocks that were added to the event queue before the axe came down on the @@ -122,8 +115,7 @@ agent_create(engine_t engine, mechanism_t mech, auth_token_t auth, process_t pro agent->context = auth_items_create(); agent->pluginState = init; agent->agentPid = process_get_pid(proc); - agent->agentStubConnection = NULL; - + const audit_info_s *audit_info = auth_token_get_audit_info(auth); auditinfo_addr_t tempAddr; 
@@ -131,48 +123,31 @@ agent_create(engine_t engine, mechanism_t mech, auth_token_t auth, process_t pro auditon(A_GETSINFO_ADDR, &tempAddr, sizeof(tempAddr)); LOGV("agent[%i]: Stored auid %d fetched auid %d", agent->agentPid, audit_info->auid, tempAddr.ai_auid); - uid_t auid = tempAddr.ai_auid; - uuid_t sessionUUID = UUID_INITIALIZER_FROM_SESSIONID((uint32_t)audit_info->asid); + uid_t auid = tempAddr.ai_auid; + uuid_t sessionUUID = UUID_INITIALIZER_FROM_SESSIONID((uint32_t)audit_info->asid); agent->eventQueue = dispatch_queue_create("Agent Event Queue", 0); agent->actionQueue = dispatch_queue_create("Agent Action Queue", 0); - mach_port_t bootstrapPort = process_get_bootstrap(proc); if (!mechanism_is_privileged(mech)) { - if ((int32_t)auid != -1) { - agent->agentStubConnection = xpc_connection_create_mach_service(SECURITYAGENT_STUB_BOOTSTRAP_NAME_BASE, NULL, 0); - xpc_connection_set_target_uid(agent->agentStubConnection, auid); - LOGV("agent[%i]: Creating a security agent stub", agent->agentPid); - xpc_connection_set_event_handler(agent->agentStubConnection, ^(xpc_object_t object){}); // Yes, this is a dummy handler, we never ever care about any responses from the stub. It can die in a fire for all I care. 
- xpc_connection_resume(agent->agentStubConnection); - - xpc_object_t wakeupMessage = xpc_dictionary_create(NULL, NULL, 0); - xpc_dictionary_set_data(wakeupMessage, AUTH_XPC_SESSION_UUID, sessionUUID, sizeof(uuid_t)); - xpc_object_t responseMessage = xpc_connection_send_message_with_reply_sync(agent->agentStubConnection, wakeupMessage); - if (xpc_get_type(responseMessage) == XPC_TYPE_DICTIONARY) { - LOGV("agent[%i]: Valid response received from stub", agent->agentPid); - } else { - LOGV("agent[%i]: Error response received from stub", agent->agentPid); - } - xpc_release(wakeupMessage); - xpc_release(responseMessage); - - mach_port_t newBootstrapPort = auth_token_get_creator_bootstrap(auth); - if (newBootstrapPort != MACH_PORT_NULL) { - bootstrapPort = newBootstrapPort; - } - } - - agent->agentConnection = xpc_connection_create_mach_service(SECURITYAGENT_BOOTSTRAP_NAME_BASE, NULL,0); - xpc_connection_set_instance(agent->agentConnection, sessionUUID); - LOGV("agent[%i]: Creating a security agent", agent->agentPid); - doSwitchAudit = true; - doSwitchBootstrap = true; + if (auid != AU_DEFAUDITID) { + // User => regular user-level SecurityAgent + agent->agentConnection = xpc_connection_create_mach_service(SECURITYAGENT_BOOTSTRAP_NAME_BASE, NULL, 0); + xpc_connection_set_target_uid(agent->agentConnection, auid); + LOGV("agent[%i]: Creating a standard security agent", agent->agentPid); + } else { + // Root session => loginwindow SecurityAgent + agent->agentConnection = xpc_connection_create_mach_service(SECURITYAGENT_LOGINWINDOW_BOOTSTRAP_NAME_BASE, NULL, 0); + xpc_connection_set_instance(agent->agentConnection, sessionUUID); + LOGV("agent[%i]: Creating a loginwindow security agent", agent->agentPid); + doSwitchAudit = true; + doSwitchBootstrap = true; + } } else { agent->agentConnection = xpc_connection_create_mach_service(AUTHORIZATIONHOST_BOOTSTRAP_NAME_BASE, NULL, 0); xpc_connection_set_instance(agent->agentConnection, sessionUUID); LOGV("agent[%i]: Creating a standard 
authhost", agent->agentPid); - doSwitchAudit = true; + doSwitchAudit = true; doSwitchBootstrap = true; } @@ -219,7 +194,7 @@ agent_create(engine_t engine, mechanism_t mech, auth_token_t auth, process_t pro if (doSwitchBootstrap) { LOGV("agent[%i]: attaching a bootstrap port", agent->agentPid); - xpc_dictionary_set_mach_send(requestObject, AUTH_XPC_BOOTSTRAP_PORT, bootstrapPort); + xpc_dictionary_set_mach_send(requestObject, AUTH_XPC_BOOTSTRAP_PORT, process_get_bootstrap(proc)); } // This loop will be repeated until we can get ahold of a SecurityAgent, or get a fatal error @@ -398,6 +373,6 @@ agent_clear_interrupt(agent_t agent) } void -agent_recieve(agent_t agent) +agent_receive(agent_t __unused agent) { } diff --git a/Security/authd/agent.h b/OSX/authd/agent.h similarity index 99% rename from Security/authd/agent.h rename to OSX/authd/agent.h index 96c382a1..6ae0365e 100644 --- a/Security/authd/agent.h +++ b/OSX/authd/agent.h @@ -89,7 +89,7 @@ AUTH_NONNULL_ALL mechanism_t agent_get_mechanism(agent_t); AUTH_NONNULL_ALL -void agent_recieve(agent_t); +void agent_receive(agent_t); AUTH_NONNULL_ALL void diff --git a/Security/authd/authd_private.h b/OSX/authd/authd_private.h similarity index 93% rename from Security/authd/authd_private.h rename to OSX/authd/authd_private.h index 4ada56ee..d1a6404d 100644 --- a/Security/authd/authd_private.h +++ b/OSX/authd/authd_private.h @@ -44,7 +44,7 @@ extern "C" { #define AUTH_XPC_TYPE "_type" #define AUTH_XPC_RIGHTS "_rights" -#define AUTH_XPC_ENVIROMENT "_enviroment" +#define AUTH_XPC_ENVIRONMENT "_environment" #define AUTH_XPC_FLAGS "_flags" #define AUTH_XPC_BLOB "_blob" #define AUTH_XPC_STATUS "_status" 
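Review bot: The new branch selection `if (auid != AU_DEFAUDITID)` and the `xpc_connection_set_target_uid(agent->agentConnection, auid)` call trust `tempAddr.ai_auid`, but the `auditon(A_GETSINFO_ADDR, &tempAddr, sizeof(tempAddr))` context line at the top of the hunk discards its return value and `tempAddr` is declared without an initializer in the preceding hunk, so on an auditon failure the agent is chosen and targeted from an indeterminate uid. Before this change that value only steered the stub wake-up; now it decides whether a per-user SecurityAgent or the loginwindow instance receives the request, so the lookup should fail closed, e.g. `if (auditon(A_GETSINFO_ADDR, &tempAddr, sizeof(tempAddr)) != 0) { LOGE("agent[%i]: auditon failed", agent->agentPid); /* fail agent_create here */ }`. The line between the two hunks is not visible, so if it already validates the call this can be dropped. agent_create begins and ends outside this hunk.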
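Review bot: Changing the value of the define from `"_enviroment"` to `"_environment"` alters the XPC dictionary key on the wire, not only the macro name, so a client built against the previous header keeps sending `_enviroment` and a daemon reading only `AUTH_XPC_ENVIRONMENT` evaluates the request as if no environment had been supplied at all. If the client side and authd can be installed from different builds, read both keys during a transition or record the coupling beside the define, e.g. `/* wire key, renamed from "_enviroment": client and daemon must be updated together */`.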
@@ -66,7 +66,6 @@ extern "C" { #define AUTH_XPC_REQUEST_METHOD_DEACTIVATE "_agent_request_deactivate" #define AUTH_XPC_REQUEST_METHOD_DESTROY "_agent_request_destroy" #define AUTH_XPC_REQUEST_METHOD_INTERRUPT "_agent_request_interrupt" -#define AUTH_XPC_REQUEST_METHOD_SET_PREFS "_agent_request_setprefs" #define AUTH_XPC_REPLY_METHOD_KEY "_agent_reply_key" #define AUTH_XPC_REPLY_METHOD_RESULT "_agent_reply_result" #define AUTH_XPC_REPLY_METHOD_INTERRUPT "_agent_reply_interrupt" @@ -80,9 +79,6 @@ extern "C" { #define AUTH_XPC_REPLY_RESULT_VALUE "_agent_reply_result_value" #define AUTH_XPC_AUDIT_SESSION_PORT "_agent_audit_session_port" #define AUTH_XPC_BOOTSTRAP_PORT "_agent_bootstrap_port" -#define AUTH_XPC_SESSION_UUID "_agent_session_uuid" -#define AUTH_XPC_SESSION_PREFS "_agent_session_prefs" -#define AUTH_XPC_SESSION_INPUT_METHOD "_agent_session_inputMethod" typedef struct AuthorizationBlob { uint32_t data[2]; diff --git a/Security/authd/authdb.c b/OSX/authd/authdb.c similarity index 100% rename from Security/authd/authdb.c rename to OSX/authd/authdb.c diff --git a/Security/authd/authdb.h b/OSX/authd/authdb.h similarity index 100% rename from Security/authd/authdb.h rename to OSX/authd/authdb.h diff --git a/Security/authd/authitems.c b/OSX/authd/authitems.c similarity index 99% rename from Security/authd/authitems.c rename to OSX/authd/authitems.c index 1871eaa8..a27aa355 100644 --- a/Security/authd/authitems.c +++ b/OSX/authd/authitems.c @@ -105,7 +105,7 @@ _auth_item_copy_description(CFTypeRef value) CFMutableStringRef desc = CFStringCreateMutable(kCFAllocatorDefault, 0); CFStringAppendFormat(desc, NULL, CFSTR("auth_item: %s, type=%i, length=%li, flags=%x"), item->data.name, item->type, - hidden ? 0 : item->data.valueLength, item->data.flags); + hidden ? 0 : item->data.valueLength, (unsigned int)item->data.flags); switch (item->type) { case AI_TYPE_STRING: 
@@ -160,7 +160,7 @@ _auth_item_hash(CFTypeRef value) crc = crc64_update(crc, &item->data.flags, sizeof(item->data.flags)); crc = crc64_final(crc); - return crc; + return (CFHashCode)crc; } AUTH_TYPE_INSTANCE(auth_item, @@ -412,7 +412,7 @@ auth_items_get_item_set(auth_items_t items) items->set.count = count; CFTypeRef keys[count], values[count]; CFDictionaryGetKeysAndValues(items->dictionary, keys, values); - for (CFIndex i = 0; i < count; i++) { + for (uint32_t i = 0; i < count; i++) { auth_item_t item = (auth_item_t)values[i]; items->set.items[i] = *auth_item_get_auth_item(item); } diff --git a/Security/authd/authitems.h b/OSX/authd/authitems.h similarity index 98% rename from Security/authd/authitems.h rename to OSX/authd/authitems.h index f55ebab8..94455b79 100644 --- a/Security/authd/authitems.h +++ b/OSX/authd/authitems.h @@ -156,7 +156,7 @@ void auth_items_set_value(auth_items_t, const char *key, uint32_t type, uint32_t AUTH_WARN_RESULT AUTH_MALLOC AUTH_RETURNS_RETAINED auth_rights_t auth_rights_create(void); -AUTH_WARN_RESULT AUTH_MALLOC AUTH_NONNULL_ALL AUTH_RETURNS_RETAINED +AUTH_WARN_RESULT AUTH_MALLOC AUTH_RETURNS_RETAINED auth_rights_t auth_rights_create_with_xpc(const xpc_object_t data); AUTH_WARN_RESULT AUTH_NONNULL_ALL diff --git a/Security/authd/authorization.plist b/OSX/authd/authorization.plist similarity index 98% rename from Security/authd/authorization.plist rename to OSX/authd/authorization.plist index 26ae0530..c7f386a4 100644 --- a/Security/authd/authorization.plist +++ b/OSX/authd/authorization.plist @@ -286,23 +286,6 @@ See remaining rules for examples. rule root-or-entitled-admin-or-authenticate-admin - com.apple.ZFSManager. - - class - rule - comment - Used by zfsmanager to allow access to destructive zfs functions - k-of-n - 1 - rule - - is-root - is-admin - default - - shared - - com.apple.activitymonitor.kill class 
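Review bot: Removing AUTH_NONNULL_ALL from `auth_rights_create_with_xpc` turns a NULL `data` argument into a supported input, but the function body is not part of this diff, so confirm it checks `data` before dereferencing it and that callers expect whatever it returns in that case. The relaxed contract should be stated on the prototype rather than implied by the missing attribute, e.g. `/* data may be NULL; see authitems.c for the rights set returned in that case */`, with the actual NULL behaviour filled in once confirmed.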
@@ -447,6 +430,17 @@ See remaining rules for examples. shared + com.apple.iCloud.passwordReset + + class + user + comment + Authenticate as the session owner to reset iCloud password + session-owner + + timeout + 0 + com.apple.library-repair class @@ -839,13 +833,14 @@ See remaining rules for examples. PKINITMechanism:auth,privileged builtin:login-success loginwindow:success + loginwindow:FDESupport,privileged HomeDirMechanism:login,privileged HomeDirMechanism:status MCXMechanism:login loginwindow:done version - 1 + 3 system.login.fus @@ -888,10 +883,6 @@ See remaining rules for examples. class rule - created - 420083170.08267599 - modified - 420083170.08267599 rule default @@ -949,7 +940,7 @@ See remaining rules for examples. group admin shared - + version 1 @@ -1097,7 +1088,9 @@ See remaining rules for examples. group admin shared - + + version + 1 system.preferences.timemachine diff --git a/Security/authd/authtoken.c b/OSX/authd/authtoken.c similarity index 99% rename from Security/authd/authtoken.c rename to OSX/authd/authtoken.c index e073b894..51f93105 100644 --- a/Security/authd/authtoken.c +++ b/OSX/authd/authtoken.c @@ -239,7 +239,7 @@ auth_token_create_with_audit_info(const audit_info_s* info, bool operateAsLeastP CFReleaseSafe(codePid); if (status) { - LOGV("authtoken[%i]: failed to create code ref (%i)", auth->auditInfo.pid, status); + LOGV("authtoken[%i]: failed to create code ref (%d)", auth->auditInfo.pid, (int)status); CFReleaseNull(auth); goto done; } diff --git a/Security/authd/authtoken.h b/OSX/authd/authtoken.h similarity index 100% rename from Security/authd/authtoken.h rename to OSX/authd/authtoken.h diff --git a/Security/authd/authtypes.h b/OSX/authd/authtypes.h similarity index 100% rename from Security/authd/authtypes.h rename to OSX/authd/authtypes.h diff --git a/Security/authd/authutilities.c b/OSX/authd/authutilities.c similarity index 100% rename from Security/authd/authutilities.c rename to OSX/authd/authutilities.c 
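Review bot: The new `com.apple.iCloud.passwordReset` rule carries no `version` key, while the other rules touched in this file do (the last hunk adds `version` / `1` to an existing rule and the rule preceding `system.login.fus` has its version raised from 1 to 3), so later edits to this rule will be harder to distinguish from its initial entry. Adding `version` / `1` alongside `timeout` keeps the new right consistent with its neighbours. The plist markup is flattened in this rendering, so the value given for `session-owner` cannot be confirmed here; a boolean true is presumably intended.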
diff --git a/Security/authd/authutilities.h b/OSX/authd/authutilities.h similarity index 100% rename from Security/authd/authutilities.h rename to OSX/authd/authutilities.h diff --git a/Security/authd/ccaudit.c b/OSX/authd/ccaudit.c similarity index 100% rename from Security/authd/ccaudit.c rename to OSX/authd/ccaudit.c diff --git a/Security/authd/ccaudit.h b/OSX/authd/ccaudit.h similarity index 100% rename from Security/authd/ccaudit.h rename to OSX/authd/ccaudit.h diff --git a/Security/authd/com.apple.authd b/OSX/authd/com.apple.authd similarity index 100% rename from Security/authd/com.apple.authd rename to OSX/authd/com.apple.authd diff --git a/Security/authd/com.apple.authd.sb b/OSX/authd/com.apple.authd.sb similarity index 79% rename from Security/authd/com.apple.authd.sb rename to OSX/authd/com.apple.authd.sb index 1d7e29d1..0c951d01 100644 --- a/Security/authd/com.apple.authd.sb +++ b/OSX/authd/com.apple.authd.sb @@ -11,13 +11,14 @@ (allow file-read* file-write* (regex #"^/private/var/db/auth\.db.*$") - (literal "/private/var/db/mds/system/mds.lock")) + (literal "/private/var/db/mds/system/mds.lock") + (subpath (param "TMP_DIR"))) (allow mach-lookup (global-name "com.apple.CoreServices.coreservicesd") (global-name "com.apple.PowerManagement.control") - (global-name "com.apple.security.agentMain") - (global-name "com.apple.security.agentStub") + (global-name "com.apple.security.agent") + (global-name "com.apple.security.agent.login") (global-name "com.apple.security.authhost") (global-name "com.apple.SecurityServer") (global-name "com.apple.system.opendirectoryd.api") diff --git a/Security/authd/connection.c b/OSX/authd/connection.c similarity index 98% rename from Security/authd/connection.c rename to OSX/authd/connection.c index e88f93f7..c9e54a60 100644 --- a/Security/authd/connection.c +++ b/OSX/authd/connection.c 
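Review bot: `(subpath (param "TMP_DIR"))` grants authd read and write access to an entire directory tree whose location is decided at sandbox-initialization time by whoever supplies the parameter, and nothing in this diff shows where that value comes from or how narrow it is. A one-line comment in the profile stating the expectation, e.g. `; TMP_DIR: authd-private temporary directory, supplied as a sandbox parameter at init`, lets the next reviewer check the caller against the grant. The mach-lookup changes match the renamed bootstrap names in agent.c.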
@@ -97,7 +97,7 @@ void connection_set_engine(connection_t conn, engine_t engine) }); } -void connection_destory_agents(connection_t conn) +void connection_destroy_agents(connection_t conn) { dispatch_sync(conn->dispatch_queue_internal, ^{ if (conn->engine) { diff --git a/Security/authd/connection.h b/OSX/authd/connection.h similarity index 94% rename from Security/authd/connection.h rename to OSX/authd/connection.h index 4cf51d2a..dcf3014e 100644 --- a/Security/authd/connection.h +++ b/OSX/authd/connection.h @@ -23,7 +23,7 @@ AUTH_NONNULL1 void connection_set_engine(connection_t, engine_t); AUTH_NONNULL_ALL -void connection_destory_agents(connection_t); +void connection_destroy_agents(connection_t); AUTH_NONNULL_ALL bool connection_get_syslog_warn(connection_t); diff --git a/Security/authd/crc.c b/OSX/authd/crc.c similarity index 100% rename from Security/authd/crc.c rename to OSX/authd/crc.c diff --git a/Security/authd/crc.h b/OSX/authd/crc.h similarity index 100% rename from Security/authd/crc.h rename to OSX/authd/crc.h diff --git a/Security/authd/credential.c b/OSX/authd/credential.c similarity index 99% rename from Security/authd/credential.c rename to OSX/authd/credential.c index c800b5ae..10832909 100644 --- a/Security/authd/credential.c +++ b/OSX/authd/credential.c @@ -64,7 +64,7 @@ _credential_hash(CFTypeRef value) crc = crc64_update(crc, &cred->shared, sizeof(cred->shared)); crc = crc64_final(crc); - return crc; + return (CFHashCode)crc; } static Boolean diff --git a/Security/authd/credential.h b/OSX/authd/credential.h similarity index 100% rename from Security/authd/credential.h rename to OSX/authd/credential.h diff --git a/Security/authd/debugging.c b/OSX/authd/debugging.c similarity index 100% rename from Security/authd/debugging.c rename to OSX/authd/debugging.c diff --git a/Security/authd/debugging.h b/OSX/authd/debugging.h similarity index 100% rename from Security/authd/debugging.h rename to OSX/authd/debugging.h 
diff --git a/Security/sec/SOSCircle/CloudKeychainProxy/en.lproj/InfoPlist.strings b/OSX/authd/en.lproj/InfoPlist.strings similarity index 100% rename from Security/sec/SOSCircle/CloudKeychainProxy/en.lproj/InfoPlist.strings rename to OSX/authd/en.lproj/InfoPlist.strings diff --git a/Security/authd/engine.c b/OSX/authd/engine.c similarity index 96% rename from Security/authd/engine.c rename to OSX/authd/engine.c index e9247196..276ac5f2 100644 --- a/Security/authd/engine.c +++ b/OSX/authd/engine.c @@ -555,7 +555,7 @@ _evaluate_authentication(engine_t engine, rule_t rule) status = _evaluate_mechanisms(engine, mechanisms); - LOGV("engine[%i]: evaluate mechanisms result %i", connection_get_pid(engine->conn), status); + LOGV("engine[%i]: evaluate mechanisms result %d", connection_get_pid(engine->conn), (int)status); // successfully ran mechanisms to obtain credential if (status == errAuthorizationSuccess) { @@ -821,7 +821,7 @@ _evaluate_class_mechanism(engine_t engine, rule_t rule) auth_items_set_int(engine->hints, AGENT_HINT_TRIES, engine->tries); status = _evaluate_mechanisms(engine, mechanisms); - LOGV("engine[%i]: evaluate mechanisms result %i", connection_get_pid(engine->conn), status); + LOGV("engine[%i]: evaluate mechanisms result %d", connection_get_pid(engine->conn), (int)status); if (status == errAuthorizationSuccess) { credential_t newCred = NULL; 
@@ -950,20 +950,20 @@ done: return r; } -static void _parse_enviroment(engine_t engine, auth_items_t enviroment) +static void _parse_environment(engine_t engine, auth_items_t environment) { - require(enviroment != NULL, done); + require(environment != NULL, done); #if DEBUG - LOGV("engine[%i]: Dumping Enviroment", connection_get_pid(engine->conn)); - _show_cf(enviroment); + LOGV("engine[%i]: Dumping Environment", connection_get_pid(engine->conn)); + _show_cf(environment); #endif // Check if a credential was passed into the environment and we were asked to extend the rights if (engine->flags & kAuthorizationFlagExtendRights) { - const char * user = auth_items_get_string(enviroment, kAuthorizationEnvironmentUsername); - const char * pass = auth_items_get_string(enviroment, kAuthorizationEnvironmentPassword); - bool shared = auth_items_exist(enviroment, kAuthorizationEnvironmentShared); + const char * user = auth_items_get_string(environment, kAuthorizationEnvironmentUsername); + const char * pass = auth_items_get_string(environment, kAuthorizationEnvironmentPassword); + bool shared = auth_items_exist(environment, kAuthorizationEnvironmentShared); require(user != NULL, done); struct passwd *pw = getpwnam(user); @@ -1008,7 +1008,7 @@ static bool _verify_sandbox(engine_t engine, const char * right) #pragma mark - #pragma mark engine methods -OSStatus engine_authorize(engine_t engine, auth_rights_t rights, auth_items_t enviroment, AuthorizationFlags flags) +OSStatus engine_authorize(engine_t engine, auth_rights_t rights, auth_items_t environment, AuthorizationFlags flags) { __block OSStatus status = errAuthorizationSuccess; __block bool savePassword = false; 
@@ -1023,9 +1023,9 @@ OSStatus engine_authorize(engine_t engine, auth_rights_t rights, auth_items_t en engine->flags = flags; - if (enviroment) { - _parse_enviroment(engine, enviroment); - auth_items_copy(engine->hints, enviroment); + if (environment) { + _parse_environment(engine, environment); + auth_items_copy(engine->hints, environment); } auth_items_copy(engine->context, auth_token_get_context(engine->auth)); @@ -1084,7 +1084,7 @@ OSStatus engine_authorize(engine_t engine, auth_rights_t rights, auth_items_t en LOG("Succeeded authorizing right '%s' by client '%s' [%d] for authorization created by '%s' [%d] (%X,%d)", key, process_get_code_url(engine->proc), process_get_pid(engine->proc), - auth_token_get_code_url(engine->auth), auth_token_get_pid(engine->auth), engine->flags, auth_token_least_privileged(engine->auth)); + auth_token_get_code_url(engine->auth), auth_token_get_pid(engine->auth), (unsigned int)engine->flags, auth_token_least_privileged(engine->auth)); break; case errAuthorizationDenied: case errAuthorizationInteractionNotAllowed: 
@@ -1092,15 +1092,15 @@ OSStatus engine_authorize(engine_t engine, auth_rights_t rights, auth_items_t en if (engine->flags & kAuthorizationFlagInteractionAllowed) { LOG("Failed to authorize right '%s' by client '%s' [%d] for authorization created by '%s' [%d] (%X,%d) (%i)", key, process_get_code_url(engine->proc), process_get_pid(engine->proc), - auth_token_get_code_url(engine->auth), auth_token_get_pid(engine->auth), engine->flags, auth_token_least_privileged(engine->auth), status); + auth_token_get_code_url(engine->auth), auth_token_get_pid(engine->auth), (unsigned int)engine->flags, auth_token_least_privileged(engine->auth), (int)status); } else { - LOGV("Failed to authorize right '%s' by client '%s' [%d] for authorization created by '%s' [%d] (%X,%d) (%i)", + LOGV("Failed to authorize right '%s' by client '%s' [%d] for authorization created by '%s' [%d] (%X,%d) (%d)", key, process_get_code_url(engine->proc), process_get_pid(engine->proc), - auth_token_get_code_url(engine->auth), auth_token_get_pid(engine->auth), engine->flags, auth_token_least_privileged(engine->auth), status); + auth_token_get_code_url(engine->auth), auth_token_get_pid(engine->auth), (unsigned int)engine->flags, auth_token_least_privileged(engine->auth), (int)status); } break; default: - LOGE("engine[%i]: evaluate returned %i returning errAuthorizationInternal", connection_get_pid(engine->conn), status); + LOGE("engine[%i]: evaluate returned %d returning errAuthorizationInternal", connection_get_pid(engine->conn), (int)status); status = errAuthorizationInternal; break; } 
@@ -1128,7 +1128,7 @@ OSStatus engine_authorize(engine_t engine, auth_rights_t rights, auth_items_t en status = errAuthorizationDenied; } - LOGV("engine[%i]: authorize result: %i", connection_get_pid(engine->conn), status); + LOGV("engine[%i]: authorize result: %d", connection_get_pid(engine->conn), (int)status); if ((engine->flags & kAuthorizationFlagExtendRights) && !(engine->flags & kAuthorizationFlagDestroyRights)) { _cf_set_iterate(engine->credentials, ^bool(CFTypeRef value) { @@ -1278,7 +1278,7 @@ OSStatus engine_verify_modification(engine_t engine, rule_t rule, bool remove, b status = engine_authorize(engine, checkRight, NULL, kAuthorizationFlagDefaults | kAuthorizationFlagInteractionAllowed | kAuthorizationFlagExtendRights); done: - LOGV("engine[%i]: authorizing %s for db modification: %i", connection_get_pid(engine->conn), right, status); + LOGV("engine[%i]: authorizing %s for db modification: %d", connection_get_pid(engine->conn), right, (int)status); CFReleaseSafe(checkRight); return status; } diff --git a/Security/authd/engine.h b/OSX/authd/engine.h similarity index 95% rename from Security/authd/engine.h rename to OSX/authd/engine.h index 9ca5355a..45a04204 100644 --- a/Security/authd/engine.h +++ b/OSX/authd/engine.h @@ -14,7 +14,7 @@ AUTH_WARN_RESULT AUTH_MALLOC AUTH_NONNULL_ALL AUTH_RETURNS_RETAINED engine_t engine_create(connection_t, auth_token_t); AUTH_NONNULL1 AUTH_NONNULL2 -OSStatus engine_authorize(engine_t, auth_rights_t rights, auth_items_t enviroment, AuthorizationFlags); +OSStatus engine_authorize(engine_t, auth_rights_t rights, auth_items_t environment, AuthorizationFlags); AUTH_NONNULL_ALL OSStatus engine_verify_modification(engine_t, rule_t, bool remove, bool force_modify); diff --git a/OSX/authd/main.c b/OSX/authd/main.c new file mode 100644 index 00000000..39b39203 --- /dev/null +++ b/OSX/authd/main.c 
@@ -0,0 +1,225 @@
+/* Copyright (c) 2012-2013 Apple Inc. All Rights Reserved. */
+
+#include "debugging.h"
+#include "server.h"
+#include "process.h"
+#include "session.h"
+#include "authtoken.h"
+#include "engine.h"
+#include "authd_private.h"
+#include "connection.h"
+
+#include
+
+#include
+#include
+#include
+#include
+#include
+
+#if DEBUG
+#include
+#endif
+
+static void
+security_auth_peer_event_handler(xpc_connection_t connection, xpc_object_t event)
+{
+ __block OSStatus status = errAuthorizationDenied;
+
+ connection_t conn = (connection_t)xpc_connection_get_context(connection);
+ require_action(conn != NULL, done, LOGE("xpc[%i]: process context not found", xpc_connection_get_pid(connection)));
+
+ CFRetainSafe(conn);
+
+ xpc_type_t type = xpc_get_type(event);
+
+ if (type == XPC_TYPE_ERROR) {
+ if (event == XPC_ERROR_CONNECTION_INVALID) {
+ // The client process on the other end of the connection has either
+ // crashed or cancelled the connection. After receiving this error,
+ // the connection is in an invalid state, and you do not need to
+ // call xpc_connection_cancel(). Just tear down any associated state
+ // here.
+ LOGV("xpc[%i]: client disconnected", xpc_connection_get_pid(connection));
+ connection_destroy_agents(conn);
+ } else if (event == XPC_ERROR_TERMINATION_IMMINENT) {
+ // Handle per-connection termination cleanup.
+ LOGD("xpc[%i]: per-connection termination", xpc_connection_get_pid(connection));
+ }
+ } else {
+ assert(type == XPC_TYPE_DICTIONARY);
+
+ xpc_object_t reply = xpc_dictionary_create_reply(event);
+ require(reply != NULL, done);
+
+ uint64_t auth_type = xpc_dictionary_get_uint64(event, AUTH_XPC_TYPE);
+ LOGV("xpc[%i]: received message type=%llu", connection_get_pid(conn), auth_type);
+
+ switch (auth_type) {
+ case AUTHORIZATION_CREATE:
+ status = authorization_create(conn,event,reply);
+ break;
+ case AUTHORIZATION_CREATE_WITH_AUDIT_TOKEN:
+ status = authorization_create_with_audit_token(conn,event,reply);
+ break;
+ case AUTHORIZATION_FREE:
+ status = authorization_free(conn,event,reply);
+ break;
+ case AUTHORIZATION_COPY_RIGHTS:
+ status = authorization_copy_rights(conn,event,reply);
+ break;
+ case AUTHORIZATION_COPY_INFO:
+ status = authorization_copy_info(conn,event,reply);
+ break;
+ case AUTHORIZATION_MAKE_EXTERNAL_FORM:
+ status = authorization_make_external_form(conn,event,reply);
+ break;
+ case AUTHORIZATION_CREATE_FROM_EXTERNAL_FORM:
+ status = authorization_create_from_external_form(conn,event,reply);
+ break;
+ case AUTHORIZATION_RIGHT_GET:
+ status = authorization_right_get(conn,event,reply);
+ break;
+ case AUTHORIZATION_RIGHT_SET:
+ status = authorization_right_set(conn,event,reply);
+ break;
+ case AUTHORIZATION_RIGHT_REMOVE:
+ status = authorization_right_remove(conn,event,reply);
+ break;
+ case SESSION_SET_USER_PREFERENCES:
+ status = session_set_user_preferences(conn,event,reply);
+ break;
+ case AUTHORIZATION_DISMISS:
+ connection_destroy_agents(conn);
+ status = errAuthorizationSuccess;
+ break;
+ case AUTHORIZATION_ENABLE_SMARTCARD:
+ status = authorization_enable_smartcard(conn,event,reply);
+ break;
+ case AUTHORIZATION_SETUP:
+ {
+ mach_port_t bootstrap = xpc_dictionary_copy_mach_send(event, AUTH_XPC_BOOTSTRAP);
+ if (!process_set_bootstrap(connection_get_process(conn), bootstrap)) {
+ if (bootstrap != MACH_PORT_NULL) {
+ mach_port_deallocate(mach_task_self(), bootstrap);
+ }
+ }
+ }
+ status = errAuthorizationSuccess;
+ break;
+#if DEBUG
+ case AUTHORIZATION_DEV:
+ server_dev();
+ break;
+#endif
+ default:
+ break;
+ }
+
+ xpc_dictionary_set_int64(reply, AUTH_XPC_STATUS, status);
+ xpc_connection_send_message(connection, reply);
+ xpc_release(reply);
+ }
+
+done:
+ CFReleaseSafe(conn);
+}
+
+static void
+connection_finalizer(void * conn)
+{
+ LOGD("xpc[%i]: connection_finalizer", connection_get_pid(conn));
+ server_unregister_connection(conn);
+
+//#if DEBUG
+// malloc_printf("-=-=-=- connection_finalizer() -=-=-=-\n");
+// malloc_zone_print(malloc_default_zone(), false);
+//#endif
+}
+
+static void
+security_auth_event_handler(xpc_connection_t xpc_conn)
+{
+ connection_t conn = server_register_connection(xpc_conn);
+
+ if (conn) {
+ xpc_connection_set_context(xpc_conn, conn);
+ xpc_connection_set_finalizer_f(xpc_conn, connection_finalizer);
+
+ xpc_connection_set_event_handler(xpc_conn, ^(xpc_object_t event) {
+ xpc_retain(xpc_conn);
+ xpc_retain(event);
+ dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
+ security_auth_peer_event_handler(xpc_conn, event);
+ xpc_release(event);
+ xpc_release(xpc_conn);
+ });
+ });
+ xpc_connection_resume(xpc_conn);
+
+ } else {
+ LOGE("xpc[%i]: failed to register connection", xpc_connection_get_pid(xpc_conn));
+ xpc_connection_cancel(xpc_conn);
+ }
+}
+
+static void sandbox(const char *tmpdir)
+{
+ char *errorbuf;
+ const char *sandbox_params[] = {"TMP_DIR", tmpdir, NULL};
+ int32_t rc;
+
+ rc = sandbox_init_with_parameters(SECURITY_AUTH_NAME, SANDBOX_NAMED, sandbox_params, &errorbuf);
+ if (rc) {
+ LOGE("server: sandbox_init failed %s (%i)", errorbuf, rc);
+ sandbox_free_error(errorbuf);
+#ifndef DEBUG
+ abort();
+#endif
+ }
+}
+
+int main(int argc AUTH_UNUSED, const char *argv[] AUTH_UNUSED)
+{
+//#if DEBUG
+// malloc_printf("-=-=-=- main() -=-=-=-\n");
+// malloc_zone_print(malloc_default_zone(), false);
+//#endif
+
+ LOGV("starting");
+
+ // authd needs to provide a writeable temp dir for SQLite
+ // Insecure temporary directory in authd (/tmp/authd)
+ char darwin_tmp[PATH_MAX];
+ size_t len = confstr(_CS_DARWIN_USER_TEMP_DIR, darwin_tmp, sizeof(darwin_tmp));
+ if (len == 0 || len >= PATH_MAX) {
+ LOGE("Invalid _CS_DARWIN_USER_TEMP_DIR");
+ return errAuthorizationInternal;
+ }
+
+ char *real_tmp = realpath(darwin_tmp, NULL);
+ if (real_tmp == NULL) {
+ LOGE("realpath( %s ) FAILED", darwin_tmp);
+ return errAuthorizationInternal;
+ }
+
+ setenv("SQLITE_TMPDIR", real_tmp, 1);
+ sandbox(real_tmp);
+ free(real_tmp);
+
+ if (server_init() != errAuthorizationSuccess) {
+ LOGE("auth: server_init() failed");
+ return errAuthorizationInternal;
+ }
+
+//#if DEBUG
+// malloc_printf("-=-=-=- server_init() -=-=-=-\n");
+// malloc_zone_print(malloc_default_zone(), false);
+//#endif
+
+ xpc_main(security_auth_event_handler);
+
+ server_cleanup();
+
+ return 0;
+}
diff --git a/Security/authd/mechanism.c b/OSX/authd/mechanism.c
similarity index 99%
rename from Security/authd/mechanism.c
rename to OSX/authd/mechanism.c
index f2860f12..2c2625a4 100644
--- a/Security/authd/mechanism.c
+++ b/OSX/authd/mechanism.c
@@ -90,7 +90,7 @@ _mechanism_hash(CFTypeRef value)
 crc = crc64_update(crc, &priv, sizeof(priv));
 crc = crc64_final(crc);
- return crc;
+ return (CFHashCode)crc;
 }
 AUTH_TYPE_INSTANCE(mechanism,
diff --git a/Security/authd/mechanism.h b/OSX/authd/mechanism.h
similarity index 100%
rename from Security/authd/mechanism.h
rename to OSX/authd/mechanism.h
diff --git a/Security/authd/object.c b/OSX/authd/object.c
similarity index 100%
rename from Security/authd/object.c
rename to OSX/authd/object.c
diff --git a/Security/authd/object.h b/OSX/authd/object.h
similarity index 100%
rename from Security/authd/object.h
rename to OSX/authd/object.h
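Review bot: In security_auth_event_handler every incoming message is pushed onto the default global concurrent queue with `dispatch_async`, so two requests from the same client can run through security_auth_peer_event_handler at the same time and out of order (for example an AUTHORIZATION_FREE overlapping an in-flight AUTHORIZATION_COPY_RIGHTS for the same blob). Whether that is safe depends on the serialization inside connection/process/auth_token, which this hunk does not show; if the fan-out is deliberate so that one client's blocking interactive authorization cannot stall other connections, a comment above the `dispatch_async` saying so would save the next reader the question, e.g. `// Deliberately concurrent: a client's interactive authorization must not block other connections; per-object state is serialized inside connection/process.` Otherwise the per-connection serial queue (`connection_get_dispatch_queue(conn)`, which server.c in this same patch uses for the interactive path) would be the natural target. Separately, sandbox() aborts on a `sandbox_init_with_parameters` failure only when DEBUG is not defined, so a debug build keeps serving requests unsandboxed after a single LOGE; a one-line comment at the `#ifndef DEBUG` would make that read as intended rather than as an oversight.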
diff --git a/Security/authd/process.c b/OSX/authd/process.c similarity index 98% rename from Security/authd/process.c rename to OSX/authd/process.c index 59e78f40..ce530651 100644 --- a/Security/authd/process.c +++ b/OSX/authd/process.c @@ -144,13 +144,13 @@ process_create(const audit_info_s * auditInfo, session_t session) CFReleaseSafe(codePid); if (status) { - LOGE("process[%i]: failed to create code ref %i", proc->auditInfo.pid, status); + LOGE("process[%i]: failed to create code ref %d", proc->auditInfo.pid, (int)status); CFReleaseNull(proc); goto done; } status = SecCodeCopySigningInformation(proc->codeRef, kSecCSRequirementInformation, &code_info); - require_noerr_action(status, done, LOGV("process[%i]: SecCodeCopySigningInformation failed with %i", proc->auditInfo.pid, status)); + require_noerr_action(status, done, LOGV("process[%i]: SecCodeCopySigningInformation failed with %d", proc->auditInfo.pid, (int)status)); CFTypeRef value = NULL; if (CFDictionaryGetValueIfPresent(code_info, kSecCodeInfoDesignatedRequirement, (const void**)&value)) { @@ -263,7 +263,7 @@ process_add_auth_token(process_t proc, auth_token_t auth) } void -process_remove_auth_token(process_t proc, auth_token_t auth, AuthorizationFlags flags) +process_remove_auth_token(process_t proc, auth_token_t auth, uint32_t flags) { dispatch_sync(proc->dispatch_queue, ^{ bool destroy = false; @@ -455,7 +455,7 @@ bool process_verify_requirment(process_t proc, SecRequirementRef requirment) { OSStatus status = SecCodeCheckValidity(proc->codeRef, kSecCSDefaultFlags, requirment); if (status != errSecSuccess) { - LOGV("process[%i]: code requirement check failed (%d)", proc->auditInfo.pid, status); + LOGV("process[%i]: code requirement check failed (%d)", proc->auditInfo.pid, (int)status); } return (status == errSecSuccess); } diff --git a/Security/authd/process.h b/OSX/authd/process.h similarity index 100% rename from Security/authd/process.h rename to OSX/authd/process.h 
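Review bot: process_remove_auth_token's definition now takes `uint32_t flags`, but process.h is carried over by the rename with 100% similarity, so its declaration presumably still spells the parameter as AuthorizationFlags; the two agree only because AuthorizationFlags is an unsigned 32-bit typedef, and a reader comparing header and source now sees two type names for one parameter. Keeping `AuthorizationFlags flags` here, as engine.h's `engine_authorize(..., AuthorizationFlags)` does in this same patch, or updating the header in the same commit, would make them read alike. The function's body continues outside the hunk.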
diff --git a/Security/authd/rule.c b/OSX/authd/rule.c similarity index 99% rename from Security/authd/rule.c rename to OSX/authd/rule.c index e1395280..a307f81e 100644 --- a/Security/authd/rule.c +++ b/OSX/authd/rule.c @@ -94,7 +94,7 @@ _rule_hash(CFTypeRef value) { rule_t rule = (rule_t)value; const char * str = rule_get_name(rule); - return crc64(str, strlen(str)); + return (CFHashCode)crc64(str, strlen(str)); } AUTH_TYPE_INSTANCE(rule, diff --git a/Security/authd/rule.h b/OSX/authd/rule.h similarity index 100% rename from Security/authd/rule.h rename to OSX/authd/rule.h diff --git a/Security/authd/security.auth-Prefix.pch b/OSX/authd/security.auth-Prefix.pch similarity index 100% rename from Security/authd/security.auth-Prefix.pch rename to OSX/authd/security.auth-Prefix.pch diff --git a/OSX/authd/server.c b/OSX/authd/server.c new file mode 100644 index 00000000..b29182f1 --- /dev/null +++ b/OSX/authd/server.c 
@@ -0,0 +1,1169 @@ +/* Copyright (c) 2012-2013 Apple Inc. All Rights Reserved. */ + +#include "server.h" +#include "session.h" +#include "process.h" +#include "authtoken.h" +#include "authdb.h" +#include "rule.h" +#include "authutilities.h" +#include "crc.h" +#include "mechanism.h" +#include "agent.h" +#include "authitems.h" +#include "debugging.h" +#include "engine.h" +#include "connection.h" + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define MAX_PROCESS_RIGHTS 100 + +static CFMutableDictionaryRef gProcessMap = NULL; +static CFMutableDictionaryRef gSessionMap = NULL; +static CFMutableDictionaryRef gAuthTokenMap = NULL; +static authdb_t gDatabase = NULL; + +static dispatch_queue_t power_queue; +static bool gInDarkWake = false; +static IOPMConnection gIOPMconn = NULL; +static bool gXPCTransaction = false; + +static dispatch_queue_t +get_server_dispatch_queue() +{ + static dispatch_once_t onceToken; + static dispatch_queue_t server_queue = NULL; + + dispatch_once(&onceToken, ^{ + server_queue = dispatch_queue_create("com.apple.security.auth.server", DISPATCH_QUEUE_SERIAL); + check(server_queue != NULL); + }); + + return server_queue; +} + +static Boolean _processEqualCallBack(const void *value1, const void *value2) +{ + audit_info_s * info1 = (audit_info_s*)value1; + audit_info_s * info2 = (audit_info_s*)value2; + if (info1->pid == info2->pid) { + if (info1->tid == info2->tid) { + return true; + } + } + return false; +} + +static CFHashCode _processHashCallBack(const void *value) +{ + audit_info_s * info = (audit_info_s*)value; + uint64_t crc = crc64_init(); + crc = crc64_update(crc, &info->pid, sizeof(info->pid)); + crc = crc64_update(crc, &info->tid, sizeof(info->tid)); + crc = crc64_final(crc); + return (CFHashCode)crc; +} + +static const CFDictionaryKeyCallBacks kProcessMapKeyCallBacks = { + .version = 0, + .retain = NULL, + .release = NULL, + .copyDescription = NULL, + .equal = 
&_processEqualCallBack, + .hash = &_processHashCallBack +}; + +static Boolean _sessionEqualCallBack(const void *value1, const void *value2) +{ + return (*(session_id_t*)value1) == (*(session_id_t*)value2); +} + +static CFHashCode _sessionHashCallBack(const void *value) +{ + return (CFHashCode)(*(session_id_t*)(value)); +} + +static const CFDictionaryKeyCallBacks kSessionMapKeyCallBacks = { + .version = 0, + .retain = NULL, + .release = NULL, + .copyDescription = NULL, + .equal = &_sessionEqualCallBack, + .hash = &_sessionHashCallBack +}; + +void server_cleanup() +{ + CFRelease(gProcessMap); + CFRelease(gSessionMap); + CFRelease(gAuthTokenMap); + + IOPMConnectionSetDispatchQueue(gIOPMconn, NULL); + IOPMConnectionRelease(gIOPMconn); + + dispatch_queue_t queue = get_server_dispatch_queue(); + if (queue) { + dispatch_release(queue); + } + dispatch_release(power_queue); +} + +static void _IOMPCallBack(void * param AUTH_UNUSED, IOPMConnection connection, IOPMConnectionMessageToken token, IOPMSystemPowerStateCapabilities capabilities) +{ + LOGV("server: IOMP powerstates %i", capabilities); + if (capabilities & kIOPMSystemPowerStateCapabilityDisk) + LOGV("server: disk"); + if (capabilities & kIOPMSystemPowerStateCapabilityNetwork) + LOGV("server: net"); + if (capabilities & kIOPMSystemPowerStateCapabilityAudio) + LOGV("server: audio"); + if (capabilities & kIOPMSystemPowerStateCapabilityVideo) + LOGV("server: video"); + + /* if cpu and no display -> in DarkWake */ + LOGD("server: DarkWake check current=%i==%i", (capabilities & (kIOPMSystemPowerStateCapabilityCPU|kIOPMSystemPowerStateCapabilityVideo)), kIOPMSystemPowerStateCapabilityCPU); + if ((capabilities & (kIOPMSystemPowerStateCapabilityCPU|kIOPMSystemPowerStateCapabilityVideo)) == kIOPMSystemPowerStateCapabilityCPU) { + LOGV("server: enter DarkWake"); + gInDarkWake = true; + } else if (gInDarkWake) { + LOGV("server: exit DarkWake"); + gInDarkWake = false; + } + + (void)IOPMConnectionAcknowledgeEvent(connection, 
token); + + return; +} + +static void +_setupDarkWake(void *__unused ctx) +{ + IOReturn ret; + + IOPMConnectionCreate(CFSTR("IOPowerWatcher"), + kIOPMSystemPowerStateCapabilityDisk + | kIOPMSystemPowerStateCapabilityNetwork + | kIOPMSystemPowerStateCapabilityAudio + | kIOPMSystemPowerStateCapabilityVideo, + &gIOPMconn); + + ret = IOPMConnectionSetNotification(gIOPMconn, NULL, _IOMPCallBack); + if (ret != kIOReturnSuccess) + return; + + IOPMConnectionSetDispatchQueue(gIOPMconn, power_queue); + + IOPMScheduleUserActiveChangedNotification(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^(bool active) { + if (active) { + gInDarkWake = false; + } + }); +} + +bool server_in_dark_wake() +{ + return gInDarkWake; +} + +authdb_t server_get_database() +{ + return gDatabase; +} + +static void _setupAuditSessionMonitor() +{ + dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{ + au_sdev_handle_t *dev = au_sdev_open(AU_SDEVF_ALLSESSIONS); + int event; + auditinfo_addr_t aia; + + if (NULL == dev) { + LOGE("server: could not open %s %d", AUDIT_SDEV_PATH, errno); + return; + } + + for (;;) { + if (0 != au_sdev_read_aia(dev, &event, &aia)) { + LOGE("server: au_sdev_read_aia failed: %d", errno); + continue; + } + LOGD("server: au_sdev_handle_t event=%i, session=%i", event, aia.ai_asid); + if (event == AUE_SESSION_CLOSE) { + dispatch_async(get_server_dispatch_queue(), ^{ + LOGV("server: session %i destroyed", aia.ai_asid); + CFDictionaryRemoveValue(gSessionMap, &aia.ai_asid); + }); + } + } + + }); +} + +static void _setupSignalHandlers() +{ + signal(SIGTERM, SIG_IGN); + static dispatch_source_t sigtermHandler; + sigtermHandler = dispatch_source_create(DISPATCH_SOURCE_TYPE_SIGNAL, SIGTERM, 0, get_server_dispatch_queue()); + if (sigtermHandler) { + dispatch_source_set_event_handler(sigtermHandler, ^{ + + // should we clean up any state? 
+ exit(EXIT_SUCCESS); + }); + dispatch_resume(sigtermHandler); + } +} + +OSStatus server_init(void) +{ + OSStatus status = errAuthorizationSuccess; + + auditinfo_addr_t info; + memset(&info, 0, sizeof(info)); + getaudit_addr(&info, sizeof(info)); + LOGV("server: uid=%i, sid=%i", info.ai_auid, info.ai_asid); + + require_action(get_server_dispatch_queue() != NULL, done, status = errAuthorizationInternal); + + gProcessMap = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kProcessMapKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + require_action(gProcessMap != NULL, done, status = errAuthorizationInternal); + + gSessionMap = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kSessionMapKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + require_action(gSessionMap != NULL, done, status = errAuthorizationInternal); + + gAuthTokenMap = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kAuthTokenKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + require_action(gAuthTokenMap != NULL, done, status = errAuthorizationInternal); + + gDatabase = authdb_create(); + require_action(gDatabase != NULL, done, status = errAuthorizationInternal); + + // check to see if we have an updates + authdb_connection_t dbconn = authdb_connection_acquire(gDatabase); + authdb_maintenance(dbconn); + authdb_connection_release(&dbconn); + + power_queue = dispatch_queue_create("com.apple.security.auth.power", DISPATCH_QUEUE_SERIAL); + require_action(power_queue != NULL, done, status = errAuthorizationInternal); + dispatch_async_f(power_queue, NULL, _setupDarkWake); + + _setupAuditSessionMonitor(); + _setupSignalHandlers(); + +done: + return status; +} + +static void _server_parse_audit_token(audit_token_t * token, audit_info_s * info) +{ + if (token && info) { + memset(info, 0, sizeof(*info)); + au_tid_t tid; + memset(&tid, 0, sizeof(tid)); + audit_token_to_au32(*token, &info->auid, &info->euid, + &info->egid, &info->ruid, &info->rgid, + &info->pid, &info->asid, &tid); + info->tid = tid.port; + 
info->opaqueToken = *token; + } +} + +connection_t +server_register_connection(xpc_connection_t connection) +{ + __block connection_t conn = NULL; + __block session_t session = NULL; + __block process_t proc = NULL; + __block CFIndex conn_count = 0; + + require(connection != NULL, done); + + audit_token_t auditToken; + audit_info_s info; + xpc_connection_get_audit_token(connection, &auditToken); + _server_parse_audit_token(&auditToken, &info); + + + dispatch_sync(get_server_dispatch_queue(), ^{ + session = (session_t)CFDictionaryGetValue(gSessionMap, &info.asid); + if (session) { + CFRetain(session); + } else { + session = session_create(info.asid); + CFDictionarySetValue(gSessionMap, session_get_key(session), session); + } + + proc = (process_t)CFDictionaryGetValue(gProcessMap, &info); + if (proc) { + CFRetain(proc); + } + + if (proc) { + conn = connection_create(proc); + conn_count = process_add_connection(proc, conn); + } else { + proc = process_create(&info, session); + if (proc) { + conn = connection_create(proc); + conn_count = process_add_connection(proc, conn); + session_add_process(session, proc); + CFDictionarySetValue(gProcessMap, process_get_key(proc), proc); + } + } + + if (!gXPCTransaction) { + xpc_transaction_begin(); + gXPCTransaction = true; + } + }); + + LOGV("server[%i]: registered connection (total=%li)", info.pid, conn_count); + +done: + CFReleaseSafe(session); + CFReleaseSafe(proc); + return conn; +} + +void +server_unregister_connection(connection_t conn) +{ + if (conn != NULL) { + process_t proc = connection_get_process(conn); + + dispatch_sync(get_server_dispatch_queue(), ^{ + CFIndex connectionCount = process_get_connection_count(proc); + LOGV("server[%i]: unregistered connection (total=%li)", process_get_pid(proc), connectionCount); + + if (connectionCount == 1) { + CFDictionaryRemoveValue(gProcessMap, process_get_key(proc)); + } + + if (CFDictionaryGetCount(gProcessMap) == 0) { + xpc_transaction_end(); + gXPCTransaction = false; + } + 
}); + // move the destruction of the connection/process off the server queue + CFRelease(conn); + } +} + +void +server_register_auth_token(auth_token_t auth) +{ + if (auth != NULL) { + dispatch_sync(get_server_dispatch_queue(), ^{ + LOGV("server: registering auth %p", auth); + CFDictionarySetValue(gAuthTokenMap, auth_token_get_key(auth), auth); + auth_token_set_state(auth, auth_token_state_registered); + }); + } +} + +void +server_unregister_auth_token(auth_token_t auth) +{ + if (auth != NULL) { + AuthorizationBlob blob = *(AuthorizationBlob*)auth_token_get_key(auth); + dispatch_async(get_server_dispatch_queue(), ^{ + LOGV("server: unregistering auth %p", auth); + CFDictionaryRemoveValue(gAuthTokenMap, &blob); + }); + } +} + +auth_token_t +server_find_copy_auth_token(AuthorizationBlob * blob) +{ + __block auth_token_t auth = NULL; + if (blob != NULL) { + dispatch_sync(get_server_dispatch_queue(), ^{ + auth = (auth_token_t)CFDictionaryGetValue(gAuthTokenMap, blob); + if (auth) { + CFRetain(auth); + } + }); + } + return auth; +} + +session_t +server_find_copy_session(session_id_t sid, bool create) +{ + __block session_t session = NULL; + + dispatch_sync(get_server_dispatch_queue(), ^{ + session = (session_t)CFDictionaryGetValue(gSessionMap, &sid); + if (session) { + CFRetain(session); + } else if (create) { + session = session_create(sid); + if (session) { + CFDictionarySetValue(gSessionMap, session_get_key(session), session); + } + } + }); + + return session; +} + +#pragma mark - +#pragma mark API + +static OSStatus +_process_find_copy_auth_token_from_xpc(process_t proc, xpc_object_t message, auth_token_t * auth_out) +{ + OSStatus status = errAuthorizationSuccess; + require_action(auth_out != NULL, done, status = errAuthorizationInternal); + + size_t len; + AuthorizationBlob * blob = (AuthorizationBlob *)xpc_dictionary_get_data(message, AUTH_XPC_BLOB, &len); + require_action(blob != NULL, done, status = errAuthorizationInvalidRef); + require_action(len == 
sizeof(AuthorizationBlob), done, status = errAuthorizationInvalidRef); + + auth_token_t auth = process_find_copy_auth_token(proc, blob); + require_action(auth != NULL, done, status = errAuthorizationInvalidRef); + +#if DEBUG + LOGV("server[%i]: authtoken lookup %#x%x %p", process_get_pid(proc), blob->data[1],blob->data[0], auth); +#else + LOGV("server[%i]: authtoken lookup %p", process_get_pid(proc), auth); +#endif + + *auth_out = auth; + +done: + return status; +} + +static OSStatus _server_authorize(connection_t conn, auth_token_t auth, AuthorizationFlags flags, auth_rights_t rights, auth_items_t environment, engine_t * engine_out) +{ + __block OSStatus status = errAuthorizationDenied; + engine_t engine = NULL; + + require_action(conn, done, status = errAuthorizationInternal); + + engine = engine_create(conn, auth); + require_action(engine, done, status = errAuthorizationInternal); + + if (flags & kAuthorizationFlagInteractionAllowed) { + dispatch_sync(connection_get_dispatch_queue(conn), ^{ + connection_set_engine(conn, engine); + status = engine_authorize(engine, rights, environment, flags); + connection_set_engine(conn, NULL); + }); + } else { + status = engine_authorize(engine, rights, environment, flags); + } + +done: + if (engine) { + if (engine_out) { + *engine_out = engine; + } else { + CFRelease(engine); + } + } + return status; +} + +// IN: AUTH_XPC_RIGHTS, AUTH_XPC_ENVIRONMENT, AUTH_XPC_FLAGS +// OUT: AUTH_XPC_BLOB +OSStatus +authorization_create(connection_t conn, xpc_object_t message, xpc_object_t reply) +{ + OSStatus status = errAuthorizationDenied; + + process_t proc = connection_get_process(conn); + + // Passed in args + auth_rights_t rights = auth_rights_create_with_xpc(xpc_dictionary_get_value(message, AUTH_XPC_RIGHTS)); + auth_items_t environment = auth_items_create_with_xpc(xpc_dictionary_get_value(message, AUTH_XPC_ENVIRONMENT)); + AuthorizationFlags flags = (AuthorizationFlags)xpc_dictionary_get_uint64(message, AUTH_XPC_FLAGS); + + // Create 
Authorization Token + auth_token_t auth = auth_token_create(proc, flags & kAuthorizationFlagLeastPrivileged); + require_action(auth != NULL, done, status = errAuthorizationInternal); + + if (!(flags & kAuthorizationFlagNoData)) { + process_add_auth_token(proc,auth); + } + + status = _server_authorize(conn, auth, flags, rights, environment, NULL); + require_noerr(status, done); + + //reply + xpc_dictionary_set_data(reply, AUTH_XPC_BLOB, auth_token_get_blob(auth), sizeof(AuthorizationBlob)); + +done: + CFReleaseSafe(rights); + CFReleaseSafe(environment); + CFReleaseSafe(auth); + return status; +} + +// IN: AUTH_XPC_DATA, AUTH_XPC_ENVIRONMENT, AUTH_XPC_FLAGS +// OUT: AUTH_XPC_BLOB +OSStatus authorization_create_with_audit_token(connection_t conn, xpc_object_t message, xpc_object_t reply) +{ + OSStatus status = errAuthorizationDenied; + auth_token_t auth = NULL; + + process_t proc = connection_get_process(conn); + require(process_get_uid(proc) == 0, done); //only root can use this call + + // Passed in args + size_t len = 0; + const char * data = xpc_dictionary_get_data(message, AUTH_XPC_DATA, &len); + require(data != NULL, done); + require(len == sizeof(audit_token_t), done); + +// auth_items_t environment = auth_items_create_with_xpc(xpc_dictionary_get_value(message, AUTH_XPC_ENVIRONMENT)); + AuthorizationFlags flags = (AuthorizationFlags)xpc_dictionary_get_uint64(message, AUTH_XPC_FLAGS); + + audit_info_s auditInfo; + _server_parse_audit_token((audit_token_t*)data, &auditInfo); + + // Create Authorization Token + auth = auth_token_create(proc, flags & kAuthorizationFlagLeastPrivileged); + require_action(auth != NULL, done, status = errAuthorizationInternal); + + process_add_auth_token(proc,auth); + + //reply + xpc_dictionary_set_data(reply, AUTH_XPC_BLOB, auth_token_get_blob(auth), sizeof(AuthorizationBlob)); + +done: +// CFReleaseSafe(environment); + CFReleaseSafe(auth); + return status; +} + +// IN: AUTH_XPC_BLOB, AUTH_XPC_FLAGS +// OUT: +OSStatus 
+authorization_free(connection_t conn, xpc_object_t message, xpc_object_t reply AUTH_UNUSED) +{ + OSStatus status = errAuthorizationSuccess; + AuthorizationFlags flags = 0; + process_t proc = connection_get_process(conn); + + auth_token_t auth = NULL; + status = _process_find_copy_auth_token_from_xpc(proc, message, &auth); + require_noerr(status, done); + + flags = (AuthorizationFlags)xpc_dictionary_get_uint64(message, AUTH_XPC_FLAGS); + + if (flags & kAuthorizationFlagDestroyRights) { + auth_token_credentials_iterate(auth, ^bool(credential_t cred) { + credential_invalidate(cred); + LOGV("engine[%i]: invalidating %scredential %s (%i) from authorization (%p)", connection_get_pid(conn), credential_get_shared(cred) ? "shared " : "", credential_get_name(cred), credential_get_uid(cred), auth); + return true; + }); + + session_credentials_purge(auth_token_get_session(auth)); + } + + process_remove_auth_token(proc, auth, flags); + +done: + CFReleaseSafe(auth); + LOGV("server[%i]: AuthorizationFree %d (flags:%x)", connection_get_pid(conn), (int)status, (unsigned int)flags); + return status; +} + +// IN: AUTH_XPC_BLOB, AUTH_XPC_RIGHTS, AUTH_XPC_ENVIRONMENT, AUTH_XPC_FLAGS +// OUT: AUTH_XPC_OUT_ITEMS +OSStatus +authorization_copy_rights(connection_t conn, xpc_object_t message, xpc_object_t reply) +{ + OSStatus status = errAuthorizationDenied; + engine_t engine = NULL; + + process_t proc = connection_get_process(conn); + + // Passed in args + auth_rights_t rights = auth_rights_create_with_xpc(xpc_dictionary_get_value(message, AUTH_XPC_RIGHTS)); + auth_items_t environment = auth_items_create_with_xpc(xpc_dictionary_get_value(message, AUTH_XPC_ENVIRONMENT)); + AuthorizationFlags flags = (AuthorizationFlags)xpc_dictionary_get_uint64(message, AUTH_XPC_FLAGS); + + auth_token_t auth = NULL; + status = _process_find_copy_auth_token_from_xpc(proc, message, &auth); + require_noerr(status, done); + + status = _server_authorize(conn, auth, flags, rights, environment, &engine); + 
require_noerr(status, done); + + //reply + xpc_object_t outItems = auth_rights_export_xpc(engine_get_granted_rights(engine)); + xpc_dictionary_set_value(reply, AUTH_XPC_OUT_ITEMS, outItems); + xpc_release_safe(outItems); + +done: + CFReleaseSafe(rights); + CFReleaseSafe(environment); + CFReleaseSafe(auth); + CFReleaseSafe(engine); + + return status; +} + +// IN: AUTH_XPC_BLOB, AUTH_XPC_TAG +// OUT: AUTH_XPC_OUT_ITEMS +OSStatus +authorization_copy_info(connection_t conn, xpc_object_t message, xpc_object_t reply) +{ + + OSStatus status = errAuthorizationSuccess; + auth_items_t items = NULL; + const char * tag = NULL; + + process_t proc = connection_get_process(conn); + + auth_token_t auth = NULL; + status = _process_find_copy_auth_token_from_xpc(proc, message, &auth); + require_noerr(status, done); + + items = auth_items_create(); + + tag = xpc_dictionary_get_string(message, AUTH_XPC_TAG); + LOGV("server[%i]: requested tag: %s", connection_get_pid(conn), tag ? tag : "(all)"); + if (tag) { + size_t len; + const void * data = auth_items_get_data(auth_token_get_context(auth), tag, &len); + if (data) { + auth_items_set_data(items, tag, data, len); + } + } else { + auth_items_copy(items, auth_token_get_context(auth)); + } + +#if DEBUG + LOGV("server[%i]: Dumping requested AuthRef items", connection_get_pid(conn)); + _show_cf(items); +#endif + + //reply + xpc_object_t outItems = auth_items_export_xpc(items); + xpc_dictionary_set_value(reply, AUTH_XPC_OUT_ITEMS, outItems); + xpc_release_safe(outItems); + +done: + CFReleaseSafe(items); + CFReleaseSafe(auth); + LOGV("server[%i]: AuthorizationCopyInfo %i", connection_get_pid(conn), status); + return status; +} + +// IN: AUTH_XPC_BLOB +// OUT: AUTH_XPC_EXTERNAL +OSStatus +authorization_make_external_form(connection_t conn, xpc_object_t message, xpc_object_t reply) +{ + OSStatus status = errAuthorizationSuccess; + + process_t proc = connection_get_process(conn); + + auth_token_t auth = NULL; + status = 
_process_find_copy_auth_token_from_xpc(proc, message, &auth); + require_noerr(status, done); + + AuthorizationExternalForm exForm; + AuthorizationExternalBlob * exBlob = (AuthorizationExternalBlob *)&exForm; + memset(&exForm, 0, sizeof(exForm)); + + exBlob->blob = *auth_token_get_blob(auth); + exBlob->session = process_get_session_id(proc); + + xpc_dictionary_set_data(reply, AUTH_XPC_EXTERNAL, &exForm, sizeof(exForm)); + server_register_auth_token(auth); + +done: + CFReleaseSafe(auth); + LOGV("server[%i]: AuthorizationMakeExternalForm %d", connection_get_pid(conn), (int)status); + return status; +} + +// IN: AUTH_XPC_EXTERNAL +// OUT: AUTH_XPC_BLOB +OSStatus +authorization_create_from_external_form(connection_t conn, xpc_object_t message, xpc_object_t reply) +{ + OSStatus status = errAuthorizationSuccess; + auth_token_t auth = NULL; + + process_t proc = connection_get_process(conn); + + size_t len; + AuthorizationExternalForm * exForm = (AuthorizationExternalForm *)xpc_dictionary_get_data(message, AUTH_XPC_EXTERNAL, &len); + require_action(exForm != NULL, done, status = errAuthorizationInternal); + require_action(len == sizeof(AuthorizationExternalForm), done, status = errAuthorizationInvalidRef); + + AuthorizationExternalBlob * exBlob = (AuthorizationExternalBlob *)exForm; + auth = server_find_copy_auth_token(&exBlob->blob); + require_action(auth != NULL, done, status = errAuthorizationDenied); + + process_add_auth_token(proc, auth); + xpc_dictionary_set_data(reply, AUTH_XPC_BLOB, auth_token_get_blob(auth), sizeof(AuthorizationBlob)); + +done: + CFReleaseSafe(auth); + LOGV("server[%i]: AuthorizationCreateFromExternalForm %d", connection_get_pid(conn), (int)status); + return status; +} + +// IN: AUTH_XPC_RIGHT_NAME +// OUT: AUTH_XPC_DATA +OSStatus +authorization_right_get(connection_t conn AUTH_UNUSED, xpc_object_t message, xpc_object_t reply) +{ + OSStatus status = errAuthorizationDenied; + rule_t rule = NULL; + CFTypeRef cfdict = NULL; + xpc_object_t xpcdict = 
NULL; + + authdb_connection_t dbconn = authdb_connection_acquire(server_get_database()); + rule = rule_create_with_string(xpc_dictionary_get_string(message, AUTH_XPC_RIGHT_NAME), dbconn); + require(rule != NULL, done); + require(rule_get_id(rule) != 0, done); + + cfdict = rule_copy_to_cfobject(rule, dbconn); + require(cfdict != NULL, done); + + xpcdict = _CFXPCCreateXPCObjectFromCFObject(cfdict); + require(xpcdict != NULL, done); + + // reply + xpc_dictionary_set_value(reply, AUTH_XPC_DATA, xpcdict); + + status = errAuthorizationSuccess; + +done: + authdb_connection_release(&dbconn); + CFReleaseSafe(cfdict); + xpc_release_safe(xpcdict); + CFReleaseSafe(rule); + LOGV("server[%i]: AuthorizationRightGet %d", connection_get_pid(conn), (int)status); + return status; +} + +static bool _prompt_for_modifications(process_t __unused proc, rule_t __unused rule) +{ +// will put back it back at some later date +// SecRequirementRef ruleReq = rule_get_requirment(rule); +// +// if (ruleReq && process_verify_requirment(proc, ruleReq)) { +// return false; +// } + + return true; +} + +static CFIndex _get_mechanism_index(CFArrayRef mechanisms, CFStringRef m_name) +{ + CFIndex index = -1; + require(mechanisms, done); + + CFIndex c = CFArrayGetCount(mechanisms); + CFStringRef i_name = NULL; + for (CFIndex i = 0; i < c; ++i) + { + i_name = CFArrayGetValueAtIndex(mechanisms, i); + if (i_name && (CFGetTypeID(m_name) == CFStringGetTypeID())) { + if (CFStringCompare(i_name, m_name, kCFCompareCaseInsensitive) == kCFCompareEqualTo) { + index = i; + break; + } + } + } + +done: + return index; +} + +static bool _update_rule_mechanism(authdb_connection_t dbconn, const char * rule_name, CFStringRef mechanism_name, CFStringRef insert_after_name, bool remove) +{ + bool updated = false; + rule_t rule = NULL; + rule_t update_rule = NULL; + CFMutableDictionaryRef cfdict = NULL; + CFStringRef update_name = NULL; + + require(mechanism_name, done); + + rule = rule_create_with_string(rule_name, dbconn); + 
require(rule_get_id(rule) != 0, done); // rule doesn't exist in the database + + cfdict = rule_copy_to_cfobject(rule, dbconn); + require(cfdict != NULL, done); + + CFMutableArrayRef mechanisms = NULL; + bool res = CFDictionaryGetValueIfPresent(cfdict, CFSTR(kAuthorizationRuleParameterMechanisms), (void*)&mechanisms); + require(res == true, done); + + CFIndex index = -1; + + if (remove) { + index = _get_mechanism_index(mechanisms, mechanism_name); + } else { + if (insert_after_name) { + if ((index = _get_mechanism_index(mechanisms, insert_after_name)) != -1) { + index++; + } else { + index = 0; // if we couldn't find the index add it to the begining + } + } else { + index = 0; + } + } + + if (index != -1) { + if(remove) { + CFArrayRemoveValueAtIndex(mechanisms, index); + } else { + if (index < CFArrayGetCount(mechanisms)) { + require_action(CFStringCompare(CFArrayGetValueAtIndex(mechanisms, index), mechanism_name, kCFCompareCaseInsensitive) != kCFCompareEqualTo, done, updated = true); + } + CFArrayInsertValueAtIndex(mechanisms, index, mechanism_name); + } + + CFDictionarySetValue(cfdict, CFSTR(kAuthorizationRuleParameterMechanisms), mechanisms); + + // and write it back + update_name = CFStringCreateWithCString(kCFAllocatorDefault, rule_name, kCFStringEncodingUTF8); + require(update_name, done); + update_rule = rule_create_with_plist(rule_get_type(rule), update_name, cfdict, dbconn); + require(update_rule, done); + + require(rule_sql_commit(update_rule, dbconn, CFAbsoluteTimeGetCurrent(), NULL), done); + } + + updated = true; + +done: + CFReleaseSafe(rule); + CFReleaseSafe(update_rule); + CFReleaseSafe(cfdict); + CFReleaseSafe(update_name); + return updated; +} + +/// IN: AUTH_XPC_BLOB, AUTH_XPC_INT64 +// OUT: +OSStatus +authorization_enable_smartcard(connection_t conn, xpc_object_t message, xpc_object_t reply AUTH_UNUSED) +{ + const CFStringRef SMARTCARD_LINE = CFSTR("builtin:smartcard-sniffer,privileged"); + const CFStringRef BUILTIN_LINE = 
CFSTR("builtin:policy-banner"); + const char* SYSTEM_LOGIN_CONSOLE = "system.login.console"; + const char* AUTHENTICATE = "authenticate"; + + __block OSStatus status = errAuthorizationSuccess; + bool enable_smartcard = false; + authdb_connection_t dbconn = NULL; + auth_token_t auth = NULL; + auth_rights_t checkRight = NULL; + + process_t proc = connection_get_process(conn); + + status = _process_find_copy_auth_token_from_xpc(proc, message, &auth); + require_noerr(status, done); + + checkRight = auth_rights_create(); + auth_rights_add(checkRight, "config.modify.smartcard"); + status = _server_authorize(conn, auth, kAuthorizationFlagDefaults | kAuthorizationFlagInteractionAllowed | kAuthorizationFlagExtendRights, checkRight, NULL, NULL); + require_noerr(status, done); + + enable_smartcard = xpc_dictionary_get_bool(message, AUTH_XPC_DATA); + + dbconn = authdb_connection_acquire(server_get_database()); + + if (!_update_rule_mechanism(dbconn, SYSTEM_LOGIN_CONSOLE, SMARTCARD_LINE, BUILTIN_LINE, enable_smartcard ? false : true)) { + status = errAuthorizationInternal; + LOGE("server[%i]: smartcard: enable(%i) failed to update %s", connection_get_pid(conn), enable_smartcard, SYSTEM_LOGIN_CONSOLE); + } + if (!_update_rule_mechanism(dbconn, AUTHENTICATE, SMARTCARD_LINE, NULL, enable_smartcard ? false : true)) { + status = errAuthorizationInternal; + LOGE("server[%i]: smartcard: enable(%i) failed to update %s", connection_get_pid(conn), enable_smartcard, AUTHENTICATE); + } + + authdb_checkpoint(dbconn); + +done: + authdb_connection_release(&dbconn); + CFReleaseSafe(checkRight); + CFReleaseSafe(auth); + return status; +} + +static int64_t _process_get_identifier_count(process_t proc, authdb_connection_t conn) +{ + __block int64_t result = 0; + + authdb_step(conn, "SELECT COUNT(*) AS cnt FROM rules WHERE identifier = ? 
", ^(sqlite3_stmt *stmt) { + sqlite3_bind_text(stmt, 1, process_get_identifier(proc), -1, NULL); + }, ^bool(auth_items_t data) { + result = auth_items_get_int64(data, "cnt"); + return true; + }); + + return result; +} + +static int64_t _get_max_process_rights() +{ + static dispatch_once_t onceToken; + static int64_t max_rights = MAX_PROCESS_RIGHTS; + + //sudo defaults write /Library/Preferences/com.apple.authd max_process_rights -bool true + dispatch_once(&onceToken, ^{ + CFTypeRef max = (CFNumberRef)CFPreferencesCopyValue(CFSTR("max_process_rights"), CFSTR(SECURITY_AUTH_NAME), kCFPreferencesAnyUser, kCFPreferencesCurrentHost); + + if (max && CFGetTypeID(max) == CFNumberGetTypeID()) { + CFNumberGetValue(max, kCFNumberSInt64Type, &max_rights); + } + CFReleaseSafe(max); + }); + + return max_rights; +} + +// IN: AUTH_XPC_BLOB, AUTH_XPC_RIGHT_NAME, AUTH_XPC_DATA +// OUT: +OSStatus +authorization_right_set(connection_t conn, xpc_object_t message, xpc_object_t reply AUTH_UNUSED) +{ + __block OSStatus status = errAuthorizationDenied; + __block engine_t engine = NULL; + CFStringRef cf_rule_name = NULL; + CFDictionaryRef cf_rule_dict = NULL; + rule_t rule = NULL; + rule_t existingRule = NULL; + authdb_connection_t dbconn = NULL; + auth_token_t auth = NULL; + bool force_modify = false; + RuleType rule_type = RT_RIGHT; + const char * rule_name = NULL; + bool auth_rule = false; + + process_t proc = connection_get_process(conn); + + status = _process_find_copy_auth_token_from_xpc(proc, message, &auth); + require_noerr(status, done); + + require_action(xpc_dictionary_get_string(message, AUTH_XPC_RIGHT_NAME) != NULL, done, status = errAuthorizationInternal); + require_action(xpc_dictionary_get_value(message, AUTH_XPC_DATA) != NULL, done, status = errAuthorizationInternal); + + rule_name = xpc_dictionary_get_string(message, AUTH_XPC_RIGHT_NAME); + require(rule_name != NULL, done); + + if (_compare_string(rule_name, "authenticate")) { + rule_type = RT_RULE; + auth_rule = true; + } 
+ + cf_rule_name = CFStringCreateWithCString(kCFAllocatorDefault, rule_name, kCFStringEncodingUTF8); + require(cf_rule_name != NULL, done); + + cf_rule_dict = _CFXPCCreateCFObjectFromXPCObject(xpc_dictionary_get_value(message, AUTH_XPC_DATA)); + require(cf_rule_dict != NULL, done); + + dbconn = authdb_connection_acquire(server_get_database()); + + rule = rule_create_with_plist(rule_type, cf_rule_name, cf_rule_dict, dbconn); + if (process_get_uid(proc) != 0) { + require_action(rule_get_extract_password(rule) == false, done, status = errAuthorizationDenied; LOGE("server[%i]: AuthorizationRightSet not allowed to set extract-password. (denied)", connection_get_pid(conn))); + } + + // if rule doesn't currently exist then we have to check to see if they are over the Max. + if (rule_get_id(rule) == 0) { + if (process_get_identifier(proc) == NULL) { + LOGE("server[%i]: AuthorizationRightSet required for process %s (missing code signature). To add rights to the Authorization database, your process must have a code signature.", connection_get_pid(conn), process_get_code_url(proc)); + force_modify = true; + } else { + int64_t process_rule_count = _process_get_identifier_count(proc, dbconn); + if ((process_rule_count >= _get_max_process_rights())) { + if (!connection_get_syslog_warn(conn)) { + LOGE("server[%i]: AuthorizationRightSet Denied API abuse process %s already contains %lli rights.", connection_get_pid(conn), process_get_code_url(proc), _get_max_process_rights()); + connection_set_syslog_warn(conn); + } + status = errAuthorizationDenied; + goto done; + } + } + } else { + if (auth_rule) { + if (process_get_uid(proc) != 0) { + LOGE("server[%i]: AuthorizationRightSet denied, root required to update the 'authenticate' rule", connection_get_pid(conn)); + status = errAuthorizationDenied; + goto done; + } + } else { + // verify they are updating a right and not a rule + existingRule = rule_create_with_string(rule_get_name(rule), dbconn); + if (rule_get_type(existingRule) == 
RT_RULE) { + LOGE("server[%i]: AuthorizationRightSet Denied updating '%s' rule is prohibited", connection_get_pid(conn), rule_get_name(existingRule)); + status = errAuthorizationDenied; + goto done; + } + } + } + + if (_prompt_for_modifications(proc,rule)) { + authdb_connection_release(&dbconn); + + dispatch_sync(connection_get_dispatch_queue(conn), ^{ + engine = engine_create(conn, auth); + connection_set_engine(conn, engine); + status = engine_verify_modification(engine, rule, false, force_modify); + connection_set_engine(conn, NULL); + }); + require_noerr(status, done); + + dbconn = authdb_connection_acquire(server_get_database()); + } + + if (rule_sql_commit(rule, dbconn, engine ? engine_get_time(engine) : CFAbsoluteTimeGetCurrent(), proc)) { + LOGV("server[%i]: Successfully updated rule %s", connection_get_pid(conn), rule_get_name(rule)); + authdb_checkpoint(dbconn); + status = errAuthorizationSuccess; + } else { + LOGE("server[%i]: Failed to update rule %s", connection_get_pid(conn), rule_get_name(rule)); + status = errAuthorizationDenied; + } + +done: + authdb_connection_release(&dbconn); + CFReleaseSafe(existingRule); + CFReleaseSafe(cf_rule_name); + CFReleaseSafe(cf_rule_dict); + CFReleaseSafe(auth); + CFReleaseSafe(rule); + CFReleaseSafe(engine); + return status; +} + +// IN: AUTH_XPC_BLOB, AUTH_XPC_RIGHT_NAME +// OUT: +OSStatus +authorization_right_remove(connection_t conn, xpc_object_t message, xpc_object_t reply AUTH_UNUSED) +{ + __block OSStatus status = errAuthorizationDenied; + __block engine_t engine = NULL; + rule_t rule = NULL; + authdb_connection_t dbconn = NULL; + + process_t proc = connection_get_process(conn); + + auth_token_t auth = NULL; + status = _process_find_copy_auth_token_from_xpc(proc, message, &auth); + require_noerr(status, done); + + dbconn = authdb_connection_acquire(server_get_database()); + + rule = rule_create_with_string(xpc_dictionary_get_string(message, AUTH_XPC_RIGHT_NAME), dbconn); + require(rule != NULL, done); + + if 
(_prompt_for_modifications(proc,rule)) { + authdb_connection_release(&dbconn); + + dispatch_sync(connection_get_dispatch_queue(conn), ^{ + engine = engine_create(conn, auth); + connection_set_engine(conn, engine); + status = engine_verify_modification(engine, rule, true, false); + connection_set_engine(conn, NULL); + }); + require_noerr(status, done); + + dbconn = authdb_connection_acquire(server_get_database()); + } + + if (rule_get_id(rule) != 0) { + rule_sql_remove(rule, dbconn); + } + +done: + authdb_connection_release(&dbconn); + CFReleaseSafe(auth); + CFReleaseSafe(rule); + CFReleaseSafe(engine); + LOGV("server[%i]: AuthorizationRightRemove %d", connection_get_pid(conn), (int)status); + return status; +} + +#pragma mark - +#pragma mark test code + +OSStatus +session_set_user_preferences(connection_t conn, xpc_object_t message, xpc_object_t reply) +{ + (void)conn; + (void)message; + (void)reply; + return errAuthorizationSuccess; +} + +void +server_dev() { +// rule_t rule = rule_create_with_string("system.preferences.accounts"); +// CFDictionaryRef dict = rule_copy_to_cfobject(rule); +// _show_cf(dict); +// CFReleaseSafe(rule); +// CFReleaseSafe(dict); + +// auth_items_t config = NULL; +// double d2 = 0, d1 = 5; +// authdb_get_key_value(server_get_authdb_reader(), "config", &config); +// auth_items_set_double(config, "test", d1); +// d2 = auth_items_get_double(config, "test"); +// LOGV("d1=%f d2=%f", d1, d2); +// CFReleaseSafe(config); + + +// auth_items_t items = auth_items_create(); +// auth_items_set_string(items, "test", "testing 1"); +// auth_items_set_string(items, "test2", "testing 2"); +// auth_items_set_string(items, "test3", "testing 3"); +// auth_items_set_flags(items, "test3", 4); +// auth_items_set_string(items, "apple", "apple"); +// auth_items_set_flags(items, "apple", 1); +// auth_items_set_int(items, "int", 45); +// auth_items_set_flags(items, "int", 2); +// auth_items_set_bool(items, "true", true); +// auth_items_set_bool(items, "false", 
false); +// auth_items_set(items, "com.apple."); +// auth_show(items); +// LOGD("Yeah it works: %s", auth_items_get_string(items, "test3")); +// LOGD("Yeah it works: %i", auth_items_get_bool(items, "true")); +// LOGD("Yeah it works: %i", auth_items_get_bool(items, "false")); +// LOGD("Yeah it works: %i", auth_items_get_int(items, "int")); +// (void)auth_items_get_bool(items, "test3"); +// AuthorizationItemSet * itemSet = auth_items_get_item_set(items); +// for (uint32_t i = 0; i < itemSet->count; i++) { +// LOGD("item: %s", itemSet->items[i].name); +// } +// +// xpc_object_t xpcdata = SerializeItemSet(auth_items_get_item_set(items)); +// auth_items_t items2 = auth_items_create_with_xpc(xpcdata); +// xpc_release(xpcdata); +// auth_items_remove_with_flags(items2, 7); +//// auth_items_set_string(items2, "test3", "testing 3 very good"); +// auth_items_copy_with_flags(items2, items, 7); +// LOGD("Yeah it works: %s", auth_items_get_string(items2, "test3")); +// auth_show(items2); +// CFReleaseSafe(items2); +// +// CFReleaseSafe(items); +} + diff --git a/Security/authd/server.h b/OSX/authd/server.h similarity index 100% rename from Security/authd/server.h rename to OSX/authd/server.h diff --git a/Security/authd/session.c b/OSX/authd/session.c similarity index 100% rename from Security/authd/session.c rename to OSX/authd/session.c diff --git a/Security/authd/session.h b/OSX/authd/session.h similarity index 100% rename from Security/authd/session.h rename to OSX/authd/session.h diff --git a/Security/cloud_keychain_diagnose/cloud_keychain_diagnose-Prefix.pch b/OSX/cloud_keychain_diagnose/cloud_keychain_diagnose-Prefix.pch similarity index 100% rename from Security/cloud_keychain_diagnose/cloud_keychain_diagnose-Prefix.pch rename to OSX/cloud_keychain_diagnose/cloud_keychain_diagnose-Prefix.pch diff --git a/OSX/codesign_tests/CaspianTests/CaspianTests b/OSX/codesign_tests/CaspianTests/CaspianTests new file mode 100755 index 00000000..241645c8 --- /dev/null 
+++ b/OSX/codesign_tests/CaspianTests/CaspianTests 
@@ -0,0 +1,275 @@ +#!/bin/sh + +# only zin or newer +if expr "$(sw_vers -buildVersion)" : "1[2-9].*[A-Z]" >/dev/null; then + : +# only or SULionDuchess or newer +elif expr "$(sw_vers -buildVersion)" : "11.*[D-Z]" >/dev/null; then + : +else + exit 0 +fi + +v=: + +fails=0 +t=$(mktemp -d /tmp/csXXXXXX) + +runTest () { + test=$1 + shift; + echo "[BEGIN] ${test}" + + ${v} echo cmd: "$@" + "$@" > $t/outfile.txt 2>&1 + res=$? + [ $res != 0 ] && res=1 #normalize + + if expr "$test" : "fail" > /dev/null; then + exp=1 + else + exp=0 + fi + + + if [ $res = $exp ]; then + echo "[PASS] ${test}" + else + cat $t/outfile.txt + echo "[FAIL] ${test}" + fails=$(expr $fails + 1) + fi + rm -f $t/outfile.txt +} + +runTest isroot test $UID = 0 +runTest disable-tests spctl --master-disable +runTest disable-check eval "spctl --status | grep disable > /dev/null" +runTest enable-tests spctl --master-enable +runTest enable-check eval "spctl --status | grep enable >/dev/null" + +runTest enable-tests spctl --test-devid-enable +runTest enable-check eval "spctl --test-devid-status | grep enable >/dev/null" + + +runTest exec-ls spctl -a -t exec /bin/ls +runTest fail-open-txt spctl -a -t open /usr/local/OpenSourceLicenses/xar.txt +runTest fail-open-pdf spctl -a -t open /usr/share//cups/ipptool/testfile.pdf + +app=XXXXX + +selfsign () { + b=$(basename "$2") + + cp -r "$2" ${t}/"${b}" + codesign -s - -f ${t}/"${b}" > /dev/null 2>&1 || exit 1 + + eval $1=\${t}/\${b} +} + +selfsign lsbin /bin/ls +selfsign sysprefs /Applications/System\ Preferences.app + +runTest unpack-caspian-tests tar Cxf $t /AppleInternal/CoreOS/codesign_tests/caspian-tests.tar.gz +runTest unpack-caspian-test-apple-script tar Cxvf $t /AppleInternal/CoreOS/codesign_tests/broken-AppleScript-app.tgz + +ct="$t/caspian-tests/tests" + +runTest fail-exec-ls spctl -a -t exec $lsbin +runTest fail-exec-ls spctl -a -t exec "$sysprefs" + +runTest disable-tests2 spctl --master-disable +runTest disable-check2 eval "spctl --status | grep disable > 
/dev/null" + +runTest exec-ls spctl -a -t exec $lsbin +runTest exec-ls spctl -a -t exec "$sysprefs" + +runTest enable-tests3 spctl --master-enable +runTest enable-check3 eval "spctl --status | grep enable > /dev/null" + +xardir=/AppleInternal/CoreOS/codesign_tests/xar + +caspianvalid="OSUpgrade-XBS Nothing-valid Nothing-noocsp Nothing-expired" +caspianinvalid="Nothing-adhoc Nothing-revoked Nothing-unsigned" +applescriptbroken="Broken.app" + +runTest fail-install-no-existant-file spctl -a -t install ${xardir}/really-i-dont-exists.pkg + +for a in Nothing-bnisigned ; do + runTest install-${a} spctl -a -t install ${xardir}/${a}.pkg +done +for a in old-sig new-sig ; do + runTest fail-install-${a} spctl -a -t install ${xardir}/${a}.pkg +done +for a in ${caspianvalid}; do + runTest install-${a} spctl -a -t install ${ct}/${a}.pkg +done +for a in ${caspianinvalid}; do + runTest fail-install-${a} spctl -a -t install ${ct}/${a}.pkg +done +for a in ${applescriptbroken}; do + runTest fail-install-${a} spctl -a -t install ${t}/${a}.pkg +done + +runTest disable-tests3 spctl --master-disable +runTest disable-check3 eval "spctl --status | grep disable > /dev/null" + +for a in Nothing-bnisigned; do + runTest install-${a} spctl -a -t install ${xardir}/${a}.pkg +done +for a in ${caspianvalid} ${caspianinvalid}; do + runTest install-master-disabled-${a} spctl -a -t install ${xardir}/${a}.pkg +done + +# +# check path based --add/--disable/--remove +# + +runTest enable-tests4 spctl --master-enable +runTest enable-check4 eval "spctl --status | grep enable > /dev/null" + +runTest copyTextEdit cp -R /Applications/TextEdit.app $t/MyTextEdit.app +runTest codesignMyTextEdit codesign -f -s - $t/MyTextEdit.app + +runTest fail-run-MyTextEdit1 spctl -a -t exec $t/MyTextEdit.app +runTest add-MyTextEdit spctl --add --path $t/MyTextEdit.app +runTest assess-MyTextEdit2 spctl -a -t exec $t/MyTextEdit.app + +runTest disable-MyTextEdit spctl --disable --path $t/MyTextEdit.app +runTest 
fail-assess-MyTextEdit3 spctl -a -t exec $t/MyTextEdit.app + +runTest enable-MyTextEdit spctl --enable --path $t/MyTextEdit.app +runTest assess-MyTextEdit4 spctl -a -t exec $t/MyTextEdit.app + +runTest remove-MyTextEdit spctl --remove --path $t/MyTextEdit.app +runTest fail-assess-MyTextEdit5 spctl -a -t exec $t/MyTextEdit.app + +runTest disable-tests4 spctl --master-disable +runTest disable-check4 eval "spctl --status | grep disable > /dev/null" + +runTest assess-MyTextEdit6 spctl -a -t exec $t/MyTextEdit.app + +# +# check label based --add/--disable/--remove +# + +runTest enable-tests7 spctl --master-enable +runTest enable-check7 eval "spctl --status | grep enable > /dev/null" + +runTest fail-run-MyTextEdit1 spctl -a -t exec $t/MyTextEdit.app +runTest add-MyTextEdit spctl --add --label CaspianTest --path $t/MyTextEdit.app +runTest assess-MyTextEdit2 spctl -a -t exec $t/MyTextEdit.app + +runTest disable-MyTextEdit spctl --disable --label CaspianTest +runTest fail-assess-MyTextEdit3 spctl -a -t exec $t/MyTextEdit.app + +runTest enable-MyTextEdit spctl --enable --label CaspianTest +runTest assess-MyTextEdit4 spctl -a -t exec $t/MyTextEdit.app + +runTest remove-MyTextEdit spctl --remove --label CaspianTest +runTest fail-assess-MyTextEdit5 spctl -a -t exec $t/MyTextEdit.app + +runTest disable-tests8 spctl --master-disable +runTest disable-check8 eval "spctl --status | grep disable > /dev/null" + +runTest assess-MyTextEdit6 spctl -a -t exec $t/MyTextEdit.app + +# +# check adding certificate based --add/--disable/--remove +# + +runTest enable-tests9 spctl --master-enable +runTest enable-check9 eval "spctl --status | grep enable > /dev/null" + +# clear out existing rules +spctl --remove --label CapsianTest-apple-root > /dev/null 2>&1 + +runTest add-add-anchor-by-label spctl --add --label CapsianTest-apple-root --anchor 611E5B662C593A08FF58D14AE22452D198DF6C60 +runTest add-remove-by-label spctl --remove --label CapsianTest-apple-root + +runTest disable-tests10 spctl 
--master-disable +runTest disable-check10 eval "spctl --status | grep disable > /dev/null" + +# +# check devid is still revoked while caspian is disabled +# + +runTest fail-0-hello-revoked spctl -a -t exec ${ct}/hello-revoked +runTest 0-hello-expired spctl -a -t exec ${ct}/hello-expired + +# +# check enabled w/o devid +# + +runTest enable-tests11 spctl --master-enable +runTest enable-check11 eval "spctl --status | grep enable > /dev/null" + +runTest fail-1-hello-revoked spctl -a -t exec ${ct}/hello-revoked +#runTest fail-1-hello-expired spctl -a -t exec ${ct}/hello-expired #### failes because of broken ocsp + +# +# check with devid +# + +runTest enable-tests11 spctl --test-devid-enable +runTest enable-check11 eval "spctl --test-devid-status | grep enable > /dev/null" + +runTest fail-1id-hello-revoked spctl -a -t exec ${ct}/hello-revoked +runTest 1id-hello-expired spctl -a -t exec ${ct}/hello-expired + +# +# +# + +runTest disable-tests11 spctl --master-disable +runTest disable-check11 eval "spctl --status | grep disable > /dev/null" + +# +# Check that Capsian is on/off by default +# + +case $(sw_vers -buildVersion) in + 11*) status=disable ;; + 12A154*) status=disable ;; ## was disabled for ZinDP2 + *) status=enable ;; +esac + +rm -f /var/db/.sp_visible /var/db/SystemPolicy-prefs.plist +notifyutil -p com.apple.security.assessment.masterswitch + +runTest enable-check11 eval "spctl --status | grep $status > /dev/null" + +# +# check that --list works +# + +case $(sw_vers -buildVersion) in + 11*) ;; + 12A178*) ;; #disable in dp3 + *) + + runTest checkSystemRule eval "spctl --list | grep 'P0 allow execute'" + runTest addTextEdit spctl --add --path /Applications/TextEdit.app + runTest checkTextEditInList eval "spctl --list | grep TextEdit" + runTest removeTextEdit spctl --remove --path /Applications/TextEdit.app + + runTest checkListRule2 spctl --list --rule 2 + + ;; + +esac + +# +# cleanup +# + +rm -rf $t + +if [ $fails != 0 ] ; then + echo "$fails caspian tests failed" 
+ exit 1 +else + echo "all caspian tests passed" +fi + +exit 0 diff --git a/OSX/codesign_tests/CaspianTests/LocalCaspianTestRun.sh b/OSX/codesign_tests/CaspianTests/LocalCaspianTestRun.sh new file mode 100755 index 00000000..a88e6e7c --- /dev/null +++ b/OSX/codesign_tests/CaspianTests/LocalCaspianTestRun.sh @@ -0,0 +1,15 @@ +#!/bin/sh + +# LocalCaspianTestRun.sh +# Security +# +# Created by Greg Kerr on 2/10/15. +# + +sudo ditto /SWE/Teams/CoreOS/SecEng/BATS/broken-AppleScript-app.tgz /AppleInternal/CoreOS/codesign_tests/ +sudo ditto /SWE/Teams/CoreOS/SecEng/BATS/caspian-tests.tar.gz /AppleInternal/CoreOS/codesign_tests/ +sudo ditto /SWE/Teams/CoreOS/SecEng/BATS/xar /AppleInternal/CoreOS/codesign_tests/xar +sudo chmod g+r /AppleInternal/CoreOS/codesign_tests/xar +sudo chmod o+r /AppleInternal/CoreOS/codesign_tests/xar + +sudo /AppleInternal/CoreOS/codesign_tests/CaspianTests \ No newline at end of file diff --git a/Security/codesign_tests/FatDynamicValidation.c b/OSX/codesign_tests/FatDynamicValidation.c similarity index 100% rename from Security/codesign_tests/FatDynamicValidation.c rename to OSX/codesign_tests/FatDynamicValidation.c diff --git a/OSX/codesign_tests/SecTask-Entitlements.plist b/OSX/codesign_tests/SecTask-Entitlements.plist new file mode 100644 index 00000000..5e977506 --- /dev/null +++ b/OSX/codesign_tests/SecTask-Entitlements.plist @@ -0,0 +1,9 @@ + + + + + com.apple.security.some-entitlement + some-value + + + diff --git a/OSX/codesign_tests/main.c b/OSX/codesign_tests/main.c new file mode 100644 index 00000000..8f8960ef --- /dev/null +++ b/OSX/codesign_tests/main.c 
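Review bot: `selfsign` aborts the whole run with `exit 1` when `codesign -s -` fails, which bypasses the `rm -rf $t` cleanup at the end and the failure summary, so ad-hoc re-signed copies of /bin/ls and System Preferences.app stay behind in the temp directory. `t=$(mktemp -d /tmp/csXXXXXX)` is likewise unchecked, and with `$t` empty the later `cp -r "$2" ${t}/"${b}"` would write under `/`. Register the cleanup once rather than relying on reaching the end of the script: `t=$(mktemp -d /tmp/csXXXXXX) || exit 1` followed by `trap 'rm -rf "$t"' EXIT`. The script also flips `spctl --master-disable` repeatedly with no handler that restores the assessment switch if it aborts between a disable and the matching enable, so an interrupted run can leave system policy assessment disabled on the test host; a `trap` that re-runs `spctl --master-enable` would close that gap as well.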
@@ -0,0 +1,33 @@ +// +// Copyright (c) 2011 Apple. All rights reserved. +// + +#include +#include +#include +#include + +int main (int argc, const char * argv[]) +{ + long num = 1000; + + while (num-- > 0) { + SecTaskRef secTask = SecTaskCreateFromSelf(NULL); + if (secTask == NULL) + errx(1, "SecTaskCreateFromSelf"); + + CFErrorRef error = NULL; + CFTypeRef value = SecTaskCopyValueForEntitlement(secTask, CFSTR("com.apple.security.some-entitlement"), &error); + if (value == NULL) + errx(1, "SecTaskCopyValueForEntitlement"); + + if (num == 1) + CFShow(value); + + CFRelease(value); + CFRelease(secTask); + } + + return 0; +} + diff --git a/OSX/codesign_tests/teamid.sh b/OSX/codesign_tests/teamid.sh new file mode 100755 index 00000000..75a82c27 --- /dev/null +++ b/OSX/codesign_tests/teamid.sh @@ -0,0 +1,17 @@ +#!/bin/bash + +echo "[TEST] team identifier verification" + +echo "[BEGIN] executable with false team identifier" + +MY_TEMP=$(mktemp /tmp/codesign.XXXXXX) +codesign --verify --verbose=3 $1 2> $MY_TEMP + +if grep -s "invalid or unsupported format for signature" $MY_TEMP +then + echo "[PASS]" +else + echo "[FAIL]" +fi +rm -f $MY_TEMP + diff --git a/Security/codesign_tests/validation.sh b/OSX/codesign_tests/validation.sh similarity index 82% rename from Security/codesign_tests/validation.sh rename to OSX/codesign_tests/validation.sh index c4398936..4ebb1bde 100755 --- a/Security/codesign_tests/validation.sh +++ b/OSX/codesign_tests/validation.sh @@ -14,7 +14,7 @@ fi echo "[BEGIN] Dynamic validate a universal binary" -/AppleInternal/CoreOS/codesign_tests/codesign_tests & +$1 & pid=$! codesign --verify --verbose=3 $! @@ -27,7 +27,7 @@ fi echo "[BEGIN] Dynamic validate a universal binary, 32 bit slice" -arch -i386 /AppleInternal/CoreOS/codesign_tests/codesign_tests & +arch -i386 $1 & pid=$! codesign --verify --verbose=3 $! diff --git a/OSX/config/base.xcconfig b/OSX/config/base.xcconfig new file mode 100644 index 00000000..930d45ed --- /dev/null 
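Review bot: The failure branch `if (value == NULL) errx(1, "SecTaskCopyValueForEntitlement");` throws away the CFErrorRef that the call fills in via `&error`, so the test output cannot tell an entitlement that is simply absent from the signed binary (NULL value with no error, as the API is documented) from a task query that actually failed. Print it before exiting: `if (value == NULL) { if (error) CFShow(error); errx(1, "SecTaskCopyValueForEntitlement"); }`. `argc` and `argv` are unused; `int main(void)` or `(void)argc; (void)argv;` keeps the unused-parameter warnings quiet. The `#include` targets appear to have been lost in rendering, so I cannot confirm that the header providing `errx` is included.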
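Review bot: teamid.sh always exits 0, so the `[FAIL]` branch is only visible in the log and a harness running this script cannot detect the regression; add `exit 1` in the `else` branch, or keep a status variable and `exit $status` after `rm -f $MY_TEMP`. `$1` is used unquoted and unchecked in `codesign --verify --verbose=3 $1 2> $MY_TEMP`; with no argument codesign would most likely print a usage error that does not match the grep, and the test reports `[FAIL]` for the wrong reason, so guard it with `[ -n "$1" ] || { echo "usage: $0 <binary>"; exit 2; }` and quote `"$1"`. `mktemp` is unchecked too: `MY_TEMP=$(mktemp /tmp/codesign.XXXXXX) || exit 2`.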
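Review bot: In validation.sh the new `$1 &` is unquoted and nothing in the hunk checks that an argument was supplied; with `$1` empty the backgrounded command is empty and `$!` then refers to a process that exits immediately (exact behaviour varies by shell), so `codesign --verify --verbose=3 $!` fails on the wrong thing. The same applies to the second hunk, `arch -i386 $1 &`. The script's head and its existing checks are outside this view; validate once near the top, `[ -x "$1" ] || { echo "usage: $0 <universal-binary>"; exit 2; }`, and write `"$1" &` and `arch -i386 "$1" &` in the two hunks.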
+++ b/OSX/config/base.xcconfig @@ -0,0 +1,18 @@ +SDKROOT = macosx.internal + +ARCHS = $(ARCHS_STANDARD_32_64_BIT) +CODE_SIGN_IDENTITY = -; +GCC_VERSION = com.apple.compilers.llvm.clang.1_0 +DEBUG_INFORMATION_FORMAT = dwarf-with-dsym +CURRENT_PROJECT_VERSION = $(RC_ProjectSourceVersion) +VERSIONING_SYSTEM = apple-generic; + +DEAD_CODE_STRIPPING = YES + +// Debug symbols should be on obviously +GCC_GENERATE_DEBUGGING_SYMBOLS = YES +COPY_PHASE_STRIP = NO +STRIP_STYLE = debugging +STRIP_INSTALLED_PRODUCT = NO + +WARNING_CFLAGS = -Wno-deprecated-declarations $(inherited) diff --git a/OSX/config/command.xcconfig b/OSX/config/command.xcconfig new file mode 100644 index 00000000..5199da44 --- /dev/null +++ b/OSX/config/command.xcconfig @@ -0,0 +1,15 @@ +// +// command.xcconfig +// Security +// +// Created by J Osborne on 1/10/13. +// +// + +#include "base.xcconfig" + +HEADER_SEARCH_PATHS = $(PROJECT_DIR) $(PROJECT_DIR)/security2 $(PROJECT_DIR)/utilities $(PROJECT_DIR)/sec/ProjectHeaders + +STRIP_STYLE = all +STRIP_INSTALLED_PRODUCT = YES +DEPLOYMENT_POSTPROCESSING = NO diff --git a/Security/config/debug.xcconfig b/OSX/config/debug.xcconfig similarity index 100% rename from Security/config/debug.xcconfig rename to OSX/config/debug.xcconfig diff --git a/OSX/config/executable.xcconfig b/OSX/config/executable.xcconfig new file mode 100644 index 00000000..fc2ad4e2 --- /dev/null +++ b/OSX/config/executable.xcconfig @@ -0,0 +1,9 @@ +#include "base.xcconfig" + +PRODUCT_NAME = $(TARGET_NAME) + +HEADER_SEARCH_PATHS = $(inherited) $(PROJECT_DIR)/sec/ProjectHeaders + +STRIP_STYLE = all +STRIP_INSTALLED_PRODUCT = YES +DEPLOYMENT_POSTPROCESSING = NO diff --git a/OSX/config/lib.xcconfig b/OSX/config/lib.xcconfig new file mode 100644 index 00000000..467c0360 --- /dev/null +++ b/OSX/config/lib.xcconfig 
@@ -0,0 +1,26 @@ +#include "base.xcconfig" + +PRODUCT_NAME = $(TARGET_NAME) +EXECUTABLE_PREFIX = + +CODE_SIGN_IDENTITY = + +HEADER_SEARCH_PATHS = $(PROJECT_DIR)/../regressions $(PROJECT_DIR)/../include $(BUILT_PRODUCTS_DIR)/derived_src $(BUILT_PRODUCTS_DIR) $(PROJECT_DIR)/lib $(PROJECT_DIR)/../utilities $(inherited) + +SKIP_INSTALL = YES + +ALWAYS_SEARCH_USER_PATHS = YES + +GCC_C_LANGUAGE_STANDARD = gnu99 + +GCC_TREAT_WARNINGS_AS_ERRORS = YES; + +WARNING_CFLAGS = -Wno-error=#warnings -Wmost -Wno-four-char-constants -Wno-unknown-pragmas $(inherited) + +GCC_WARN_ABOUT_DEPRECATED_FUNCTIONS = NO + +GCC_SYMBOLS_PRIVATE_EXTERN = NO +GCC_WARN_64_TO_32_BIT_CONVERSION = YES +GCC_WARN_ABOUT_MISSING_PROTOTYPES = YES +GCC_WARN_ABOUT_RETURN_TYPE = YES +GCC_WARN_UNUSED_VARIABLE = YES diff --git a/Security/config/release.xcconfig b/OSX/config/release.xcconfig similarity index 100% rename from Security/config/release.xcconfig rename to OSX/config/release.xcconfig diff --git a/Security/config/security.xcconfig b/OSX/config/security.xcconfig similarity index 94% rename from Security/config/security.xcconfig rename to OSX/config/security.xcconfig index 57e604fc..fad4101e 100644 --- a/Security/config/security.xcconfig +++ b/OSX/config/security.xcconfig @@ -11,7 +11,7 @@ GCC_PRECOMPILE_PREFIX_HEADER = YES ALWAYS_SEARCH_USER_PATHS = NO -HEADER_SEARCH_PATHS = $(PROJECT_DIR)/include $(PROJECT_DIR)/sec/SOSCircle $(PROJECT_DIR)/utilities +HEADER_SEARCH_PATHS = $(PROJECT_DIR)/include $(PROJECT_DIR)/sec/ProjectHeaders $(PROJECT_DIR)/utilities //INSTALLHDRS_SCRIPT_PHASE = YES diff --git a/Security/config/test.xcconfig b/OSX/config/test.xcconfig similarity index 100% rename from Security/config/test.xcconfig rename to OSX/config/test.xcconfig diff --git a/Security/doc/ACLsInCDSA.cwk b/OSX/doc/ACLsInCDSA.cwk similarity index 100% rename from Security/doc/ACLsInCDSA.cwk rename to OSX/doc/ACLsInCDSA.cwk 
diff --git a/Security/doc/APIStrategy.cwk b/OSX/doc/APIStrategy.cwk
similarity index 100%
rename from Security/doc/APIStrategy.cwk
rename to OSX/doc/APIStrategy.cwk
diff --git a/Security/doc/AccessControlArchitecture.cwk b/OSX/doc/AccessControlArchitecture.cwk
similarity index 100%
rename from Security/doc/AccessControlArchitecture.cwk
rename to OSX/doc/AccessControlArchitecture.cwk
diff --git a/Security/doc/AppleCL_Spec.doc b/OSX/doc/AppleCL_Spec.doc
similarity index 100%
rename from Security/doc/AppleCL_Spec.doc
rename to OSX/doc/AppleCL_Spec.doc
diff --git a/Security/doc/AppleCSP.doc b/OSX/doc/AppleCSP.doc
similarity index 100%
rename from Security/doc/AppleCSP.doc
rename to OSX/doc/AppleCSP.doc
diff --git a/Security/doc/AppleTP_Spec.doc b/OSX/doc/AppleTP_Spec.doc
similarity index 100%
rename from Security/doc/AppleTP_Spec.doc
rename to OSX/doc/AppleTP_Spec.doc
diff --git a/Security/doc/Apple_OID_Assignments.rtf b/OSX/doc/Apple_OID_Assignments.rtf
similarity index 100%
rename from Security/doc/Apple_OID_Assignments.rtf
rename to OSX/doc/Apple_OID_Assignments.rtf
diff --git a/Security/doc/ArchitectureOverview.cwk b/OSX/doc/ArchitectureOverview.cwk
similarity index 100%
rename from Security/doc/ArchitectureOverview.cwk
rename to OSX/doc/ArchitectureOverview.cwk
diff --git a/Security/doc/C++Utilities.cwk b/OSX/doc/C++Utilities.cwk
similarity index 100%
rename from Security/doc/C++Utilities.cwk
rename to OSX/doc/C++Utilities.cwk
diff --git a/Security/doc/DebuggingAids.cwk b/OSX/doc/DebuggingAids.cwk
similarity index 100%
rename from Security/doc/DebuggingAids.cwk
rename to OSX/doc/DebuggingAids.cwk
diff --git a/Security/doc/HowToWriteA_CSP.cwk b/OSX/doc/HowToWriteA_CSP.cwk
similarity index 100%
rename from Security/doc/HowToWriteA_CSP.cwk
rename to OSX/doc/HowToWriteA_CSP.cwk
diff --git a/Security/doc/HowToWriteA_Plugin.cwk b/OSX/doc/HowToWriteA_Plugin.cwk
similarity index 100%
rename from Security/doc/HowToWriteA_Plugin.cwk
rename to OSX/doc/HowToWriteA_Plugin.cwk
diff --git a/Security/doc/SecuritySupport.doc b/OSX/doc/SecuritySupport.doc
similarity index 100%
rename from Security/doc/SecuritySupport.doc
rename to OSX/doc/SecuritySupport.doc
diff --git a/Security/doc/Supported_CSP_Algorithms.doc b/OSX/doc/Supported_CSP_Algorithms.doc
similarity index 100%
rename from Security/doc/Supported_CSP_Algorithms.doc
rename to OSX/doc/Supported_CSP_Algorithms.doc
diff --git a/Security/doc/cwk_styles b/OSX/doc/cwk_styles
similarity index 100%
rename from Security/doc/cwk_styles
rename to OSX/doc/cwk_styles
diff --git a/OSX/gk_reset_check/gk_reset_check.c b/OSX/gk_reset_check/gk_reset_check.c
new file mode 100644
index 00000000..adc39a89
--- /dev/null
+++ b/OSX/gk_reset_check/gk_reset_check.c
@@ -0,0 +1,19 @@
+//
+// main.c
+// gk_reset_check
+//
+// Created by Greg on 12/19/14.
+//
+//
+
+#include
+#include
+
+int main(int argc, const char * argv[]) {
+ // Do not override configuration profiles on users machine
+ if (CFPreferencesAppValueIsForced(CFSTR("EnableAssessment"), CFSTR("com.apple.systempolicy.control")) == true ||
+ CFPreferencesAppValueIsForced(CFSTR("AllowIdentifiedDevelopers"), CFSTR("com.apple.systempolicy.control")) == true) {
+ return 1;
+ }
+ return 0;
+}
diff --git a/OSX/include/security_asn1/SecAsn1Coder.c b/OSX/include/security_asn1/SecAsn1Coder.c
new file mode 100644
index 00000000..e72dd1a2
--- /dev/null
+++ b/OSX/include/security_asn1/SecAsn1Coder.c
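Review bot: In gk_reset_check.c the exit status is the program's only output, and `return 1` means "a managed preference forces EnableAssessment or AllowIdentifiedDevelopers, so do not reset", which reads as a failure to a caller and is not documented anywhere in the file; the existing comment explains the intent but not the contract. Put it on `main`: `// Exit 1 when either com.apple.systempolicy.control key is forced by a managed preference (the caller must not reset the assessment settings), 0 when it is safe to proceed.` The tool's name suggests it gates a Gatekeeper reset, but that is an inference and should be confirmed in the comment. `argc` and `argv` are unused, so `int main(void)` avoids unused-parameter warnings, and the `== true` comparisons on a Boolean return are redundant: `if (CFPreferencesAppValueIsForced(...) || CFPreferencesAppValueIsForced(...)) {` reads cleaner.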
@@ -0,0 +1,225 @@ +/* + * Copyright (c) 2003-2006,2008-2013 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + * + * SecAsn1Coder.h: ANS1 encode/decode object, ANSI C version. + */ + +#include "SecAsn1Coder.h" +#include "plarenas.h" +#include "prerror.h" +#include "seccomon.h" +#include "secasn1.h" +#include + +/* + * Default chunk size for new arena pool. + * FIXME: analyze & measure different defaults here. I'm pretty sure + * that only performance - not correct behavior - is affected by + * an arena pool's chunk size. + */ +#define CHUNKSIZE_DEF 1024 + +/* + * Caller's SecAsn1CoderRef points to one of these. + */ +typedef struct SecAsn1Coder { + PLArenaPool *mPool; +} SecAsn1Coder_t; + +/* + * Create/destroy SecAsn1Coder object. 
+ */ +OSStatus SecAsn1CoderCreate( + SecAsn1CoderRef *coder) +{ + if(coder == NULL) { + return errSecParam; + } + SecAsn1CoderRef _coder = (SecAsn1CoderRef)malloc(sizeof(SecAsn1Coder_t)); + _coder->mPool = PORT_NewArena(CHUNKSIZE_DEF); + if(_coder->mPool == NULL) { + free(_coder); + return errSecAllocate; + } + *coder = _coder; + return errSecSuccess; +} + +OSStatus SecAsn1CoderRelease( + SecAsn1CoderRef coder) +{ + if(coder == NULL) { + return errSecParam; + } + if(coder->mPool != NULL) { + /* + * Note: we're asking for a memory zero here, but + * PORT_FreeArena doesn't do that (yet). + */ + PORT_FreeArena(coder->mPool, PR_TRUE); + coder->mPool = NULL; + } + free(coder); + return errSecSuccess; +} + +/* + * DER decode an untyped item per the specified template array. + * The result is allocated in this SecAsn1Coder's memory pool and + * is freed when this object is released. + * + * The dest pointer is a template-specific struct allocated by the caller + * and must be zeroed by the caller. + */ +OSStatus SecAsn1Decode( + SecAsn1CoderRef coder, + const void *src, // DER-encoded source + size_t len, + const SecAsn1Template *templ, + void *dest) +{ + if((coder == NULL) || (src == NULL) || (templ == NULL) || (dest == NULL)) { + return errSecParam; + } + SECStatus prtn = SEC_ASN1Decode(coder->mPool, dest, templ, (const char *)src, len); + if(prtn) { + return errSecDecode; + } + else { + return errSecSuccess; + } +} + +/* + * Convenience routine, decode from a SecAsn1Item. + */ +OSStatus SecAsn1DecodeData( + SecAsn1CoderRef coder, + const SecAsn1Item *src, + const SecAsn1Template *templ, + void *dest) +{ + return SecAsn1Decode(coder, src->Data, src->Length, templ, dest); +} + +/* + * DER encode. The encoded data (in dest.Data) is allocated in this + * SecAsn1Coder's memory pool and is freed when this object is released. + * + * The src pointer is a template-specific struct. 
+ */ +OSStatus SecAsn1EncodeItem( + SecAsn1CoderRef coder, + const void *src, + const SecAsn1Template *templ, + SecAsn1Item *dest) +{ + if((coder == NULL) || (src == NULL) || (templ == NULL) || (dest == NULL)) { + return errSecParam; + } + dest->Data = NULL; + dest->Length = 0; + + SecAsn1Item *rtnItem = SEC_ASN1EncodeItem(coder->mPool, dest, src, templ); + if(rtnItem == NULL) { + /* FIXME what to return here? */ + return errSecParam; + } + else { + return errSecSuccess; + } +} + +/* + * Some alloc-related methods which come in handy when using + * this object. All memory is allocated using this object's + * memory pool. Caller never has to free it. Used for + * temp allocs of memory which only needs a scope which is the + * same as this object. + * + * These return a errSecAllocate in the highly unlikely event of + * a malloc failure. + */ +void *SecAsn1Malloc( + SecAsn1CoderRef coder, + size_t len) +{ +#pragma clang diagnostic push +#pragma clang diagnostic ignored "-Wnonnull" + // After introducing nullability annotations, coder is supposed to be nonnull, suppress the warning + if(coder == NULL) { + return NULL; + } +#pragma clang diagnostic pop + return PORT_ArenaAlloc(coder->mPool, len); +} + +/* malloc item.Data, set item.Length */ +OSStatus SecAsn1AllocItem( + SecAsn1CoderRef coder, + SecAsn1Item *item, + size_t len) +{ + if((coder == NULL) || (item == NULL)) { + return errSecParam; + } + item->Data = (uint8_t *)PORT_ArenaAlloc(coder->mPool, len); + if(item->Data == NULL) { + return errSecAllocate; + } + item->Length = len; + return errSecSuccess; +} + +/* malloc and copy, various forms */ +OSStatus SecAsn1AllocCopy( + SecAsn1CoderRef coder, + const void *src, + size_t len, + SecAsn1Item *dest) +{ + if(src == NULL) { + return errSecParam; + } + OSStatus ortn = SecAsn1AllocItem(coder, dest, len); + if(ortn) { + return ortn; + } + memmove(dest->Data, src, len); + return errSecSuccess; +} + +OSStatus SecAsn1AllocCopyItem( + SecAsn1CoderRef coder, + const 
SecAsn1Item *src, + SecAsn1Item *dest) +{ + return SecAsn1AllocCopy(coder, src->Data, src->Length, dest); +} + +bool SecAsn1OidCompare(const SecAsn1Oid *oid1, const SecAsn1Oid *oid2) { + if (!oid1 || !oid2) + return oid1 == oid2; + if (oid1->Length != oid2->Length) + return false; + return !memcmp(oid1->Data, oid2->Data, oid1->Length); +} diff --git a/OSX/include/security_asn1/SecAsn1Coder.h b/OSX/include/security_asn1/SecAsn1Coder.h new file mode 100644 index 00000000..00002aee --- /dev/null +++ b/OSX/include/security_asn1/SecAsn1Coder.h 
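Review bot: SecAsn1CoderCreate dereferences the result of malloc() without checking it: `_coder->mPool = PORT_NewArena(CHUNKSIZE_DEF);` runs on a NULL `_coder` when allocation fails, even though the function's own `errSecAllocate` path shows it meant to handle allocation failure; add `if (_coder == NULL) { return errSecAllocate; }` directly after the malloc. Separately, the comment in SecAsn1CoderRelease admits that `PORT_FreeArena(coder->mPool, PR_TRUE)` does not actually zero the arena, so anything decoded through this coder is left behind in freed memory (key material is a plausible case given the key and certificate templates this library ships); callers that care must scrub their decoded items before release, and that caveat belongs in the header's Release documentation. Also, SecAsn1DecodeData and SecAsn1AllocCopyItem dereference `src` with no NULL check, unlike SecAsn1Decode and SecAsn1AllocCopy; this may be intentional under CF_ASSUME_NONNULL, but it is inconsistent with the checks the other entry points keep.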
@@ -0,0 +1,153 @@ +/* + * Copyright (c) 2003-2006,2008-2013 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + * + * SecAsn1Coder.h: ANS1 encode/decode object. + * + * A SecAsn1Coder is capable of encoding and decoding both DER and BER data + * streams, based on caller-supplied templates which in turn are based + * upon ASN.1 specifications. A SecAsn1Coder allocates memory during encode + * and decode using a memory pool which is owned and managed by the SecAsn1Coder + * object, and which is freed when the SecAsn1Coder object os released. + */ + +#ifndef _SEC_ASN1_CODER_H_ +#define _SEC_ASN1_CODER_H_ + +#include +#include +#include +#include /* error codes */ + +#ifdef __cplusplus +extern "C" { +#endif + +CF_ASSUME_NONNULL_BEGIN + +/* + * Opaque reference to a SecAsn1Coder object. + */ +typedef struct SecAsn1Coder *SecAsn1CoderRef; + +/* + * Create/destroy SecAsn1Coder object. 
+ */ +OSStatus SecAsn1CoderCreate( + SecAsn1CoderRef __nullable * __nonnull coder); + +OSStatus SecAsn1CoderRelease( + SecAsn1CoderRef coder); + +/* + * DER decode an untyped item per the specified template array. + * The result is allocated in this SecAsn1Coder's memory pool and + * is freed when this object is released. + * + * The templates argument points to a an array of SecAsn1Templates + * defining the object to be decoded; the end of the array is + * indicated by a SecAsn1Template with file kind equalling 0. + * + * The dest pointer is a template-specific struct allocated by the caller + * and must be zeroed by the caller. + * + * Returns errSecUnknownFormat on decode-specific error. + */ +OSStatus SecAsn1Decode( + SecAsn1CoderRef coder, + const void *src, // DER-encoded source + size_t len, + const SecAsn1Template *templates, + void *dest); + +/* + * Convenience routine, decode from a SecAsn1Item. + */ +OSStatus SecAsn1DecodeData( + SecAsn1CoderRef coder, + const SecAsn1Item *src, + const SecAsn1Template *templ, + void *dest); + +/* + * DER encode. The encoded data (in dest.Data) is allocated in this + * SecAsn1Coder's memory pool and is freed when this object is released. + * + * The src pointer is a template-specific struct. + * + * The templates argument points to a an array of SecAsn1Templates + * defining the object to be decoded; the end of the array is + * indicated by a SecAsn1Template with file kind equalling 0. + */ +OSStatus SecAsn1EncodeItem( + SecAsn1CoderRef coder, + const void *src, + const SecAsn1Template *templates, + SecAsn1Item *dest); + +/* + * Some alloc-related methods which come in handy when using + * this object. All memory is allocated using this object's + * memory pool. Caller never has to free it. Used for + * temp allocs of memory which only needs a scope which is the + * same as this object. + * + * All except SecAsn1Malloc return a errSecAllocate in the highly + * unlikely event of a malloc failure. 
+ * + * SecAsn1Malloc() returns a pointer to allocated memory, like + * malloc(). + */ +void *SecAsn1Malloc( + SecAsn1CoderRef coder, + size_t len); + +/* Allocate item.Data, set item.Length */ +OSStatus SecAsn1AllocItem( + SecAsn1CoderRef coder, + SecAsn1Item *item, + size_t len); + +/* Allocate and copy, various forms */ +OSStatus SecAsn1AllocCopy( + SecAsn1CoderRef coder, + const void *src, /* memory copied from here */ + size_t len, /* length to allocate & copy */ + SecAsn1Item *dest); /* dest->Data allocated and copied to; + * dest->Length := len */ + +OSStatus SecAsn1AllocCopyItem( + SecAsn1CoderRef coder, + const SecAsn1Item *src, /* src->Length bytes allocated and copied from + * src->Data */ + SecAsn1Item *dest); /* dest->Data allocated and copied to; + * dest->Length := src->Length */ + +/* Compare two decoded OIDs. Returns true iff they are equivalent. */ +bool SecAsn1OidCompare(const SecAsn1Oid *oid1, const SecAsn1Oid *oid2); + +CF_ASSUME_NONNULL_END + +#ifdef __cplusplus +} +#endif + +#endif /* _SEC_ASN1_CODER_H_ */ diff --git a/Security/libsecurity_asn1/lib/SecAsn1Templates.c b/OSX/include/security_asn1/SecAsn1Templates.c similarity index 100% rename from Security/libsecurity_asn1/lib/SecAsn1Templates.c rename to OSX/include/security_asn1/SecAsn1Templates.c diff --git a/OSX/include/security_asn1/SecAsn1Templates.h b/OSX/include/security_asn1/SecAsn1Templates.h new file mode 100644 index 00000000..800e1264 --- /dev/null +++ b/OSX/include/security_asn1/SecAsn1Templates.h 
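Review bot: The SecAsn1Decode comment states `Returns errSecUnknownFormat on decode-specific error.`, but the implementation in SecAsn1Coder.c returns `errSecDecode` when SEC_ASN1Decode fails, so a caller testing for the documented code will miss decode failures; change the line to ` * Returns errSecDecode on decode-specific error.` The SecAsn1EncodeItem comment is copied from the decoder and says the templates define "the object to be decoded"; it should read `defining the object to be encoded`. SecAsn1EncodeItem's failure return is also undocumented (the .c returns errSecParam behind a FIXME), which is worth stating so callers do not mistake an encoding failure for a bad argument.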
@@ -0,0 +1,135 @@ +/* + * Copyright (c) 2003-2006,2008,2010-2012 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + * + * SecAsn1Templates.h - Common ASN1 primitive templates for use with SecAsn1Coder. 
+ */ + +#ifndef _SEC_ASN1_TEMPLATES_H_ +#define _SEC_ASN1_TEMPLATES_H_ + +#include + +#ifdef __cplusplus +extern "C" { +#endif + +CF_ASSUME_NONNULL_BEGIN + +/************************************************************************/ + +/* + * Generic Templates + * One for each of the simple types, plus a special one for ANY, plus: + * - a pointer to each one of those + * - a set of each one of those + * - a sequence of each one of those + */ + +extern const SecAsn1Template kSecAsn1AnyTemplate[]; +extern const SecAsn1Template kSecAsn1BitStringTemplate[]; +extern const SecAsn1Template kSecAsn1BMPStringTemplate[]; +extern const SecAsn1Template kSecAsn1BooleanTemplate[]; +extern const SecAsn1Template kSecAsn1EnumeratedTemplate[]; +extern const SecAsn1Template kSecAsn1GeneralizedTimeTemplate[]; +extern const SecAsn1Template kSecAsn1IA5StringTemplate[]; +extern const SecAsn1Template kSecAsn1IntegerTemplate[]; +extern const SecAsn1Template kSecAsn1UnsignedIntegerTemplate[]; +extern const SecAsn1Template kSecAsn1NullTemplate[]; +extern const SecAsn1Template kSecAsn1ObjectIDTemplate[]; +extern const SecAsn1Template kSecAsn1OctetStringTemplate[]; +extern const SecAsn1Template kSecAsn1PrintableStringTemplate[]; +extern const SecAsn1Template kSecAsn1T61StringTemplate[]; +extern const SecAsn1Template kSecAsn1UniversalStringTemplate[]; +extern const SecAsn1Template kSecAsn1UTCTimeTemplate[]; +extern const SecAsn1Template kSecAsn1UTF8StringTemplate[]; +extern const SecAsn1Template kSecAsn1VisibleStringTemplate[]; +extern const SecAsn1Template kSecAsn1TeletexStringTemplate[]; + +extern const SecAsn1Template kSecAsn1PointerToAnyTemplate[]; +extern const SecAsn1Template kSecAsn1PointerToBitStringTemplate[]; +extern const SecAsn1Template kSecAsn1PointerToBMPStringTemplate[]; +extern const SecAsn1Template kSecAsn1PointerToBooleanTemplate[]; +extern const SecAsn1Template kSecAsn1PointerToEnumeratedTemplate[]; +extern const SecAsn1Template kSecAsn1PointerToGeneralizedTimeTemplate[]; 
+extern const SecAsn1Template kSecAsn1PointerToIA5StringTemplate[]; +extern const SecAsn1Template kSecAsn1PointerToIntegerTemplate[]; +extern const SecAsn1Template kSecAsn1PointerToNullTemplate[]; +extern const SecAsn1Template kSecAsn1PointerToObjectIDTemplate[]; +extern const SecAsn1Template kSecAsn1PointerToOctetStringTemplate[]; +extern const SecAsn1Template kSecAsn1PointerToPrintableStringTemplate[]; +extern const SecAsn1Template kSecAsn1PointerToT61StringTemplate[]; +extern const SecAsn1Template kSecAsn1PointerToUniversalStringTemplate[]; +extern const SecAsn1Template kSecAsn1PointerToUTCTimeTemplate[]; +extern const SecAsn1Template kSecAsn1PointerToUTF8StringTemplate[]; +extern const SecAsn1Template kSecAsn1PointerToVisibleStringTemplate[]; +extern const SecAsn1Template kSecAsn1PointerToTeletexStringTemplate[]; + +extern const SecAsn1Template kSecAsn1SequenceOfAnyTemplate[]; +extern const SecAsn1Template kSecAsn1SequenceOfBitStringTemplate[]; +extern const SecAsn1Template kSecAsn1SequenceOfBMPStringTemplate[]; +extern const SecAsn1Template kSecAsn1SequenceOfBooleanTemplate[]; +extern const SecAsn1Template kSecAsn1SequenceOfEnumeratedTemplate[]; +extern const SecAsn1Template kSecAsn1SequenceOfGeneralizedTimeTemplate[]; +extern const SecAsn1Template kSecAsn1SequenceOfIA5StringTemplate[]; +extern const SecAsn1Template kSecAsn1SequenceOfIntegerTemplate[]; +extern const SecAsn1Template kSecAsn1SequenceOfNullTemplate[]; +extern const SecAsn1Template kSecAsn1SequenceOfObjectIDTemplate[]; +extern const SecAsn1Template kSecAsn1SequenceOfOctetStringTemplate[]; +extern const SecAsn1Template kSecAsn1SequenceOfPrintableStringTemplate[]; +extern const SecAsn1Template kSecAsn1SequenceOfT61StringTemplate[]; +extern const SecAsn1Template kSecAsn1SequenceOfUniversalStringTemplate[]; +extern const SecAsn1Template kSecAsn1SequenceOfUTCTimeTemplate[]; +extern const SecAsn1Template kSecAsn1SequenceOfUTF8StringTemplate[]; +extern const SecAsn1Template 
kSecAsn1SequenceOfVisibleStringTemplate[]; +extern const SecAsn1Template kSecAsn1SequenceOfTeletexStringTemplate[]; + +extern const SecAsn1Template kSecAsn1SetOfAnyTemplate[]; +extern const SecAsn1Template kSecAsn1SetOfBitStringTemplate[]; +extern const SecAsn1Template kSecAsn1SetOfBMPStringTemplate[]; +extern const SecAsn1Template kSecAsn1SetOfBooleanTemplate[]; +extern const SecAsn1Template kSecAsn1SetOfEnumeratedTemplate[]; +extern const SecAsn1Template kSecAsn1SetOfGeneralizedTimeTemplate[]; +extern const SecAsn1Template kSecAsn1SetOfIA5StringTemplate[]; +extern const SecAsn1Template kSecAsn1SetOfIntegerTemplate[]; +extern const SecAsn1Template kSecAsn1SetOfNullTemplate[]; +extern const SecAsn1Template kSecAsn1SetOfObjectIDTemplate[]; +extern const SecAsn1Template kSecAsn1SetOfOctetStringTemplate[]; +extern const SecAsn1Template kSecAsn1SetOfPrintableStringTemplate[]; +extern const SecAsn1Template kSecAsn1SetOfT61StringTemplate[]; +extern const SecAsn1Template kSecAsn1SetOfUniversalStringTemplate[]; +extern const SecAsn1Template kSecAsn1SetOfUTCTimeTemplate[]; +extern const SecAsn1Template kSecAsn1SetOfUTF8StringTemplate[]; +extern const SecAsn1Template kSecAsn1SetOfVisibleStringTemplate[]; +extern const SecAsn1Template kSecAsn1SetOfTeletexStringTemplate[]; + +/* + * Template for skipping a subitem; only used when decoding. + */ +extern const SecAsn1Template kSecAsn1SkipTemplate[]; + +CF_ASSUME_NONNULL_END + +#ifdef __cplusplus +} +#endif + +#endif /* _SEC_ASN1_TEMPLATES_H_ */ diff --git a/OSX/include/security_asn1/SecAsn1Types.h b/OSX/include/security_asn1/SecAsn1Types.h new file mode 100644 index 00000000..df78b872 --- /dev/null +++ b/OSX/include/security_asn1/SecAsn1Types.h 
@@ -0,0 +1,244 @@ +/* + * The contents of this file are subject to the Mozilla Public + * License Version 1.1 (the "License"); you may not use this file + * except in compliance with the License. You may obtain a copy of + * the License at http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS + * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or + * implied. See the License for the specific language governing + * rights and limitations under the License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is Netscape + * Communications Corporation. Portions created by Netscape are + * Copyright (C) 1994-2000 Netscape Communications Corporation. All + * Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the + * terms of the GNU General Public License Version 2 or later (the + * "GPL"), in which case the provisions of the GPL are applicable + * instead of those above. If you wish to allow use of your + * version of this file only under the terms of the GPL and not to + * allow others to use your version of this file under the MPL, + * indicate your decision by deleting the provisions above and + * replace them with the notice and other provisions required by + * the GPL. If you do not delete the provisions above, a recipient + * may use your version of this file under either the MPL or the + * GPL. + */ + +/* + * Types for encoding/decoding of ASN.1 using BER/DER (Basic/Distinguished + * Encoding Rules). + */ + +#ifndef _SEC_ASN1_TYPES_H_ +#define _SEC_ASN1_TYPES_H_ + +#include /* Boolean */ +#include +#include + +#include +#if TARGET_OS_EMBEDDED || TARGET_IPHONE_SIMULATOR +/* @@@ We need something that tells us which platform we are building + for that let's us distinguish if we are doing an emulator build. 
*/ + +typedef struct { + size_t Length; + uint8_t * __nullable Data; +} SecAsn1Item, SecAsn1Oid; + +typedef struct { + SecAsn1Oid algorithm; + SecAsn1Item parameters; +} SecAsn1AlgId; + +typedef struct { + SecAsn1AlgId algorithm; + SecAsn1Item subjectPublicKey; +} SecAsn1PubKeyInfo; + +#else +#include +#include + +typedef CSSM_DATA SecAsn1Item; +typedef CSSM_OID SecAsn1Oid; +typedef CSSM_X509_ALGORITHM_IDENTIFIER SecAsn1AlgId; +typedef CSSM_X509_SUBJECT_PUBLIC_KEY_INFO SecAsn1PubKeyInfo; + +#endif + +CF_ASSUME_NONNULL_BEGIN + +/* + * An array of these structures defines a BER/DER encoding for an object. + * + * The array usually starts with a dummy entry whose kind is SEC_ASN1_SEQUENCE; + * such an array is terminated with an entry where kind == 0. (An array + * which consists of a single component does not require a second dummy + * entry -- the array is only searched as long as previous component(s) + * instruct it.) + */ +typedef struct SecAsn1Template_struct { + /* + * Kind of item being decoded/encoded, including tags and modifiers. + */ + uint32_t kind; + + /* + * This value is the offset from the base of the structure (i.e., the + * (void *) passed as 'src' to SecAsn1EncodeItem, or the 'dst' argument + * passed to SecAsn1CoderRef()) to the field that holds the value being + * decoded/encoded. + */ + uint32_t offset; + + /* + * When kind suggests it (e.g., SEC_ASN1_POINTER, SEC_ASN1_GROUP, + * SEC_ASN1_INLINE, or a component that is *not* a SEC_ASN1_UNIVERSAL), + * this points to a sub-template for nested encoding/decoding. + * OR, iff SEC_ASN1_DYNAMIC is set, then this is a pointer to a pointer + * to a function which will return the appropriate template when called + * at runtime. NOTE! that explicit level of indirection, which is + * necessary because ANSI does not allow you to store a function + * pointer directly as a "void *" so we must store it separately and + * dereference it to get at the function pointer itself. 
+ */ + const void *sub; + + /* + * In the first element of a template array, the value is the size + * of the structure to allocate when this template is being referenced + * by another template via SEC_ASN1_POINTER or SEC_ASN1_GROUP. + * In all other cases, the value is ignored. + */ + uint32_t size; +} SecAsn1Template; + + +/* + * BER/DER values for ASN.1 identifier octets. + */ +#define SEC_ASN1_TAG_MASK 0xff + +/* + * BER/DER universal type tag numbers. + */ +#define SEC_ASN1_TAGNUM_MASK 0x1f +#define SEC_ASN1_BOOLEAN 0x01 +#define SEC_ASN1_INTEGER 0x02 +#define SEC_ASN1_BIT_STRING 0x03 +#define SEC_ASN1_OCTET_STRING 0x04 +#define SEC_ASN1_NULL 0x05 +#define SEC_ASN1_OBJECT_ID 0x06 +#define SEC_ASN1_OBJECT_DESCRIPTOR 0x07 +/* External type and instance-of type 0x08 */ +#define SEC_ASN1_REAL 0x09 +#define SEC_ASN1_ENUMERATED 0x0a +#define SEC_ASN1_EMBEDDED_PDV 0x0b +#define SEC_ASN1_UTF8_STRING 0x0c +/* not used 0x0d */ +/* not used 0x0e */ +/* not used 0x0f */ +#define SEC_ASN1_SEQUENCE 0x10 +#define SEC_ASN1_SET 0x11 +#define SEC_ASN1_NUMERIC_STRING 0x12 +#define SEC_ASN1_PRINTABLE_STRING 0x13 +#define SEC_ASN1_T61_STRING 0x14 +#define SEC_ASN1_VIDEOTEX_STRING 0x15 +#define SEC_ASN1_IA5_STRING 0x16 +#define SEC_ASN1_UTC_TIME 0x17 +#define SEC_ASN1_GENERALIZED_TIME 0x18 +#define SEC_ASN1_GRAPHIC_STRING 0x19 +#define SEC_ASN1_VISIBLE_STRING 0x1a +#define SEC_ASN1_GENERAL_STRING 0x1b +#define SEC_ASN1_UNIVERSAL_STRING 0x1c +/* not used 0x1d */ +#define SEC_ASN1_BMP_STRING 0x1e +#define SEC_ASN1_HIGH_TAG_NUMBER 0x1f +#define SEC_ASN1_TELETEX_STRING SEC_ASN1_T61_STRING + +/* + * Modifiers to type tags. These are also specified by a/the + * standard, and must not be changed. 
+ */ +#define SEC_ASN1_METHOD_MASK 0x20 +#define SEC_ASN1_PRIMITIVE 0x00 +#define SEC_ASN1_CONSTRUCTED 0x20 + +#define SEC_ASN1_CLASS_MASK 0xc0 +#define SEC_ASN1_UNIVERSAL 0x00 +#define SEC_ASN1_APPLICATION 0x40 +#define SEC_ASN1_CONTEXT_SPECIFIC 0x80 +#define SEC_ASN1_PRIVATE 0xc0 + +/* + * Our additions, used for templates. + * These are not defined by any standard; the values are used internally only. + * Just be careful to keep them out of the low 8 bits. + */ +#define SEC_ASN1_OPTIONAL 0x00100 +#define SEC_ASN1_EXPLICIT 0x00200 +#define SEC_ASN1_ANY 0x00400 +#define SEC_ASN1_INLINE 0x00800 +#define SEC_ASN1_POINTER 0x01000 +#define SEC_ASN1_GROUP 0x02000 /* with SET or SEQUENCE means + * SET OF or SEQUENCE OF */ +#define SEC_ASN1_DYNAMIC 0x04000 /* subtemplate is found by calling + * a function at runtime */ +#define SEC_ASN1_SKIP 0x08000 /* skip a field; only for decoding */ +#define SEC_ASN1_INNER 0x10000 /* with ANY means capture the + * contents only (not the id, len, + * or eoc); only for decoding */ +#define SEC_ASN1_SAVE 0x20000 /* stash away the encoded bytes first; + * only for decoding */ +#define SEC_ASN1_SKIP_REST 0x80000 /* skip all following fields; + * only for decoding */ +#define SEC_ASN1_CHOICE 0x100000 /* pick one from a template */ + +/* + * Indicate that a type SEC_ASN1_INTEGER is actually signed. + * The default is unsigned, which causes a leading zero to be + * encoded if the MS bit of the source data is 1. + */ +#define SEC_ASN1_SIGNED_INT 0X800000 + +/* Shorthand/Aliases */ +#define SEC_ASN1_SEQUENCE_OF (SEC_ASN1_GROUP | SEC_ASN1_SEQUENCE) +#define SEC_ASN1_SET_OF (SEC_ASN1_GROUP | SEC_ASN1_SET) +#define SEC_ASN1_ANY_CONTENTS (SEC_ASN1_ANY | SEC_ASN1_INNER) + +/* + * Function used for SEC_ASN1_DYNAMIC. + * "arg" is a pointer to the top-level structure being encoded or + * decoded. 
+ * + * "enc" when true, means that we are encoding (false means decoding) + * + * "buf" For decode only; points to the start of the decoded data for + * the current template. Callee can use the tag at this location + * to infer the returned template. Not used on encode. + * + * "Dest" points to the template-specific item being decoded to + * or encoded from. (This is as opposed to arg, which + * points to the start of the struct associated with the + * current array of templates). + */ + +typedef const SecAsn1Template * SecAsn1TemplateChooser( + void *arg, + Boolean enc, + const char *buf, + void *dest); + +typedef SecAsn1TemplateChooser * SecAsn1TemplateChooserPtr; + +CF_ASSUME_NONNULL_END + +#endif /* _SEC_ASN1_TYPES_H_ */ diff --git a/Security/libsecurity_asn1/lib/SecNssCoder.cpp b/OSX/include/security_asn1/SecNssCoder.cpp similarity index 100% rename from Security/libsecurity_asn1/lib/SecNssCoder.cpp rename to OSX/include/security_asn1/SecNssCoder.cpp diff --git a/Security/libsecurity_asn1/lib/SecNssCoder.h b/OSX/include/security_asn1/SecNssCoder.h similarity index 100% rename from Security/libsecurity_asn1/lib/SecNssCoder.h rename to OSX/include/security_asn1/SecNssCoder.h diff --git a/Security/libsecurity_asn1/lib/X509Templates.c b/OSX/include/security_asn1/X509Templates.c similarity index 100% rename from Security/libsecurity_asn1/lib/X509Templates.c rename to OSX/include/security_asn1/X509Templates.c diff --git a/Security/libsecurity_asn1/lib/X509Templates.h b/OSX/include/security_asn1/X509Templates.h similarity index 100% rename from Security/libsecurity_asn1/lib/X509Templates.h rename to OSX/include/security_asn1/X509Templates.h diff --git a/Security/libsecurity_asn1/lib/asn1Templates.h b/OSX/include/security_asn1/asn1Templates.h similarity index 100% rename from Security/libsecurity_asn1/lib/asn1Templates.h rename to OSX/include/security_asn1/asn1Templates.h 
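Review bot: The `offset` field comment refers to the 'dst' argument "passed to SecAsn1CoderRef()", but SecAsn1CoderRef is a type, not a function; the decode entry point is SecAsn1Decode, so the line should read ` * passed to SecAsn1Decode()) to the field that holds the value being`. `#define SEC_ASN1_SIGNED_INT 0X800000` is the only constant in the file written with an upper-case `0X`; use `0x800000` to match the rest. The SecAsn1Item typedef differs by platform (a struct with `size_t Length` and a nullable `Data` on embedded, `CSSM_DATA` otherwise), and a one-line comment stating that both layouts must stay field-compatible with the shared templates would help anyone touching the embedded branch, though I cannot verify CSSM_DATA's layout from this hunk.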
diff --git a/Security/libsecurity_asn1/lib/certExtensionTemplates.c b/OSX/include/security_asn1/certExtensionTemplates.c
similarity index 100%
rename from Security/libsecurity_asn1/lib/certExtensionTemplates.c
rename to OSX/include/security_asn1/certExtensionTemplates.c
diff --git a/Security/libsecurity_asn1/lib/certExtensionTemplates.h b/OSX/include/security_asn1/certExtensionTemplates.h
similarity index 100%
rename from Security/libsecurity_asn1/lib/certExtensionTemplates.h
rename to OSX/include/security_asn1/certExtensionTemplates.h
diff --git a/Security/libsecurity_asn1/lib/csrTemplates.c b/OSX/include/security_asn1/csrTemplates.c
similarity index 100%
rename from Security/libsecurity_asn1/lib/csrTemplates.c
rename to OSX/include/security_asn1/csrTemplates.c
diff --git a/Security/libsecurity_asn1/lib/csrTemplates.h b/OSX/include/security_asn1/csrTemplates.h
similarity index 100%
rename from Security/libsecurity_asn1/lib/csrTemplates.h
rename to OSX/include/security_asn1/csrTemplates.h
diff --git a/Security/libsecurity_asn1/lib/keyTemplates.c b/OSX/include/security_asn1/keyTemplates.c
similarity index 100%
rename from Security/libsecurity_asn1/lib/keyTemplates.c
rename to OSX/include/security_asn1/keyTemplates.c
diff --git a/Security/libsecurity_asn1/lib/keyTemplates.h b/OSX/include/security_asn1/keyTemplates.h
similarity index 100%
rename from Security/libsecurity_asn1/lib/keyTemplates.h
rename to OSX/include/security_asn1/keyTemplates.h
diff --git a/Security/libsecurity_asn1/lib/nameTemplates.c b/OSX/include/security_asn1/nameTemplates.c
similarity index 100%
rename from Security/libsecurity_asn1/lib/nameTemplates.c
rename to OSX/include/security_asn1/nameTemplates.c
diff --git a/Security/libsecurity_asn1/lib/nameTemplates.h b/OSX/include/security_asn1/nameTemplates.h
similarity index 100%
rename from Security/libsecurity_asn1/lib/nameTemplates.h
rename to OSX/include/security_asn1/nameTemplates.h
diff --git a/Security/libsecurity_asn1/lib/nsprPortX.c b/OSX/include/security_asn1/nsprPortX.c
similarity index 100%
rename from Security/libsecurity_asn1/lib/nsprPortX.c
rename to OSX/include/security_asn1/nsprPortX.c
diff --git a/Security/libsecurity_asn1/lib/nssUtils.c b/OSX/include/security_asn1/nssUtils.c
similarity index 100%
rename from Security/libsecurity_asn1/lib/nssUtils.c
rename to OSX/include/security_asn1/nssUtils.c
diff --git a/Security/libsecurity_asn1/lib/nssUtils.h b/OSX/include/security_asn1/nssUtils.h
similarity index 100%
rename from Security/libsecurity_asn1/lib/nssUtils.h
rename to OSX/include/security_asn1/nssUtils.h
diff --git a/Security/libsecurity_asn1/lib/nssilckt.h b/OSX/include/security_asn1/nssilckt.h
similarity index 100%
rename from Security/libsecurity_asn1/lib/nssilckt.h
rename to OSX/include/security_asn1/nssilckt.h
diff --git a/Security/libsecurity_asn1/lib/nssilock.h b/OSX/include/security_asn1/nssilock.h
similarity index 100%
rename from Security/libsecurity_asn1/lib/nssilock.h
rename to OSX/include/security_asn1/nssilock.h
diff --git a/Security/libsecurity_asn1/lib/nsslocks.h b/OSX/include/security_asn1/nsslocks.h
similarity index 100%
rename from Security/libsecurity_asn1/lib/nsslocks.h
rename to OSX/include/security_asn1/nsslocks.h
diff --git a/OSX/include/security_asn1/ocspTemplates.c b/OSX/include/security_asn1/ocspTemplates.c
new file mode 100644
index 00000000..0dcbf947
--- /dev/null
+++ b/OSX/include/security_asn1/ocspTemplates.c
@@ -0,0 +1,298 @@ +/* + * Copyright (c) 2003-2006,2008-2012 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + * + * ocspTemplates.cpp - ASN1 templates OCSP requests and responses. 
+ */ + +#include "ocspTemplates.h" +#include "keyTemplates.h" /* for kSecAsn1AlgorithmIDTemplate */ +#include "SecAsn1Templates.h" +#include +#include + +// MARK: ----- OCSP Request ----- + +const SecAsn1Template kSecAsn1OCSPCertIDTemplate[] = { + { SEC_ASN1_SEQUENCE, + 0, NULL, sizeof(SecAsn1OCSPCertID) }, + { SEC_ASN1_INLINE, + offsetof(SecAsn1OCSPCertID, algId), + kSecAsn1AlgorithmIDTemplate }, + { SEC_ASN1_OCTET_STRING, offsetof(SecAsn1OCSPCertID, issuerNameHash) }, + { SEC_ASN1_OCTET_STRING, offsetof(SecAsn1OCSPCertID, issuerPubKeyHash) }, + /* serial number is SIGNED integer */ + { SEC_ASN1_INTEGER | SEC_ASN1_SIGNED_INT, + offsetof(SecAsn1OCSPCertID, serialNumber) }, + { 0 } +}; + +const SecAsn1Template kSecAsn1OCSPRequestTemplate[] = { + { SEC_ASN1_SEQUENCE, + 0, NULL, sizeof(SecAsn1OCSPRequest) }, + { SEC_ASN1_INLINE, + offsetof(SecAsn1OCSPRequest, reqCert), + kSecAsn1OCSPCertIDTemplate }, + { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | + SEC_ASN1_EXPLICIT | 0, + offsetof(SecAsn1OCSPRequest, extensions), + kSecAsn1SequenceOfCertExtensionTemplate }, + { 0 } +}; + +const SecAsn1Template kSecAsn1OCSPSignatureTemplate[] = { + { SEC_ASN1_SEQUENCE, + 0, NULL, sizeof(SecAsn1OCSPSignature) }, + { SEC_ASN1_INLINE, + offsetof(SecAsn1OCSPSignature, algId), + kSecAsn1AlgorithmIDTemplate }, + { SEC_ASN1_BIT_STRING, offsetof(SecAsn1OCSPSignature, sig) }, + { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | + SEC_ASN1_EXPLICIT | 0, + offsetof(SecAsn1OCSPSignature, certs), + kSecAsn1SequenceOfAnyTemplate }, + { 0 } +}; + +const SecAsn1Template kSecAsn1OCSPTbsRequestTemplate[] = { + { SEC_ASN1_SEQUENCE, + 0, NULL, sizeof(SecAsn1OCSPTbsRequest) }, + /* optional version, explicit tag 0, default 0 */ + { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | + SEC_ASN1_CONTEXT_SPECIFIC | 0, + offsetof(SecAsn1OCSPTbsRequest, version), + kSecAsn1PointerToIntegerTemplate }, + { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | 
SEC_ASN1_CONSTRUCTED | + SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | 1, + offsetof(SecAsn1OCSPTbsRequest, requestorName), + kSecAsn1GeneralNameTemplate }, + { SEC_ASN1_SEQUENCE_OF, + offsetof(SecAsn1OCSPTbsRequest, requestList), + kSecAsn1OCSPRequestTemplate }, + { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | + SEC_ASN1_EXPLICIT | 2, + offsetof(SecAsn1OCSPTbsRequest, requestExtensions), + kSecAsn1SequenceOfCertExtensionTemplate }, + { 0 } +}; + +const SecAsn1Template kSecAsn1OCSPSignedRequestTemplate[] = { + { SEC_ASN1_SEQUENCE, + 0, NULL, sizeof(SecAsn1OCSPSignedRequest) }, + { SEC_ASN1_INLINE, + offsetof(SecAsn1OCSPSignedRequest, tbsRequest), + kSecAsn1OCSPTbsRequestTemplate }, + { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | + SEC_ASN1_POINTER | SEC_ASN1_EXPLICIT | 0, + offsetof(SecAsn1OCSPSignedRequest, signature), + kSecAsn1OCSPSignatureTemplate }, + { 0 } +}; + +// MARK: ----- OCSP Response ----- + +const SecAsn1Template kSecAsn1OCSPRevokedInfoTemplate[] = { + { SEC_ASN1_SEQUENCE, + 0, NULL, sizeof(SecAsn1OCSPRevokedInfo) }, + { SEC_ASN1_GENERALIZED_TIME, offsetof(SecAsn1OCSPRevokedInfo, revocationTime) }, + { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | + SEC_ASN1_CONTEXT_SPECIFIC | 0, + offsetof(SecAsn1OCSPRevokedInfo, revocationReason) , + kSecAsn1PointerToEnumeratedTemplate }, + { 0 } +}; + +/* three context-specific templates, app picks one of these */ + +/* + * Encode/decode CertStatus separately using one of these †hree templates. + * The result goes into SecAsn1OCSPSingleResponse.certStatus on encode. 
+ */ +const SecAsn1Template kSecAsn1OCSPCertStatusGoodTemplate[] = { + { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | 0, + offsetof(SecAsn1OCSPCertStatus, nullData), + kSecAsn1NullTemplate } +}; + +const SecAsn1Template kSecAsn1OCSPCertStatusRevokedTemplate[] = { + { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | 1, + offsetof(SecAsn1OCSPCertStatus, revokedInfo) , + kSecAsn1OCSPRevokedInfoTemplate } +}; + +const SecAsn1Template kSecAsn1OCSPCertStatusUnknownTemplate[] = { + { SEC_ASN1_CONTEXT_SPECIFIC | 2, + offsetof(SecAsn1OCSPCertStatus, nullData), + kSecAsn1NullTemplate } +}; + +const SecAsn1Template kSecAsn1OCSPSingleResponseTemplate[] = { + { SEC_ASN1_SEQUENCE, + 0, NULL, sizeof(SecAsn1OCSPSingleResponse) }, + { SEC_ASN1_INLINE, + offsetof(SecAsn1OCSPSingleResponse, certID), + kSecAsn1OCSPCertIDTemplate }, + { SEC_ASN1_ANY, + offsetof(SecAsn1OCSPSingleResponse, certStatus), + kSecAsn1AnyTemplate }, + { SEC_ASN1_GENERALIZED_TIME, offsetof(SecAsn1OCSPSingleResponse, thisUpdate) }, + { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | + SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_EXPLICIT | 0, + offsetof(SecAsn1OCSPSingleResponse, nextUpdate), + kSecAsn1PointerToGeneralizedTimeTemplate }, + { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | + SEC_ASN1_EXPLICIT | 1, + offsetof(SecAsn1OCSPSingleResponse, singleExtensions), + kSecAsn1SequenceOfCertExtensionTemplate }, + { 0 } +}; + +/* + * support for ResponderID CHOICE + */ +const SecAsn1Template kSecAsn1OCSPResponderIDAsNameTemplate[] = { + { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1, + offsetof(SecAsn1OCSPResponderID, byName), + kSecAsn1AnyTemplate } +}; + +const SecAsn1Template kSecAsn1OCSPResponderIDAsKeyTemplate[] = { + { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 2, + offsetof(SecAsn1OCSPResponderID, byKey), + kSecAsn1OctetStringTemplate } +}; + +const SecAsn1Template kSecAsn1OCSPResponseDataTemplate[] = { + { 
SEC_ASN1_SEQUENCE, + 0, NULL, sizeof(SecAsn1OCSPResponseData) }, + /* optional version, explicit tag 0, default 0 */ + { SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | + SEC_ASN1_CONTEXT_SPECIFIC | 0, + offsetof(SecAsn1OCSPResponseData, version), + kSecAsn1PointerToIntegerTemplate }, + { SEC_ASN1_ANY, + offsetof(SecAsn1OCSPResponseData, responderID), + kSecAsn1AnyTemplate }, + { SEC_ASN1_GENERALIZED_TIME, offsetof(SecAsn1OCSPResponseData, producedAt) }, + { SEC_ASN1_SEQUENCE_OF, + offsetof(SecAsn1OCSPResponseData, responses), + kSecAsn1OCSPSingleResponseTemplate }, + { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | + SEC_ASN1_EXPLICIT | 1, + offsetof(SecAsn1OCSPResponseData, responseExtensions), + kSecAsn1SequenceOfCertExtensionTemplate }, + { 0 } +}; + +const SecAsn1Template kSecAsn1OCSPBasicResponseTemplate[] = { + { SEC_ASN1_SEQUENCE, + 0, NULL, sizeof(SecAsn1OCSPBasicResponse) }, + { SEC_ASN1_ANY, offsetof(SecAsn1OCSPBasicResponse, tbsResponseData) }, + { SEC_ASN1_INLINE, + offsetof(SecAsn1OCSPBasicResponse, algId), + kSecAsn1AlgorithmIDTemplate }, + { SEC_ASN1_BIT_STRING, offsetof(SecAsn1OCSPBasicResponse, sig) }, + { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | + SEC_ASN1_EXPLICIT | 0, + offsetof(SecAsn1OCSPBasicResponse, certs), + kSecAsn1SequenceOfAnyTemplate }, + { 0 } +}; + +const SecAsn1Template kSecAsn1OCSPResponseBytesTemplate[] = { + { SEC_ASN1_SEQUENCE, + 0, NULL, sizeof(SecAsn1OCSPResponseBytes) }, + { SEC_ASN1_OBJECT_ID, offsetof(SecAsn1OCSPResponseBytes, responseType) }, + { SEC_ASN1_OCTET_STRING, offsetof(SecAsn1OCSPResponseBytes, response) }, + { 0 } +}; + +const SecAsn1Template kSecAsn1OCSPPtrToResponseBytesTemplate[] = { + { SEC_ASN1_POINTER, 0, kSecAsn1OCSPResponseBytesTemplate } +}; + +const SecAsn1Template kSecAsn1OCSPResponseTemplate[] = { + { SEC_ASN1_SEQUENCE, + 0, NULL, sizeof(SecAsn1OCSPResponse) }, + { SEC_ASN1_ENUMERATED, offsetof(SecAsn1OCSPResponse, responseStatus) 
}, + { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | + SEC_ASN1_EXPLICIT | 0, + offsetof(SecAsn1OCSPResponse, responseBytes), + kSecAsn1OCSPPtrToResponseBytesTemplate }, + { 0 } +}; + +// MARK: ---- OCSPD RPC ---- + +const SecAsn1Template kSecAsn1OCSPDRequestTemplate[] = { + { SEC_ASN1_SEQUENCE, + 0, NULL, sizeof(SecAsn1OCSPDRequest) }, + { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | + SEC_ASN1_EXPLICIT | 0, + offsetof(SecAsn1OCSPDRequest, cacheWriteDisable), + kSecAsn1PointerToBooleanTemplate }, + { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | + SEC_ASN1_EXPLICIT | 1, + offsetof(SecAsn1OCSPDRequest, cacheReadDisable), + kSecAsn1PointerToBooleanTemplate }, + { SEC_ASN1_OCTET_STRING, offsetof(SecAsn1OCSPDRequest, certID) }, + { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | + SEC_ASN1_EXPLICIT | 2, + offsetof(SecAsn1OCSPDRequest, ocspReq), + kSecAsn1PointerToOctetStringTemplate }, + { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | + SEC_ASN1_EXPLICIT | 3, + offsetof(SecAsn1OCSPDRequest, localRespURI), + kSecAsn1PointerToIA5StringTemplate }, + { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | + SEC_ASN1_EXPLICIT | 4, + offsetof(SecAsn1OCSPDRequest, urls), + kSecAsn1SequenceOfIA5StringTemplate }, + { 0 } +}; + +const SecAsn1Template kSecAsn1OCSPDRequestsTemplate[] = { + { SEC_ASN1_SEQUENCE, + 0, NULL, sizeof(SecAsn1OCSPDRequests) }, + { SEC_ASN1_INTEGER, offsetof(SecAsn1OCSPDRequests, version) }, + { SEC_ASN1_SEQUENCE_OF, + offsetof(SecAsn1OCSPDRequests, requests), + kSecAsn1OCSPDRequestTemplate }, + { 0 } +}; + +const SecAsn1Template kSecAsn1OCSPDReplyTemplate[] = { + { SEC_ASN1_SEQUENCE, + 0, NULL, sizeof(SecAsn1OCSPDReply) }, + { SEC_ASN1_ANY, offsetof(SecAsn1OCSPDReply, certID) }, + { SEC_ASN1_ANY, offsetof(SecAsn1OCSPDReply, ocspResp) }, + { 0 } +}; + +const SecAsn1Template kSecAsn1OCSPDRepliesTemplate[] = { + { 
SEC_ASN1_SEQUENCE, + 0, NULL, sizeof(SecAsn1OCSPReplies) }, + { SEC_ASN1_INTEGER, offsetof(SecAsn1OCSPReplies, version) }, + { SEC_ASN1_SEQUENCE_OF, + offsetof(SecAsn1OCSPReplies, replies), + kSecAsn1OCSPDReplyTemplate }, + { 0 } +}; diff --git a/Security/libsecurity_asn1/lib/ocspTemplates.h b/OSX/include/security_asn1/ocspTemplates.h similarity index 100% rename from Security/libsecurity_asn1/lib/ocspTemplates.h rename to OSX/include/security_asn1/ocspTemplates.h diff --git a/Security/libsecurity_asn1/lib/oidsalg.c b/OSX/include/security_asn1/oidsalg.c similarity index 100% rename from Security/libsecurity_asn1/lib/oidsalg.c rename to OSX/include/security_asn1/oidsalg.c diff --git a/Security/libsecurity_asn1/lib/oidsalg.h b/OSX/include/security_asn1/oidsalg.h similarity index 100% rename from Security/libsecurity_asn1/lib/oidsalg.h rename to OSX/include/security_asn1/oidsalg.h diff --git a/Security/libsecurity_asn1/lib/oidsattr.c b/OSX/include/security_asn1/oidsattr.c similarity index 100% rename from Security/libsecurity_asn1/lib/oidsattr.c rename to OSX/include/security_asn1/oidsattr.c diff --git a/Security/libsecurity_asn1/lib/oidsattr.h b/OSX/include/security_asn1/oidsattr.h similarity index 100% rename from Security/libsecurity_asn1/lib/oidsattr.h rename to OSX/include/security_asn1/oidsattr.h diff --git a/OSX/include/security_asn1/oidsbase.h b/OSX/include/security_asn1/oidsbase.h new file mode 100644 index 00000000..4f723a47 --- /dev/null +++ b/OSX/include/security_asn1/oidsbase.h 
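Review bot: kSecAsn1OCSPCertStatusGoodTemplate and kSecAsn1OCSPCertStatusUnknownTemplate both decode into `nullData`, but only the good template carries `SEC_ASN1_POINTER`; if `nullData` is a pointer field, as the good template implies, the unknown template asks the decoder to store the NULL item inline at a pointer-sized slot instead of allocating one — confirm against the union in ocspTemplates.h and either make the `[2]` entry `{ SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | 2, offsetof(SecAsn1OCSPCertStatus, nullData), kSecAsn1NullTemplate }` or comment why the two differ. Separately, kSecAsn1OCSPBasicResponseTemplate leaves `tbsResponseData` as `SEC_ASN1_ANY`, which looks intended to keep the exact DER that `sig` is computed over; a comment such as `/* kept as raw DER: the signature in sig covers these exact bytes; decode with kSecAsn1OCSPResponseDataTemplate only after verifying sig */` would make that contract explicit for callers. The comment above the CertStatus templates also contains a mis-encoded character (`†hree` for `three`).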
@@ -0,0 +1,363 @@ +/* + * Copyright (c) 1999-2001,2003-2004,2008-2010,2012,2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + * + * oidsbase.h -- Basic Object Identifier Macros and Data Types. + */ + +#include "SecAsn1Types.h" + +#ifndef _OIDSBASE_H_ +#define _OIDSBASE_H_ 1 + +#ifdef __cplusplus +extern "C" { +#endif + +#define SECASN1OID_DEF(NAME, VALUE, ARGS...) 
\ +static const uint8_t _##NAME[] = { VALUE, ## ARGS }; \ +const SecAsn1Oid NAME = { sizeof(_##NAME), (uint8_t *)_##NAME } + +/* Intel CSSM */ + +#define INTEL 96, 134, 72, 1, 134, 248, 77 +#define INTEL_LENGTH 7 + +#define INTEL_CDSASECURITY INTEL, 2 +#define INTEL_CDSASECURITY_LENGTH (INTEL_LENGTH + 1) + +#define INTEL_SEC_FORMATS INTEL_CDSASECURITY, 1 +#define INTEL_SEC_FORMATS_LENGTH (INTEL_CDSASECURITY_LENGTH + 1) + +#define INTEL_SEC_ALGS INTEL_CDSASECURITY, 2, 5 +#define INTEL_SEC_ALGS_LENGTH (INTEL_CDSASECURITY_LENGTH + 2) + +#define INTEL_SEC_OBJECT_BUNDLE INTEL_SEC_FORMATS, 4 +#define INTEL_SEC_OBJECT_BUNDLE_LENGTH (INTEL_SEC_FORMATS_LENGTH + 1) + +#define INTEL_CERT_AND_PRIVATE_KEY_2_0 INTEL_SEC_OBJECT_BUNDLE, 1 +#define INTEL_CERT_AND_PRIVATE_KEY_2_0_LENGTH (INTEL_SEC_OBJECT_BUNDLE_LENGTH + 1) + +/* Suffix specifying format or representation of a field value */ +/* Note that if a format suffix is not specified, a flat data +representation is implied */ +#define INTEL_X509_C_DATATYPE 1 +#define INTEL_X509_LDAPSTRING_DATATYPE 2 + +#define OID_ISO_CCITT_DIR_SERVICE 85 +#define OID_DS OID_ISO_CCITT_DIR_SERVICE +#define OID_DS_LENGTH 1 +#define OID_ATTR_TYPE OID_DS, 4 +#define OID_ATTR_TYPE_LENGTH OID_DS_LENGTH + 1 +#define OID_EXTENSION OID_DS, 29 +#define OID_EXTENSION_LENGTH OID_DS_LENGTH + 1 +#define OID_ISO_STANDARD 40 +#define OID_ISO_MEMBER 42 +#define OID_US OID_ISO_MEMBER, 134, 72 + +#define OID_ISO_IDENTIFIED_ORG 43 +#define OID_OSINET OID_ISO_IDENTIFIED_ORG, 4 +#define OID_GOSIP OID_ISO_IDENTIFIED_ORG, 5 +#define OID_DOD OID_ISO_IDENTIFIED_ORG, 6 +#define OID_OIW OID_ISO_IDENTIFIED_ORG, 14 + +#define OID_ITU_RFCDATA_MEMBER_LENGTH 1 +#define OID_ITU_RFCDATA 9 + +/* From the PKCS Standards */ +#define OID_ISO_MEMBER_LENGTH 1 +#define OID_US_LENGTH OID_ISO_MEMBER_LENGTH + 2 +#define OID_RSA OID_US, 134, 247, 13 +#define OID_RSA_LENGTH OID_US_LENGTH + 3 +#define OID_RSA_HASH OID_RSA, 2 +#define OID_RSA_HASH_LENGTH OID_RSA_LENGTH + 1 +#define 
OID_RSA_ENCRYPT OID_RSA, 3 +#define OID_RSA_ENCRYPT_LENGTH OID_RSA_LENGTH + 1 +#define OID_PKCS OID_RSA, 1 +#define OID_PKCS_LENGTH OID_RSA_LENGTH +1 +#define OID_PKCS_1 OID_PKCS, 1 +#define OID_PKCS_1_LENGTH OID_PKCS_LENGTH +1 +#define OID_PKCS_2 OID_PKCS, 2 +#define OID_PKCS_3 OID_PKCS, 3 +#define OID_PKCS_3_LENGTH OID_PKCS_LENGTH +1 +#define OID_PKCS_4 OID_PKCS, 4 +#define OID_PKCS_5 OID_PKCS, 5 +#define OID_PKCS_5_LENGTH OID_PKCS_LENGTH +1 +#define OID_PKCS_6 OID_PKCS, 6 +#define OID_PKCS_7 OID_PKCS, 7 +#define OID_PKCS_7_LENGTH OID_PKCS_LENGTH +1 +#define OID_PKCS_8 OID_PKCS, 8 +#define OID_PKCS_9 OID_PKCS, 9 +#define OID_PKCS_9_LENGTH OID_PKCS_LENGTH +1 +#define OID_PKCS_10 OID_PKCS, 10 +#define OID_PKCS_11 OID_PKCS, 11 +#define OID_PKCS_11_LENGTH OID_PKCS_LENGTH +1 +#define OID_PKCS_12 OID_PKCS, 12 +#define OID_PKCS_12_LENGTH OID_PKCS_LENGTH +1 + +/* ANSI X9.42 */ +#define OID_ANSI_X9_42 OID_US, 206, 62, 2 +#define OID_ANSI_X9_42_LEN OID_US_LENGTH + 3 +#define OID_ANSI_X9_42_SCHEME OID_ANSI_X9_42, 3 +#define OID_ANSI_X9_42_SCHEME_LEN OID_ANSI_X9_42_LEN + 1 +#define OID_ANSI_X9_42_NAMED_SCHEME OID_ANSI_X9_42, 4 +#define OID_ANSI_X9_42_NAMED_SCHEME_LEN OID_ANSI_X9_42_LEN + 1 + +/* ANSI X9.62 (1 2 840 10045) */ +#define OID_ANSI_X9_62 0x2A, 0x86, 0x48, 0xCE, 0x3D +#define OID_ANSI_X9_62_LEN 5 +#define OID_ANSI_X9_62_FIELD_TYPE OID_ANSI_X9_62, 1 +#define OID_ANSI_X9_62_PUBKEY_TYPE OID_ANSI_X9_62, 2 +#define OID_ANSI_X9_62_ELL_CURVE OID_ANSI_X9_62, 3 +#define OID_ANSI_X9_62_ELL_CURVE_LEN OID_ANSI_X9_62_LEN+1 +#define OID_ANSI_X9_62_C_TWO_CURVE OID_ANSI_X9_62_ELL_CURVE, 0 +#define OID_ANSI_X9_62_PRIME_CURVE OID_ANSI_X9_62_ELL_CURVE, 1 +#define OID_ANSI_X9_62_SIG_TYPE OID_ANSI_X9_62, 4 +#define OID_ANSI_X9_62_SIG_TYPE_LEN OID_ANSI_X9_62_LEN+1 + +/* PKIX */ +#define OID_PKIX OID_DOD, 1, 5, 5, 7 +#define OID_PKIX_LENGTH 6 +#define OID_PE OID_PKIX, 1 +#define OID_PE_LENGTH OID_PKIX_LENGTH + 1 +#define OID_QT OID_PKIX, 2 +#define OID_QT_LENGTH OID_PKIX_LENGTH + 1 
+#define OID_KP OID_PKIX, 3 +#define OID_KP_LENGTH OID_PKIX_LENGTH + 1 +#define OID_OTHER_NAME OID_PKIX, 8 +#define OID_OTHER_NAME_LENGTH OID_PKIX_LENGTH + 1 +#define OID_PDA OID_PKIX, 9 +#define OID_PDA_LENGTH OID_PKIX_LENGTH + 1 +#define OID_QCS OID_PKIX, 11 +#define OID_QCS_LENGTH OID_PKIX_LENGTH + 1 +#define OID_AD OID_PKIX, 48 +#define OID_AD_LENGTH OID_PKIX_LENGTH + 1 +#define OID_AD_OCSP OID_AD, 1 +#define OID_AD_OCSP_LENGTH OID_AD_LENGTH + 1 + +/* ETSI */ +#define OID_ETSI 0x04, 0x00 +#define OID_ETSI_LENGTH 2 +#define OID_ETSI_QCS 0x04, 0x00, 0x8E, 0x46, 0x01 +#define OID_ETSI_QCS_LENGTH 5 + +#define OID_OIW_SECSIG OID_OIW, 3 +#define OID_OIW_LENGTH 2 +#define OID_OIW_SECSIG_LENGTH OID_OIW_LENGTH +1 + +#define OID_OIW_ALGORITHM OID_OIW_SECSIG, 2 +#define OID_OIW_ALGORITHM_LENGTH OID_OIW_SECSIG_LENGTH +1 + +/* NIST defined digest algorithm arc (2, 16, 840, 1, 101, 3, 4, 2) */ +#define OID_NIST_HASHALG 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02 +#define OID_NIST_HASHALG_LENGTH 8 + +/* Kerberos PKINIT */ +#define OID_KERBv5 0x2b, 6, 1, 5, 2 +#define OID_KERBv5_LEN 5 +#define OID_KERBv5_PKINIT OID_KERBv5, 3 +#define OID_KERBv5_PKINIT_LEN OID_KERBv5_LEN + 1 + +/* Certicom (1 3 132) */ +#define OID_CERTICOM 0x2B, 0x81, 0x04 +#define OID_CERTICOM_LEN 3 +#define OID_CERTICOM_ELL_CURVE OID_CERTICOM, 0 +#define OID_CERTICOM_ELL_CURVE_LEN OID_CERTICOM_LEN+1 + +/* + * Apple-specific OID bases + */ + +/* + * apple OBJECT IDENTIFIER ::= + * { iso(1) member-body(2) US(840) 113635 } + * + * BER = 06 06 2A 86 48 86 F7 63 + */ +#define APPLE_OID OID_US, 0x86, 0xf7, 0x63 +#define APPLE_OID_LENGTH OID_US_LENGTH + 3 + +/* appleDataSecurity OBJECT IDENTIFIER ::= + * { apple 100 } + * { 1 2 840 113635 100 } + * + * BER = 06 07 2A 86 48 86 F7 63 64 + */ +#define APPLE_ADS_OID APPLE_OID, 0x64 +#define APPLE_ADS_OID_LENGTH APPLE_OID_LENGTH + 1 + +/* + * appleTrustPolicy OBJECT IDENTIFIER ::= + * { appleDataSecurity 1 } + * { 1 2 840 113635 100 1 } + * + * BER = 06 08 2A 86 48 
86 F7 63 64 01 + */ +#define APPLE_TP_OID APPLE_ADS_OID, 1 +#define APPLE_TP_OID_LENGTH APPLE_ADS_OID_LENGTH + 1 + +/* + * appleSecurityAlgorithm OBJECT IDENTIFIER ::= + * { appleDataSecurity 2 } + * { 1 2 840 113635 100 2 } + * + * BER = 06 08 2A 86 48 86 F7 63 64 02 + */ +#define APPLE_ALG_OID APPLE_ADS_OID, 2 +#define APPLE_ALG_OID_LENGTH APPLE_ADS_OID_LENGTH + 1 + +/* + * appleDotMacCertificate OBJECT IDENTIFIER ::= + * { appleDataSecurity 3 } + * { 1 2 840 113635 100 3 } + */ +#define APPLE_DOTMAC_CERT_OID APPLE_ADS_OID, 3 +#define APPLE_DOTMAC_CERT_OID_LENGTH APPLE_ADS_OID_LENGTH + 1 + +/* + * Basis of Policy OIDs for .mac TP requests + * + * dotMacCertificateRequest OBJECT IDENTIFIER ::= + * { appleDotMacCertificate 1 } + * { 1 2 840 113635 100 3 1 } + */ +#define APPLE_DOTMAC_CERT_REQ_OID APPLE_DOTMAC_CERT_OID, 1 +#define APPLE_DOTMAC_CERT_REQ_OID_LENGTH APPLE_DOTMAC_CERT_OID_LENGTH + 1 + +/* + * Basis of .mac Certificate Extensions + * + * dotMacCertificateExtension OBJECT IDENTIFIER ::= + * { appleDotMacCertificate 2 } + * { 1 2 840 113635 100 3 2 } + */ +#define APPLE_DOTMAC_CERT_EXTEN_OID APPLE_DOTMAC_CERT_OID, 2 +#define APPLE_DOTMAC_CERT_EXTEN_OID_LENGTH APPLE_DOTMAC_CERT_OID_LENGTH + 1 + +/* + * Basis of .mac Certificate request OID/value identifiers + * + * dotMacCertificateRequestValues OBJECT IDENTIFIER ::= + * { appleDotMacCertificate 3 } + * { 1 2 840 113635 100 3 3 } + */ +#define APPLE_DOTMAC_CERT_REQ_VALUE_OID APPLE_DOTMAC_CERT_OID, 3 +#define APPLE_DOTMAC_CERT_REQ_VALUE_OID_LENGTH APPLE_DOTMAC_CERT_OID_LENGTH + 1 + +/* + * Basis of Apple-specific extended key usages + * + * appleExtendedKeyUsage OBJECT IDENTIFIER ::= + * { appleDataSecurity 4 } + * { 1 2 840 113635 100 4 } + */ +#define APPLE_EKU_OID APPLE_ADS_OID, 4 +#define APPLE_EKU_OID_LENGTH APPLE_ADS_OID_LENGTH + 1 + +/* + * Basis of Apple Code Signing extended key usages + * appleCodeSigning OBJECT IDENTIFIER ::= + * { appleExtendedKeyUsage 1 } + * { 1 2 840 113635 100 4 1 } + */ 
+#define APPLE_EKU_CODE_SIGNING APPLE_EKU_OID, 1 +#define APPLE_EKU_CODE_SIGNING_LENGTH APPLE_EKU_OID_LENGTH + 1 + +/* + * Basis of Apple-specific Certificate Policy identifiers + * appleCertificatePolicies OBJECT IDENTIFIER ::= + * { appleDataSecurity 5 } + * { 1 2 840 113635 100 5 } + */ +#define APPLE_CERT_POLICIES APPLE_ADS_OID, 5 +#define APPLE_CERT_POLICIES_LENGTH APPLE_ADS_OID_LENGTH + 1 + +/* + * Basis of Apple-specific certificate extensions + * appleCertificateExtensions OBJECT IDENTIFIER ::= + * { appleDataSecurity 6 } + * { 1 2 840 113635 100 6 } + */ +#define APPLE_EXTENSION_OID APPLE_ADS_OID, 6 +#define APPLE_EXTENSION_OID_LENGTH APPLE_ADS_OID_LENGTH + 1 + +/* + * Basis of Apple-specific Code Signing certificate extensions + * appleCertificateExtensionCodeSigning OBJECT IDENTIFIER ::= + * { appleCertificateExtensions 1 } + * { 1 2 840 113635 100 6 1 } + */ +#define APPLE_EXTENSION_CODE_SIGNING APPLE_EXTENSION_OID, 1 +#define APPLE_EXTENSION_CODE_SIGNING_LENGTH APPLE_EXTENSION_OID_LENGTH + 1 + +/* + * Netscape OIDs. + */ +#define NETSCAPE_BASE_OID 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42 +#define NETSCAPE_BASE_OID_LEN 7 + +/* + * Netscape cert extension. + * + * netscape-cert-extension OBJECT IDENTIFIER ::= + * { 2 16 840 1 113730 1 } + * + * BER = 06 08 60 86 48 01 86 F8 42 01 + */ +#define NETSCAPE_CERT_EXTEN NETSCAPE_BASE_OID, 0x01 +#define NETSCAPE_CERT_EXTEN_LENGTH NETSCAPE_BASE_OID_LEN + 1 + +#define NETSCAPE_CERT_POLICY NETSCAPE_BASE_OID, 0x04 +#define NETSCAPE_CERT_POLICY_LENGTH NETSCAPE_BASE_OID_LEN + 1 + + +/* Google OIDs: 1.3.6.1.4.1.11129. 
*/ +#define GOOGLE_BASE_OID OID_DOD, 0x01, 0x04, 0x01, 0xD6, 0x79 +#define GOOGLE_BASE_OID_LEN OID_DOD_LEN + 5 +#define GOOGLE_EMBEDDED_SCT_OID GOOGLE_BASE_OID, 0x02, 0x04, 0x02 +#define GOOGLE_OCSP_SCT_OID GOOGLE_BASE_OID, 0x02, 0x04, 0x05 + +/* + * Domain Component OID + */ +#define OID_ITU_RFCDATA_2342 OID_ITU_RFCDATA, 0x49, 0x86 +#define OID_ITU_RFCDATA_2342_LENGTH OID_ITU_RFCDATA_MEMBER_LENGTH + 2 + +#define OID_ITU_RFCDATA_2342_UCL OID_ITU_RFCDATA_2342, 0x49, 0x1F, 0x12, 0x8C +#define OID_ITU_RFCDATA_2342_UCL_LENGTH OID_ITU_RFCDATA_2342_LENGTH + 4 + +#define OID_ITU_RFCDATA_2342_UCL_DIRECTORYPILOT OID_ITU_RFCDATA_2342_UCL, 0xE4 +#define OID_ITU_RFCDATA_2342_UCL_DIRECTORYPILOT_LENGTH OID_ITU_RFCDATA_2342_UCL_LENGTH + 1 + +#define OID_ITU_RFCDATA_2342_UCL_DIRECTORYPILOT_ATTRIBUTES OID_ITU_RFCDATA_2342_UCL_DIRECTORYPILOT, 0x81 +#define OID_ITU_RFCDATA_2342_UCL_DIRECTORYPILOT_ATTRIBUTES_LENGTH OID_ITU_RFCDATA_2342_UCL_DIRECTORYPILOT_LENGTH + 1 + +#define OID_ITU_RFCDATA_2342_UCL_DIRECTORYPILOT_ATTRIBUTES_DOMAINCOMPONENT OID_ITU_RFCDATA_2342_UCL_DIRECTORYPILOT_ATTRIBUTES, 0x99 +#define OID_ITU_RFCDATA_2342_UCL_DIRECTORYPILOT_ATTRIBUTES_DOMAINCOMPONENT_LENGTH OID_ITU_RFCDATA_2342_UCL_DIRECTORYPILOT_ATTRIBUTES_LENGTH + 1 + +#define OID_ITU_RFCDATA_2342_UCL_DIRECTORYPILOT_ATTRIBUTES_USERID OID_ITU_RFCDATA_2342_UCL_DIRECTORYPILOT_ATTRIBUTES, 0x81 +#define OID_ITU_RFCDATA_2342_UCL_DIRECTORYPILOT_ATTRIBUTES_USERID_LENGTH OID_ITU_RFCDATA_2342_UCL_DIRECTORYPILOT_ATTRIBUTES_LENGTH + 1 + +#ifdef __cplusplus +} +#endif + +#endif /* _OIDSBASE_H_ */ diff --git a/OSX/include/security_asn1/oidsocsp.c b/OSX/include/security_asn1/oidsocsp.c new file mode 100644 index 00000000..bb08e125 --- /dev/null +++ b/OSX/include/security_asn1/oidsocsp.c 
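Review bot: `GOOGLE_BASE_OID_LEN` expands to `OID_DOD_LEN + 5`, but no `OID_DOD_LEN` is defined in this header (only `OID_DOD` and the hard-coded `OID_PKIX_LENGTH 6` exist), so any use of `GOOGLE_BASE_OID_LEN` outside an `#if` fails to compile unless an includer happens to define it. `OID_DOD` is two bytes (`43, 6`), so the fix is `#define OID_DOD_LEN 2` next to `OID_DOD`, or simply `#define GOOGLE_BASE_OID_LEN 7`. The PKCS/PKIX length macros (`OID_PKCS_LENGTH OID_RSA_LENGTH +1`, `OID_ATTR_TYPE_LENGTH OID_DS_LENGTH + 1`, ...) are unparenthesized arithmetic, unlike the INTEL ones, so an expression like `2 * OID_PKCS_LENGTH` would silently miscount; wrapping each expansion in parentheses is worth doing while touching the file. `SECASN1OID_DEF` also casts away const on the backing array to fill the `SecAsn1Oid`; if the struct field cannot be `const`, a one-line comment that the bytes must never be written through that pointer would help the next reader.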
@@ -0,0 +1,43 @@ +/* + * Copyright (c) 2009-2010,2012 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + + +/* + File: oidsocsp.cpp + + Contains: Object Identifiers for OCSP + */ + +#include "oidsbase.h" +#include "oidsocsp.h" + +SECASN1OID_DEF(OID_PKIX_OCSP, OID_AD_OCSP); +SECASN1OID_DEF(OID_PKIX_OCSP_BASIC, OID_AD_OCSP, 1); +SECASN1OID_DEF(OID_PKIX_OCSP_NONCE, OID_AD_OCSP, 2); +SECASN1OID_DEF(OID_PKIX_OCSP_CRL, OID_AD_OCSP, 3); +SECASN1OID_DEF(OID_PKIX_OCSP_RESPONSE, OID_AD_OCSP, 4); +SECASN1OID_DEF(OID_PKIX_OCSP_NOCHECK, OID_AD_OCSP, 5); +SECASN1OID_DEF(OID_PKIX_OCSP_ARCHIVE_CUTOFF, OID_AD_OCSP, 6); +SECASN1OID_DEF(OID_PKIX_OCSP_SERVICE_LOCATOR, OID_AD_OCSP, 7); + +SECASN1OID_DEF(OID_GOOGLE_OCSP_SCT, GOOGLE_OCSP_SCT_OID); diff --git a/OSX/include/security_asn1/oidsocsp.h b/OSX/include/security_asn1/oidsocsp.h new file mode 100644 index 00000000..82dde8f9 --- /dev/null +++ b/OSX/include/security_asn1/oidsocsp.h 
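Review bot: The OID definitions give no hint of the dotted-decimal values they encode, so a reader has to unfold `OID_AD_OCSP` through oidsbase.h (`OID_DOD` = 1.3, `OID_PKIX` = 1.3.6.1.5.5.7, `OID_AD` = ...48, `OID_AD_OCSP` = ...48.1) to check them against RFC 6960. I would add one trailing comment per definition, e.g. `/* 1.3.6.1.5.5.7.48.1 id-pkix-ocsp */`, `/* 1.3.6.1.5.5.7.48.1.1 id-pkix-ocsp-basic */`, `/* ...48.1.2 id-pkix-ocsp-nonce */` through `/* ...48.1.7 id-pkix-ocsp-service-locator */`, and `/* 1.3.6.1.4.1.11129.2.4.5 OCSP SCT extension (RFC 6962) */` for `OID_GOOGLE_OCSP_SCT`. The file header still says `File: oidsocsp.cpp` although the file is oidsocsp.c.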
@@ -0,0 +1,51 @@
+/*
+ * Copyright (c) 2009-2010,2012 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ *
+ * oidsocsp.h -- Object Identifiers for OCSP
+ */
+
+#ifndef _OIDSOCSP_H_
+#define _OIDSOCSP_H_ 1
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include "SecAsn1Types.h"
+
+extern const SecAsn1Oid
+ /* OCSP */
+ OID_PKIX_OCSP,
+ OID_PKIX_OCSP_BASIC,
+ OID_PKIX_OCSP_NONCE,
+ OID_PKIX_OCSP_CRL,
+ OID_PKIX_OCSP_RESPONSE,
+ OID_PKIX_OCSP_NOCHECK,
+ OID_PKIX_OCSP_ARCHIVE_CUTOFF,
+ OID_PKIX_OCSP_SERVICE_LOCATOR,
+ OID_GOOGLE_OCSP_SCT;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _OIDSOCSP_H_ */
diff --git a/Security/libsecurity_asn1/lib/osKeyTemplates.c b/OSX/include/security_asn1/osKeyTemplates.c
similarity index 100%
rename from Security/libsecurity_asn1/lib/osKeyTemplates.c
rename to OSX/include/security_asn1/osKeyTemplates.c
diff --git a/Security/libsecurity_asn1/lib/osKeyTemplates.h b/OSX/include/security_asn1/osKeyTemplates.h
similarity index 100%
rename from Security/libsecurity_asn1/lib/osKeyTemplates.h
rename to OSX/include/security_asn1/osKeyTemplates.h
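Review bot: `#include "SecAsn1Types.h"` sits inside the `extern "C" {` block, so a C++ consumer compiles everything that header (and anything it transitively includes) with C linkage; that is fragile if SecAsn1Types.h ever gains C++-only declarations, and it is not how the sibling oidsbase.h tail above orders things. Move the include above the `#ifdef __cplusplus` guard so only this file's own `extern const SecAsn1Oid` declarations are wrapped. A short comment on `OID_GOOGLE_OCSP_SCT` (the one non-PKIX entry) such as `/* RFC 6962 SCT list in an OCSP response */` would also help readers of the header.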
diff --git a/Security/libsecurity_asn1/lib/pkcs12Templates.c b/OSX/include/security_asn1/pkcs12Templates.c
similarity index 100%
rename from Security/libsecurity_asn1/lib/pkcs12Templates.c
rename to OSX/include/security_asn1/pkcs12Templates.c
diff --git a/Security/libsecurity_asn1/lib/pkcs12Templates.h b/OSX/include/security_asn1/pkcs12Templates.h
similarity index 100%
rename from Security/libsecurity_asn1/lib/pkcs12Templates.h
rename to OSX/include/security_asn1/pkcs12Templates.h
diff --git a/Security/libsecurity_asn1/lib/pkcs7Templates.c b/OSX/include/security_asn1/pkcs7Templates.c
similarity index 100%
rename from Security/libsecurity_asn1/lib/pkcs7Templates.c
rename to OSX/include/security_asn1/pkcs7Templates.c
diff --git a/Security/libsecurity_asn1/lib/pkcs7Templates.h b/OSX/include/security_asn1/pkcs7Templates.h
similarity index 100%
rename from Security/libsecurity_asn1/lib/pkcs7Templates.h
rename to OSX/include/security_asn1/pkcs7Templates.h
diff --git a/Security/libsecurity_asn1/lib/plarena.c b/OSX/include/security_asn1/plarena.c
similarity index 100%
rename from Security/libsecurity_asn1/lib/plarena.c
rename to OSX/include/security_asn1/plarena.c
diff --git a/Security/libsecurity_asn1/lib/plarena.h b/OSX/include/security_asn1/plarena.h
similarity index 100%
rename from Security/libsecurity_asn1/lib/plarena.h
rename to OSX/include/security_asn1/plarena.h
diff --git a/Security/libsecurity_asn1/lib/plarenas.h b/OSX/include/security_asn1/plarenas.h
similarity index 100%
rename from Security/libsecurity_asn1/lib/plarenas.h
rename to OSX/include/security_asn1/plarenas.h
diff --git a/Security/libsecurity_asn1/lib/plstr.h b/OSX/include/security_asn1/plstr.h
similarity index 100%
rename from Security/libsecurity_asn1/lib/plstr.h
rename to OSX/include/security_asn1/plstr.h
diff --git a/Security/libsecurity_asn1/lib/prbit.h b/OSX/include/security_asn1/prbit.h
similarity index 100%
rename from Security/libsecurity_asn1/lib/prbit.h
rename to OSX/include/security_asn1/prbit.h
diff --git a/Security/libsecurity_asn1/lib/prcpucfg.h b/OSX/include/security_asn1/prcpucfg.h
similarity index 100%
rename from Security/libsecurity_asn1/lib/prcpucfg.h
rename to OSX/include/security_asn1/prcpucfg.h
diff --git a/Security/libsecurity_asn1/lib/prcvar.h b/OSX/include/security_asn1/prcvar.h
similarity index 100%
rename from Security/libsecurity_asn1/lib/prcvar.h
rename to OSX/include/security_asn1/prcvar.h
diff --git a/Security/libsecurity_asn1/lib/prenv.h b/OSX/include/security_asn1/prenv.h
similarity index 100%
rename from Security/libsecurity_asn1/lib/prenv.h
rename to OSX/include/security_asn1/prenv.h
diff --git a/Security/libsecurity_asn1/lib/prerr.h b/OSX/include/security_asn1/prerr.h
similarity index 100%
rename from Security/libsecurity_asn1/lib/prerr.h
rename to OSX/include/security_asn1/prerr.h
diff --git a/Security/libsecurity_asn1/lib/prerror.h b/OSX/include/security_asn1/prerror.h
similarity index 100%
rename from Security/libsecurity_asn1/lib/prerror.h
rename to OSX/include/security_asn1/prerror.h
diff --git a/Security/libsecurity_asn1/lib/prinit.h b/OSX/include/security_asn1/prinit.h
similarity index 100%
rename from Security/libsecurity_asn1/lib/prinit.h
rename to OSX/include/security_asn1/prinit.h
diff --git a/Security/libsecurity_asn1/lib/prinrval.h b/OSX/include/security_asn1/prinrval.h
similarity index 100%
rename from Security/libsecurity_asn1/lib/prinrval.h
rename to OSX/include/security_asn1/prinrval.h
diff --git a/Security/libsecurity_asn1/lib/prlock.h b/OSX/include/security_asn1/prlock.h
similarity index 100%
rename from Security/libsecurity_asn1/lib/prlock.h
rename to OSX/include/security_asn1/prlock.h
diff --git a/Security/libsecurity_asn1/lib/prlog.h b/OSX/include/security_asn1/prlog.h
similarity index 100%
rename from Security/libsecurity_asn1/lib/prlog.h
rename to OSX/include/security_asn1/prlog.h
diff --git a/Security/libsecurity_asn1/lib/prlong.h b/OSX/include/security_asn1/prlong.h
similarity index 100%
rename from Security/libsecurity_asn1/lib/prlong.h
rename to OSX/include/security_asn1/prlong.h
diff --git a/Security/libsecurity_asn1/lib/prmem.h b/OSX/include/security_asn1/prmem.h
similarity index 100%
rename from Security/libsecurity_asn1/lib/prmem.h
rename to OSX/include/security_asn1/prmem.h
diff --git a/Security/libsecurity_asn1/lib/prmon.h b/OSX/include/security_asn1/prmon.h
similarity index 100%
rename from Security/libsecurity_asn1/lib/prmon.h
rename to OSX/include/security_asn1/prmon.h
diff --git a/Security/libsecurity_asn1/lib/protypes.h b/OSX/include/security_asn1/protypes.h
similarity index 100%
rename from Security/libsecurity_asn1/lib/protypes.h
rename to OSX/include/security_asn1/protypes.h
diff --git a/Security/libsecurity_asn1/lib/prthread.h b/OSX/include/security_asn1/prthread.h
similarity index 100%
rename from Security/libsecurity_asn1/lib/prthread.h
rename to OSX/include/security_asn1/prthread.h
diff --git a/Security/libsecurity_asn1/lib/prtime.h b/OSX/include/security_asn1/prtime.h
similarity index 100%
rename from Security/libsecurity_asn1/lib/prtime.h
rename to OSX/include/security_asn1/prtime.h
diff --git a/Security/libsecurity_asn1/lib/prtypes.h b/OSX/include/security_asn1/prtypes.h
similarity index 100%
rename from Security/libsecurity_asn1/lib/prtypes.h
rename to OSX/include/security_asn1/prtypes.h
diff --git a/Security/libsecurity_asn1/lib/prvrsion.h b/OSX/include/security_asn1/prvrsion.h
similarity index 100%
rename from Security/libsecurity_asn1/lib/prvrsion.h
rename to OSX/include/security_asn1/prvrsion.h
diff --git a/Security/libsecurity_asn1/lib/secErrorStr.c b/OSX/include/security_asn1/secErrorStr.c
similarity index 100%
rename from Security/libsecurity_asn1/lib/secErrorStr.c
rename to OSX/include/security_asn1/secErrorStr.c
diff --git a/Security/libsecurity_asn1/lib/secasn1.h b/OSX/include/security_asn1/secasn1.h
similarity index 100%
rename from Security/libsecurity_asn1/lib/secasn1.h
rename to OSX/include/security_asn1/secasn1.h
diff --git a/Security/libsecurity_asn1/lib/secasn1d.c b/OSX/include/security_asn1/secasn1d.c
similarity index 100%
rename from Security/libsecurity_asn1/lib/secasn1d.c
rename to OSX/include/security_asn1/secasn1d.c
diff --git a/Security/libsecurity_asn1/lib/secasn1e.c b/OSX/include/security_asn1/secasn1e.c
similarity index 100%
rename from Security/libsecurity_asn1/lib/secasn1e.c
rename to OSX/include/security_asn1/secasn1e.c
diff --git a/Security/libsecurity_asn1/lib/secasn1t.h b/OSX/include/security_asn1/secasn1t.h
similarity index 100%
rename from Security/libsecurity_asn1/lib/secasn1t.h
rename to OSX/include/security_asn1/secasn1t.h
diff --git a/Security/libsecurity_asn1/lib/secasn1u.c b/OSX/include/security_asn1/secasn1u.c
similarity index 100%
rename from Security/libsecurity_asn1/lib/secasn1u.c
rename to OSX/include/security_asn1/secasn1u.c
diff --git a/Security/libsecurity_asn1/lib/seccomon.h b/OSX/include/security_asn1/seccomon.h
similarity index 100%
rename from Security/libsecurity_asn1/lib/seccomon.h
rename to OSX/include/security_asn1/seccomon.h
diff --git a/Security/libsecurity_asn1/lib/secerr.h b/OSX/include/security_asn1/secerr.h
similarity index 100%
rename from Security/libsecurity_asn1/lib/secerr.h
rename to OSX/include/security_asn1/secerr.h
diff --git a/Security/libsecurity_asn1/lib/secport.c b/OSX/include/security_asn1/secport.c
similarity index 100%
rename from Security/libsecurity_asn1/lib/secport.c
rename to OSX/include/security_asn1/secport.c
diff --git a/Security/libsecurity_asn1/lib/secport.h b/OSX/include/security_asn1/secport.h
similarity index 100%
rename from Security/libsecurity_asn1/lib/secport.h
rename to OSX/include/security_asn1/secport.h
diff --git a/Security/libsecurity_asn1/lib/security_asn1.exp b/OSX/include/security_asn1/security_asn1.exp
similarity index 100%
rename from Security/libsecurity_asn1/lib/security_asn1.exp
rename to OSX/include/security_asn1/security_asn1.exp
diff --git a/Security/libsecurity_cdsa_client/lib/DLDBList.cpp b/OSX/include/security_cdsa_client/DLDBList.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_client/lib/DLDBList.cpp
rename to OSX/include/security_cdsa_client/DLDBList.cpp
diff --git a/Security/libsecurity_cdsa_client/lib/DLDBList.h b/OSX/include/security_cdsa_client/DLDBList.h
similarity index 100%
rename from Security/libsecurity_cdsa_client/lib/DLDBList.h
rename to OSX/include/security_cdsa_client/DLDBList.h
diff --git a/Security/libsecurity_cdsa_client/lib/aclclient.cpp b/OSX/include/security_cdsa_client/aclclient.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_client/lib/aclclient.cpp
rename to OSX/include/security_cdsa_client/aclclient.cpp
diff --git a/Security/libsecurity_cdsa_client/lib/aclclient.h b/OSX/include/security_cdsa_client/aclclient.h
similarity index 100%
rename from Security/libsecurity_cdsa_client/lib/aclclient.h
rename to OSX/include/security_cdsa_client/aclclient.h
diff --git a/Security/libsecurity_cdsa_client/lib/clclient.cpp b/OSX/include/security_cdsa_client/clclient.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_client/lib/clclient.cpp
rename to OSX/include/security_cdsa_client/clclient.cpp
diff --git a/Security/libsecurity_cdsa_client/lib/clclient.h b/OSX/include/security_cdsa_client/clclient.h
similarity index 100%
rename from Security/libsecurity_cdsa_client/lib/clclient.h
rename to OSX/include/security_cdsa_client/clclient.h
diff --git a/Security/libsecurity_cdsa_client/lib/cryptoclient.cpp b/OSX/include/security_cdsa_client/cryptoclient.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_client/lib/cryptoclient.cpp
rename to OSX/include/security_cdsa_client/cryptoclient.cpp
diff --git a/Security/libsecurity_cdsa_client/lib/cryptoclient.h b/OSX/include/security_cdsa_client/cryptoclient.h
similarity index 100%
rename from Security/libsecurity_cdsa_client/lib/cryptoclient.h
rename to OSX/include/security_cdsa_client/cryptoclient.h
diff --git a/Security/libsecurity_cdsa_client/lib/cspclient.cpp b/OSX/include/security_cdsa_client/cspclient.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_client/lib/cspclient.cpp
rename to OSX/include/security_cdsa_client/cspclient.cpp
diff --git a/Security/libsecurity_cdsa_client/lib/cspclient.h b/OSX/include/security_cdsa_client/cspclient.h
similarity index 100%
rename from Security/libsecurity_cdsa_client/lib/cspclient.h
rename to OSX/include/security_cdsa_client/cspclient.h
diff --git a/Security/libsecurity_cdsa_client/lib/cssmclient.cpp b/OSX/include/security_cdsa_client/cssmclient.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_client/lib/cssmclient.cpp
rename to OSX/include/security_cdsa_client/cssmclient.cpp
diff --git a/Security/libsecurity_cdsa_client/lib/cssmclient.h b/OSX/include/security_cdsa_client/cssmclient.h
similarity index 100%
rename from Security/libsecurity_cdsa_client/lib/cssmclient.h
rename to OSX/include/security_cdsa_client/cssmclient.h
diff --git a/Security/libsecurity_cdsa_client/lib/dl_standard.cpp b/OSX/include/security_cdsa_client/dl_standard.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_client/lib/dl_standard.cpp
rename to OSX/include/security_cdsa_client/dl_standard.cpp
diff --git a/Security/libsecurity_cdsa_client/lib/dl_standard.h b/OSX/include/security_cdsa_client/dl_standard.h
similarity index 100%
rename from Security/libsecurity_cdsa_client/lib/dl_standard.h
rename to OSX/include/security_cdsa_client/dl_standard.h
diff --git a/Security/libsecurity_cdsa_client/lib/dlclient.cpp b/OSX/include/security_cdsa_client/dlclient.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_client/lib/dlclient.cpp
rename to OSX/include/security_cdsa_client/dlclient.cpp
diff --git a/Security/libsecurity_cdsa_client/lib/dlclient.h b/OSX/include/security_cdsa_client/dlclient.h
similarity index 100%
rename from Security/libsecurity_cdsa_client/lib/dlclient.h
rename to OSX/include/security_cdsa_client/dlclient.h
diff --git a/Security/libsecurity_cdsa_client/lib/dlclientpriv.cpp b/OSX/include/security_cdsa_client/dlclientpriv.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_client/lib/dlclientpriv.cpp
rename to OSX/include/security_cdsa_client/dlclientpriv.cpp
diff --git a/Security/libsecurity_cdsa_client/lib/dliterators.cpp b/OSX/include/security_cdsa_client/dliterators.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_client/lib/dliterators.cpp
rename to OSX/include/security_cdsa_client/dliterators.cpp
diff --git a/Security/libsecurity_cdsa_client/lib/dliterators.h b/OSX/include/security_cdsa_client/dliterators.h
similarity index 100%
rename from Security/libsecurity_cdsa_client/lib/dliterators.h
rename to OSX/include/security_cdsa_client/dliterators.h
diff --git a/Security/libsecurity_cdsa_client/lib/dlquery.cpp b/OSX/include/security_cdsa_client/dlquery.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_client/lib/dlquery.cpp
rename to OSX/include/security_cdsa_client/dlquery.cpp
diff --git a/Security/libsecurity_cdsa_client/lib/dlquery.h b/OSX/include/security_cdsa_client/dlquery.h
similarity index 100%
rename from Security/libsecurity_cdsa_client/lib/dlquery.h
rename to OSX/include/security_cdsa_client/dlquery.h
diff --git a/Security/libsecurity_cdsa_client/lib/genkey.cpp b/OSX/include/security_cdsa_client/genkey.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_client/lib/genkey.cpp
rename to OSX/include/security_cdsa_client/genkey.cpp
diff --git a/Security/libsecurity_cdsa_client/lib/genkey.h b/OSX/include/security_cdsa_client/genkey.h
similarity index 100%
rename from Security/libsecurity_cdsa_client/lib/genkey.h
rename to OSX/include/security_cdsa_client/genkey.h
diff --git a/Security/libsecurity_cdsa_client/lib/keychainacl.cpp b/OSX/include/security_cdsa_client/keychainacl.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_client/lib/keychainacl.cpp
rename to OSX/include/security_cdsa_client/keychainacl.cpp
diff --git a/Security/libsecurity_cdsa_client/lib/keychainacl.h b/OSX/include/security_cdsa_client/keychainacl.h
similarity index 100%
rename from Security/libsecurity_cdsa_client/lib/keychainacl.h
rename to OSX/include/security_cdsa_client/keychainacl.h
diff --git a/Security/libsecurity_cdsa_client/lib/keyclient.cpp b/OSX/include/security_cdsa_client/keyclient.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_client/lib/keyclient.cpp
rename to OSX/include/security_cdsa_client/keyclient.cpp
diff --git a/Security/libsecurity_cdsa_client/lib/keyclient.h b/OSX/include/security_cdsa_client/keyclient.h
similarity index 100%
rename from Security/libsecurity_cdsa_client/lib/keyclient.h
rename to OSX/include/security_cdsa_client/keyclient.h
diff --git a/Security/libsecurity_cdsa_client/lib/macclient.cpp b/OSX/include/security_cdsa_client/macclient.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_client/lib/macclient.cpp
rename to OSX/include/security_cdsa_client/macclient.cpp
diff --git a/Security/libsecurity_cdsa_client/lib/macclient.h b/OSX/include/security_cdsa_client/macclient.h
similarity index 100%
rename from Security/libsecurity_cdsa_client/lib/macclient.h
rename to OSX/include/security_cdsa_client/macclient.h
diff --git a/Security/libsecurity_cdsa_client/lib/mds_standard.cpp b/OSX/include/security_cdsa_client/mds_standard.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_client/lib/mds_standard.cpp
rename to OSX/include/security_cdsa_client/mds_standard.cpp
diff --git a/Security/libsecurity_cdsa_client/lib/mds_standard.h b/OSX/include/security_cdsa_client/mds_standard.h
similarity index 100%
rename from Security/libsecurity_cdsa_client/lib/mds_standard.h
rename to OSX/include/security_cdsa_client/mds_standard.h
diff --git a/Security/libsecurity_cdsa_client/lib/mdsclient.cpp b/OSX/include/security_cdsa_client/mdsclient.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_client/lib/mdsclient.cpp
rename to OSX/include/security_cdsa_client/mdsclient.cpp
diff --git a/Security/libsecurity_cdsa_client/lib/mdsclient.h b/OSX/include/security_cdsa_client/mdsclient.h
similarity index 100%
rename from Security/libsecurity_cdsa_client/lib/mdsclient.h
rename to OSX/include/security_cdsa_client/mdsclient.h
diff --git a/Security/libsecurity_cdsa_client/lib/multidldb.cpp b/OSX/include/security_cdsa_client/multidldb.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_client/lib/multidldb.cpp
rename to OSX/include/security_cdsa_client/multidldb.cpp
diff --git a/Security/libsecurity_cdsa_client/lib/multidldb.h b/OSX/include/security_cdsa_client/multidldb.h
similarity index 100%
rename from Security/libsecurity_cdsa_client/lib/multidldb.h
rename to OSX/include/security_cdsa_client/multidldb.h
diff --git a/Security/libsecurity_cdsa_client/lib/securestorage.cpp b/OSX/include/security_cdsa_client/securestorage.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_client/lib/securestorage.cpp
rename to OSX/include/security_cdsa_client/securestorage.cpp
diff --git a/Security/libsecurity_cdsa_client/lib/securestorage.h b/OSX/include/security_cdsa_client/securestorage.h
similarity index 100%
rename from Security/libsecurity_cdsa_client/lib/securestorage.h
rename to OSX/include/security_cdsa_client/securestorage.h
diff --git a/Security/libsecurity_cdsa_client/lib/signclient.cpp b/OSX/include/security_cdsa_client/signclient.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_client/lib/signclient.cpp
rename to OSX/include/security_cdsa_client/signclient.cpp
diff --git a/Security/libsecurity_cdsa_client/lib/signclient.h b/OSX/include/security_cdsa_client/signclient.h
similarity index 100%
rename from Security/libsecurity_cdsa_client/lib/signclient.h
rename to OSX/include/security_cdsa_client/signclient.h
diff --git a/Security/libsecurity_cdsa_client/lib/tpclient.cpp b/OSX/include/security_cdsa_client/tpclient.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_client/lib/tpclient.cpp
rename to OSX/include/security_cdsa_client/tpclient.cpp
diff --git a/Security/libsecurity_cdsa_client/lib/tpclient.h b/OSX/include/security_cdsa_client/tpclient.h
similarity index 100%
rename from Security/libsecurity_cdsa_client/lib/tpclient.h
rename to OSX/include/security_cdsa_client/tpclient.h
diff --git a/Security/libsecurity_cdsa_client/lib/wrapkey.cpp b/OSX/include/security_cdsa_client/wrapkey.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_client/lib/wrapkey.cpp
rename to OSX/include/security_cdsa_client/wrapkey.cpp
diff --git a/Security/libsecurity_cdsa_client/lib/wrapkey.h b/OSX/include/security_cdsa_client/wrapkey.h
similarity index 100%
rename from Security/libsecurity_cdsa_client/lib/wrapkey.h
rename to OSX/include/security_cdsa_client/wrapkey.h
diff --git a/Security/libsecurity_cdsa_plugin/lib/ACsession.h b/OSX/include/security_cdsa_plugin/ACsession.h
similarity index 100%
rename from Security/libsecurity_cdsa_plugin/lib/ACsession.h
rename to OSX/include/security_cdsa_plugin/ACsession.h
diff --git a/Security/libsecurity_cdsa_plugin/lib/CLsession.h b/OSX/include/security_cdsa_plugin/CLsession.h
similarity index 100%
rename from Security/libsecurity_cdsa_plugin/lib/CLsession.h
rename to OSX/include/security_cdsa_plugin/CLsession.h
diff --git a/Security/libsecurity_cdsa_plugin/lib/CSPsession.cpp b/OSX/include/security_cdsa_plugin/CSPsession.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_plugin/lib/CSPsession.cpp
rename to OSX/include/security_cdsa_plugin/CSPsession.cpp
diff --git a/Security/libsecurity_cdsa_plugin/lib/CSPsession.h b/OSX/include/security_cdsa_plugin/CSPsession.h
similarity index 100%
rename from Security/libsecurity_cdsa_plugin/lib/CSPsession.h
rename to OSX/include/security_cdsa_plugin/CSPsession.h
diff --git a/Security/libsecurity_cdsa_plugin/lib/DLsession.cpp b/OSX/include/security_cdsa_plugin/DLsession.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_plugin/lib/DLsession.cpp
rename to OSX/include/security_cdsa_plugin/DLsession.cpp
diff --git a/Security/libsecurity_cdsa_plugin/lib/DLsession.h b/OSX/include/security_cdsa_plugin/DLsession.h
similarity index 100%
rename from Security/libsecurity_cdsa_plugin/lib/DLsession.h
rename to OSX/include/security_cdsa_plugin/DLsession.h
diff --git a/Security/libsecurity_cdsa_plugin/lib/Database.cpp b/OSX/include/security_cdsa_plugin/Database.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_plugin/lib/Database.cpp
rename to OSX/include/security_cdsa_plugin/Database.cpp
diff --git a/Security/libsecurity_cdsa_plugin/lib/Database.h b/OSX/include/security_cdsa_plugin/Database.h
similarity index 100%
rename from Security/libsecurity_cdsa_plugin/lib/Database.h
rename to OSX/include/security_cdsa_plugin/Database.h
diff --git a/Security/libsecurity_cdsa_plugin/lib/DatabaseSession.cpp b/OSX/include/security_cdsa_plugin/DatabaseSession.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_plugin/lib/DatabaseSession.cpp
rename to OSX/include/security_cdsa_plugin/DatabaseSession.cpp
diff --git a/Security/libsecurity_cdsa_plugin/lib/DatabaseSession.h b/OSX/include/security_cdsa_plugin/DatabaseSession.h
similarity index 100%
rename from Security/libsecurity_cdsa_plugin/lib/DatabaseSession.h
rename to OSX/include/security_cdsa_plugin/DatabaseSession.h
diff --git a/Security/libsecurity_cdsa_plugin/lib/DbContext.cpp b/OSX/include/security_cdsa_plugin/DbContext.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_plugin/lib/DbContext.cpp
rename to OSX/include/security_cdsa_plugin/DbContext.cpp
diff --git a/Security/libsecurity_cdsa_plugin/lib/DbContext.h b/OSX/include/security_cdsa_plugin/DbContext.h
similarity index 100%
rename from Security/libsecurity_cdsa_plugin/lib/DbContext.h
rename to OSX/include/security_cdsa_plugin/DbContext.h
diff --git a/Security/libsecurity_cdsa_plugin/lib/TPsession.h b/OSX/include/security_cdsa_plugin/TPsession.h
similarity index 100%
rename from Security/libsecurity_cdsa_plugin/lib/TPsession.h
rename to OSX/include/security_cdsa_plugin/TPsession.h
diff --git a/Security/libsecurity_cdsa_plugin/lib/c++plugin.h b/OSX/include/security_cdsa_plugin/c++plugin.h
similarity index 100%
rename from Security/libsecurity_cdsa_plugin/lib/c++plugin.h
rename to OSX/include/security_cdsa_plugin/c++plugin.h
diff --git a/Security/libsecurity_cdsa_plugin/lib/csputilities.cpp b/OSX/include/security_cdsa_plugin/csputilities.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_plugin/lib/csputilities.cpp
rename to OSX/include/security_cdsa_plugin/csputilities.cpp
diff --git a/Security/libsecurity_cdsa_plugin/lib/cssmplugin.cpp b/OSX/include/security_cdsa_plugin/cssmplugin.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_plugin/lib/cssmplugin.cpp
rename to OSX/include/security_cdsa_plugin/cssmplugin.cpp
diff --git a/OSX/include/security_cdsa_plugin/cssmplugin.h b/OSX/include/security_cdsa_plugin/cssmplugin.h
new file mode 100644
index 00000000..7059849b
--- /dev/null
+++ b/OSX/include/security_cdsa_plugin/cssmplugin.h
@@ -0,0 +1,130 @@
+/*
+ * Copyright (c) 2000-2001,2011,2014 Apple Inc. All Rights Reserved.
+ *
+ * The contents of this file constitute Original Code as defined in and are
+ * subject to the Apple Public Source License Version 1.2 (the 'License').
+ * You may not use this file except in compliance with the License. Please obtain
+ * a copy of the License at http://www.apple.com/publicsource and read it before
+ * using this file.
+ *
+ * This Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
+ * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
+ * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
+ * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
+ * specific language governing rights and limitations under the License.
+ */
+
+
+//
+// cssmplugin - common header for CSSM plugin modules
+//
+#ifndef _H_CSSMPLUGIN
+#define _H_CSSMPLUGIN
+
+#include
+#include
+#include
+#include
+
+#include
+
+namespace Security {
+
+
+//
+// Inherit from this (abstract) class to implement your plugin
+//
+class CssmPlugin {
+ NOCOPY(CssmPlugin)
+public:
+ CssmPlugin();
+ virtual ~CssmPlugin();
+
+ void moduleLoad(const Guid &cssmGuid,
+ const Guid &moduleGuid,
+ const ModuleCallback &callback);
+ void moduleUnload(const Guid &cssmGuid,
+ const Guid &moduleGuid,
+ const ModuleCallback &callback);
+
+ void moduleAttach(CSSM_MODULE_HANDLE theHandle,
+ const Guid &cssmGuid,
+ const Guid &moduleGuid,
+ const Guid &moduleManagerGuid,
+ const Guid &callerGuid,
+ const CSSM_VERSION &Version,
+ uint32 SubserviceID,
+ CSSM_SERVICE_TYPE SubServiceType,
+ CSSM_ATTACH_FLAGS AttachFlags,
+ CSSM_KEY_HIERARCHY KeyHierarchy,
+ const CSSM_UPCALLS &Upcalls,
+ CSSM_MODULE_FUNCS_PTR &FuncTbl);
+ void moduleDetach(CSSM_MODULE_HANDLE handle);
+
+ const Guid &myGuid() const { return mMyGuid; }
+
+ void sendCallback(CSSM_MODULE_EVENT event,
+ uint32 ssid,
+ CSSM_SERVICE_TYPE serviceType) const;
+
+ void sendInsertion(uint32 subId, CSSM_SERVICE_TYPE serviceType) const
+ { sendCallback(CSSM_NOTIFY_INSERT, subId, serviceType); }
+
+ void sendRemoval(uint32 subId, CSSM_SERVICE_TYPE serviceType) const
+ { sendCallback(CSSM_NOTIFY_REMOVE, subId, serviceType); }
+
+ void sendFault(uint32 subId, CSSM_SERVICE_TYPE serviceType) const
+ { sendCallback(CSSM_NOTIFY_FAULT, subId, serviceType); }
+
+protected:
+ // subclass-defined methods
+ virtual void load();
+ virtual void unload();
+
+ // make a session object for your plugin
+ virtual PluginSession *makeSession(CSSM_MODULE_HANDLE handle,
+ const CSSM_VERSION &version,
+ uint32 subserviceId,
+ CSSM_SERVICE_TYPE subserviceType,
+ CSSM_ATTACH_FLAGS attachFlags,
+ const CSSM_UPCALLS &upcalls) = 0;
+
+private:
+ // map of (CSSM) handles to attachment objects
+ struct SessionMap :
+ public std::unordered_map,
+ public Mutex { };
+
+ static ModuleNexus sessionMap;
+
+ Guid mMyGuid;
+
+ // the registered callback. Set during load processing, unset during unload
+ ModuleCallback mCallback;
+ bool mLoaded;
+
+public:
+ static PluginSession *find(CSSM_MODULE_HANDLE h)
+ {
+ StLock _(sessionMap());
+ SessionMap::iterator it = sessionMap().find(h);
+ if (it == sessionMap().end())
+ CssmError::throwMe(CSSMERR_CSSM_INVALID_ADDIN_HANDLE);
+ return it->second;
+ }
+};
+
+template
+inline SessionClass &findSession(CSSM_MODULE_HANDLE h)
+{
+ SessionClass *session = dynamic_cast(CssmPlugin::find(h));
+ if (session == NULL)
+ CssmError::throwMe(CSSMERR_CSSM_INVALID_ADDIN_HANDLE);
+ assert(session->handle() == h);
+ return *session;
+}
+
+} // end namespace Security
+
+#endif //_H_CSSMPLUGIN
diff --git a/Security/libsecurity_cdsa_plugin/lib/generator.cfg b/OSX/include/security_cdsa_plugin/generator.cfg
similarity index 100%
rename from Security/libsecurity_cdsa_plugin/lib/generator.cfg
rename to OSX/include/security_cdsa_plugin/generator.cfg
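Review bot: `CssmPlugin::find()` drops the `StLock _(sessionMap())` guard when it returns, so the lock protects only the map lookup and not the lifetime of the raw `PluginSession *` it hands back; if `moduleDetach()` (declared here, implemented outside this hunk) erases the entry and destroys the session while another thread is inside `findSession()`, that caller holds a dangling pointer. Since a CSSM handle is caller-supplied input that is already validated with `CSSMERR_CSSM_INVALID_ADDIN_HANDLE`, the surviving race is the detach-while-in-use one, and nothing in the header states who serializes it. At minimum document the contract on `find()`, e.g. `// NOTE: the lock covers the lookup only; the returned session stays valid only while moduleDetach() is kept from running concurrently`, or consider returning a reference-counted session. Separately, the `assert(session->handle() == h)` in `findSession()` is compiled out in release builds, so it must not be the only check that the session belongs to this handle.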
diff --git a/Security/libsecurity_cdsa_plugin/lib/generator.mk b/OSX/include/security_cdsa_plugin/generator.mk
similarity index 100%
rename from Security/libsecurity_cdsa_plugin/lib/generator.mk
rename to OSX/include/security_cdsa_plugin/generator.mk
diff --git a/Security/libsecurity_cdsa_plugin/lib/generator.pl b/OSX/include/security_cdsa_plugin/generator.pl
similarity index 100%
rename from Security/libsecurity_cdsa_plugin/lib/generator.pl
rename to OSX/include/security_cdsa_plugin/generator.pl
diff --git a/Security/libsecurity_cdsa_plugin/lib/pluginsession.cpp b/OSX/include/security_cdsa_plugin/pluginsession.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_plugin/lib/pluginsession.cpp
rename to OSX/include/security_cdsa_plugin/pluginsession.cpp
diff --git a/Security/libsecurity_cdsa_plugin/lib/pluginsession.h b/OSX/include/security_cdsa_plugin/pluginsession.h
similarity index 100%
rename from Security/libsecurity_cdsa_plugin/lib/pluginsession.h
rename to OSX/include/security_cdsa_plugin/pluginsession.h
diff --git a/Security/libsecurity_cdsa_plugin/lib/pluginspi.h b/OSX/include/security_cdsa_plugin/pluginspi.h
similarity index 100%
rename from Security/libsecurity_cdsa_plugin/lib/pluginspi.h
rename to OSX/include/security_cdsa_plugin/pluginspi.h
diff --git a/Security/libsecurity_cdsa_utilities/lib/AuthorizationData.cpp b/OSX/include/security_cdsa_utilities/AuthorizationData.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/AuthorizationData.cpp
rename to OSX/include/security_cdsa_utilities/AuthorizationData.cpp
diff --git a/Security/libsecurity_cdsa_utilities/lib/AuthorizationData.h b/OSX/include/security_cdsa_utilities/AuthorizationData.h
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/AuthorizationData.h
rename to OSX/include/security_cdsa_utilities/AuthorizationData.h
diff --git a/Security/libsecurity_cdsa_utilities/lib/AuthorizationWalkers.h b/OSX/include/security_cdsa_utilities/AuthorizationWalkers.h
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/AuthorizationWalkers.h
rename to OSX/include/security_cdsa_utilities/AuthorizationWalkers.h
diff --git a/Security/libsecurity_cdsa_utilities/lib/KeySchema.h b/OSX/include/security_cdsa_utilities/KeySchema.h
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/KeySchema.h
rename to OSX/include/security_cdsa_utilities/KeySchema.h
diff --git a/Security/libsecurity_cdsa_utilities/lib/KeySchema.m4 b/OSX/include/security_cdsa_utilities/KeySchema.m4
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/KeySchema.m4
rename to OSX/include/security_cdsa_utilities/KeySchema.m4
diff --git a/Security/libsecurity_cdsa_utilities/lib/Schema.h b/OSX/include/security_cdsa_utilities/Schema.h
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/Schema.h
rename to OSX/include/security_cdsa_utilities/Schema.h
diff --git a/Security/libsecurity_cdsa_utilities/lib/Schema.m4 b/OSX/include/security_cdsa_utilities/Schema.m4
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/Schema.m4
rename to OSX/include/security_cdsa_utilities/Schema.m4
diff --git a/Security/libsecurity_cdsa_utilities/lib/acl_any.cpp b/OSX/include/security_cdsa_utilities/acl_any.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/acl_any.cpp
rename to OSX/include/security_cdsa_utilities/acl_any.cpp
diff --git a/Security/libsecurity_cdsa_utilities/lib/acl_any.h b/OSX/include/security_cdsa_utilities/acl_any.h
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/acl_any.h
rename to OSX/include/security_cdsa_utilities/acl_any.h
diff --git a/Security/libsecurity_cdsa_utilities/lib/acl_codesigning.cpp b/OSX/include/security_cdsa_utilities/acl_codesigning.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/acl_codesigning.cpp
rename to OSX/include/security_cdsa_utilities/acl_codesigning.cpp
diff --git a/Security/libsecurity_cdsa_utilities/lib/acl_codesigning.h b/OSX/include/security_cdsa_utilities/acl_codesigning.h
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/acl_codesigning.h
rename to OSX/include/security_cdsa_utilities/acl_codesigning.h
diff --git a/Security/libsecurity_cdsa_utilities/lib/acl_comment.cpp b/OSX/include/security_cdsa_utilities/acl_comment.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/acl_comment.cpp
rename to OSX/include/security_cdsa_utilities/acl_comment.cpp
diff --git a/Security/libsecurity_cdsa_utilities/lib/acl_comment.h b/OSX/include/security_cdsa_utilities/acl_comment.h
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/acl_comment.h
rename to OSX/include/security_cdsa_utilities/acl_comment.h
diff --git a/Security/libsecurity_cdsa_utilities/lib/acl_password.cpp b/OSX/include/security_cdsa_utilities/acl_password.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/acl_password.cpp
rename to OSX/include/security_cdsa_utilities/acl_password.cpp
diff --git a/Security/libsecurity_cdsa_utilities/lib/acl_password.h b/OSX/include/security_cdsa_utilities/acl_password.h
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/acl_password.h
rename to OSX/include/security_cdsa_utilities/acl_password.h
diff --git a/Security/libsecurity_cdsa_utilities/lib/acl_preauth.cpp b/OSX/include/security_cdsa_utilities/acl_preauth.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/acl_preauth.cpp
rename to OSX/include/security_cdsa_utilities/acl_preauth.cpp
diff --git a/Security/libsecurity_cdsa_utilities/lib/acl_preauth.h b/OSX/include/security_cdsa_utilities/acl_preauth.h
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/acl_preauth.h
rename to OSX/include/security_cdsa_utilities/acl_preauth.h
diff --git a/Security/libsecurity_cdsa_utilities/lib/acl_process.cpp b/OSX/include/security_cdsa_utilities/acl_process.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/acl_process.cpp
rename to OSX/include/security_cdsa_utilities/acl_process.cpp
diff --git a/Security/libsecurity_cdsa_utilities/lib/acl_process.h b/OSX/include/security_cdsa_utilities/acl_process.h
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/acl_process.h
rename to OSX/include/security_cdsa_utilities/acl_process.h
diff --git a/Security/libsecurity_cdsa_utilities/lib/acl_prompted.cpp b/OSX/include/security_cdsa_utilities/acl_prompted.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/acl_prompted.cpp
rename to OSX/include/security_cdsa_utilities/acl_prompted.cpp
diff --git a/Security/libsecurity_cdsa_utilities/lib/acl_prompted.h b/OSX/include/security_cdsa_utilities/acl_prompted.h
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/acl_prompted.h
rename to OSX/include/security_cdsa_utilities/acl_prompted.h
diff --git a/Security/libsecurity_cdsa_utilities/lib/acl_protectedpw.cpp b/OSX/include/security_cdsa_utilities/acl_protectedpw.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/acl_protectedpw.cpp
rename to OSX/include/security_cdsa_utilities/acl_protectedpw.cpp
diff --git a/Security/libsecurity_cdsa_utilities/lib/acl_protectedpw.h b/OSX/include/security_cdsa_utilities/acl_protectedpw.h
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/acl_protectedpw.h
rename to OSX/include/security_cdsa_utilities/acl_protectedpw.h
diff --git a/Security/libsecurity_cdsa_utilities/lib/acl_secret.cpp b/OSX/include/security_cdsa_utilities/acl_secret.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/acl_secret.cpp
rename to OSX/include/security_cdsa_utilities/acl_secret.cpp
diff --git a/Security/libsecurity_cdsa_utilities/lib/acl_secret.h b/OSX/include/security_cdsa_utilities/acl_secret.h
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/acl_secret.h
rename to OSX/include/security_cdsa_utilities/acl_secret.h
diff --git a/Security/libsecurity_cdsa_utilities/lib/acl_threshold.cpp b/OSX/include/security_cdsa_utilities/acl_threshold.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/acl_threshold.cpp
rename to OSX/include/security_cdsa_utilities/acl_threshold.cpp
diff --git a/Security/libsecurity_cdsa_utilities/lib/acl_threshold.h b/OSX/include/security_cdsa_utilities/acl_threshold.h
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/acl_threshold.h
rename to OSX/include/security_cdsa_utilities/acl_threshold.h
diff --git a/Security/libsecurity_cdsa_utilities/lib/aclsubject.cpp b/OSX/include/security_cdsa_utilities/aclsubject.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/aclsubject.cpp
rename to OSX/include/security_cdsa_utilities/aclsubject.cpp
diff --git a/Security/libsecurity_cdsa_utilities/lib/aclsubject.h b/OSX/include/security_cdsa_utilities/aclsubject.h
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/aclsubject.h
rename to OSX/include/security_cdsa_utilities/aclsubject.h
diff --git a/Security/libsecurity_cdsa_utilities/lib/callback.cpp b/OSX/include/security_cdsa_utilities/callback.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/callback.cpp
rename to OSX/include/security_cdsa_utilities/callback.cpp
diff --git a/Security/libsecurity_cdsa_utilities/lib/callback.h b/OSX/include/security_cdsa_utilities/callback.h
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/callback.h
rename to OSX/include/security_cdsa_utilities/callback.h
diff --git a/Security/libsecurity_cdsa_utilities/lib/constdata.cpp b/OSX/include/security_cdsa_utilities/constdata.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/constdata.cpp
rename to OSX/include/security_cdsa_utilities/constdata.cpp
diff --git a/Security/libsecurity_cdsa_utilities/lib/constdata.h b/OSX/include/security_cdsa_utilities/constdata.h
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/constdata.h
rename to OSX/include/security_cdsa_utilities/constdata.h
diff --git a/Security/libsecurity_cdsa_utilities/lib/context.cpp b/OSX/include/security_cdsa_utilities/context.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/context.cpp
rename to OSX/include/security_cdsa_utilities/context.cpp
diff --git a/Security/libsecurity_cdsa_utilities/lib/context.h b/OSX/include/security_cdsa_utilities/context.h
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/context.h
rename to OSX/include/security_cdsa_utilities/context.h
diff --git a/Security/libsecurity_cdsa_utilities/lib/cssmacl.cpp b/OSX/include/security_cdsa_utilities/cssmacl.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/cssmacl.cpp
rename to OSX/include/security_cdsa_utilities/cssmacl.cpp
diff --git a/Security/libsecurity_cdsa_utilities/lib/cssmacl.h b/OSX/include/security_cdsa_utilities/cssmacl.h
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/cssmacl.h
rename to OSX/include/security_cdsa_utilities/cssmacl.h
diff --git a/Security/libsecurity_cdsa_utilities/lib/cssmaclpod.cpp b/OSX/include/security_cdsa_utilities/cssmaclpod.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/cssmaclpod.cpp
rename to OSX/include/security_cdsa_utilities/cssmaclpod.cpp
diff --git a/Security/libsecurity_cdsa_utilities/lib/cssmaclpod.h b/OSX/include/security_cdsa_utilities/cssmaclpod.h
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/cssmaclpod.h
rename to OSX/include/security_cdsa_utilities/cssmaclpod.h
diff --git a/Security/libsecurity_cdsa_utilities/lib/cssmalloc.cpp b/OSX/include/security_cdsa_utilities/cssmalloc.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/cssmalloc.cpp
rename to OSX/include/security_cdsa_utilities/cssmalloc.cpp
diff --git a/Security/libsecurity_cdsa_utilities/lib/cssmalloc.h b/OSX/include/security_cdsa_utilities/cssmalloc.h
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/cssmalloc.h
rename to OSX/include/security_cdsa_utilities/cssmalloc.h
diff --git a/Security/libsecurity_cdsa_utilities/lib/cssmbridge.h b/OSX/include/security_cdsa_utilities/cssmbridge.h
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/cssmbridge.h
rename to OSX/include/security_cdsa_utilities/cssmbridge.h
diff --git a/Security/libsecurity_cdsa_utilities/lib/cssmcert.cpp b/OSX/include/security_cdsa_utilities/cssmcert.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/cssmcert.cpp
rename to OSX/include/security_cdsa_utilities/cssmcert.cpp
diff --git a/Security/libsecurity_cdsa_utilities/lib/cssmcert.h b/OSX/include/security_cdsa_utilities/cssmcert.h
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/cssmcert.h
rename to OSX/include/security_cdsa_utilities/cssmcert.h
diff --git a/Security/libsecurity_cdsa_utilities/lib/cssmcred.cpp b/OSX/include/security_cdsa_utilities/cssmcred.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/cssmcred.cpp
rename to OSX/include/security_cdsa_utilities/cssmcred.cpp
diff --git a/Security/libsecurity_cdsa_utilities/lib/cssmcred.h b/OSX/include/security_cdsa_utilities/cssmcred.h
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/cssmcred.h
rename to OSX/include/security_cdsa_utilities/cssmcred.h
diff --git a/Security/libsecurity_cdsa_utilities/lib/cssmdata.cpp b/OSX/include/security_cdsa_utilities/cssmdata.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/cssmdata.cpp
rename to OSX/include/security_cdsa_utilities/cssmdata.cpp
diff --git a/Security/libsecurity_cdsa_utilities/lib/cssmdata.h b/OSX/include/security_cdsa_utilities/cssmdata.h
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/cssmdata.h
rename to OSX/include/security_cdsa_utilities/cssmdata.h
diff --git a/Security/libsecurity_cdsa_utilities/lib/cssmdates.cpp b/OSX/include/security_cdsa_utilities/cssmdates.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/cssmdates.cpp
rename to OSX/include/security_cdsa_utilities/cssmdates.cpp
diff --git a/Security/libsecurity_cdsa_utilities/lib/cssmdates.h b/OSX/include/security_cdsa_utilities/cssmdates.h
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/cssmdates.h
rename to OSX/include/security_cdsa_utilities/cssmdates.h
diff --git a/Security/libsecurity_cdsa_utilities/lib/cssmdb.cpp b/OSX/include/security_cdsa_utilities/cssmdb.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/cssmdb.cpp
rename to OSX/include/security_cdsa_utilities/cssmdb.cpp
diff --git a/Security/libsecurity_cdsa_utilities/lib/cssmdb.h b/OSX/include/security_cdsa_utilities/cssmdb.h
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/cssmdb.h
rename to OSX/include/security_cdsa_utilities/cssmdb.h
diff --git a/Security/libsecurity_cdsa_utilities/lib/cssmdbname.cpp b/OSX/include/security_cdsa_utilities/cssmdbname.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/cssmdbname.cpp
rename to OSX/include/security_cdsa_utilities/cssmdbname.cpp
diff --git a/Security/libsecurity_cdsa_utilities/lib/cssmdbname.h b/OSX/include/security_cdsa_utilities/cssmdbname.h
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/cssmdbname.h
rename to OSX/include/security_cdsa_utilities/cssmdbname.h
diff --git a/Security/libsecurity_cdsa_utilities/lib/cssmendian.cpp b/OSX/include/security_cdsa_utilities/cssmendian.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/cssmendian.cpp
rename to OSX/include/security_cdsa_utilities/cssmendian.cpp
diff --git a/Security/libsecurity_cdsa_utilities/lib/cssmendian.h b/OSX/include/security_cdsa_utilities/cssmendian.h
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/cssmendian.h
rename to OSX/include/security_cdsa_utilities/cssmendian.h
diff --git a/Security/libsecurity_cdsa_utilities/lib/cssmerrors.cpp b/OSX/include/security_cdsa_utilities/cssmerrors.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/cssmerrors.cpp
rename to OSX/include/security_cdsa_utilities/cssmerrors.cpp
diff --git a/Security/libsecurity_cdsa_utilities/lib/cssmerrors.h b/OSX/include/security_cdsa_utilities/cssmerrors.h
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/cssmerrors.h
rename to OSX/include/security_cdsa_utilities/cssmerrors.h
diff --git a/Security/libsecurity_cdsa_utilities/lib/cssmkey.cpp b/OSX/include/security_cdsa_utilities/cssmkey.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/cssmkey.cpp
rename to OSX/include/security_cdsa_utilities/cssmkey.cpp
diff --git a/Security/libsecurity_cdsa_utilities/lib/cssmkey.h b/OSX/include/security_cdsa_utilities/cssmkey.h
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/cssmkey.h
rename to OSX/include/security_cdsa_utilities/cssmkey.h
diff --git a/Security/libsecurity_cdsa_utilities/lib/cssmlist.cpp b/OSX/include/security_cdsa_utilities/cssmlist.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/cssmlist.cpp
rename to OSX/include/security_cdsa_utilities/cssmlist.cpp
diff --git a/Security/libsecurity_cdsa_utilities/lib/cssmlist.h b/OSX/include/security_cdsa_utilities/cssmlist.h
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/cssmlist.h
rename to OSX/include/security_cdsa_utilities/cssmlist.h
diff --git a/OSX/include/security_cdsa_utilities/cssmpods.cpp b/OSX/include/security_cdsa_utilities/cssmpods.cpp
new file mode 100644
index 00000000..8915894d
--- /dev/null
+++ b/OSX/include/security_cdsa_utilities/cssmpods.cpp
@@ -0,0 +1,179 @@ +/* + * Copyright (c) 2000-2006,2011-2012,2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + + +// +// Miscellaneous CSSM PODWrappers +// +#include +#include +#include + +// +// GUID <-> string conversions. +// Note that we DO check for {} on input and insist on rigid formatting. +// We don't require a terminating null byte on input, but generate it on output. 
+// +char *Guid::toString(char buffer[stringRepLength+1]) const +{ + sprintf(buffer, "{%8.8x-%4.4hx-%4.4hx-", + int(n2h(Data1)), n2h(Data2), n2h(Data3)); + for (int n = 0; n < 2; n++) + sprintf(buffer + 20 + 2*n, "%2.2hhx", Data4[n]); + buffer[24] = '-'; + for (int n = 2; n < 8; n++) + sprintf(buffer + 21 + 2*n, "%2.2hhx", Data4[n]); + buffer[37] = '}'; + buffer[38] = '\0'; + return buffer; +} + +string Guid::toString() const +{ + char buffer[stringRepLength+1]; + return toString(buffer); +} + +Guid::Guid(const char *s) +{ + parseGuid(s); +} + +Guid::Guid(const string &s) +{ + parseGuid(s.c_str()); +} + +void Guid::parseGuid(const char *string) +{ + // Arguably, we should be more flexible on input. But exactly what + // padding rules should we follow, and how should we try to interprete + // "doubtful" variations? Given that GUIDs are essentially magic + // cookies, everybody's better off if we just cut-and-paste them + // around the universe... + + // do sanity checking, don't assume that what's passed in makes sense + if (string == NULL) + { + CssmError::throwMe(CSSM_ERRCODE_INVALID_GUID); + } + + // what follows had better be big enough + if (strlen(string) < 37) // needed because the code hard codes the length + { + CssmError::throwMe(CSSM_ERRCODE_INVALID_GUID); + } + + int d1; + uint16 d2, d3; + if (sscanf(string, "{%8x-%4hx-%4hx-", &d1, &d2, &d3) != 3) + CssmError::throwMe(CSSM_ERRCODE_INVALID_GUID); + Data1 = h2n(uint32(d1)); + Data2 = h2n(d2); + Data3 = h2n(d3); + // once, we did not expect the - after byte 2 of Data4 + bool newForm = string[24] == '-'; + for (int n = 0; n < 8; n++) { + unsigned char dn; + if (sscanf(string + 20 + 2*n + (newForm && n >= 2), "%2hhx", &dn) != 1) + CssmError::throwMe(CSSM_ERRCODE_INVALID_GUID); + Data4[n] = dn; + } + if (string[37 - !newForm] != '}') + CssmError::throwMe(CSSM_ERRCODE_INVALID_GUID); +} + + +CssmGuidData::CssmGuidData(const CSSM_GUID &guid) : CssmData(buffer, sizeof(buffer)) +{ + 
Guid::overlay(guid).toString(buffer); +} + + +// +// CssmSubserviceUids. +// Note that for comparison, we ignore the version field. +// This is not necessarily the Right Choice, but suits certain +// constraints in the Sec* layer. Perhaps we might reconsider +// this after a thorough code review to determine the intended +// (by the standard) semantics and proper use. Yeah, right. +// +CssmSubserviceUid::CssmSubserviceUid(const CSSM_GUID &guid, + const CSSM_VERSION *version, uint32 subserviceId, CSSM_SERVICE_TYPE subserviceType) +{ + Guid = guid; + SubserviceId = subserviceId; + SubserviceType = subserviceType; + if (version) + Version = *version; + else + Version.Major = Version.Minor = 0; +} + + +bool CssmSubserviceUid::operator == (const CSSM_SUBSERVICE_UID &otherUid) const +{ + // make sure we don't crash if we get bad data +#pragma clang diagnostic push +#pragma clang diagnostic ignored "-Wtautological-undefined-compare" + if (&otherUid == 0x0) { return false; } +#pragma clang diagnostic pop + + const CssmSubserviceUid &other = CssmSubserviceUid::overlay(otherUid); + return subserviceId() == other.subserviceId() + && subserviceType() == other.subserviceType() + && guid() == other.guid(); +} + +bool CssmSubserviceUid::operator < (const CSSM_SUBSERVICE_UID &otherUid) const +{ +#pragma clang diagnostic push +#pragma clang diagnostic ignored "-Wtautological-undefined-compare" + if (&otherUid == 0x0) { return false; } +#pragma clang diagnostic pop + + const CssmSubserviceUid &other = CssmSubserviceUid::overlay(otherUid); + if (subserviceId() < other.subserviceId()) + return true; + if (subserviceId() > other.subserviceId()) + return false; + if (subserviceType() < other.subserviceType()) + return true; + if (subserviceType() > other.subserviceType()) + return false; + return guid() < other.guid(); +} + + +// +// CryptoData & friends +// +CryptoDataClass::~CryptoDataClass() +{ } + +CSSM_RETURN CryptoDataClass::callbackShim(CSSM_DATA *output, void *ctx) +{ + 
BEGIN_API + *output = reinterpret_cast(ctx)->yield(); + END_API(CSSM) +} diff --git a/Security/libsecurity_cdsa_utilities/lib/cssmpods.h b/OSX/include/security_cdsa_utilities/cssmpods.h similarity index 100% rename from Security/libsecurity_cdsa_utilities/lib/cssmpods.h rename to OSX/include/security_cdsa_utilities/cssmpods.h diff --git a/Security/libsecurity_cdsa_utilities/lib/cssmtrust.cpp b/OSX/include/security_cdsa_utilities/cssmtrust.cpp similarity index 100% rename from Security/libsecurity_cdsa_utilities/lib/cssmtrust.cpp rename to OSX/include/security_cdsa_utilities/cssmtrust.cpp diff --git a/Security/libsecurity_cdsa_utilities/lib/cssmtrust.h b/OSX/include/security_cdsa_utilities/cssmtrust.h similarity index 100% rename from Security/libsecurity_cdsa_utilities/lib/cssmtrust.h rename to OSX/include/security_cdsa_utilities/cssmtrust.h diff --git a/Security/libsecurity_cdsa_utilities/lib/cssmwalkers.cpp b/OSX/include/security_cdsa_utilities/cssmwalkers.cpp similarity index 100% rename from Security/libsecurity_cdsa_utilities/lib/cssmwalkers.cpp rename to OSX/include/security_cdsa_utilities/cssmwalkers.cpp diff --git a/Security/libsecurity_cdsa_utilities/lib/cssmwalkers.h b/OSX/include/security_cdsa_utilities/cssmwalkers.h similarity index 100% rename from Security/libsecurity_cdsa_utilities/lib/cssmwalkers.h rename to OSX/include/security_cdsa_utilities/cssmwalkers.h diff --git a/Security/libsecurity_cdsa_utilities/lib/db++.cpp b/OSX/include/security_cdsa_utilities/db++.cpp similarity index 100% rename from Security/libsecurity_cdsa_utilities/lib/db++.cpp rename to OSX/include/security_cdsa_utilities/db++.cpp diff --git a/Security/libsecurity_cdsa_utilities/lib/db++.h b/OSX/include/security_cdsa_utilities/db++.h similarity index 100% rename from Security/libsecurity_cdsa_utilities/lib/db++.h rename to OSX/include/security_cdsa_utilities/db++.h 
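Review bot: The `if (&otherUid == 0x0) { return false; }` guards in `CssmSubserviceUid::operator==` and `operator<` do not deliver the crash protection their comment promises: binding a reference from a null pointer is already undefined behavior, and the `-Wtautological-undefined-compare` warning being silenced is the compiler saying it may assume the comparison is false and drop the branch. The pointer-to-reference boundary in the callers is the only place a null check can actually work, so the comment should say `// NOTE: a null reference is UB and this compare may be optimized away; validate the CSSM_SUBSERVICE_UID pointer before overlay()` rather than "make sure we don't crash". Separately, `Guid::toString` fills the caller's buffer with unchecked `sprintf` at hard-coded offsets 20, 21 and 24; the output is bounded by the converted argument widths (`hhx`/`hx`, and `%8.8x` on an `int` cast), so it is not an overflow today, but `snprintf` with the remaining size (`stringRepLength + 1` minus the offset) would make that bound explicit and self-checking. `parseGuid` is fine on length since `strlen(string) < 37` is rejected before the fixed-index reads up to `string[37]`, but a comment saying exactly that would spare the next reader the arithmetic.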
diff --git a/Security/libsecurity_cdsa_utilities/lib/digestobject.h b/OSX/include/security_cdsa_utilities/digestobject.h
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/digestobject.h
rename to OSX/include/security_cdsa_utilities/digestobject.h
diff --git a/Security/libsecurity_cdsa_utilities/lib/generator.mk b/OSX/include/security_cdsa_utilities/generator.mk
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/generator.mk
rename to OSX/include/security_cdsa_utilities/generator.mk
diff --git a/Security/libsecurity_cdsa_utilities/lib/generator.pl b/OSX/include/security_cdsa_utilities/generator.pl
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/generator.pl
rename to OSX/include/security_cdsa_utilities/generator.pl
diff --git a/Security/libsecurity_cdsa_utilities/lib/handleobject.cpp b/OSX/include/security_cdsa_utilities/handleobject.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/handleobject.cpp
rename to OSX/include/security_cdsa_utilities/handleobject.cpp
diff --git a/Security/libsecurity_cdsa_utilities/lib/handleobject.h b/OSX/include/security_cdsa_utilities/handleobject.h
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/handleobject.h
rename to OSX/include/security_cdsa_utilities/handleobject.h
diff --git a/Security/libsecurity_cdsa_utilities/lib/handletemplates.cpp b/OSX/include/security_cdsa_utilities/handletemplates.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/handletemplates.cpp
rename to OSX/include/security_cdsa_utilities/handletemplates.cpp
diff --git a/OSX/include/security_cdsa_utilities/handletemplates.h b/OSX/include/security_cdsa_utilities/handletemplates.h
new file mode 100644
index 00000000..9791072a
--- /dev/null
+++ b/OSX/include/security_cdsa_utilities/handletemplates.h
@@ -0,0 +1,290 @@ +/* + * Copyright (c) 2008,2011-2012 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + + +// +// Templates to support HandleObject-like objects +// +#ifndef _H_HANDLETEMPLATES +#define _H_HANDLETEMPLATES + +#include +#include +#include +#include +#include + +#include + +namespace Security +{ + +// +// A TypedHandle is a trivial mixin class whose only feature is that +// it has a *handle* whose type is of the caller's choosing. Subclasses +// need to assign such a handle during creation. +// +template +struct TypedHandle +{ +public: + typedef _Handle Handle; + + static const _Handle invalidHandle = 0; + + _Handle handle() const { return mMyHandle; } + bool validHandle() const { return mValid; } + +protected: + TypedHandle(_Handle h); + TypedHandle(); + + void setHandle(_Handle h) + { + assert(!mValid); // guard against redefinition + mMyHandle = h; + mValid = true; + } + void clearHandle() + { + assert(mValid); + mValid = false; + } + +private: + _Handle mMyHandle; // our handle value + bool mValid; // is the handle (still) valid? 
+}; + +// +// MappingHandle wraps a map indexed by handles of the chosen type. +// A MappingHandle makes up its own handle based on some mechanism that you +// know nothing about. +// +// Please be very careful about the limits of the object contract here. +// We promise to invent a suitable, unique handle for each MappingHandle in +// existence within one address space. We promise that if you hand that +// handle to the various MappingHandle<>::find() variants, we will give you +// back the MappingHandle that created it. We promise to throw if you pass +// a bad handle to those MappingHandle<>::find() variants. This is the +// entire contract. +// +template +class MappingHandle : public TypedHandle<_Handle> +{ +protected: + class State; + +public: + typedef typename TypedHandle<_Handle>::Handle Handle; + virtual ~MappingHandle() + { + State &st = state(); + StLock _(st); + st.erase(this); + } + + template + static SubType &find(_Handle handle, CSSM_RETURN error); + + template + static Subtype &findAndLock(_Handle handle, CSSM_RETURN error); + + template + static Subtype &findAndKill(_Handle handle, CSSM_RETURN error); + + template + static RefPointer findRef(_Handle handle, CSSM_RETURN error); + + template + static RefPointer findRefAndLock(_Handle handle, CSSM_RETURN error); + + template + static RefPointer findRefAndKill(_Handle handle, CSSM_RETURN error); + + // @@@ Remove when 4003540 is fixed + template + static void findAllRefs(std::vector<_Handle> &refs) { + state().template findAllRefs(refs); + } + +protected: + virtual void lock(); + virtual bool tryLock(); + + typedef std::unordered_map<_Handle, MappingHandle<_Handle> *> HandleMap; + + MappingHandle(); + + class State : public Mutex, public HandleMap + { + public: + State(); + uint32_t nextSeq() { return ++sequence; } + + bool handleInUse(_Handle h); + MappingHandle<_Handle> *find(_Handle h, CSSM_RETURN error); + typename HandleMap::iterator locate(_Handle h, CSSM_RETURN error); + void add(_Handle h, 
MappingHandle<_Handle> *obj); + void erase(MappingHandle<_Handle> *obj); + void erase(typename HandleMap::iterator &it); + // @@@ Remove when 4003540 is fixed + template void findAllRefs(std::vector<_Handle> &refs); + + private: + uint32_t sequence; + }; + +private: + // + // Create the handle to be used by the map + // + void make(); + + static ModuleNexus::State> state; +}; + +// +// MappingHandle class methods +// Type-specific ways to access the map in various ways +// +template +template +inline Subclass &MappingHandle<_Handle>::find(_Handle handle, CSSM_RETURN error) +{ + Subclass *sub; + if (!(sub = dynamic_cast(state().find(handle, error)))) + CssmError::throwMe(error); + return *sub; +} + +template +template +inline Subclass &MappingHandle<_Handle>::findAndLock(_Handle handle, + CSSM_RETURN error) +{ + for (;;) { + typename HandleMap::iterator it = state().locate(handle, error); + StLock _(state(), true); // locate() locked it + Subclass *sub; + if (!(sub = dynamic_cast(it->second))) + CssmError::throwMe(error); // bad type + if (it->second->tryLock()) // try to lock it + return *sub; // okay, go + Thread::yield(); // object lock failed, backoff and retry + } +} + +template +template +inline Subclass &MappingHandle<_Handle>::findAndKill(_Handle handle, + CSSM_RETURN error) +{ + for (;;) { + typename HandleMap::iterator it = state().locate(handle, error); + StLock _(state(), true); // locate() locked it + Subclass *sub; + if (!(sub = dynamic_cast(it->second))) + CssmError::throwMe(error); // bad type + if (it->second->tryLock()) { // try to lock it + state().erase(it); // kill the handle + return *sub; // okay, go + } + Thread::yield(); // object lock failed, backoff and retry + } +} + +template +template +inline RefPointer MappingHandle<_Handle>::findRef(_Handle handle, + CSSM_RETURN error) +{ + typename HandleMap::iterator it = state().locate(handle, error); + StLock _(state(), true); // locate() locked it + Subclass *sub; + if (!(sub = 
dynamic_cast(it->second))) + CssmError::throwMe(error); + return sub; +} + +template +template +inline RefPointer MappingHandle<_Handle>::findRefAndLock(_Handle handle, + CSSM_RETURN error) +{ + for (;;) { + typename HandleMap::iterator it = state().locate(handle, error); + StLock _(state(), true); // locate() locked it + Subclass *sub; + if (!(sub = dynamic_cast(it->second))) + CssmError::throwMe(error); // bad type + if (it->second->tryLock()) // try to lock it + return sub; // okay, go + Thread::yield(); // object lock failed, backoff and retry + } +} + +template +template +inline RefPointer MappingHandle<_Handle>::findRefAndKill(_Handle handle, + CSSM_RETURN error) +{ + for (;;) { + typename HandleMap::iterator it = state().locate(handle, error); + StLock _(state(), true); // locate() locked it + Subclass *sub; + if (!(sub = dynamic_cast(it->second))) + CssmError::throwMe(error); // bad type + if (it->second->tryLock()) { // try to lock it + state().erase(it); // kill the handle + return sub; // okay, go + } + Thread::yield(); // object lock failed, backoff and retry + } +} + +// +// @@@ Remove when 4003540 is fixed +// +// This is a hack to fix 3981388 and should NOT be used elsewhere. +// Also, do not follow this code's example: State methods should not +// implement type-specific behavior. +// +template +template +void MappingHandle<_Handle>::State::findAllRefs(std::vector<_Handle> &refs) +{ + StLock _(*this); + typename HandleMap::iterator it = (*this).begin(); + for (; it != (*this).end(); ++it) + { + Subtype *obj = dynamic_cast(it->second); + if (obj) + refs.push_back(it->first); + } +} + + +} // end namespace Security + +#endif //_H_HANDLETEMPLATES diff --git a/Security/libsecurity_cdsa_utilities/lib/handletemplates_defs.h b/OSX/include/security_cdsa_utilities/handletemplates_defs.h similarity index 100% rename from Security/libsecurity_cdsa_utilities/lib/handletemplates_defs.h rename to OSX/include/security_cdsa_utilities/handletemplates_defs.h 
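Review bot: `MappingHandle<_Handle>::find()` hands back a bare `Subclass &` without taking the object's lock or a `RefPointer`, so once whatever lock `state().find()` presumably holds is released, another thread can run `~MappingHandle` (which erases the entry under `StLock _(st)`) and delete the object while the caller still uses the reference. The sibling variants `findAndLock()`, `findRef()` and `findRefAndKill()` are written to close exactly that window, but nothing in the header tells a caller which one to choose. A comment on `find()` should state the contract: `// Unguarded lookup: the returned reference is only safe while the caller otherwise guarantees the object's lifetime; prefer findRef()/findAndLock() from concurrent code.` The `for (;;) { ... Thread::yield(); }` retry loops in `findAndLock`, `findAndKill`, `findRefAndLock` and `findRefAndKill` also spin without bound while an object stays locked by someone else; that is a style point, but a one-line comment explaining why a blocking lock is not used there would help the next reader.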
diff --git a/Security/libsecurity_cdsa_utilities/lib/objectacl.cpp b/OSX/include/security_cdsa_utilities/objectacl.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/objectacl.cpp
rename to OSX/include/security_cdsa_utilities/objectacl.cpp
diff --git a/Security/libsecurity_cdsa_utilities/lib/objectacl.h b/OSX/include/security_cdsa_utilities/objectacl.h
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/objectacl.h
rename to OSX/include/security_cdsa_utilities/objectacl.h
diff --git a/Security/libsecurity_cdsa_utilities/lib/osxverifier.cpp b/OSX/include/security_cdsa_utilities/osxverifier.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/osxverifier.cpp
rename to OSX/include/security_cdsa_utilities/osxverifier.cpp
diff --git a/Security/libsecurity_cdsa_utilities/lib/osxverifier.h b/OSX/include/security_cdsa_utilities/osxverifier.h
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/osxverifier.h
rename to OSX/include/security_cdsa_utilities/osxverifier.h
diff --git a/Security/libsecurity_cdsa_utilities/lib/u32handleobject.cpp b/OSX/include/security_cdsa_utilities/u32handleobject.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/u32handleobject.cpp
rename to OSX/include/security_cdsa_utilities/u32handleobject.cpp
diff --git a/Security/libsecurity_cdsa_utilities/lib/u32handleobject.h b/OSX/include/security_cdsa_utilities/u32handleobject.h
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/u32handleobject.h
rename to OSX/include/security_cdsa_utilities/u32handleobject.h
diff --git a/Security/libsecurity_cdsa_utilities/lib/uniformrandom.cpp b/OSX/include/security_cdsa_utilities/uniformrandom.cpp
similarity index 100%
rename from Security/libsecurity_cdsa_utilities/lib/uniformrandom.cpp
rename to OSX/include/security_cdsa_utilities/uniformrandom.cpp
diff --git a/Security/libsecurity_cdsa_utilities/lib/uniformrandom.h b/OSX/include/security_cdsa_utilities/uniformrandom.h similarity index 100% rename from Security/libsecurity_cdsa_utilities/lib/uniformrandom.h rename to OSX/include/security_cdsa_utilities/uniformrandom.h diff --git a/Security/libsecurity_cdsa_utilities/lib/walkers.cpp b/OSX/include/security_cdsa_utilities/walkers.cpp similarity index 100% rename from Security/libsecurity_cdsa_utilities/lib/walkers.cpp rename to OSX/include/security_cdsa_utilities/walkers.cpp diff --git a/Security/libsecurity_cdsa_utilities/lib/walkers.h b/OSX/include/security_cdsa_utilities/walkers.h similarity index 100% rename from Security/libsecurity_cdsa_utilities/lib/walkers.h rename to OSX/include/security_cdsa_utilities/walkers.h diff --git a/Security/libsecurity_cdsa_utils/lib/cuCdsaUtils.cpp b/OSX/include/security_cdsa_utils/cuCdsaUtils.cpp similarity index 100% rename from Security/libsecurity_cdsa_utils/lib/cuCdsaUtils.cpp rename to OSX/include/security_cdsa_utils/cuCdsaUtils.cpp diff --git a/Security/libsecurity_cdsa_utils/lib/cuCdsaUtils.h b/OSX/include/security_cdsa_utils/cuCdsaUtils.h similarity index 100% rename from Security/libsecurity_cdsa_utils/lib/cuCdsaUtils.h rename to OSX/include/security_cdsa_utils/cuCdsaUtils.h diff --git a/Security/libsecurity_cdsa_utils/lib/cuDbUtils.cpp b/OSX/include/security_cdsa_utils/cuDbUtils.cpp similarity index 100% rename from Security/libsecurity_cdsa_utils/lib/cuDbUtils.cpp rename to OSX/include/security_cdsa_utils/cuDbUtils.cpp diff --git a/Security/libsecurity_cdsa_utils/lib/cuDbUtils.h b/OSX/include/security_cdsa_utils/cuDbUtils.h similarity index 100% rename from Security/libsecurity_cdsa_utils/lib/cuDbUtils.h rename to OSX/include/security_cdsa_utils/cuDbUtils.h 
diff --git a/Security/libsecurity_cdsa_utils/lib/cuEnc64.c b/OSX/include/security_cdsa_utils/cuEnc64.c similarity index 100% rename from Security/libsecurity_cdsa_utils/lib/cuEnc64.c rename to OSX/include/security_cdsa_utils/cuEnc64.c diff --git a/Security/libsecurity_cdsa_utils/lib/cuEnc64.h b/OSX/include/security_cdsa_utils/cuEnc64.h similarity index 100% rename from Security/libsecurity_cdsa_utils/lib/cuEnc64.h rename to OSX/include/security_cdsa_utils/cuEnc64.h diff --git a/Security/libsecurity_cdsa_utils/lib/cuFileIo.c b/OSX/include/security_cdsa_utils/cuFileIo.c similarity index 100% rename from Security/libsecurity_cdsa_utils/lib/cuFileIo.c rename to OSX/include/security_cdsa_utils/cuFileIo.c diff --git a/Security/libsecurity_cdsa_utils/lib/cuFileIo.h b/OSX/include/security_cdsa_utils/cuFileIo.h similarity index 100% rename from Security/libsecurity_cdsa_utils/lib/cuFileIo.h rename to OSX/include/security_cdsa_utils/cuFileIo.h diff --git a/Security/libsecurity_cdsa_utils/lib/cuOidParser.cpp b/OSX/include/security_cdsa_utils/cuOidParser.cpp similarity index 100% rename from Security/libsecurity_cdsa_utils/lib/cuOidParser.cpp rename to OSX/include/security_cdsa_utils/cuOidParser.cpp diff --git a/Security/libsecurity_cdsa_utils/lib/cuOidParser.h b/OSX/include/security_cdsa_utils/cuOidParser.h similarity index 100% rename from Security/libsecurity_cdsa_utils/lib/cuOidParser.h rename to OSX/include/security_cdsa_utils/cuOidParser.h diff --git a/Security/libsecurity_cdsa_utils/lib/cuPem.cpp b/OSX/include/security_cdsa_utils/cuPem.cpp similarity index 100% rename from Security/libsecurity_cdsa_utils/lib/cuPem.cpp rename to OSX/include/security_cdsa_utils/cuPem.cpp diff --git a/Security/libsecurity_cdsa_utils/lib/cuPem.h b/OSX/include/security_cdsa_utils/cuPem.h similarity index 100% rename from Security/libsecurity_cdsa_utils/lib/cuPem.h rename to OSX/include/security_cdsa_utils/cuPem.h 
diff --git a/Security/libsecurity_cdsa_utils/lib/cuPrintCert.cpp b/OSX/include/security_cdsa_utils/cuPrintCert.cpp similarity index 100% rename from Security/libsecurity_cdsa_utils/lib/cuPrintCert.cpp rename to OSX/include/security_cdsa_utils/cuPrintCert.cpp diff --git a/Security/libsecurity_cdsa_utils/lib/cuPrintCert.h b/OSX/include/security_cdsa_utils/cuPrintCert.h similarity index 100% rename from Security/libsecurity_cdsa_utils/lib/cuPrintCert.h rename to OSX/include/security_cdsa_utils/cuPrintCert.h diff --git a/Security/libsecurity_cdsa_utils/lib/cuTimeStr.cpp b/OSX/include/security_cdsa_utils/cuTimeStr.cpp similarity index 100% rename from Security/libsecurity_cdsa_utils/lib/cuTimeStr.cpp rename to OSX/include/security_cdsa_utils/cuTimeStr.cpp diff --git a/Security/libsecurity_cdsa_utils/lib/cuTimeStr.h b/OSX/include/security_cdsa_utils/cuTimeStr.h similarity index 100% rename from Security/libsecurity_cdsa_utils/lib/cuTimeStr.h rename to OSX/include/security_cdsa_utils/cuTimeStr.h diff --git a/OSX/include/security_codesigning/CSCommon.h b/OSX/include/security_codesigning/CSCommon.h new file mode 100644 index 00000000..70058cf1 --- /dev/null +++ b/OSX/include/security_codesigning/CSCommon.h 
@@ -0,0 +1,318 @@
+/*
+ * Copyright (c) 2006-2014 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+/*!
+ @header CSCommon
+ CSCommon is the common header of all Code Signing API headers.
+ It defines types, constants, and error codes.
+*/
+#ifndef _H_CSCOMMON
+#define _H_CSCOMMON
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include
+#include
+
+CF_ASSUME_NONNULL_BEGIN
+
+/*
+ Code Signing specific OSStatus codes.
+ [Assigned range 0xFFFE_FAxx].
+*/
+CF_ENUM(OSStatus) {
+ errSecCSUnimplemented = -67072, /* unimplemented code signing feature */
+ errSecCSInvalidObjectRef = -67071, /* invalid API object reference */
+ errSecCSInvalidFlags = -67070, /* invalid or inappropriate API flag(s) specified */
+ errSecCSObjectRequired = -67069, /* a required pointer argument was NULL */
+ errSecCSStaticCodeNotFound = -67068, /* cannot find code object on disk */
+ errSecCSUnsupportedGuestAttributes = -67067, /* cannot locate guests using this attribute set */
+ errSecCSInvalidAttributeValues = -67066, /* given attribute values are invalid */
+ errSecCSNoSuchCode = -67065, /* host has no guest with the requested attributes */
+ errSecCSMultipleGuests = -67064, /* ambiguous guest specification (host has multiple guests with these attribute values) */
+ errSecCSGuestInvalid = -67063, /* code identity has been invalidated */
+ errSecCSUnsigned = -67062, /* code object is not signed at all */
+ errSecCSSignatureFailed = -67061, /* invalid signature (code or signature have been modified) */
+ errSecCSSignatureNotVerifiable = -67060, /* the code cannot be read by the verifier (file system permissions etc.) */
+ errSecCSSignatureUnsupported = -67059, /* unsupported type or version of signature */
+ errSecCSBadDictionaryFormat = -67058, /* a required plist file or resource is malformed */
+ errSecCSResourcesNotSealed = -67057, /* resources are present but not sealed by signature */
+ errSecCSResourcesNotFound = -67056, /* code has no resources but signature indicates they must be present */
+ errSecCSResourcesInvalid = -67055, /* the sealed resource directory is invalid */
+ errSecCSBadResource = -67054, /* a sealed resource is missing or invalid */
+ errSecCSResourceRulesInvalid = -67053, /* invalid resource specification rule(s) */
+ errSecCSReqInvalid = -67052, /* invalid or corrupted code requirement(s) */
+ errSecCSReqUnsupported = -67051, /* unsupported type or version of code requirement(s) */
+ errSecCSReqFailed = -67050, /* code failed to satisfy specified code requirement(s) */
+ errSecCSBadObjectFormat = -67049, /* object file format unrecognized, invalid, or unsuitable */
+ errSecCSInternalError = -67048, /* internal error in Code Signing subsystem */
+ errSecCSHostReject = -67047, /* code rejected its host */
+ errSecCSNotAHost = -67046, /* attempt to specify guest of code that is not a host */
+ errSecCSSignatureInvalid = -67045, /* invalid or unsupported format for signature */
+ errSecCSHostProtocolRelativePath = -67044, /* host protocol violation - absolute guest path required */
+ errSecCSHostProtocolContradiction = -67043, /* host protocol violation - contradictory hosting modes */
+ errSecCSHostProtocolDedicationError = -67042, /* host protocol violation - operation not allowed with/for a dedicated guest */
+ errSecCSHostProtocolNotProxy = -67041, /* host protocol violation - proxy hosting not engaged */
+ errSecCSHostProtocolStateError = -67040, /* host protocol violation - invalid guest state change request */
+ errSecCSHostProtocolUnrelated = -67039, /* host protocol violation - the given guest is not a guest of the given host */
+ /* -67038 obsolete (no longer issued) */
+ errSecCSNotSupported = -67037, /* operation inapplicable or not supported for this type of code */
+ errSecCSCMSTooLarge = -67036, /* signature too large to embed (size limitation of on-disk representation) */
+ errSecCSHostProtocolInvalidHash = -67035, /* host protocol violation - invalid guest hash */
+ errSecCSStaticCodeChanged = -67034, /* the code on disk does not match what is running */
+ errSecCSDBDenied = -67033, /* permission to use a database denied */
+ errSecCSDBAccess = -67032, /* cannot access a database */
+ errSecCSSigDBDenied = errSecCSDBDenied,
+ errSecCSSigDBAccess = errSecCSDBAccess,
+ errSecCSHostProtocolInvalidAttribute = -67031, /* host returned invalid or inconsistent guest attributes */
+ errSecCSInfoPlistFailed = -67030, /* invalid Info.plist (plist or signature have been modified) */
+ errSecCSNoMainExecutable = -67029, /* the code has no main executable file */
+ errSecCSBadBundleFormat = -67028, /* bundle format unrecognized, invalid, or unsuitable */
+ errSecCSNoMatches = -67027, /* no matches for search or update operation */
+ errSecCSFileHardQuarantined = -67026, /* File created by an AppSandbox, exec/open not allowed */
+ errSecCSOutdated = -67025, /* presented data is out of date */
+ errSecCSDbCorrupt = -67024, /* a system database or file is corrupt */
+ errSecCSResourceDirectoryFailed = -67023, /* invalid resource directory (directory or signature have been modified) */
+ errSecCSUnsignedNestedCode = -67022, /* nested code is unsigned */
+ errSecCSBadNestedCode = -67021, /* nested code is modified or invalid */
+ errSecCSBadCallbackValue = -67020, /* monitor callback returned invalid value */
+ errSecCSHelperFailed = -67019, /* the codesign_allocate helper tool cannot be found or used */
+ errSecCSVetoed = -67018,
+ errSecCSBadLVArch = -67017, /* library validation flag cannot be used with an i386 binary */
+ errSecCSResourceNotSupported = -67016, /* unsupported resource found (something not a directory, file or symlink) */
+ errSecCSRegularFile = -67015, /* the main executable or Info.plist must be a regular file (no symlinks, etc.) */
+ errSecCSUnsealedAppRoot = -67014, /* unsealed contents present in the bundle root */
+ errSecCSWeakResourceRules = -67013, /* resource envelope is obsolete (custom omit rules) */
+ errSecCSDSStoreSymlink = -67012, /* .DS_Store files cannot be a symlink */
+ errSecCSAmbiguousBundleFormat = -67011, /* bundle format is ambiguous (could be app or framework) */
+ errSecCSBadMainExecutable = -67010, /* main executable failed strict validation */
+ errSecCSBadFrameworkVersion = -67009, /* embedded framework contains modified or invalid version */
+ errSecCSUnsealedFrameworkRoot = -67008, /* unsealed contents present in the root directory of an embedded framework */
+ errSecCSWeakResourceEnvelope = -67007, /* resource envelope is obsolete (version 1 signature) */
+ errSecCSCancelled = -67006, /* operation was terminated by explicit cancellation */
+ errSecCSInvalidPlatform = -67005, /* invalid platform identifier or platform mismatch */
+ errSecCSTooBig = -67004, /* code is too big for current signing format */
+ errSecCSInvalidSymlink = -67003, /* invalid destination for symbolic link in bundle */
+};
+
+/*
+ * Code Signing specific CFError "user info" keys.
+ * In calls that can return CFErrorRef indications, if a CFErrorRef is actually
+ * returned, its "user info" dictionary may contain some of the following keys
+ * to more closely describe the circumstances of the failure.
+ * Do not rely on the presence of any particular key to categorize a problem;
+ * always use the primary OSStatus return for that. The data contained under
+ * these keys is always supplemental and optional.
+ */
+extern const CFStringRef kSecCFErrorArchitecture; /* CFStringRef: name of architecture causing the problem */
+extern const CFStringRef kSecCFErrorPattern; /* CFStringRef: invalid resource selection pattern encountered */
+extern const CFStringRef kSecCFErrorResourceSeal; /* CFTypeRef: invalid component in resource seal (CodeResources) */
+extern const CFStringRef kSecCFErrorResourceAdded; /* CFURLRef: unsealed resource found */
+extern const CFStringRef kSecCFErrorResourceAltered; /* CFURLRef: modified resource found */
+extern const CFStringRef kSecCFErrorResourceMissing; /* CFURLRef: sealed (non-optional) resource missing */
+extern const CFStringRef kSecCFErrorInfoPlist; /* CFTypeRef: Info.plist dictionary or component thereof found invalid */
+extern const CFStringRef kSecCFErrorGuestAttributes; /* CFTypeRef: Guest attribute set of element not accepted */
+extern const CFStringRef kSecCFErrorRequirementSyntax; /* CFStringRef: compilation error for Requirement source */
+extern const CFStringRef kSecCFErrorPath; /* CFURLRef: subcomponent containing the error */
+
+/*!
+ @typedef SecCodeRef
+ This is the type of a reference to running code.
+
+ In many (but not all) calls, this can be passed to a SecStaticCodeRef
+ argument, which performs an implicit SecCodeCopyStaticCode call and
+ operates on the result.
+*/
+typedef struct CF_BRIDGED_TYPE(id) __SecCode *SecCodeRef; /* running code */
+
+/*!
+ @typedef SecStaticCodeRef
+ This is the type of a reference to static code on disk.
+*/
+typedef struct CF_BRIDGED_TYPE(id) __SecCode const *SecStaticCodeRef; /* code on disk */
+
+/*!
+ @typedef SecRequirementRef
+ This is the type of a reference to a code requirement.
+*/
+typedef struct CF_BRIDGED_TYPE(id) __SecRequirement *SecRequirementRef; /* code requirement */
+
+
+/*!
+ @typedef SecGuestRef
+ An abstract handle to identify a particular Guest in the context of its Host.
+
+ Guest handles are assigned by the host at will, with kSecNoGuest (zero) being
+ reserved as the null value. They can be reused for new children if desired.
+*/
+typedef u_int32_t SecGuestRef;
+
+CF_ENUM(SecGuestRef) {
+ kSecNoGuest = 0, /* not a valid SecGuestRef */
+};
+
+
+/*!
+ @typedef SecCSFlags
+ This is the type of flags arguments to Code Signing API calls.
+ It provides a bit mask of request and option flags. All of the bits in these
+ masks are reserved to Apple; if you set any bits not defined in these headers,
+ the behavior is generally undefined.
+
+ This list describes the flags that are shared among several Code Signing API calls.
+ Flags that only apply to one call are defined and documented with that call.
+ Global flags are assigned from high order down (31 -> 0); call-specific flags
+ are assigned from the bottom up (0 -> 31).
+
+ @constant kSecCSDefaultFlags
+ When passed to a flags argument throughout, indicates that default behavior
+ is desired. Do not mix with other flags values.
+ @constant kSecCSConsiderExpiration
+ When passed to a call that performs code validation, requests that code signatures
+ made by expired certificates be rejected. By default, expiration of participating
+ certificates is not automatic grounds for rejection.
+*/
+typedef CF_OPTIONS(uint32_t, SecCSFlags) {
+ kSecCSDefaultFlags = 0, /* no particular flags (default behavior) */
+
+ kSecCSConsiderExpiration = 1 << 31, /* consider expired certificates invalid */
+ kSecCSEnforceRevocationChecks = 1 << 30, /* force revocation checks regardless of preference settings */
+ kSecCSNoNetworkAccess = 1 << 29, /* do not use the network, cancels "kSecCSEnforceRevocationChecks" */
+ kSecCSReportProgress = 1 << 28, /* make progress report call-backs when configured */
+ kSecCSCheckTrustedAnchors = 1 << 27, /* build certificate chain to system trust anchors, not to any self-signed certificate */
+};
+
+
+/*!
+ @typedef SecCodeSignatureFlags
+ This is the type of option flags that can be embedded in a code signature
+ during signing, and that govern the use of the signature thereafter.
+ Some of these flags can be set through the codesign(1) command's --options
+ argument; some are set implicitly based on signing circumstances; and all
+ can be set with the kSecCodeSignerFlags item of a signing information dictionary.
+
+ @constant kSecCodeSignatureHost
+ Indicates that the code may act as a host that controls and supervises guest
+ code. If this flag is not set in a code signature, the code is never considered
+ eligible to be a host, and any attempt to act like one will be ignored or rejected.
+ @constant kSecCodeSignatureAdhoc
+ The code has been sealed without a signing identity. No identity may be retrieved
+ from it, and any code requirement placing restrictions on the signing identity
+ will fail. This flag is set by the code signing API and cannot be set explicitly.
+ @constant kSecCodeSignatureForceHard
+ Implicitly set the "hard" status bit for the code when it starts running.
+ This bit indicates that the code prefers to be denied access to a resource
+ if gaining such access would cause its invalidation. Since the hard bit is
+ sticky, setting this option bit guarantees that the code will always have
+ it set.
+ @constant kSecCodeSignatureForceKill
+ Implicitly set the "kill" status bit for the code when it starts running.
+ This bit indicates that the code wishes to be terminated with prejudice if
+ it is ever invalidated. Since the kill bit is sticky, setting this option bit
+ guarantees that the code will always be dynamically valid, since it will die
+ immediately if it becomes invalid.
+ @constant kSecCodeSignatureForceExpiration
+ Forces the kSecCSConsiderExpiration flag on all validations of the code.
+ */
+typedef CF_OPTIONS(uint32_t, SecCodeSignatureFlags) {
+ kSecCodeSignatureHost = 0x0001, /* may host guest code */
+ kSecCodeSignatureAdhoc = 0x0002, /* must be used without signer */
+ kSecCodeSignatureForceHard = 0x0100, /* always set HARD mode on launch */
+ kSecCodeSignatureForceKill = 0x0200, /* always set KILL mode on launch */
+ kSecCodeSignatureForceExpiration = 0x0400, /* force certificate expiration checks */
+ kSecCodeSignatureRestrict = 0x0800, /* restrict dyld loading */
+ kSecCodeSignatureEnforcement = 0x1000, /* enforce code signing */
+ kSecCodeSignatureLibraryValidation = 0x2000, /* library validation required */
+};
+
+
+/*!
+ @typedef SecCodeStatus
+ The code signing system attaches a set of status flags to each running code.
+ These flags are maintained by the code's host, and can be read by anyone.
+ A code may change its own flags, a host may change its guests' flags,
+ and root may change anyone's flags. However, these flags are sticky in that
+ each can change in only one direction (and never back, for the lifetime of the code).
+ Not even root can violate this restriction.
+
+ There are other flags in SecCodeStatus that are not publicly documented.
+ Do not rely on them, and do not ever attempt to explicitly set them.
+
+ @constant kSecCodeStatusValid
+ Indicates that the code is dynamically valid, i.e. it started correctly
+ and has not been invalidated since then. The valid bit can only be cleared.
+
+ Warning: This bit is not your one-stop shortcut to determining the validity of code.
+ It represents the dynamic component of the full validity function; if this
+ bit is unset, the code is definitely invalid, but the converse is not always true.
+ In fact, code hosts may represent the outcome of some delayed static validation work in this bit,
+ and thus it strictly represents a blend of (all of) dynamic and (some of) static validity,
+ depending on the implementation of the particular host managing the code. You can (only)
+ rely that (1) dynamic invalidation will clear this bit; and (2) the combination
+ of static validation and dynamic validity (as performed by the SecCodeCheckValidity* APIs)
+ will give a correct answer.
+
+ @constant kSecCodeStatusHard
+ Indicates that the code prefers to be denied access to resources if gaining access
+ would invalidate it. This bit can only be set.
+ It is undefined whether code that is marked hard and is already invalid will still
+ be denied access to a resource that would invalidate it if it were still valid. That is,
+ the code may or may not get access to such a resource while being invalid, and that choice
+ may appear random.
+
+ @constant kSecCodeStatusKill
+ Indicates that the code wants to be killed (terminated) if it ever loses its validity.
+ This bit can only be set. Code that has the kill flag set will never be dynamically invalid
+ (and live). Note however that a change in static validity does not necessarily trigger instant
+ death.
+*/
+typedef CF_OPTIONS(uint32_t, SecCodeStatus) {
+ kSecCodeStatusValid = 0x0001,
+ kSecCodeStatusHard = 0x0100,
+ kSecCodeStatusKill = 0x0200,
+};
+
+
+/*!
+ @typedef SecRequirementType
+ An enumeration indicating different types of internal requirements for code.
+ */
+typedef CF_ENUM(uint32_t, SecRequirementType) {
+ kSecHostRequirementType = 1, /* what hosts may run us */
+ kSecGuestRequirementType = 2, /* what guests we may run */
+ kSecDesignatedRequirementType = 3, /* designated requirement */
+ kSecLibraryRequirementType = 4, /* what libraries we may link against */
+ kSecPluginRequirementType = 5, /* what plug-ins we may load */
+ kSecInvalidRequirementType, /* invalid type of Requirement (must be last) */
+ kSecRequirementTypeCount = kSecInvalidRequirementType /* number of valid requirement types */
+};
+
+CF_ASSUME_NONNULL_END
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif //_H_CSCOMMON
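Review bot: In the SecCSFlags definition, `kSecCSConsiderExpiration = 1 << 31` shifts the signed int constant 1 into the sign bit, which is undefined behavior in C11 even though the CF_OPTIONS underlying type is uint32_t; the neighbouring `1 << 30` through `1 << 27` are representable but carry the same signed-int type. Computing the bits in an unsigned type makes the header clean under -fsanitize=undefined and -Wshift-overflow: `kSecCSConsiderExpiration = 1U << 31, /* consider expired certificates invalid */` and likewise `1U << 30`, `1U << 29`, `1U << 28`, `1U << 27` for the four flags below it. Two smaller documentation points: `errSecCSVetoed = -67018,` is the only code in the OSStatus enum without a trailing description comment, and `typedef u_int32_t SecGuestRef;` uses the BSD spelling where every other fixed-width type in this header is spelled uint32_t.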
diff --git a/OSX/include/security_codesigning/CSCommonPriv.h b/OSX/include/security_codesigning/CSCommonPriv.h
new file mode 100644
index 00000000..a03ac61d
--- /dev/null
+++ b/OSX/include/security_codesigning/CSCommonPriv.h
@@ -0,0 +1,131 @@
+/*
+ * Copyright (c) 2006-2013 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+/*!
+ @header CSCommonPriv
+ SecStaticCodePriv is the private counter-part to CSCommon. Its contents are not
+ official API, and are subject to change without notice.
+*/
+#ifndef _H_CSCOMMONPRIV
+#define _H_CSCOMMONPRIV
+
+#include
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+/*!
+ @typedef SecCodeDirectoryFlagTable
+ This constant array can be used to translate between names and values
+ of CodeDirectory flag bits. The table ends with an entry with NULL name.
+ The elements are in no particular order.
+ @field name The official text name of the flag.
+ @field value The binary value of the flag.
+ @field signable True if the flag can be specified during signing. False if it is set
+ internally and can only be read from a signature.
+ */
+typedef struct {
+ const char *name;
+ uint32_t value;
+ bool signable;
+} SecCodeDirectoryFlagTable;
+
+extern const SecCodeDirectoryFlagTable kSecCodeDirectoryFlagTable[];
+
+
+/*!
+ Blob types (magic numbers) for blobs used by Code Signing.
+
+ @constant kSecCodeMagicRequirement Magic number for individual code requirements.
+ @constant kSecCodeMagicRequirementSet Magic number for a collection of
+ individual code requirements, indexed by requirement type. This is used
+ for internal requirement sets.
+ @constant kSecCodeMagicCodeDirectory Magic number for a CodeDirectory.
+ @constant kSecCodeMagicEmbeddedSignature Magic number for a SuperBlob
+ containing all the signing components that are usually embedded within
+ a main executable.
+ @constant kSecCodeMagicDetachedSignature Magic number for a SuperBlob that
+ contains all the data for all architectures of a signature, including any
+ data that is usually written to separate files. This is the format of
+ detached signatures if the program is capable of having multiple architectures.
+ @constant kSecCodeMagicEntitlement Magic number for a standard entitlement blob.
+ @constant kSecCodeMagicByte The first byte (in NBO) shared by all these magic
+ numbers. This is not a valid ASCII character; test for this to distinguish
+ between text and binary data if you expect a code signing-related binary blob.
+ */
+
+enum {
+ kSecCodeMagicRequirement = 0xfade0c00, /* single requirement */
+ kSecCodeMagicRequirementSet = 0xfade0c01, /* requirement set */
+ kSecCodeMagicCodeDirectory = 0xfade0c02, /* CodeDirectory */
+ kSecCodeMagicEmbeddedSignature = 0xfade0cc0, /* single-architecture embedded signature */
+ kSecCodeMagicDetachedSignature = 0xfade0cc1, /* detached multi-architecture signature */
+ kSecCodeMagicEntitlement = 0xfade7171, /* entitlement blob */
+
+ kSecCodeMagicByte = 0xfa /* shared first byte */
+};
+
+
+/*!
+ Types of cryptographic digests (hashes) used to hold code signatures
+ together.
+
+ Each combination of type, length, and other parameters is a separate
+ hash type; we don't understand "families" here.
+
+ These type codes govern the digest links that connect a CodeDirectory
+ to its subordinate data structures (code pages, resources, etc.)
+ They do not directly control other uses of hashes (such as the
+ hash-of-CodeDirectory identifiers used in requirements).
+ */
+enum {
+ kSecCodeSignatureNoHash = 0, /* null value */
+ kSecCodeSignatureHashSHA1 = 1, /* SHA-1 */
+ kSecCodeSignatureHashSHA256 = 2, /* SHA-256 */
+ kSecCodeSignatureHashSHA256Truncated = 3, /* SHA-256 truncated to first 20 bytes */
+
+ kSecCodeSignatureDefaultDigestAlgorithm = kSecCodeSignatureHashSHA1
+};
+
+
+/*
+ The current (fixed) size of a cdhash in the system.
+ */
+enum {
+ kSecCodeCDHashLength = 20
+};
+
+
+/*!
+ A callback block type for monitoring certain code signing operations
+ */
+typedef CFTypeRef (^SecCodeCallback)(SecStaticCodeRef code, CFStringRef stage, CFDictionaryRef info);
+
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif //_H_CSCOMMON
diff --git a/Security/libsecurity_codesigning/lib/Code.cpp b/OSX/include/security_codesigning/Code.cpp
similarity index 100%
rename from Security/libsecurity_codesigning/lib/Code.cpp
rename to OSX/include/security_codesigning/Code.cpp
diff --git a/Security/libsecurity_codesigning/lib/Code.h b/OSX/include/security_codesigning/Code.h
similarity index 100%
rename from Security/libsecurity_codesigning/lib/Code.h
rename to OSX/include/security_codesigning/Code.h
diff --git a/OSX/include/security_codesigning/CodeSigner.cpp b/OSX/include/security_codesigning/CodeSigner.cpp
new file mode 100644
index 00000000..3d80482c
--- /dev/null
+++ b/OSX/include/security_codesigning/CodeSigner.cpp
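Review bot: The closing guard comment at the end of CSCommonPriv.h reads `#endif //_H_CSCOMMON`, but the guard this header opens is `_H_CSCOMMONPRIV`; it should read `#endif //_H_CSCOMMONPRIV` so the tail is not mistaken for CSCommon.h. The `@header CSCommonPriv` block likewise says "SecStaticCodePriv is the private counter-part to CSCommon", which looks copied from another header and should name CSCommonPriv. In the digest enum, `kSecCodeSignatureDefaultDigestAlgorithm = kSecCodeSignatureHashSHA1` pins the default for newly produced signatures to SHA-1 while SHA-256 types are declared beside it; a comment stating that this is the compatibility default, and that the hash type recorded in a CodeDirectory rather than this constant is what a verifier must honour, would stop readers assuming SHA-256 is in effect. Relatedly, `kSecCodeCDHashLength = 20` matches SHA-1 and the truncated SHA-256 type but not a full SHA-256 digest, which deserves a note on that enum since the comment calls the size "fixed".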
@@ -0,0 +1,308 @@ +/* + * Copyright (c) 2006-2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +// +// CodeSigner - SecCodeSigner API objects +// +#include "CodeSigner.h" +#include "signer.h" +#include "csdatabase.h" +#include "drmaker.h" +#include "csutilities.h" +#include +#include +#include +#include +#include + +namespace Security { + +__SEC_CFTYPE(SecIdentity) + +namespace CodeSigning { + +using namespace UnixPlusPlus; + + +// +// A helper for parsing out a CFDictionary signing-data specification +// +class SecCodeSigner::Parser : CFDictionary { +public: + Parser(SecCodeSigner &signer, CFDictionaryRef parameters); + + bool getBool(CFStringRef key) const + { + if (CFBooleanRef flag = get(key)) + return flag == kCFBooleanTrue; + else + return false; + } +}; + + +// +// Construct a SecCodeSigner +// +SecCodeSigner::SecCodeSigner(SecCSFlags flags) + : mOpFlags(flags), mDigestAlgorithm(kSecCodeSignatureDefaultDigestAlgorithm), mLimitedAsync(NULL) +{ +} + + +// +// Clean up a SecCodeSigner +// +SecCodeSigner::~SecCodeSigner() throw() +try { + delete mLimitedAsync; 
+} catch (...) { + return; +} + + +// +// Parse an input parameter dictionary and set ready-to-use parameters +// +void SecCodeSigner::parameters(CFDictionaryRef paramDict) +{ + Parser(*this, paramDict); + if (!valid()) + MacOSError::throwMe(errSecCSInvalidObjectRef); +} + +// +// Retrieve the team ID from the signing certificate if and only if +// it is an apple developer signing cert +// +std::string SecCodeSigner::getTeamIDFromSigner(CFArrayRef certs) +{ + if (mSigner && mSigner != SecIdentityRef(kCFNull)) { + CFRef signerCert; + MacOSError::check(SecIdentityCopyCertificate(mSigner, &signerCert.aref())); + + /* Make sure the certificate looks like an Apple certificate, because we do not + extract the team ID from a non Apple certificate */ + if (SecStaticCode::isAppleDeveloperCert(certs)) { + CFRef teamIDFromCert; + + MacOSError::check(SecCertificateCopySubjectComponent(signerCert.get(), &CSSMOID_OrganizationalUnitName, &teamIDFromCert.aref())); + + if (teamIDFromCert) + return cfString(teamIDFromCert); + } + } + + return ""; +} + +// +// Roughly check for validity. +// This isn't thorough; it just sees if if looks like we've set up the object appropriately. 
+// +bool SecCodeSigner::valid() const +{ + if (mOpFlags & kSecCSRemoveSignature) + return true; + return mSigner; +} + + +// +// Sign code +// +void SecCodeSigner::sign(SecStaticCode *code, SecCSFlags flags) +{ + code->setValidationFlags(flags); + if (code->isSigned() && (flags & kSecCSSignPreserveSignature)) + return; + Signer operation(*this, code); + if ((flags | mOpFlags) & kSecCSRemoveSignature) { + secdebug("signer", "%p will remove signature from %p", this, code); + operation.remove(flags); + } else { + if (!valid()) + MacOSError::throwMe(errSecCSInvalidObjectRef); + secdebug("signer", "%p will sign %p (flags 0x%x)", this, code, flags); + operation.sign(flags); + } + code->resetValidity(); +} + + +// +// ReturnDetachedSignature is called by writers or editors that try to return +// detached signature data (rather than annotate the target). +// +void SecCodeSigner::returnDetachedSignature(BlobCore *blob, Signer &signer) +{ + assert(mDetached); + if (CFGetTypeID(mDetached) == CFURLGetTypeID()) { + // URL to destination file + AutoFileDesc fd(cfString(CFURLRef(mDetached.get())), O_WRONLY | O_CREAT | O_TRUNC); + fd.writeAll(*blob); + } else if (CFGetTypeID(mDetached) == CFDataGetTypeID()) { + CFDataAppendBytes(CFMutableDataRef(mDetached.get()), + (const UInt8 *)blob, blob->length()); + } else if (CFGetTypeID(mDetached) == CFNullGetTypeID()) { + SignatureDatabaseWriter db; + db.storeCode(blob, signer.path().c_str()); + } else + assert(false); +} + + +// +// Our DiskRep::signingContext methods communicate with the signing subsystem +// in terms those callers can easily understand. 
+// +string SecCodeSigner::sdkPath(const std::string &path) const +{ + assert(path[0] == '/'); // need absolute path here + if (mSDKRoot) + return cfString(mSDKRoot) + path; + else + return path; +} + +bool SecCodeSigner::isAdhoc() const +{ + return mSigner == SecIdentityRef(kCFNull); +} + +SecCSFlags SecCodeSigner::signingFlags() const +{ + return mOpFlags; +} + + +// +// The actual parsing operation is done in the Parser class. +// +// Note that we need to copy or retain all incoming data. The caller has no requirement +// to keep the parameters dictionary around. +// +SecCodeSigner::Parser::Parser(SecCodeSigner &state, CFDictionaryRef parameters) + : CFDictionary(parameters, errSecCSBadDictionaryFormat) +{ + // the signer may be an identity or null + state.mSigner = SecIdentityRef(get(kSecCodeSignerIdentity)); + if (state.mSigner) + if (CFGetTypeID(state.mSigner) != SecIdentityGetTypeID() && !CFEqual(state.mSigner, kCFNull)) + MacOSError::throwMe(errSecCSInvalidObjectRef); + + // the flags need some augmentation + if (CFNumberRef flags = get(kSecCodeSignerFlags)) { + state.mCdFlagsGiven = true; + state.mCdFlags = cfNumber(flags); + } else + state.mCdFlagsGiven = false; + + // digest algorithms are specified as a numeric code + if (CFNumberRef digestAlgorithm = get(kSecCodeSignerDigestAlgorithm)) + state.mDigestAlgorithm = cfNumber(digestAlgorithm); + + if (CFNumberRef cmsSize = get(CFSTR("cmssize"))) + state.mCMSSize = cfNumber(cmsSize); + else + state.mCMSSize = 9000; // likely big enough + + // metadata preservation options + if (CFNumberRef preserve = get(kSecCodeSignerPreserveMetadata)) { + state.mPreserveMetadata = cfNumber(preserve); + } else + state.mPreserveMetadata = 0; + + // signing time can be a CFDateRef or null + if (CFTypeRef time = get(kSecCodeSignerSigningTime)) { + if (CFGetTypeID(time) == CFDateGetTypeID() || time == kCFNull) + state.mSigningTime = CFDateRef(time); + else + MacOSError::throwMe(errSecCSInvalidObjectRef); + } + + if (CFStringRef 
ident = get(kSecCodeSignerIdentifier)) + state.mIdentifier = cfString(ident); + + if (CFStringRef teamid = get(kSecCodeSignerTeamIdentifier)) + state.mTeamID = cfString(teamid); + + if (CFNumberRef platform = get(kSecCodeSignerPlatformIdentifier)) { + int64_t ident = cfNumber(platform); + if (ident < 0 || ident > maxPlatform) // overflow + MacOSError::throwMe(errSecCSInvalidPlatform); + state.mPlatform = ident; + } + + if (CFStringRef prefix = get(kSecCodeSignerIdentifierPrefix)) + state.mIdentifierPrefix = cfString(prefix); + + // Requirements can be binary or string (to be compiled). + // We must pass them along to the signer for possible text substitution + if (CFTypeRef reqs = get(kSecCodeSignerRequirements)) { + if (CFGetTypeID(reqs) == CFDataGetTypeID() || CFGetTypeID(reqs) == CFStringGetTypeID()) + state.mRequirements = reqs; + else + MacOSError::throwMe(errSecCSInvalidObjectRef); + } else + state.mRequirements = NULL; + + state.mNoMachO = getBool(CFSTR("no-macho")); + + state.mPageSize = get(kSecCodeSignerPageSize); + + // detached can be (destination) file URL or (mutable) Data to be appended-to + if ((state.mDetached = get(kSecCodeSignerDetached))) { + CFTypeID type = CFGetTypeID(state.mDetached); + if (type != CFURLGetTypeID() && type != CFDataGetTypeID() && type != CFNullGetTypeID()) + MacOSError::throwMe(errSecCSInvalidObjectRef); + } + + state.mDryRun = getBool(kSecCodeSignerDryRun); + + state.mResourceRules = get(kSecCodeSignerResourceRules); + + state.mApplicationData = get(kSecCodeSignerApplicationData); + state.mEntitlementData = get(kSecCodeSignerEntitlements); + + state.mSDKRoot = get(kSecCodeSignerSDKRoot); + + if (CFBooleanRef timestampRequest = get(kSecCodeSignerRequireTimestamp)) { + state.mWantTimeStamp = timestampRequest == kCFBooleanTrue; + } else { // pick default + state.mWantTimeStamp = false; + if (state.mSigner && state.mSigner != SecIdentityRef(kCFNull)) { + CFRef signerCert; + 
MacOSError::check(SecIdentityCopyCertificate(state.mSigner, &signerCert.aref()));
+ if (certificateHasField(signerCert, devIdLeafMarkerOID))
+ state.mWantTimeStamp = true;
+ }
+ }
+ state.mTimestampAuthentication = get(kSecCodeSignerTimestampAuthentication);
+ state.mTimestampService = get(kSecCodeSignerTimestampServer);
+ state.mNoTimeStampCerts = getBool(kSecCodeSignerTimestampOmitCertificates);
+}
+
+
+} // end namespace CodeSigning
+} // end namespace Security
diff --git a/OSX/include/security_codesigning/CodeSigner.h b/OSX/include/security_codesigning/CodeSigner.h
new file mode 100644
index 00000000..c17c5801
--- /dev/null
+++ b/OSX/include/security_codesigning/CodeSigner.h
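Review bot: In returnDetachedSignature the trailing `else assert(false);` is the only handling for an unexpected mDetached type, and like the leading `assert(mDetached)` it compiles away under NDEBUG, so a release build would silently discard the detached signature blob instead of failing. Parser already rejects anything other than a URL, mutable Data or kCFNull, so the branch should be unreachable, but a hard failure is the safer shape: `} else MacOSError::throwMe(errSecCSInvalidObjectRef);`. Separately, getTeamIDFromSigner reads the OU from mSigner's own certificate but gates it on `isAppleDeveloperCert(certs)` using the caller-supplied array, so the precondition that `certs` is the chain of mSigner should be stated, e.g. `// certs must be the certificate chain of mSigner; the Apple-developer test is made on that chain, the team ID is read from signerCert`. The private `CFSTR("cmssize")` and `CFSTR("no-macho")` keys and the `9000` fallback in Parser are undocumented and deserve a comment naming who sets them and why that size is the default.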
@@ -0,0 +1,106 @@
+/*
+ * Copyright (c) 2006-2012,2014 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+//
+// CodeSigner - SecCodeSigner API objects
+//
+#ifndef _H_CODESIGNER
+#define _H_CODESIGNER
+
+#include "cs.h"
+#include "StaticCode.h"
+#include "cdbuilder.h"
+#include
+#include
+
+namespace Security {
+namespace CodeSigning {
+
+
+//
+// A SecCode object represents running code in the system. It must be subclassed
+// to implement a particular notion of code.
+//
+class SecCodeSigner : public SecCFObject, public DiskRep::SigningContext {
+ NOCOPY(SecCodeSigner)
+public:
+ class Parser;
+ class Signer;
+
+public:
+ SECCFFUNCTIONS(SecCodeSigner, SecCodeSignerRef, errSecCSInvalidObjectRef, gCFObjects().CodeSigner)
+
+ SecCodeSigner(SecCSFlags flags);
+ virtual ~SecCodeSigner() throw();
+
+ void parameters(CFDictionaryRef args); // parse and set parameters
+ bool valid() const;
+
+ std::string getTeamIDFromSigner(CFArrayRef certs);
+
+ void sign(SecStaticCode *code, SecCSFlags flags);
+ void remove(SecStaticCode *code, SecCSFlags flags);
+
+ void returnDetachedSignature(BlobCore *blob, Signer &signer);
+
+protected:
+ std::string sdkPath(const std::string &path) const;
+ bool isAdhoc() const;
+ SecCSFlags signingFlags() const;
+
+private:
+ // parsed parameter set
+ SecCSFlags mOpFlags; // operation flags
+ CFRef mSigner; // signing identity
+ CFRef mDetached; // detached-signing information (NULL => attached)
+ CFRef mResourceRules; // explicit resource collection rules (override)
+ CFRef mSigningTime; // signing time desired (kCFNull for none)
+ CFRef mApplicationData; // contents of application slot
+ CFRef mEntitlementData; // entitlement configuration data
+ CFRef mSDKRoot; // substitute filesystem root for sub-component lookup
+ CFRef mRequirements; // internal code requirements
+ size_t mCMSSize; // size estimate for CMS blob
+ uint32_t mCdFlags; // CodeDirectory flags
+ uint32_t mPreserveMetadata; // metadata preservation options
+ bool mCdFlagsGiven; // CodeDirectory flags were specified
+ CodeDirectory::HashAlgorithm mDigestAlgorithm; // interior digest (hash) algorithm
+ std::string mIdentifier; // unique identifier override
+ std::string mIdentifierPrefix; // prefix for un-dotted default identifiers
+ std::string mTeamID; // teamID
+ PlatformIdentifier mPlatform; // platform identifier (zero if not platform binary)
+ bool mNoMachO; // override to perform non-Mach-O signing
+ bool mDryRun; // dry run (do not
change target)
+ CFRef mPageSize; // main executable page size
+ CFRef mTimestampAuthentication; // identity for client-side authentication to the Timestamp server
+ CFRef mTimestampService; // URL for Timestamp server
+ bool mWantTimeStamp; // use a Timestamp server
+ bool mNoTimeStampCerts; // don't request certificates with timestamping request
+ LimitedAsync *mLimitedAsync; // limited async workers for verification
+
+};
+
+
+} // end namespace CodeSigning
+} // end namespace Security
+
+#endif // !_H_CODESIGNER
diff --git a/Security/libsecurity_codesigning/lib/CodeSigning.h b/OSX/include/security_codesigning/CodeSigning.h
similarity index 100%
rename from Security/libsecurity_codesigning/lib/CodeSigning.h
rename to OSX/include/security_codesigning/CodeSigning.h
diff --git a/OSX/include/security_codesigning/RequirementKeywords.h b/OSX/include/security_codesigning/RequirementKeywords.h
new file mode 100644
index 00000000..dde80999
--- /dev/null
+++ b/OSX/include/security_codesigning/RequirementKeywords.h
@@ -0,0 +1,25 @@
+ "guest",
+ "host",
+ "designated",
+ "library",
+ "plugin",
+ "or",
+ "and",
+ "always",
+ "true",
+ "never",
+ "false",
+ "identifier",
+ "cdhash",
+ "platform",
+ "anchor",
+ "apple",
+ "generic",
+ "certificate",
+ "cert",
+ "trusted",
+ "info",
+ "entitlement",
+ "exists",
+ "leaf",
+ "root",
diff --git a/OSX/include/security_codesigning/RequirementLexer.cpp b/OSX/include/security_codesigning/RequirementLexer.cpp
new file mode 100644
index 00000000..5ed5abea
--- /dev/null
+++ b/OSX/include/security_codesigning/RequirementLexer.cpp
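Review bot: The class comment above SecCodeSigner in CodeSigner.h describes SecCode ("represents running code in the system ... must be subclassed") and does not match the class it documents, which holds a parsed set of signing parameters and drives signing of a SecStaticCode. Replace it with something like `// A SecCodeSigner holds a parsed signing-parameter set (identity, flags, requirements, detached-signature destination, timestamp options) and signs or strips signatures from SecStaticCode objects through its Signer helper.` The header also declares `void remove(SecStaticCode *code, SecCSFlags flags);` while CodeSigner.cpp in this commit routes removal through `sign()` with kSecCSRemoveSignature; if remove() is not defined elsewhere, the declaration is dead and should be dropped or documented. mLimitedAsync is set to NULL in the constructor and deleted in the destructor but nothing in CodeSigner.cpp assigns it, so the member comment should name who allocates it and that the signer owns it.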
@@ -0,0 +1,1269 @@ +/* $ANTLR 2.7.7 (20121221): "requirements.grammar" -> "RequirementLexer.cpp"$ */ +#include "RequirementLexer.hpp" +#include +#include +#include +#include +#include +#include +#include + + +#include "requirement.h" +#include "reqmaker.h" +#include "csutilities.h" +#include +#include +#include // OID coding +using namespace CodeSigning; +typedef Requirement::Maker Maker; + +ANTLR_BEGIN_NAMESPACE(Security_CodeSigning) +RequirementLexer::RequirementLexer(std::istream& in) + : antlr::CharScanner(new antlr::CharBuffer(in),true) +{ + initLiterals(); +} + +RequirementLexer::RequirementLexer(antlr::InputBuffer& ib) + : antlr::CharScanner(ib,true) +{ + initLiterals(); +} + +RequirementLexer::RequirementLexer(const antlr::LexerSharedInputState& state) + : antlr::CharScanner(state,true) +{ + initLiterals(); +} + +void RequirementLexer::initLiterals() +{ + literals["certificate"] = 25; + literals["always"] = 15; + literals["host"] = 6; + literals["guest"] = 5; + literals["cdhash"] = 20; + literals["entitlement"] = 29; + literals["library"] = 8; + literals["never"] = 17; + literals["cert"] = 26; + literals["plugin"] = 9; + literals["or"] = 10; + literals["leaf"] = 42; + literals["info"] = 28; + literals["designated"] = 7; + literals["apple"] = 23; + literals["trusted"] = 27; + literals["true"] = 16; + literals["and"] = 11; + literals["root"] = 43; + literals["platform"] = 21; + literals["anchor"] = 22; + literals["false"] = 18; + literals["generic"] = 24; + literals["identifier"] = 19; + literals["exists"] = 30; +} + +antlr::RefToken RequirementLexer::nextToken() +{ + antlr::RefToken theRetToken; + for (;;) { + antlr::RefToken theRetToken; + int _ttype = antlr::Token::INVALID_TYPE; + resetText(); + try { // for lexical and char stream error handling + switch ( LA(1)) { + case 0x22 /* '\"' */ : + { + mSTRING(true); + theRetToken=_returnToken; + break; + } + case 0x3b /* ';' */ : + { + mSEMI(true); + theRetToken=_returnToken; + break; + } + case 0x28 /* '(' */ 
: + { + mLPAREN(true); + theRetToken=_returnToken; + break; + } + case 0x29 /* ')' */ : + { + mRPAREN(true); + theRetToken=_returnToken; + break; + } + case 0x5b /* '[' */ : + { + mLBRACK(true); + theRetToken=_returnToken; + break; + } + case 0x5d /* ']' */ : + { + mRBRACK(true); + theRetToken=_returnToken; + break; + } + case 0x2c /* ',' */ : + { + mCOMMA(true); + theRetToken=_returnToken; + break; + } + case 0x7e /* '~' */ : + { + mSUBS(true); + theRetToken=_returnToken; + break; + } + case 0x2d /* '-' */ : + { + mNEG(true); + theRetToken=_returnToken; + break; + } + case 0x21 /* '!' */ : + { + mNOT(true); + theRetToken=_returnToken; + break; + } + case 0x2a /* '*' */ : + { + mSTAR(true); + theRetToken=_returnToken; + break; + } + case 0x9 /* '\t' */ : + case 0xa /* '\n' */ : + case 0x20 /* ' ' */ : + { + mWS(true); + theRetToken=_returnToken; + break; + } + case 0x23 /* '#' */ : + { + mSHELLCOMMENT(true); + theRetToken=_returnToken; + break; + } + default: + if ((LA(1) == 0x2f /* '/' */ ) && (_tokenSet_0.member(LA(2)))) { + mPATHNAME(true); + theRetToken=_returnToken; + } + else if ((LA(1) == 0x48 /* 'H' */ ) && (LA(2) == 0x22 /* '\"' */ )) { + mHASHCONSTANT(true); + theRetToken=_returnToken; + } + else if ((LA(1) == 0x30 /* '0' */ ) && (LA(2) == 0x78 /* 'x' */ )) { + mHEXCONSTANT(true); + theRetToken=_returnToken; + } + else if ((LA(1) == 0x3d /* '=' */ ) && (LA(2) == 0x3e /* '>' */ )) { + mARROW(true); + theRetToken=_returnToken; + } + else if ((LA(1) == 0x3c /* '<' */ ) && (LA(2) == 0x3d /* '=' */ )) { + mLE(true); + theRetToken=_returnToken; + } + else if ((LA(1) == 0x3e /* '>' */ ) && (LA(2) == 0x3d /* '=' */ )) { + mGE(true); + theRetToken=_returnToken; + } + else if ((LA(1) == 0x3d /* '=' */ ) && (LA(2) == 0x3d /* '=' */ )) { + mEQQL(true); + theRetToken=_returnToken; + } + else if ((LA(1) == 0x2f /* '/' */ ) && (LA(2) == 0x2a /* '*' */ )) { + mC_COMMENT(true); + theRetToken=_returnToken; + } + else if ((LA(1) == 0x2f /* '/' */ ) && (LA(2) == 0x2f /* '/' 
*/ )) { + mCPP_COMMENT(true); + theRetToken=_returnToken; + } + else if ((_tokenSet_0.member(LA(1))) && (true)) { + mDOTKEY(true); + theRetToken=_returnToken; + } + else if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ )) && (true)) { + mINTEGER(true); + theRetToken=_returnToken; + } + else if ((LA(1) == 0x3c /* '<' */ ) && (true)) { + mLESS(true); + theRetToken=_returnToken; + } + else if ((LA(1) == 0x3e /* '>' */ ) && (true)) { + mGT(true); + theRetToken=_returnToken; + } + else if ((LA(1) == 0x3d /* '=' */ ) && (true)) { + mEQL(true); + theRetToken=_returnToken; + } + else { + if (LA(1)==EOF_CHAR) + { + uponEOF(); + _returnToken = makeToken(antlr::Token::EOF_TYPE); + } + else {throw antlr::NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} + } + } + if ( !_returnToken ) + goto tryAgain; // found SKIP token + + _ttype = _returnToken->getType(); + _returnToken->setType(_ttype); + return _returnToken; + } + catch (antlr::RecognitionException& e) { + throw antlr::TokenStreamRecognitionException(e); + } + catch (antlr::CharStreamIOException& csie) { + throw antlr::TokenStreamIOException(csie.io); + } + catch (antlr::CharStreamException& cse) { + throw antlr::TokenStreamException(cse.getMessage()); + } +tryAgain:; + } +} + +void RequirementLexer::mIDENT(bool _createToken) { + int _ttype; antlr::RefToken _token; std::string::size_type _begin = text.length(); + _ttype = IDENT; + std::string::size_type _saveIndex; + + { + switch ( LA(1)) { + case 0x41 /* 'A' */ : + case 0x42 /* 'B' */ : + case 0x43 /* 'C' */ : + case 0x44 /* 'D' */ : + case 0x45 /* 'E' */ : + case 0x46 /* 'F' */ : + case 0x47 /* 'G' */ : + case 0x48 /* 'H' */ : + case 0x49 /* 'I' */ : + case 0x4a /* 'J' */ : + case 0x4b /* 'K' */ : + case 0x4c /* 'L' */ : + case 0x4d /* 'M' */ : + case 0x4e /* 'N' */ : + case 0x4f /* 'O' */ : + case 0x50 /* 'P' */ : + case 0x51 /* 'Q' */ : + case 0x52 /* 'R' */ : + case 0x53 /* 'S' */ : + case 0x54 /* 'T' */ : + case 0x55 /* 'U' */ : + 
case 0x56 /* 'V' */ : + case 0x57 /* 'W' */ : + case 0x58 /* 'X' */ : + case 0x59 /* 'Y' */ : + case 0x5a /* 'Z' */ : + { + matchRange('A','Z'); + break; + } + case 0x61 /* 'a' */ : + case 0x62 /* 'b' */ : + case 0x63 /* 'c' */ : + case 0x64 /* 'd' */ : + case 0x65 /* 'e' */ : + case 0x66 /* 'f' */ : + case 0x67 /* 'g' */ : + case 0x68 /* 'h' */ : + case 0x69 /* 'i' */ : + case 0x6a /* 'j' */ : + case 0x6b /* 'k' */ : + case 0x6c /* 'l' */ : + case 0x6d /* 'm' */ : + case 0x6e /* 'n' */ : + case 0x6f /* 'o' */ : + case 0x70 /* 'p' */ : + case 0x71 /* 'q' */ : + case 0x72 /* 'r' */ : + case 0x73 /* 's' */ : + case 0x74 /* 't' */ : + case 0x75 /* 'u' */ : + case 0x76 /* 'v' */ : + case 0x77 /* 'w' */ : + case 0x78 /* 'x' */ : + case 0x79 /* 'y' */ : + case 0x7a /* 'z' */ : + { + matchRange('a','z'); + break; + } + default: + { + throw antlr::NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn()); + } + } + } + { // ( ... )* + for (;;) { + switch ( LA(1)) { + case 0x41 /* 'A' */ : + case 0x42 /* 'B' */ : + case 0x43 /* 'C' */ : + case 0x44 /* 'D' */ : + case 0x45 /* 'E' */ : + case 0x46 /* 'F' */ : + case 0x47 /* 'G' */ : + case 0x48 /* 'H' */ : + case 0x49 /* 'I' */ : + case 0x4a /* 'J' */ : + case 0x4b /* 'K' */ : + case 0x4c /* 'L' */ : + case 0x4d /* 'M' */ : + case 0x4e /* 'N' */ : + case 0x4f /* 'O' */ : + case 0x50 /* 'P' */ : + case 0x51 /* 'Q' */ : + case 0x52 /* 'R' */ : + case 0x53 /* 'S' */ : + case 0x54 /* 'T' */ : + case 0x55 /* 'U' */ : + case 0x56 /* 'V' */ : + case 0x57 /* 'W' */ : + case 0x58 /* 'X' */ : + case 0x59 /* 'Y' */ : + case 0x5a /* 'Z' */ : + { + matchRange('A','Z'); + break; + } + case 0x61 /* 'a' */ : + case 0x62 /* 'b' */ : + case 0x63 /* 'c' */ : + case 0x64 /* 'd' */ : + case 0x65 /* 'e' */ : + case 0x66 /* 'f' */ : + case 0x67 /* 'g' */ : + case 0x68 /* 'h' */ : + case 0x69 /* 'i' */ : + case 0x6a /* 'j' */ : + case 0x6b /* 'k' */ : + case 0x6c /* 'l' */ : + case 0x6d /* 'm' */ : + case 0x6e /* 'n' */ : + case 0x6f 
/* 'o' */ : + case 0x70 /* 'p' */ : + case 0x71 /* 'q' */ : + case 0x72 /* 'r' */ : + case 0x73 /* 's' */ : + case 0x74 /* 't' */ : + case 0x75 /* 'u' */ : + case 0x76 /* 'v' */ : + case 0x77 /* 'w' */ : + case 0x78 /* 'x' */ : + case 0x79 /* 'y' */ : + case 0x7a /* 'z' */ : + { + matchRange('a','z'); + break; + } + case 0x30 /* '0' */ : + case 0x31 /* '1' */ : + case 0x32 /* '2' */ : + case 0x33 /* '3' */ : + case 0x34 /* '4' */ : + case 0x35 /* '5' */ : + case 0x36 /* '6' */ : + case 0x37 /* '7' */ : + case 0x38 /* '8' */ : + case 0x39 /* '9' */ : + { + matchRange('0','9'); + break; + } + default: + { + goto _loop47; + } + } + } + _loop47:; + } // ( ... )* + _ttype = testLiteralsTable(text.substr(_begin, text.length()-_begin),_ttype); + if ( _createToken && _token==antlr::nullToken && _ttype!=antlr::Token::SKIP ) { + _token = makeToken(_ttype); + _token->setText(text.substr(_begin, text.length()-_begin)); + } + _returnToken = _token; + _saveIndex=0; +} + +void RequirementLexer::mDOTKEY(bool _createToken) { + int _ttype; antlr::RefToken _token; std::string::size_type _begin = text.length(); + _ttype = DOTKEY; + std::string::size_type _saveIndex; + + mIDENT(false); + { // ( ... )* + for (;;) { + if ((LA(1) == 0x2e /* '.' 
*/ )) { + match("."); + { + switch ( LA(1)) { + case 0x41 /* 'A' */ : + case 0x42 /* 'B' */ : + case 0x43 /* 'C' */ : + case 0x44 /* 'D' */ : + case 0x45 /* 'E' */ : + case 0x46 /* 'F' */ : + case 0x47 /* 'G' */ : + case 0x48 /* 'H' */ : + case 0x49 /* 'I' */ : + case 0x4a /* 'J' */ : + case 0x4b /* 'K' */ : + case 0x4c /* 'L' */ : + case 0x4d /* 'M' */ : + case 0x4e /* 'N' */ : + case 0x4f /* 'O' */ : + case 0x50 /* 'P' */ : + case 0x51 /* 'Q' */ : + case 0x52 /* 'R' */ : + case 0x53 /* 'S' */ : + case 0x54 /* 'T' */ : + case 0x55 /* 'U' */ : + case 0x56 /* 'V' */ : + case 0x57 /* 'W' */ : + case 0x58 /* 'X' */ : + case 0x59 /* 'Y' */ : + case 0x5a /* 'Z' */ : + case 0x61 /* 'a' */ : + case 0x62 /* 'b' */ : + case 0x63 /* 'c' */ : + case 0x64 /* 'd' */ : + case 0x65 /* 'e' */ : + case 0x66 /* 'f' */ : + case 0x67 /* 'g' */ : + case 0x68 /* 'h' */ : + case 0x69 /* 'i' */ : + case 0x6a /* 'j' */ : + case 0x6b /* 'k' */ : + case 0x6c /* 'l' */ : + case 0x6d /* 'm' */ : + case 0x6e /* 'n' */ : + case 0x6f /* 'o' */ : + case 0x70 /* 'p' */ : + case 0x71 /* 'q' */ : + case 0x72 /* 'r' */ : + case 0x73 /* 's' */ : + case 0x74 /* 't' */ : + case 0x75 /* 'u' */ : + case 0x76 /* 'v' */ : + case 0x77 /* 'w' */ : + case 0x78 /* 'x' */ : + case 0x79 /* 'y' */ : + case 0x7a /* 'z' */ : + { + mIDENT(false); + break; + } + case 0x30 /* '0' */ : + case 0x31 /* '1' */ : + case 0x32 /* '2' */ : + case 0x33 /* '3' */ : + case 0x34 /* '4' */ : + case 0x35 /* '5' */ : + case 0x36 /* '6' */ : + case 0x37 /* '7' */ : + case 0x38 /* '8' */ : + case 0x39 /* '9' */ : + { + mINTEGER(false); + break; + } + default: + { + throw antlr::NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn()); + } + } + } + } + else { + goto _loop51; + } + + } + _loop51:; + } // ( ... 
)* + _ttype = testLiteralsTable(_ttype); + if ( _createToken && _token==antlr::nullToken && _ttype!=antlr::Token::SKIP ) { + _token = makeToken(_ttype); + _token->setText(text.substr(_begin, text.length()-_begin)); + } + _returnToken = _token; + _saveIndex=0; +} + +void RequirementLexer::mINTEGER(bool _createToken) { + int _ttype; antlr::RefToken _token; std::string::size_type _begin = text.length(); + _ttype = INTEGER; + std::string::size_type _saveIndex; + + { // ( ... )+ + int _cnt69=0; + for (;;) { + if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) { + matchRange('0','9'); + } + else { + if ( _cnt69>=1 ) { goto _loop69; } else {throw antlr::NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} + } + + _cnt69++; + } + _loop69:; + } // ( ... )+ + if ( _createToken && _token==antlr::nullToken && _ttype!=antlr::Token::SKIP ) { + _token = makeToken(_ttype); + _token->setText(text.substr(_begin, text.length()-_begin)); + } + _returnToken = _token; + _saveIndex=0; +} + +void RequirementLexer::mPATHNAME(bool _createToken) { + int _ttype; antlr::RefToken _token; std::string::size_type _begin = text.length(); + _ttype = PATHNAME; + std::string::size_type _saveIndex; + + match("/"); + mIDENT(false); + { // ( ... )+ + int _cnt54=0; + for (;;) { + if ((LA(1) == 0x2f /* '/' */ )) { + match("/"); + mIDENT(false); + } + else { + if ( _cnt54>=1 ) { goto _loop54; } else {throw antlr::NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} + } + + _cnt54++; + } + _loop54:; + } // ( ... 
)+ + if ( _createToken && _token==antlr::nullToken && _ttype!=antlr::Token::SKIP ) { + _token = makeToken(_ttype); + _token->setText(text.substr(_begin, text.length()-_begin)); + } + _returnToken = _token; + _saveIndex=0; +} + +void RequirementLexer::mHASHCONSTANT(bool _createToken) { + int _ttype; antlr::RefToken _token; std::string::size_type _begin = text.length(); + _ttype = HASHCONSTANT; + std::string::size_type _saveIndex; + + _saveIndex = text.length(); + match('H' /* charlit */ ); + text.erase(_saveIndex); + _saveIndex = text.length(); + match('\"' /* charlit */ ); + text.erase(_saveIndex); + { // ( ... )+ + int _cnt57=0; + for (;;) { + if ((_tokenSet_1.member(LA(1)))) { + mHEX(false); + } + else { + if ( _cnt57>=1 ) { goto _loop57; } else {throw antlr::NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} + } + + _cnt57++; + } + _loop57:; + } // ( ... )+ + _saveIndex = text.length(); + match('\"' /* charlit */ ); + text.erase(_saveIndex); + if ( _createToken && _token==antlr::nullToken && _ttype!=antlr::Token::SKIP ) { + _token = makeToken(_ttype); + _token->setText(text.substr(_begin, text.length()-_begin)); + } + _returnToken = _token; + _saveIndex=0; +} + +void RequirementLexer::mHEX(bool _createToken) { + int _ttype; antlr::RefToken _token; std::string::size_type _begin = text.length(); + _ttype = HEX; + std::string::size_type _saveIndex; + + switch ( LA(1)) { + case 0x30 /* '0' */ : + case 0x31 /* '1' */ : + case 0x32 /* '2' */ : + case 0x33 /* '3' */ : + case 0x34 /* '4' */ : + case 0x35 /* '5' */ : + case 0x36 /* '6' */ : + case 0x37 /* '7' */ : + case 0x38 /* '8' */ : + case 0x39 /* '9' */ : + { + matchRange('0','9'); + break; + } + case 0x61 /* 'a' */ : + case 0x62 /* 'b' */ : + case 0x63 /* 'c' */ : + case 0x64 /* 'd' */ : + case 0x65 /* 'e' */ : + case 0x66 /* 'f' */ : + { + matchRange('a','f'); + break; + } + case 0x41 /* 'A' */ : + case 0x42 /* 'B' */ : + case 0x43 /* 'C' */ : + case 0x44 /* 'D' */ : + case 0x45 /* 'E' */ 
: + case 0x46 /* 'F' */ : + { + matchRange('A','F'); + break; + } + default: + { + throw antlr::NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn()); + } + } + if ( _createToken && _token==antlr::nullToken && _ttype!=antlr::Token::SKIP ) { + _token = makeToken(_ttype); + _token->setText(text.substr(_begin, text.length()-_begin)); + } + _returnToken = _token; + _saveIndex=0; +} + +void RequirementLexer::mHEXCONSTANT(bool _createToken) { + int _ttype; antlr::RefToken _token; std::string::size_type _begin = text.length(); + _ttype = HEXCONSTANT; + std::string::size_type _saveIndex; + + _saveIndex = text.length(); + match('0' /* charlit */ ); + text.erase(_saveIndex); + _saveIndex = text.length(); + match('x' /* charlit */ ); + text.erase(_saveIndex); + { // ( ... )+ + int _cnt60=0; + for (;;) { + if ((_tokenSet_1.member(LA(1)))) { + mHEX(false); + } + else { + if ( _cnt60>=1 ) { goto _loop60; } else {throw antlr::NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} + } + + _cnt60++; + } + _loop60:; + } // ( ... )+ + if ( _createToken && _token==antlr::nullToken && _ttype!=antlr::Token::SKIP ) { + _token = makeToken(_ttype); + _token->setText(text.substr(_begin, text.length()-_begin)); + } + _returnToken = _token; + _saveIndex=0; +} + +void RequirementLexer::mSTRING(bool _createToken) { + int _ttype; antlr::RefToken _token; std::string::size_type _begin = text.length(); + _ttype = STRING; + std::string::size_type _saveIndex; + + _saveIndex = text.length(); + match('\"' /* charlit */ ); + text.erase(_saveIndex); + { // ( ... 
)* + for (;;) { + switch ( LA(1)) { + case 0x5c /* '\\' */ : + { + { + _saveIndex = text.length(); + match('\\' /* charlit */ ); + text.erase(_saveIndex); + match('\"' /* charlit */ ); + } + break; + } + case 0x0 /* '\0' */ : + case 0x1 /* '\1' */ : + case 0x2 /* '\2' */ : + case 0x3 /* '\3' */ : + case 0x4 /* '\4' */ : + case 0x5 /* '\5' */ : + case 0x6 /* '\6' */ : + case 0x7 /* '\7' */ : + case 0x8 /* '\10' */ : + case 0x9 /* '\t' */ : + case 0xa /* '\n' */ : + case 0xb /* '\13' */ : + case 0xc /* '\14' */ : + case 0xd /* '\r' */ : + case 0xe /* '\16' */ : + case 0xf /* '\17' */ : + case 0x10 /* '\20' */ : + case 0x11 /* '\21' */ : + case 0x12 /* '\22' */ : + case 0x13 /* '\23' */ : + case 0x14 /* '\24' */ : + case 0x15 /* '\25' */ : + case 0x16 /* '\26' */ : + case 0x17 /* '\27' */ : + case 0x18 /* '\30' */ : + case 0x19 /* '\31' */ : + case 0x1a /* '\32' */ : + case 0x1b /* '\33' */ : + case 0x1c /* '\34' */ : + case 0x1d /* '\35' */ : + case 0x1e /* '\36' */ : + case 0x1f /* '\37' */ : + case 0x20 /* ' ' */ : + case 0x21 /* '!' */ : + case 0x23 /* '#' */ : + case 0x24 /* '$' */ : + case 0x25 /* '%' */ : + case 0x26 /* '&' */ : + case 0x27 /* '\'' */ : + case 0x28 /* '(' */ : + case 0x29 /* ')' */ : + case 0x2a /* '*' */ : + case 0x2b /* '+' */ : + case 0x2c /* ',' */ : + case 0x2d /* '-' */ : + case 0x2e /* '.' */ : + case 0x2f /* '/' */ : + case 0x30 /* '0' */ : + case 0x31 /* '1' */ : + case 0x32 /* '2' */ : + case 0x33 /* '3' */ : + case 0x34 /* '4' */ : + case 0x35 /* '5' */ : + case 0x36 /* '6' */ : + case 0x37 /* '7' */ : + case 0x38 /* '8' */ : + case 0x39 /* '9' */ : + case 0x3a /* ':' */ : + case 0x3b /* ';' */ : + case 0x3c /* '<' */ : + case 0x3d /* '=' */ : + case 0x3e /* '>' */ : + case 0x3f /* '?' 
*/ : + case 0x40 /* '@' */ : + case 0x41 /* 'A' */ : + case 0x42 /* 'B' */ : + case 0x43 /* 'C' */ : + case 0x44 /* 'D' */ : + case 0x45 /* 'E' */ : + case 0x46 /* 'F' */ : + case 0x47 /* 'G' */ : + case 0x48 /* 'H' */ : + case 0x49 /* 'I' */ : + case 0x4a /* 'J' */ : + case 0x4b /* 'K' */ : + case 0x4c /* 'L' */ : + case 0x4d /* 'M' */ : + case 0x4e /* 'N' */ : + case 0x4f /* 'O' */ : + case 0x50 /* 'P' */ : + case 0x51 /* 'Q' */ : + case 0x52 /* 'R' */ : + case 0x53 /* 'S' */ : + case 0x54 /* 'T' */ : + case 0x55 /* 'U' */ : + case 0x56 /* 'V' */ : + case 0x57 /* 'W' */ : + case 0x58 /* 'X' */ : + case 0x59 /* 'Y' */ : + case 0x5a /* 'Z' */ : + case 0x5b /* '[' */ : + case 0x5d /* ']' */ : + case 0x5e /* '^' */ : + case 0x5f /* '_' */ : + case 0x60 /* '`' */ : + case 0x61 /* 'a' */ : + case 0x62 /* 'b' */ : + case 0x63 /* 'c' */ : + case 0x64 /* 'd' */ : + case 0x65 /* 'e' */ : + case 0x66 /* 'f' */ : + case 0x67 /* 'g' */ : + case 0x68 /* 'h' */ : + case 0x69 /* 'i' */ : + case 0x6a /* 'j' */ : + case 0x6b /* 'k' */ : + case 0x6c /* 'l' */ : + case 0x6d /* 'm' */ : + case 0x6e /* 'n' */ : + case 0x6f /* 'o' */ : + case 0x70 /* 'p' */ : + case 0x71 /* 'q' */ : + case 0x72 /* 'r' */ : + case 0x73 /* 's' */ : + case 0x74 /* 't' */ : + case 0x75 /* 'u' */ : + case 0x76 /* 'v' */ : + case 0x77 /* 'w' */ : + case 0x78 /* 'x' */ : + case 0x79 /* 'y' */ : + case 0x7a /* 'z' */ : + case 0x7b /* '{' */ : + case 0x7c /* '|' */ : + case 0x7d /* '}' */ : + case 0x7e /* '~' */ : + case 0x7f: + { + { + { + match(_tokenSet_2); + } + } + break; + } + default: + { + goto _loop66; + } + } + } + _loop66:; + } // ( ... 
)* + _saveIndex = text.length(); + match('\"' /* charlit */ ); + text.erase(_saveIndex); + if ( _createToken && _token==antlr::nullToken && _ttype!=antlr::Token::SKIP ) { + _token = makeToken(_ttype); + _token->setText(text.substr(_begin, text.length()-_begin)); + } + _returnToken = _token; + _saveIndex=0; +} + +void RequirementLexer::mARROW(bool _createToken) { + int _ttype; antlr::RefToken _token; std::string::size_type _begin = text.length(); + _ttype = ARROW; + std::string::size_type _saveIndex; + + match("=>"); + if ( _createToken && _token==antlr::nullToken && _ttype!=antlr::Token::SKIP ) { + _token = makeToken(_ttype); + _token->setText(text.substr(_begin, text.length()-_begin)); + } + _returnToken = _token; + _saveIndex=0; +} + +void RequirementLexer::mSEMI(bool _createToken) { + int _ttype; antlr::RefToken _token; std::string::size_type _begin = text.length(); + _ttype = SEMI; + std::string::size_type _saveIndex; + + match(';' /* charlit */ ); + if ( _createToken && _token==antlr::nullToken && _ttype!=antlr::Token::SKIP ) { + _token = makeToken(_ttype); + _token->setText(text.substr(_begin, text.length()-_begin)); + } + _returnToken = _token; + _saveIndex=0; +} + +void RequirementLexer::mLPAREN(bool _createToken) { + int _ttype; antlr::RefToken _token; std::string::size_type _begin = text.length(); + _ttype = LPAREN; + std::string::size_type _saveIndex; + + match('(' /* charlit */ ); + if ( _createToken && _token==antlr::nullToken && _ttype!=antlr::Token::SKIP ) { + _token = makeToken(_ttype); + _token->setText(text.substr(_begin, text.length()-_begin)); + } + _returnToken = _token; + _saveIndex=0; +} + +void RequirementLexer::mRPAREN(bool _createToken) { + int _ttype; antlr::RefToken _token; std::string::size_type _begin = text.length(); + _ttype = RPAREN; + std::string::size_type _saveIndex; + + match(')' /* charlit */ ); + if ( _createToken && _token==antlr::nullToken && _ttype!=antlr::Token::SKIP ) { + _token = makeToken(_ttype); + 
_token->setText(text.substr(_begin, text.length()-_begin)); + } + _returnToken = _token; + _saveIndex=0; +} + +void RequirementLexer::mLBRACK(bool _createToken) { + int _ttype; antlr::RefToken _token; std::string::size_type _begin = text.length(); + _ttype = LBRACK; + std::string::size_type _saveIndex; + + match('[' /* charlit */ ); + if ( _createToken && _token==antlr::nullToken && _ttype!=antlr::Token::SKIP ) { + _token = makeToken(_ttype); + _token->setText(text.substr(_begin, text.length()-_begin)); + } + _returnToken = _token; + _saveIndex=0; +} + +void RequirementLexer::mRBRACK(bool _createToken) { + int _ttype; antlr::RefToken _token; std::string::size_type _begin = text.length(); + _ttype = RBRACK; + std::string::size_type _saveIndex; + + match(']' /* charlit */ ); + if ( _createToken && _token==antlr::nullToken && _ttype!=antlr::Token::SKIP ) { + _token = makeToken(_ttype); + _token->setText(text.substr(_begin, text.length()-_begin)); + } + _returnToken = _token; + _saveIndex=0; +} + +void RequirementLexer::mLESS(bool _createToken) { + int _ttype; antlr::RefToken _token; std::string::size_type _begin = text.length(); + _ttype = LESS; + std::string::size_type _saveIndex; + + match('<' /* charlit */ ); + if ( _createToken && _token==antlr::nullToken && _ttype!=antlr::Token::SKIP ) { + _token = makeToken(_ttype); + _token->setText(text.substr(_begin, text.length()-_begin)); + } + _returnToken = _token; + _saveIndex=0; +} + +void RequirementLexer::mGT(bool _createToken) { + int _ttype; antlr::RefToken _token; std::string::size_type _begin = text.length(); + _ttype = GT; + std::string::size_type _saveIndex; + + match('>' /* charlit */ ); + if ( _createToken && _token==antlr::nullToken && _ttype!=antlr::Token::SKIP ) { + _token = makeToken(_ttype); + _token->setText(text.substr(_begin, text.length()-_begin)); + } + _returnToken = _token; + _saveIndex=0; +} + +void RequirementLexer::mLE(bool _createToken) { + int _ttype; antlr::RefToken _token; 
std::string::size_type _begin = text.length(); + _ttype = LE; + std::string::size_type _saveIndex; + + match("<="); + if ( _createToken && _token==antlr::nullToken && _ttype!=antlr::Token::SKIP ) { + _token = makeToken(_ttype); + _token->setText(text.substr(_begin, text.length()-_begin)); + } + _returnToken = _token; + _saveIndex=0; +} + +void RequirementLexer::mGE(bool _createToken) { + int _ttype; antlr::RefToken _token; std::string::size_type _begin = text.length(); + _ttype = GE; + std::string::size_type _saveIndex; + + match(">="); + if ( _createToken && _token==antlr::nullToken && _ttype!=antlr::Token::SKIP ) { + _token = makeToken(_ttype); + _token->setText(text.substr(_begin, text.length()-_begin)); + } + _returnToken = _token; + _saveIndex=0; +} + +void RequirementLexer::mCOMMA(bool _createToken) { + int _ttype; antlr::RefToken _token; std::string::size_type _begin = text.length(); + _ttype = COMMA; + std::string::size_type _saveIndex; + + match(',' /* charlit */ ); + if ( _createToken && _token==antlr::nullToken && _ttype!=antlr::Token::SKIP ) { + _token = makeToken(_ttype); + _token->setText(text.substr(_begin, text.length()-_begin)); + } + _returnToken = _token; + _saveIndex=0; +} + +void RequirementLexer::mEQL(bool _createToken) { + int _ttype; antlr::RefToken _token; std::string::size_type _begin = text.length(); + _ttype = EQL; + std::string::size_type _saveIndex; + + match('=' /* charlit */ ); + if ( _createToken && _token==antlr::nullToken && _ttype!=antlr::Token::SKIP ) { + _token = makeToken(_ttype); + _token->setText(text.substr(_begin, text.length()-_begin)); + } + _returnToken = _token; + _saveIndex=0; +} + +void RequirementLexer::mEQQL(bool _createToken) { + int _ttype; antlr::RefToken _token; std::string::size_type _begin = text.length(); + _ttype = EQQL; + std::string::size_type _saveIndex; + + match("=="); + if ( _createToken && _token==antlr::nullToken && _ttype!=antlr::Token::SKIP ) { + _token = makeToken(_ttype); + 
_token->setText(text.substr(_begin, text.length()-_begin)); + } + _returnToken = _token; + _saveIndex=0; +} + +void RequirementLexer::mSUBS(bool _createToken) { + int _ttype; antlr::RefToken _token; std::string::size_type _begin = text.length(); + _ttype = SUBS; + std::string::size_type _saveIndex; + + match('~' /* charlit */ ); + if ( _createToken && _token==antlr::nullToken && _ttype!=antlr::Token::SKIP ) { + _token = makeToken(_ttype); + _token->setText(text.substr(_begin, text.length()-_begin)); + } + _returnToken = _token; + _saveIndex=0; +} + +void RequirementLexer::mNEG(bool _createToken) { + int _ttype; antlr::RefToken _token; std::string::size_type _begin = text.length(); + _ttype = NEG; + std::string::size_type _saveIndex; + + match('-' /* charlit */ ); + if ( _createToken && _token==antlr::nullToken && _ttype!=antlr::Token::SKIP ) { + _token = makeToken(_ttype); + _token->setText(text.substr(_begin, text.length()-_begin)); + } + _returnToken = _token; + _saveIndex=0; +} + +void RequirementLexer::mNOT(bool _createToken) { + int _ttype; antlr::RefToken _token; std::string::size_type _begin = text.length(); + _ttype = NOT; + std::string::size_type _saveIndex; + + match('!' 
/* charlit */ ); + if ( _createToken && _token==antlr::nullToken && _ttype!=antlr::Token::SKIP ) { + _token = makeToken(_ttype); + _token->setText(text.substr(_begin, text.length()-_begin)); + } + _returnToken = _token; + _saveIndex=0; +} + +void RequirementLexer::mSTAR(bool _createToken) { + int _ttype; antlr::RefToken _token; std::string::size_type _begin = text.length(); + _ttype = STAR; + std::string::size_type _saveIndex; + + match('*' /* charlit */ ); + if ( _createToken && _token==antlr::nullToken && _ttype!=antlr::Token::SKIP ) { + _token = makeToken(_ttype); + _token->setText(text.substr(_begin, text.length()-_begin)); + } + _returnToken = _token; + _saveIndex=0; +} + +void RequirementLexer::mWS(bool _createToken) { + int _ttype; antlr::RefToken _token; std::string::size_type _begin = text.length(); + _ttype = WS; + std::string::size_type _saveIndex; + + { // ( ... )+ + int _cnt90=0; + for (;;) { + switch ( LA(1)) { + case 0x20 /* ' ' */ : + { + match(' ' /* charlit */ ); + break; + } + case 0xa /* '\n' */ : + { + match('\n' /* charlit */ ); + newline(); + break; + } + case 0x9 /* '\t' */ : + { + match('\t' /* charlit */ ); + break; + } + default: + { + if ( _cnt90>=1 ) { goto _loop90; } else {throw antlr::NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());} + } + } + _cnt90++; + } + _loop90:; + } // ( ... )+ + _ttype = antlr::Token::SKIP; + if ( _createToken && _token==antlr::nullToken && _ttype!=antlr::Token::SKIP ) { + _token = makeToken(_ttype); + _token->setText(text.substr(_begin, text.length()-_begin)); + } + _returnToken = _token; + _saveIndex=0; +} + +void RequirementLexer::mSHELLCOMMENT(bool _createToken) { + int _ttype; antlr::RefToken _token; std::string::size_type _begin = text.length(); + _ttype = SHELLCOMMENT; + std::string::size_type _saveIndex; + + match('#' /* charlit */ ); + { // ( ... 
)* + for (;;) { + if ((_tokenSet_3.member(LA(1)))) { + matchNot('\n' /* charlit */ ); + } + else { + goto _loop93; + } + + } + _loop93:; + } // ( ... )* + _ttype = antlr::Token::SKIP; + if ( _createToken && _token==antlr::nullToken && _ttype!=antlr::Token::SKIP ) { + _token = makeToken(_ttype); + _token->setText(text.substr(_begin, text.length()-_begin)); + } + _returnToken = _token; + _saveIndex=0; +} + +void RequirementLexer::mC_COMMENT(bool _createToken) { + int _ttype; antlr::RefToken _token; std::string::size_type _begin = text.length(); + _ttype = C_COMMENT; + std::string::size_type _saveIndex; + + match("/*"); + { // ( ... )* + for (;;) { + if ((LA(1) == 0x2a /* '*' */ ) && (_tokenSet_4.member(LA(2)))) { + { + match('*' /* charlit */ ); + { + matchNot('/' /* charlit */ ); + } + } + } + else if ((_tokenSet_5.member(LA(1)))) { + { + matchNot('*' /* charlit */ ); + } + } + else { + goto _loop99; + } + + } + _loop99:; + } // ( ... )* + match("*/"); + _ttype = antlr::Token::SKIP; + if ( _createToken && _token==antlr::nullToken && _ttype!=antlr::Token::SKIP ) { + _token = makeToken(_ttype); + _token->setText(text.substr(_begin, text.length()-_begin)); + } + _returnToken = _token; + _saveIndex=0; +} + +void RequirementLexer::mCPP_COMMENT(bool _createToken) { + int _ttype; antlr::RefToken _token; std::string::size_type _begin = text.length(); + _ttype = CPP_COMMENT; + std::string::size_type _saveIndex; + + match("//"); + { // ( ... )* + for (;;) { + if ((_tokenSet_3.member(LA(1)))) { + matchNot('\n' /* charlit */ ); + } + else { + goto _loop102; + } + + } + _loop102:; + } // ( ... 
)* + _ttype = antlr::Token::SKIP; + if ( _createToken && _token==antlr::nullToken && _ttype!=antlr::Token::SKIP ) { + _token = makeToken(_ttype); + _token->setText(text.substr(_begin, text.length()-_begin)); + } + _returnToken = _token; + _saveIndex=0; +} + + +const unsigned long RequirementLexer::_tokenSet_0_data_[] = { 0UL, 0UL, 134217726UL, 134217726UL, 0UL, 0UL, 0UL, 0UL }; +const antlr::BitSet RequirementLexer::_tokenSet_0(_tokenSet_0_data_,8); +const unsigned long RequirementLexer::_tokenSet_1_data_[] = { 0UL, 67043328UL, 126UL, 126UL, 0UL, 0UL, 0UL, 0UL }; +// 0 1 2 3 4 5 6 7 8 9 +const antlr::BitSet RequirementLexer::_tokenSet_1(_tokenSet_1_data_,8); +const unsigned long RequirementLexer::_tokenSet_2_data_[] = { 4294967295UL, 4294967291UL, 4026531839UL, 4294967295UL, 0UL, 0UL, 0UL, 0UL }; +// 0x0 0x1 0x2 0x3 0x4 0x5 0x6 0x7 0x8 0x9 0xa 0xb 0xc 0xd 0xe 0xf 0x10 +// 0x11 0x12 0x13 0x14 0x15 0x16 0x17 0x18 0x19 0x1a 0x1b 0x1c 0x1d 0x1e +// 0x1f ! # $ % & \' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 +const antlr::BitSet RequirementLexer::_tokenSet_2(_tokenSet_2_data_,8); +const unsigned long RequirementLexer::_tokenSet_3_data_[] = { 4294966271UL, 4294967295UL, 4294967295UL, 4294967295UL, 0UL, 0UL, 0UL, 0UL }; +// 0x0 0x1 0x2 0x3 0x4 0x5 0x6 0x7 0x8 0x9 0xb 0xc 0xd 0xe 0xf 0x10 0x11 +// 0x12 0x13 0x14 0x15 0x16 0x17 0x18 0x19 0x1a 0x1b 0x1c 0x1d 0x1e 0x1f +// ! \" # $ % & \' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 +const antlr::BitSet RequirementLexer::_tokenSet_3(_tokenSet_3_data_,8); +const unsigned long RequirementLexer::_tokenSet_4_data_[] = { 4294967295UL, 4294934527UL, 4294967295UL, 4294967295UL, 0UL, 0UL, 0UL, 0UL }; +// 0x0 0x1 0x2 0x3 0x4 0x5 0x6 0x7 0x8 0x9 0xa 0xb 0xc 0xd 0xe 0xf 0x10 +// 0x11 0x12 0x13 0x14 0x15 0x16 0x17 0x18 0x19 0x1a 0x1b 0x1c 0x1d 0x1e +// 0x1f ! \" # $ % & \' ( ) * + , - . 
0 1 2 3 4 5 6 7 8 9 +const antlr::BitSet RequirementLexer::_tokenSet_4(_tokenSet_4_data_,8); +const unsigned long RequirementLexer::_tokenSet_5_data_[] = { 4294967295UL, 4294966271UL, 4294967295UL, 4294967295UL, 0UL, 0UL, 0UL, 0UL }; +// 0x0 0x1 0x2 0x3 0x4 0x5 0x6 0x7 0x8 0x9 0xa 0xb 0xc 0xd 0xe 0xf 0x10 +// 0x11 0x12 0x13 0x14 0x15 0x16 0x17 0x18 0x19 0x1a 0x1b 0x1c 0x1d 0x1e +// 0x1f ! \" # $ % & \' ( ) + , - . / 0 1 2 3 4 5 6 7 8 9 +const antlr::BitSet RequirementLexer::_tokenSet_5(_tokenSet_5_data_,8); + +ANTLR_END_NAMESPACE diff --git a/OSX/include/security_codesigning/RequirementLexer.hpp b/OSX/include/security_codesigning/RequirementLexer.hpp new file mode 100644 index 00000000..ef27c4c3 --- /dev/null +++ b/OSX/include/security_codesigning/RequirementLexer.hpp 
@@ -0,0 +1,77 @@ +#ifndef INC_RequirementLexer_hpp_ +#define INC_RequirementLexer_hpp_ + +#include +/* $ANTLR 2.7.7 (20121221): "requirements.grammar" -> "RequirementLexer.hpp"$ */ +#include +#include +#include +#include "RequirementParserTokenTypes.hpp" +#include + +#include "requirement.h" +using namespace CodeSigning; +typedef Requirement::Maker Maker; + +ANTLR_BEGIN_NAMESPACE(Security_CodeSigning) +class CUSTOM_API RequirementLexer : public antlr::CharScanner, public RequirementParserTokenTypes +{ +private: + void initLiterals(); +public: + bool getCaseSensitiveLiterals() const + { + return true; + } +public: + RequirementLexer(std::istream& in); + RequirementLexer(antlr::InputBuffer& ib); + RequirementLexer(const antlr::LexerSharedInputState& state); + antlr::RefToken nextToken(); + protected: void mIDENT(bool _createToken); + public: void mDOTKEY(bool _createToken); + public: void mINTEGER(bool _createToken); + public: void mPATHNAME(bool _createToken); + public: void mHASHCONSTANT(bool _createToken); + protected: void mHEX(bool _createToken); + public: void mHEXCONSTANT(bool _createToken); + public: void mSTRING(bool _createToken); + public: void mARROW(bool _createToken); + public: void mSEMI(bool _createToken); + public: void mLPAREN(bool _createToken); + public: void mRPAREN(bool _createToken); + public: void mLBRACK(bool _createToken); + public: void mRBRACK(bool _createToken); + public: void mLESS(bool _createToken); + public: void mGT(bool _createToken); + public: void mLE(bool _createToken); + public: void mGE(bool _createToken); + public: void mCOMMA(bool _createToken); + public: void mEQL(bool _createToken); + public: void mEQQL(bool _createToken); + public: void mSUBS(bool _createToken); + public: void mNEG(bool _createToken); + public: void mNOT(bool _createToken); + public: void mSTAR(bool _createToken); + public: void mWS(bool _createToken); + public: void mSHELLCOMMENT(bool _createToken); + public: void mC_COMMENT(bool _createToken); + public: 
void mCPP_COMMENT(bool _createToken); +private: + + static const unsigned long _tokenSet_0_data_[]; + static const antlr::BitSet _tokenSet_0; + static const unsigned long _tokenSet_1_data_[]; + static const antlr::BitSet _tokenSet_1; + static const unsigned long _tokenSet_2_data_[]; + static const antlr::BitSet _tokenSet_2; + static const unsigned long _tokenSet_3_data_[]; + static const antlr::BitSet _tokenSet_3; + static const unsigned long _tokenSet_4_data_[]; + static const antlr::BitSet _tokenSet_4; + static const unsigned long _tokenSet_5_data_[]; + static const antlr::BitSet _tokenSet_5; +}; + +ANTLR_END_NAMESPACE +#endif /*INC_RequirementLexer_hpp_*/ diff --git a/OSX/include/security_codesigning/RequirementParser.cpp b/OSX/include/security_codesigning/RequirementParser.cpp new file mode 100644 index 00000000..dfaa3450 --- /dev/null +++ b/OSX/include/security_codesigning/RequirementParser.cpp 
@@ -0,0 +1,1331 @@ +/* $ANTLR 2.7.7 (20121221): "requirements.grammar" -> "RequirementParser.cpp"$ */ +#include "RequirementParser.hpp" +#include +#include +#include + +#include "requirement.h" +#include "reqmaker.h" +#include "csutilities.h" +#include +#include +#include // OID coding +using namespace CodeSigning; +typedef Requirement::Maker Maker; + +ANTLR_BEGIN_NAMESPACE(Security_CodeSigning) + + // + // Collect error messages. + // Note that the immediate caller takes the absence of collected error messages + // to indicate compilation success. + // + void RequirementParser::reportError(const antlr::RecognitionException &ex) + { + errors += ex.toString() + "\n"; + } + + void RequirementParser::reportError(const std::string &s) + { + errors += s + "\n"; + } + + + // + // Parser helper functions + // + string RequirementParser::hexString(const string &s) + { + if (s.size() % 2) + throw antlr::SemanticException("odd number of digits"); + const char *p = s.data(); + string result; + for (unsigned n = 0; n < s.length(); n += 2) { + char c; + sscanf(p+n, "%2hhx", &c); + result.push_back(c); + } + return result; + } + + void RequirementParser::hashString(const string &s, SHA1::Digest hash) + { + if (s.size() != 2 * SHA1::digestLength) + throw antlr::SemanticException("invalid hash length"); + memcpy(hash, hexString(s).data(), SHA1::digestLength); + } + + static const char *matchPrefix(const string &key, const char *prefix) + { + size_t pLength = strlen(prefix); + if (!key.compare(0, pLength, prefix, 0, pLength)) + return key.c_str() + pLength; + else + return NULL; + } + + void RequirementParser::certMatchOperation(Maker &maker, int32_t slot, string key) + { + if (matchPrefix(key, "subject.")) { + maker.put(opCertField); + maker.put(slot); + maker.put(key); + } else if (const char *oids = matchPrefix(key, "field.")) { + maker.put(opCertGeneric); + maker.put(slot); + CssmAutoData oid(Allocator::standard()); oid.fromOid(oids); + maker.putData(oid.data(), oid.length()); 
+ } else if (const char *oids = matchPrefix(key, "extension.")) { + maker.put(opCertGeneric); + maker.put(slot); + CssmAutoData oid(Allocator::standard()); oid.fromOid(oids); + maker.putData(oid.data(), oid.length()); + } else if (const char *oids = matchPrefix(key, "policy.")) { + maker.put(opCertPolicy); + maker.put(slot); + CssmAutoData oid(Allocator::standard()); oid.fromOid(oids); + maker.putData(oid.data(), oid.length()); + } else { + throw antlr::SemanticException(key + ": unrecognized certificate field"); + } + } + +RequirementParser::RequirementParser(antlr::TokenBuffer& tokenBuf, int k) +: antlr::LLkParser(tokenBuf,k) +{ +} + +RequirementParser::RequirementParser(antlr::TokenBuffer& tokenBuf) +: antlr::LLkParser(tokenBuf,2) +{ +} + +RequirementParser::RequirementParser(antlr::TokenStream& lexer, int k) +: antlr::LLkParser(lexer,k) +{ +} + +RequirementParser::RequirementParser(antlr::TokenStream& lexer) +: antlr::LLkParser(lexer,2) +{ +} + +RequirementParser::RequirementParser(const antlr::ParserSharedInputState& state) +: antlr::LLkParser(state,2) +{ +} + +BlobCore * RequirementParser::autosense() { + BlobCore *result = NULL; + + try { // for error handling + switch ( LA(1)) { + case LPAREN: + case NOT: + case LITERAL_always: + case LITERAL_true: + case LITERAL_never: + case LITERAL_false: + case LITERAL_identifier: + case LITERAL_cdhash: + case LITERAL_platform: + case LITERAL_anchor: + case LITERAL_certificate: + case LITERAL_cert: + case LITERAL_info: + case LITERAL_entitlement: + { + result=requirement(); + break; + } + case LITERAL_guest: + case LITERAL_host: + case LITERAL_designated: + case LITERAL_library: + case LITERAL_plugin: + case INTEGER: + { + result=requirementSet(); + break; + } + default: + { + throw antlr::NoViableAltException(LT(1), getFilename()); + } + } + } + catch (antlr::RecognitionException& ex) { + reportError(ex); + recover(ex,_tokenSet_0); + } + return result; +} + +Requirement * RequirementParser::requirement() { + 
Requirement *result = NULL; + + try { // for error handling + result=requirementElement(); + match(antlr::Token::EOF_TYPE); + } + catch (antlr::RecognitionException& ex) { + reportError(ex); + recover(ex,_tokenSet_0); + } + return result; +} + +Requirements * RequirementParser::requirementSet() { + Requirements *result = NULL; + Requirements::Maker maker; + + try { // for error handling + { // ( ... )+ + int _cnt4=0; + for (;;) { + if ((_tokenSet_1.member(LA(1)))) { + uint32_t t; Requirement *req; + t=requirementType(); + match(ARROW); + req=requirementElement(); + maker.add(t, req); + } + else { + if ( _cnt4>=1 ) { goto _loop4; } else {throw antlr::NoViableAltException(LT(1), getFilename());} + } + + _cnt4++; + } + _loop4:; + } // ( ... )+ + result = errors.empty() ? maker() : NULL; + match(antlr::Token::EOF_TYPE); + } + catch (antlr::RecognitionException& ex) { + reportError(ex); + recover(ex,_tokenSet_0); + } + return result; +} + +uint32_t RequirementParser::requirementType() { + uint32_t type = kSecInvalidRequirementType; + + try { // for error handling + switch ( LA(1)) { + case LITERAL_guest: + { + match(LITERAL_guest); + type = kSecGuestRequirementType; + break; + } + case LITERAL_host: + { + match(LITERAL_host); + type = kSecHostRequirementType; + break; + } + case LITERAL_designated: + { + match(LITERAL_designated); + type = kSecDesignatedRequirementType; + break; + } + case LITERAL_library: + { + match(LITERAL_library); + type = kSecLibraryRequirementType; + break; + } + case LITERAL_plugin: + { + match(LITERAL_plugin); + type = kSecPluginRequirementType; + break; + } + case INTEGER: + { + type=integer(); + break; + } + default: + { + throw antlr::NoViableAltException(LT(1), getFilename()); + } + } + } + catch (antlr::RecognitionException& ex) { + reportError(ex); + recover(ex,_tokenSet_2); + } + return type; +} + +Requirement * RequirementParser::requirementElement() { + Requirement *result = NULL; + Requirement::Maker maker; + + try { // for error 
handling + expr(maker); + result = maker(); + { // ( ... )* + for (;;) { + if ((LA(1) == SEMI)) { + fluff(); + } + else { + goto _loop9; + } + + } + _loop9:; + } // ( ... )* + } + catch (antlr::RecognitionException& ex) { + reportError(ex); + recover(ex,_tokenSet_3); + } + return result; +} + +int32_t RequirementParser::integer() { + int32_t result; + antlr::RefToken s = antlr::nullToken; + + try { // for error handling + s = LT(1); + match(INTEGER); + result = int32_t(atol(s->getText().c_str())); + } + catch (antlr::RecognitionException& ex) { + reportError(ex); + recover(ex,_tokenSet_4); + } + return result; +} + +void RequirementParser::expr( + Maker &maker +) { + Maker::Label label(maker); + + try { // for error handling + term(maker); + { // ( ... )* + for (;;) { + if ((LA(1) == LITERAL_or)) { + match(LITERAL_or); + maker.insert(label) = opOr; + term(maker); + } + else { + goto _loop12; + } + + } + _loop12:; + } // ( ... )* + } + catch (antlr::RecognitionException& ex) { + reportError(ex); + recover(ex,_tokenSet_5); + } +} + +void RequirementParser::fluff() { + + try { // for error handling + match(SEMI); + } + catch (antlr::RecognitionException& ex) { + reportError(ex); + recover(ex,_tokenSet_6); + } +} + +void RequirementParser::term( + Maker &maker +) { + Maker::Label label(maker); + + try { // for error handling + primary(maker); + { // ( ... )* + for (;;) { + if ((LA(1) == LITERAL_and)) { + match(LITERAL_and); + maker.insert(label) = opAnd; + primary(maker); + } + else { + goto _loop15; + } + + } + _loop15:; + } // ( ... 
)* + } + catch (antlr::RecognitionException& ex) { + reportError(ex); + recover(ex,_tokenSet_7); + } +} + +void RequirementParser::primary( + Maker &maker +) { + + try { // for error handling + switch ( LA(1)) { + case NOT: + { + match(NOT); + maker.put(opNot); + primary(maker); + break; + } + case LITERAL_always: + case LITERAL_true: + { + { + switch ( LA(1)) { + case LITERAL_always: + { + match(LITERAL_always); + break; + } + case LITERAL_true: + { + match(LITERAL_true); + break; + } + default: + { + throw antlr::NoViableAltException(LT(1), getFilename()); + } + } + } + maker.put(opTrue); + break; + } + case LITERAL_never: + case LITERAL_false: + { + { + switch ( LA(1)) { + case LITERAL_never: + { + match(LITERAL_never); + break; + } + case LITERAL_false: + { + match(LITERAL_false); + break; + } + default: + { + throw antlr::NoViableAltException(LT(1), getFilename()); + } + } + } + maker.put(opFalse); + break; + } + case LITERAL_anchor: + case LITERAL_certificate: + case LITERAL_cert: + { + certspec(maker); + break; + } + case LITERAL_info: + { + infospec(maker); + break; + } + case LITERAL_entitlement: + { + entitlementspec(maker); + break; + } + case LITERAL_identifier: + { + match(LITERAL_identifier); + string code; + eql(); + code=identifierString(); + maker.ident(code); + break; + } + case LITERAL_cdhash: + { + match(LITERAL_cdhash); + SHA1::Digest digest; + eql(); + hash(digest); + maker.cdhash(digest); + break; + } + case LITERAL_platform: + { + match(LITERAL_platform); + int32_t ident; + eql(); + ident=integer(); + maker.platform(ident); + break; + } + default: + if ((LA(1) == LPAREN) && (_tokenSet_8.member(LA(2)))) { + match(LPAREN); + expr(maker); + match(RPAREN); + } + else if ((LA(1) == LPAREN) && (LA(2) == DOTKEY || LA(2) == STRING)) { + match(LPAREN); + string name; + name=identifierString(); + match(RPAREN); + maker.put(opNamedCode); maker.put(name); + } + else { + throw antlr::NoViableAltException(LT(1), getFilename()); + } + } + } + catch 
(antlr::RecognitionException& ex) { + reportError(ex); + recover(ex,_tokenSet_9); + } +} + +void RequirementParser::certspec( + Maker &maker +) { + + try { // for error handling + if ((LA(1) == LITERAL_anchor) && (LA(2) == LITERAL_apple)) { + match(LITERAL_anchor); + match(LITERAL_apple); + appleanchor(maker); + } + else if ((LA(1) == LITERAL_anchor) && (LA(2) == LITERAL_generic)) { + match(LITERAL_anchor); + match(LITERAL_generic); + match(LITERAL_apple); + maker.put(opAppleGenericAnchor); + } + else if ((LA(1) == LITERAL_anchor || LA(1) == LITERAL_certificate || LA(1) == LITERAL_cert) && (LA(2) == LITERAL_trusted)) { + { + switch ( LA(1)) { + case LITERAL_certificate: + { + match(LITERAL_certificate); + break; + } + case LITERAL_cert: + { + match(LITERAL_cert); + break; + } + case LITERAL_anchor: + { + match(LITERAL_anchor); + break; + } + default: + { + throw antlr::NoViableAltException(LT(1), getFilename()); + } + } + } + match(LITERAL_trusted); + maker.trustedAnchor(); + } + else if ((LA(1) == LITERAL_certificate || LA(1) == LITERAL_cert) && (_tokenSet_10.member(LA(2)))) { + { + switch ( LA(1)) { + case LITERAL_certificate: + { + match(LITERAL_certificate); + break; + } + case LITERAL_cert: + { + match(LITERAL_cert); + break; + } + default: + { + throw antlr::NoViableAltException(LT(1), getFilename()); + } + } + } + int32_t slot; + slot=certSlot(); + { + switch ( LA(1)) { + case EQL: + case EQQL: + case LBRACK: + case HASHCONSTANT: + case DOTKEY: + case STRING: + case PATHNAME: + { + certslotspec(maker, slot); + break; + } + case LITERAL_trusted: + { + match(LITERAL_trusted); + maker.trustedAnchor(slot); + break; + } + default: + { + throw antlr::NoViableAltException(LT(1), getFilename()); + } + } + } + } + else if ((LA(1) == LITERAL_anchor) && (_tokenSet_11.member(LA(2)))) { + match(LITERAL_anchor); + certslotspec(maker, Requirement::anchorCert); + } + else { + throw antlr::NoViableAltException(LT(1), getFilename()); + } + + } + catch 
(antlr::RecognitionException& ex) { + reportError(ex); + recover(ex,_tokenSet_9); + } +} + +void RequirementParser::infospec( + Maker &maker +) { + string key; + + try { // for error handling + match(LITERAL_info); + key=bracketKey(); + maker.put(opInfoKeyField); maker.put(key); + match_suffix(maker); + } + catch (antlr::RecognitionException& ex) { + reportError(ex); + recover(ex,_tokenSet_9); + } +} + +void RequirementParser::entitlementspec( + Maker &maker +) { + string key; + + try { // for error handling + match(LITERAL_entitlement); + key=bracketKey(); + maker.put(opEntitlementField); maker.put(key); + match_suffix(maker); + } + catch (antlr::RecognitionException& ex) { + reportError(ex); + recover(ex,_tokenSet_9); + } +} + +void RequirementParser::eql() { + + try { // for error handling + switch ( LA(1)) { + case EQL: + { + match(EQL); + break; + } + case EQQL: + { + match(EQQL); + break; + } + case HASHCONSTANT: + case DOTKEY: + case STRING: + case PATHNAME: + case INTEGER: + { + empty(); + break; + } + default: + { + throw antlr::NoViableAltException(LT(1), getFilename()); + } + } + } + catch (antlr::RecognitionException& ex) { + reportError(ex); + recover(ex,_tokenSet_12); + } +} + +string RequirementParser::identifierString() { + string result; + antlr::RefToken dk = antlr::nullToken; + antlr::RefToken s = antlr::nullToken; + + try { // for error handling + switch ( LA(1)) { + case DOTKEY: + { + dk = LT(1); + match(DOTKEY); + result = dk->getText(); + break; + } + case STRING: + { + s = LT(1); + match(STRING); + result = s->getText(); + break; + } + default: + { + throw antlr::NoViableAltException(LT(1), getFilename()); + } + } + } + catch (antlr::RecognitionException& ex) { + reportError(ex); + recover(ex,_tokenSet_9); + } + return result; +} + +void RequirementParser::hash( + SHA1::Digest digest +) { + antlr::RefToken hash = antlr::nullToken; + + try { // for error handling + hash = LT(1); + match(HASHCONSTANT); + hashString(hash->getText(), digest); + 
} + catch (antlr::RecognitionException& ex) { + reportError(ex); + recover(ex,_tokenSet_9); + } +} + +void RequirementParser::appleanchor( + Maker &maker +) { + + try { // for error handling + switch ( LA(1)) { + case antlr::Token::EOF_TYPE: + case LITERAL_guest: + case LITERAL_host: + case LITERAL_designated: + case LITERAL_library: + case LITERAL_plugin: + case LITERAL_or: + case LITERAL_and: + case RPAREN: + case INTEGER: + case SEMI: + { + empty(); + maker.put(opAppleAnchor); + break; + } + case LITERAL_generic: + { + match(LITERAL_generic); + maker.put(opAppleGenericAnchor); + break; + } + case DOTKEY: + case STRING: + { + string name; + name=identifierString(); + maker.put(opNamedAnchor); maker.put(name); + break; + } + default: + { + throw antlr::NoViableAltException(LT(1), getFilename()); + } + } + } + catch (antlr::RecognitionException& ex) { + reportError(ex); + recover(ex,_tokenSet_9); + } +} + +int32_t RequirementParser::certSlot() { + int32_t slot = 0; + + try { // for error handling + switch ( LA(1)) { + case INTEGER: + { + slot=integer(); + break; + } + case NEG: + { + match(NEG); + slot=integer(); + slot = -slot; + break; + } + case LITERAL_leaf: + { + match(LITERAL_leaf); + slot = Requirement::leafCert; + break; + } + case LITERAL_root: + { + match(LITERAL_root); + slot = Requirement::anchorCert; + break; + } + default: + { + throw antlr::NoViableAltException(LT(1), getFilename()); + } + } + } + catch (antlr::RecognitionException& ex) { + reportError(ex); + recover(ex,_tokenSet_13); + } + return slot; +} + +void RequirementParser::certslotspec( + Maker &maker, int32_t slot +) { + string key; + + try { // for error handling + switch ( LA(1)) { + case EQL: + case EQQL: + case HASHCONSTANT: + case DOTKEY: + case STRING: + case PATHNAME: + { + eql(); + SHA1::Digest digest; + certificateDigest(digest); + maker.anchor(slot, digest); + break; + } + case LBRACK: + { + key=bracketKey(); + certMatchOperation(maker, slot, key); + match_suffix(maker); + break; 
+ } + default: + { + throw antlr::NoViableAltException(LT(1), getFilename()); + } + } + } + catch (antlr::RecognitionException& ex) { + reportError(ex); + recover(ex,_tokenSet_9); + } +} + +void RequirementParser::empty() { + + try { // for error handling + } + catch (antlr::RecognitionException& ex) { + reportError(ex); + recover(ex,_tokenSet_14); + } +} + +void RequirementParser::certificateDigest( + SHA1::Digest digest +) { + + try { // for error handling + switch ( LA(1)) { + case HASHCONSTANT: + { + hash(digest); + break; + } + case DOTKEY: + case STRING: + case PATHNAME: + { + string path; + path=pathstring(); + if (CFRef certData = cfLoadFile(path)) + hashOfCertificate(CFDataGetBytePtr(certData), CFDataGetLength(certData), digest); + else + throw antlr::SemanticException(path + ": not found"); + + break; + } + default: + { + throw antlr::NoViableAltException(LT(1), getFilename()); + } + } + } + catch (antlr::RecognitionException& ex) { + reportError(ex); + recover(ex,_tokenSet_9); + } +} + +string RequirementParser::bracketKey() { + string key; + + try { // for error handling + match(LBRACK); + key=stringvalue(); + match(RBRACK); + } + catch (antlr::RecognitionException& ex) { + reportError(ex); + recover(ex,_tokenSet_15); + } + return key; +} + +void RequirementParser::match_suffix( + Maker &maker +) { + + try { // for error handling + switch ( LA(1)) { + case antlr::Token::EOF_TYPE: + case LITERAL_guest: + case LITERAL_host: + case LITERAL_designated: + case LITERAL_library: + case LITERAL_plugin: + case LITERAL_or: + case LITERAL_and: + case RPAREN: + case LITERAL_exists: + case INTEGER: + case SEMI: + { + empty(); + { + switch ( LA(1)) { + case LITERAL_exists: + { + match(LITERAL_exists); + break; + } + case antlr::Token::EOF_TYPE: + case LITERAL_guest: + case LITERAL_host: + case LITERAL_designated: + case LITERAL_library: + case LITERAL_plugin: + case LITERAL_or: + case LITERAL_and: + case RPAREN: + case INTEGER: + case SEMI: + { + break; + } + 
default: + { + throw antlr::NoViableAltException(LT(1), getFilename()); + } + } + } + maker.put(matchExists); + break; + } + case EQL: + case EQQL: + { + { + switch ( LA(1)) { + case EQL: + { + match(EQL); + break; + } + case EQQL: + { + match(EQQL); + break; + } + default: + { + throw antlr::NoViableAltException(LT(1), getFilename()); + } + } + } + MatchOperation mop = matchEqual; string value; + { + switch ( LA(1)) { + case STAR: + { + match(STAR); + mop = matchEndsWith; + break; + } + case HEXCONSTANT: + case DOTKEY: + case STRING: + { + break; + } + default: + { + throw antlr::NoViableAltException(LT(1), getFilename()); + } + } + } + value=datavalue(); + { + switch ( LA(1)) { + case STAR: + { + match(STAR); + mop = (mop == matchEndsWith) ? matchContains : matchBeginsWith; + break; + } + case antlr::Token::EOF_TYPE: + case LITERAL_guest: + case LITERAL_host: + case LITERAL_designated: + case LITERAL_library: + case LITERAL_plugin: + case LITERAL_or: + case LITERAL_and: + case RPAREN: + case INTEGER: + case SEMI: + { + break; + } + default: + { + throw antlr::NoViableAltException(LT(1), getFilename()); + } + } + } + maker.put(mop); maker.put(value); + break; + } + case SUBS: + { + match(SUBS); + string value; + value=datavalue(); + maker.put(matchContains); maker.put(value); + break; + } + case LESS: + { + match(LESS); + string value; + value=datavalue(); + maker.put(matchLessThan); maker.put(value); + break; + } + case GT: + { + match(GT); + string value; + value=datavalue(); + maker.put(matchGreaterThan); maker.put(value); + break; + } + case LE: + { + match(LE); + string value; + value=datavalue(); + maker.put(matchLessEqual); maker.put(value); + break; + } + case GE: + { + match(GE); + string value; + value=datavalue(); + maker.put(matchGreaterEqual); maker.put(value); + break; + } + default: + { + throw antlr::NoViableAltException(LT(1), getFilename()); + } + } + } + catch (antlr::RecognitionException& ex) { + reportError(ex); + recover(ex,_tokenSet_9); + } 
+} + +string RequirementParser::datavalue() { + string result; + antlr::RefToken hex = antlr::nullToken; + + try { // for error handling + switch ( LA(1)) { + case DOTKEY: + case STRING: + { + result=stringvalue(); + break; + } + case HEXCONSTANT: + { + hex = LT(1); + match(HEXCONSTANT); + result = hexString(hex->getText()); + break; + } + default: + { + throw antlr::NoViableAltException(LT(1), getFilename()); + } + } + } + catch (antlr::RecognitionException& ex) { + reportError(ex); + recover(ex,_tokenSet_16); + } + return result; +} + +string RequirementParser::stringvalue() { + string result; + antlr::RefToken dk = antlr::nullToken; + antlr::RefToken s = antlr::nullToken; + + try { // for error handling + switch ( LA(1)) { + case DOTKEY: + { + dk = LT(1); + match(DOTKEY); + result = dk->getText(); + break; + } + case STRING: + { + s = LT(1); + match(STRING); + result = s->getText(); + break; + } + default: + { + throw antlr::NoViableAltException(LT(1), getFilename()); + } + } + } + catch (antlr::RecognitionException& ex) { + reportError(ex); + recover(ex,_tokenSet_17); + } + return result; +} + +string RequirementParser::pathstring() { + string result; + antlr::RefToken dk = antlr::nullToken; + antlr::RefToken s = antlr::nullToken; + antlr::RefToken pn = antlr::nullToken; + + try { // for error handling + switch ( LA(1)) { + case DOTKEY: + { + dk = LT(1); + match(DOTKEY); + result = dk->getText(); + break; + } + case STRING: + { + s = LT(1); + match(STRING); + result = s->getText(); + break; + } + case PATHNAME: + { + pn = LT(1); + match(PATHNAME); + result = pn->getText(); + break; + } + default: + { + throw antlr::NoViableAltException(LT(1), getFilename()); + } + } + } + catch (antlr::RecognitionException& ex) { + reportError(ex); + recover(ex,_tokenSet_9); + } + return result; +} + +void RequirementParser::initializeASTFactory( antlr::ASTFactory& ) +{ +} +const char* RequirementParser::tokenNames[] = { + "<0>", + "EOF", + "<2>", + "NULL_TREE_LOOKAHEAD", + 
"ARROW", + "\"guest\"", + "\"host\"", + "\"designated\"", + "\"library\"", + "\"plugin\"", + "\"or\"", + "\"and\"", + "LPAREN", + "RPAREN", + "NOT", + "\"always\"", + "\"true\"", + "\"never\"", + "\"false\"", + "\"identifier\"", + "\"cdhash\"", + "\"platform\"", + "\"anchor\"", + "\"apple\"", + "\"generic\"", + "\"certificate\"", + "\"cert\"", + "\"trusted\"", + "\"info\"", + "\"entitlement\"", + "\"exists\"", + "EQL", + "EQQL", + "STAR", + "SUBS", + "LESS", + "GT", + "LE", + "GE", + "LBRACK", + "RBRACK", + "NEG", + "\"leaf\"", + "\"root\"", + "HASHCONSTANT", + "HEXCONSTANT", + "DOTKEY", + "STRING", + "PATHNAME", + "INTEGER", + "SEMI", + "IDENT", + "HEX", + "COMMA", + "WS", + "SHELLCOMMENT", + "C_COMMENT", + "CPP_COMMENT", + 0 +}; + +const unsigned long RequirementParser::_tokenSet_0_data_[] = { 2UL, 0UL, 0UL, 0UL }; +// EOF +const antlr::BitSet RequirementParser::_tokenSet_0(_tokenSet_0_data_,4); +const unsigned long RequirementParser::_tokenSet_1_data_[] = { 992UL, 131072UL, 0UL, 0UL }; +// "guest" "host" "designated" "library" "plugin" INTEGER +const antlr::BitSet RequirementParser::_tokenSet_1(_tokenSet_1_data_,4); +const unsigned long RequirementParser::_tokenSet_2_data_[] = { 16UL, 0UL, 0UL, 0UL }; +// ARROW +const antlr::BitSet RequirementParser::_tokenSet_2(_tokenSet_2_data_,4); +const unsigned long RequirementParser::_tokenSet_3_data_[] = { 994UL, 131072UL, 0UL, 0UL }; +// EOF "guest" "host" "designated" "library" "plugin" INTEGER +const antlr::BitSet RequirementParser::_tokenSet_3(_tokenSet_3_data_,4); +const unsigned long RequirementParser::_tokenSet_4_data_[] = { 2281713650UL, 512129UL, 0UL, 0UL }; +// EOF ARROW "guest" "host" "designated" "library" "plugin" "or" "and" +// RPAREN "trusted" EQL EQQL LBRACK HASHCONSTANT DOTKEY STRING PATHNAME +// INTEGER SEMI +const antlr::BitSet RequirementParser::_tokenSet_4(_tokenSet_4_data_,4); +const unsigned long RequirementParser::_tokenSet_5_data_[] = { 9186UL, 393216UL, 0UL, 0UL }; +// EOF "guest" "host" 
"designated" "library" "plugin" RPAREN INTEGER SEMI +const antlr::BitSet RequirementParser::_tokenSet_5(_tokenSet_5_data_,4); +const unsigned long RequirementParser::_tokenSet_6_data_[] = { 994UL, 393216UL, 0UL, 0UL }; +// EOF "guest" "host" "designated" "library" "plugin" INTEGER SEMI +const antlr::BitSet RequirementParser::_tokenSet_6(_tokenSet_6_data_,4); +const unsigned long RequirementParser::_tokenSet_7_data_[] = { 10210UL, 393216UL, 0UL, 0UL }; +// EOF "guest" "host" "designated" "library" "plugin" "or" RPAREN INTEGER +// SEMI +const antlr::BitSet RequirementParser::_tokenSet_7(_tokenSet_7_data_,4); +const unsigned long RequirementParser::_tokenSet_8_data_[] = { 914345984UL, 0UL, 0UL, 0UL }; +// LPAREN NOT "always" "true" "never" "false" "identifier" "cdhash" "platform" +// "anchor" "certificate" "cert" "info" "entitlement" +const antlr::BitSet RequirementParser::_tokenSet_8(_tokenSet_8_data_,4); +const unsigned long RequirementParser::_tokenSet_9_data_[] = { 12258UL, 393216UL, 0UL, 0UL }; +// EOF "guest" "host" "designated" "library" "plugin" "or" "and" RPAREN +// INTEGER SEMI +const antlr::BitSet RequirementParser::_tokenSet_9(_tokenSet_9_data_,4); +const unsigned long RequirementParser::_tokenSet_10_data_[] = { 0UL, 134656UL, 0UL, 0UL }; +// NEG "leaf" "root" INTEGER +const antlr::BitSet RequirementParser::_tokenSet_10(_tokenSet_10_data_,4); +const unsigned long RequirementParser::_tokenSet_11_data_[] = { 2147483648UL, 118913UL, 0UL, 0UL }; +// EQL EQQL LBRACK HASHCONSTANT DOTKEY STRING PATHNAME +const antlr::BitSet RequirementParser::_tokenSet_11(_tokenSet_11_data_,4); +const unsigned long RequirementParser::_tokenSet_12_data_[] = { 0UL, 249856UL, 0UL, 0UL }; +// HASHCONSTANT DOTKEY STRING PATHNAME INTEGER +const antlr::BitSet RequirementParser::_tokenSet_12(_tokenSet_12_data_,4); +const unsigned long RequirementParser::_tokenSet_13_data_[] = { 2281701376UL, 118913UL, 0UL, 0UL }; +// "trusted" EQL EQQL LBRACK HASHCONSTANT DOTKEY STRING PATHNAME +const 
antlr::BitSet RequirementParser::_tokenSet_13(_tokenSet_13_data_,4); +const unsigned long RequirementParser::_tokenSet_14_data_[] = { 1073754082UL, 512000UL, 0UL, 0UL }; +// EOF "guest" "host" "designated" "library" "plugin" "or" "and" RPAREN +// "exists" HASHCONSTANT DOTKEY STRING PATHNAME INTEGER SEMI +const antlr::BitSet RequirementParser::_tokenSet_14(_tokenSet_14_data_,4); +const unsigned long RequirementParser::_tokenSet_15_data_[] = { 3221237730UL, 393341UL, 0UL, 0UL }; +// EOF "guest" "host" "designated" "library" "plugin" "or" "and" RPAREN +// "exists" EQL EQQL SUBS LESS GT LE GE INTEGER SEMI +const antlr::BitSet RequirementParser::_tokenSet_15(_tokenSet_15_data_,4); +const unsigned long RequirementParser::_tokenSet_16_data_[] = { 12258UL, 393218UL, 0UL, 0UL }; +// EOF "guest" "host" "designated" "library" "plugin" "or" "and" RPAREN +// STAR INTEGER SEMI +const antlr::BitSet RequirementParser::_tokenSet_16(_tokenSet_16_data_,4); +const unsigned long RequirementParser::_tokenSet_17_data_[] = { 12258UL, 393474UL, 0UL, 0UL }; +// EOF "guest" "host" "designated" "library" "plugin" "or" "and" RPAREN +// STAR RBRACK INTEGER SEMI +const antlr::BitSet RequirementParser::_tokenSet_17(_tokenSet_17_data_,4); + + +ANTLR_END_NAMESPACE diff --git a/OSX/include/security_codesigning/RequirementParser.hpp b/OSX/include/security_codesigning/RequirementParser.hpp new file mode 100644 index 00000000..81857c65 --- /dev/null +++ b/OSX/include/security_codesigning/RequirementParser.hpp 
@@ -0,0 +1,158 @@ +#ifndef INC_RequirementParser_hpp_ +#define INC_RequirementParser_hpp_ + +#include +/* $ANTLR 2.7.7 (20121221): "requirements.grammar" -> "RequirementParser.hpp"$ */ +#include +#include +#include "RequirementParserTokenTypes.hpp" +#include + + +#include "requirement.h" +using namespace CodeSigning; +typedef Requirement::Maker Maker; + +ANTLR_BEGIN_NAMESPACE(Security_CodeSigning) +class CUSTOM_API RequirementParser : public antlr::LLkParser, public RequirementParserTokenTypes +{ + +public: + std::string errors; + void reportError(const antlr::RecognitionException &ex); + void reportError(const std::string &s); + +private: + static string hexString(const string &s); + static void hashString(const string &s, SHA1::Digest hash); + void certMatchOperation(Maker &maker, int32_t slot, string key); +public: + void initializeASTFactory( antlr::ASTFactory& factory ); +protected: + RequirementParser(antlr::TokenBuffer& tokenBuf, int k); +public: + RequirementParser(antlr::TokenBuffer& tokenBuf); +protected: + RequirementParser(antlr::TokenStream& lexer, int k); +public: + RequirementParser(antlr::TokenStream& lexer); + RequirementParser(const antlr::ParserSharedInputState& state); + int getNumTokens() const + { + return RequirementParser::NUM_TOKENS; + } + const char* getTokenName( int type ) const + { + if( type > getNumTokens() ) return 0; + return RequirementParser::tokenNames[type]; + } + const char* const* getTokenNames() const + { + return RequirementParser::tokenNames; + } + public: BlobCore * autosense(); + public: Requirement * requirement(); + public: Requirements * requirementSet(); + public: uint32_t requirementType(); + public: Requirement * requirementElement(); + public: int32_t integer(); + public: void expr( + Maker &maker + ); + public: void fluff(); + public: void term( + Maker &maker + ); + public: void primary( + Maker &maker + ); + public: void certspec( + Maker &maker + ); + public: void infospec( + Maker &maker + ); + public: void 
entitlementspec( + Maker &maker + ); + public: void eql(); + public: string identifierString(); + public: void hash( + SHA1::Digest digest + ); + public: void appleanchor( + Maker &maker + ); + public: int32_t certSlot(); + public: void certslotspec( + Maker &maker, int32_t slot + ); + public: void empty(); + public: void certificateDigest( + SHA1::Digest digest + ); + public: string bracketKey(); + public: void match_suffix( + Maker &maker + ); + public: string datavalue(); + public: string stringvalue(); + public: string pathstring(); +public: + antlr::RefAST getAST() + { + return returnAST; + } + +protected: + antlr::RefAST returnAST; +private: + static const char* tokenNames[]; +#ifndef NO_STATIC_CONSTS + static const int NUM_TOKENS = 58; +#else + enum { + NUM_TOKENS = 58 + }; +#endif + + static const unsigned long _tokenSet_0_data_[]; + static const antlr::BitSet _tokenSet_0; + static const unsigned long _tokenSet_1_data_[]; + static const antlr::BitSet _tokenSet_1; + static const unsigned long _tokenSet_2_data_[]; + static const antlr::BitSet _tokenSet_2; + static const unsigned long _tokenSet_3_data_[]; + static const antlr::BitSet _tokenSet_3; + static const unsigned long _tokenSet_4_data_[]; + static const antlr::BitSet _tokenSet_4; + static const unsigned long _tokenSet_5_data_[]; + static const antlr::BitSet _tokenSet_5; + static const unsigned long _tokenSet_6_data_[]; + static const antlr::BitSet _tokenSet_6; + static const unsigned long _tokenSet_7_data_[]; + static const antlr::BitSet _tokenSet_7; + static const unsigned long _tokenSet_8_data_[]; + static const antlr::BitSet _tokenSet_8; + static const unsigned long _tokenSet_9_data_[]; + static const antlr::BitSet _tokenSet_9; + static const unsigned long _tokenSet_10_data_[]; + static const antlr::BitSet _tokenSet_10; + static const unsigned long _tokenSet_11_data_[]; + static const antlr::BitSet _tokenSet_11; + static const unsigned long _tokenSet_12_data_[]; + static const antlr::BitSet 
_tokenSet_12; + static const unsigned long _tokenSet_13_data_[]; + static const antlr::BitSet _tokenSet_13; + static const unsigned long _tokenSet_14_data_[]; + static const antlr::BitSet _tokenSet_14; + static const unsigned long _tokenSet_15_data_[]; + static const antlr::BitSet _tokenSet_15; + static const unsigned long _tokenSet_16_data_[]; + static const antlr::BitSet _tokenSet_16; + static const unsigned long _tokenSet_17_data_[]; + static const antlr::BitSet _tokenSet_17; +}; + +ANTLR_END_NAMESPACE +#endif /*INC_RequirementParser_hpp_*/ diff --git a/OSX/include/security_codesigning/RequirementParserTokenTypes.hpp b/OSX/include/security_codesigning/RequirementParserTokenTypes.hpp new file mode 100644 index 00000000..3654840c --- /dev/null +++ b/OSX/include/security_codesigning/RequirementParserTokenTypes.hpp 
@@ -0,0 +1,76 @@ +#ifndef INC_RequirementParserTokenTypes_hpp_ +#define INC_RequirementParserTokenTypes_hpp_ + +ANTLR_BEGIN_NAMESPACE(Security_CodeSigning) +/* $ANTLR 2.7.7 (20121221): "requirements.grammar" -> "RequirementParserTokenTypes.hpp"$ */ + +#ifndef CUSTOM_API +# define CUSTOM_API +#endif + +#ifdef __cplusplus +struct CUSTOM_API RequirementParserTokenTypes { +#endif + enum { + EOF_ = 1, + ARROW = 4, + LITERAL_guest = 5, + LITERAL_host = 6, + LITERAL_designated = 7, + LITERAL_library = 8, + LITERAL_plugin = 9, + LITERAL_or = 10, + LITERAL_and = 11, + LPAREN = 12, + RPAREN = 13, + NOT = 14, + LITERAL_always = 15, + LITERAL_true = 16, + LITERAL_never = 17, + LITERAL_false = 18, + LITERAL_identifier = 19, + LITERAL_cdhash = 20, + LITERAL_platform = 21, + LITERAL_anchor = 22, + LITERAL_apple = 23, + LITERAL_generic = 24, + LITERAL_certificate = 25, + LITERAL_cert = 26, + LITERAL_trusted = 27, + LITERAL_info = 28, + LITERAL_entitlement = 29, + LITERAL_exists = 30, + EQL = 31, + EQQL = 32, + STAR = 33, + SUBS = 34, + LESS = 35, + GT = 36, + LE = 37, + GE = 38, + LBRACK = 39, + RBRACK = 40, + NEG = 41, + LITERAL_leaf = 42, + LITERAL_root = 43, + HASHCONSTANT = 44, + HEXCONSTANT = 45, + DOTKEY = 46, + STRING = 47, + PATHNAME = 48, + INTEGER = 49, + SEMI = 50, + IDENT = 51, + HEX = 52, + COMMA = 53, + WS = 54, + SHELLCOMMENT = 55, + C_COMMENT = 56, + CPP_COMMENT = 57, + NULL_TREE_LOOKAHEAD = 3 + }; +#ifdef __cplusplus +}; +#endif +ANTLR_END_NAMESPACE +#endif /*INC_RequirementParserTokenTypes_hpp_*/ diff --git a/OSX/include/security_codesigning/RequirementParserTokenTypes.txt b/OSX/include/security_codesigning/RequirementParserTokenTypes.txt new file mode 100644 index 00000000..781f4f52 --- /dev/null +++ b/OSX/include/security_codesigning/RequirementParserTokenTypes.txt 
@@ -0,0 +1,56 @@ +// $ANTLR 2.7.7 (20121221): requirements.grammar -> RequirementParserTokenTypes.txt$ +RequirementParser // output token vocab name +ARROW=4 +LITERAL_guest="guest"=5 +LITERAL_host="host"=6 +LITERAL_designated="designated"=7 +LITERAL_library="library"=8 +LITERAL_plugin="plugin"=9 +LITERAL_or="or"=10 +LITERAL_and="and"=11 +LPAREN=12 +RPAREN=13 +NOT=14 +LITERAL_always="always"=15 +LITERAL_true="true"=16 +LITERAL_never="never"=17 +LITERAL_false="false"=18 +LITERAL_identifier="identifier"=19 +LITERAL_cdhash="cdhash"=20 +LITERAL_platform="platform"=21 +LITERAL_anchor="anchor"=22 +LITERAL_apple="apple"=23 +LITERAL_generic="generic"=24 +LITERAL_certificate="certificate"=25 +LITERAL_cert="cert"=26 +LITERAL_trusted="trusted"=27 +LITERAL_info="info"=28 +LITERAL_entitlement="entitlement"=29 +LITERAL_exists="exists"=30 +EQL=31 +EQQL=32 +STAR=33 +SUBS=34 +LESS=35 +GT=36 +LE=37 +GE=38 +LBRACK=39 +RBRACK=40 +NEG=41 +LITERAL_leaf="leaf"=42 +LITERAL_root="root"=43 +HASHCONSTANT=44 +HEXCONSTANT=45 +DOTKEY=46 +STRING=47 +PATHNAME=48 +INTEGER=49 +SEMI=50 +IDENT=51 +HEX=52 +COMMA=53 +WS=54 +SHELLCOMMENT=55 +C_COMMENT=56 +CPP_COMMENT=57 diff --git a/Security/libsecurity_codesigning/lib/Requirements.cpp b/OSX/include/security_codesigning/Requirements.cpp similarity index 100% rename from Security/libsecurity_codesigning/lib/Requirements.cpp rename to OSX/include/security_codesigning/Requirements.cpp diff --git a/Security/libsecurity_codesigning/lib/Requirements.h b/OSX/include/security_codesigning/Requirements.h similarity index 100% rename from Security/libsecurity_codesigning/lib/Requirements.h rename to OSX/include/security_codesigning/Requirements.h diff --git a/OSX/include/security_codesigning/SecAssessment.cpp b/OSX/include/security_codesigning/SecAssessment.cpp new file mode 100644 index 00000000..c6129c79 --- /dev/null +++ b/OSX/include/security_codesigning/SecAssessment.cpp 
@@ -0,0 +1,544 @@
+/*
+ * Copyright (c) 2011-2014 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+#include "cs.h"
+#include "SecAssessment.h"
+#include "policydb.h"
+#include "policyengine.h"
+#include "xpcengine.h"
+#include "csutilities.h"
+#include
+#include
+#include
+#include
+#include
+#include
+
+using namespace CodeSigning;
+
+
+static void esp_do_check(const char *op, CFDictionaryRef dict)
+{
+ OSStatus result = __esp_check_ns(op, (void *)(CFDictionaryRef)dict);
+ if (result != noErr)
+ MacOSError::throwMe(result);
+}
+
+//
+// CF Objects
+//
+struct _SecAssessment : private CFRuntimeBase {
+public:
+ _SecAssessment(CFURLRef p, AuthorityType typ, CFDictionaryRef r) : path(p), type(typ), result(r) { }
+
+ CFCopyRef path;
+ AuthorityType type;
+ CFRef result;
+
+public:
+ static _SecAssessment &ref(SecAssessmentRef r)
+ { return *(_SecAssessment *)r; }
+
+ // CF Boiler-plate
+ void *operator new (size_t size)
+ {
+ return (void *)_CFRuntimeCreateInstance(NULL, SecAssessmentGetTypeID(),
+ sizeof(_SecAssessment) - sizeof(CFRuntimeBase), NULL);
+ }
+
+ static void finalize(CFTypeRef obj)
+ { ((_SecAssessment *)obj)->~_SecAssessment(); }
+};
+
+typedef _SecAssessment SecAssessment;
+
+
+static const CFRuntimeClass assessmentClass = {
+ 0, // version
+ "SecAssessment", // name
+ NULL, // init
+ NULL, // copy
+ SecAssessment::finalize, // finalize
+ NULL, // equal
+ NULL, // hash
+ NULL, // formatting
+ NULL // debug string
+};
+
+
+static dispatch_once_t assessmentOnce;
+CFTypeID assessmentType = _kCFRuntimeNotATypeID;
+
+CFTypeID SecAssessmentGetTypeID()
+{
+ dispatch_once(&assessmentOnce, ^void() {
+ if ((assessmentType = _CFRuntimeRegisterClass(&assessmentClass)) == _kCFRuntimeNotATypeID)
+ abort();
+ });
+ return assessmentType;
+}
+
+
+//
+// Common dictionary constants
+//
+CFStringRef kSecAssessmentContextKeyOperation = CFSTR("operation");
+CFStringRef kSecAssessmentOperationTypeExecute = CFSTR("operation:execute");
+CFStringRef kSecAssessmentOperationTypeInstall = CFSTR("operation:install");
+CFStringRef kSecAssessmentOperationTypeOpenDocument = CFSTR("operation:lsopen");
+
+
+//
+// Read-only in-process access to the policy database
+//
+class ReadPolicy : public PolicyDatabase {
+public:
+ ReadPolicy() : PolicyDatabase(defaultDatabase) { }
+};
+ModuleNexus gDatabase;
+
+
+//
+// An on-demand instance of the policy engine
+//
+ModuleNexus gEngine;
+
+
+//
+// Policy evaluation ("assessment") operations
+//
+CFStringRef kSecAssessmentContextKeyFeedback = CFSTR("context:feedback");
+CFStringRef kSecAssessmentFeedbackProgress = CFSTR("feedback:progress");
+CFStringRef kSecAssessmentFeedbackInfoCurrent = CFSTR("current");
+CFStringRef kSecAssessmentFeedbackInfoTotal = CFSTR("total");
+
+CFStringRef kSecAssessmentAssessmentVerdict = CFSTR("assessment:verdict");
+CFStringRef kSecAssessmentAssessmentOriginator = CFSTR("assessment:originator");
+CFStringRef kSecAssessmentAssessmentAuthority = CFSTR("assessment:authority");
+CFStringRef kSecAssessmentAssessmentSource = CFSTR("assessment:authority:source");
+CFStringRef kSecAssessmentAssessmentAuthorityRow = CFSTR("assessment:authority:row");
+CFStringRef kSecAssessmentAssessmentAuthorityOverride = CFSTR("assessment:authority:override");
+CFStringRef kSecAssessmentAssessmentAuthorityOriginalVerdict = CFSTR("assessment:authority:verdict");
+CFStringRef kSecAssessmentAssessmentFromCache = CFSTR("assessment:authority:cached");
+CFStringRef kSecAssessmentAssessmentWeakSignature = CFSTR("assessment:authority:weak");
+CFStringRef kSecAssessmentAssessmentCodeSigningError = CFSTR("assessment:cserror");
+
+CFStringRef kDisabledOverride = CFSTR("security disabled");
+
+SecAssessmentRef SecAssessmentCreate(CFURLRef path,
+ SecAssessmentFlags flags,
+ CFDictionaryRef context,
+ CFErrorRef *errors)
+{
+ BEGIN_CSAPI
+
+ if (flags & kSecAssessmentFlagAsynchronous)
+ MacOSError::throwMe(errSecCSUnimplemented);
+
+ AuthorityType type = typeFor(context, kAuthorityExecute);
+ CFRef result = makeCFMutableDictionary();
+
+ SYSPOLICY_ASSESS_API(cfString(path).c_str(), int(type), flags);
+
+ try {
+ if (__esp_enabled() && (flags & kSecAssessmentFlagDirect)) {
+ CFTemp dict("{path=%O, flags=%d, context=%O, override=%d}", path, flags, context, overrideAssessment());
+ esp_do_check("cs-assessment-evaluate", dict);
+ }
+
+ if (flags & kSecAssessmentFlagDirect) {
+ // ask the engine right here to do its thing
+ SYSPOLICY_ASSESS_LOCAL();
+ gEngine().evaluate(path, type, flags, context, result);
+ } else {
+ // relay the question to our daemon for consideration
+ SYSPOLICY_ASSESS_REMOTE();
+ xpcEngineAssess(path, flags, context, result);
+ }
+ } catch (CommonError &error) {
+ switch (error.osStatus()) {
+ case CSSMERR_TP_CERT_REVOKED:
+ throw;
+ default:
+ if (!overrideAssessment(flags))
+ throw; // let it go as an error
+ break;
+ }
+ // record the error we would have returned
+ cfadd(result, "{%O=#F,'assessment:error'=%d}}", kSecAssessmentAssessmentVerdict, error.osStatus());
+ } catch (...) {
+ // catch stray errors not conforming to the CommonError scheme
+ if (!overrideAssessment(flags))
+ throw; // let it go as an error
+ cfadd(result, "{%O=#F}", kSecAssessmentAssessmentVerdict);
+ }
+
+ if (__esp_enabled() && (flags & kSecAssessmentFlagDirect)) {
+ CFTemp dict("{path=%O, flags=%d, context=%O, override=%d, result=%O}", path, flags, context, overrideAssessment(), (CFDictionaryRef)result);
+ __esp_notify_ns("cs-assessment-evaluate", (void *)(CFDictionaryRef)dict);
+ }
+
+ return new SecAssessment(path, type, result.yield());
+
+ END_CSAPI_ERRORS1(NULL)
+}
+
+
+static void traceResult(CFURLRef target, MessageTrace &trace, std::string &sanitized)
+{
+ static const char *interestingBundles[] = {
+ "UNBUNDLED",
+ "com.apple.",
+ "com.install4j.",
+ "com.MindVision.",
+ "com.yourcompany.",
+
+ "com.adobe.flashplayer.installmanager",
+ "com.adobe.Installers.Setup",
+ "com.adobe.PDApp.setup",
+ "com.bittorrent.uTorrent",
+ "com.divx.divx6formacinstaller",
+ "com.getdropbox.dropbox",
+ "com.google.Chrome",
+ "com.Google.GoogleEarthPlugin.plugin",
+ "com.Google.GoogleEarthPlus",
+ "com.hp.Installer",
+ "com.macpaw.CleanMyMac",
+ "com.microsoft.SilverlightInstaller",
+ "com.paragon-software.filesystems.NTFS.pkg",
+ "com.RealNetworks.RealPlayer",
+ "com.skype.skype",
+ "it.alfanet.squared5.MPEGStreamclip",
+ "org.mozilla.firefox",
+ "org.videolan.vlc",
+
+ NULL // sentinel
+ };
+
+ string identifier = "UNBUNDLED";
+ string version = "UNKNOWN";
+ if (CFRef bundle = CFBundleCreate(NULL, target)) {
+ if (CFStringRef ident = CFBundleGetIdentifier(bundle))
+ identifier = cfString(ident);
+ if (CFStringRef vers = CFStringRef(CFBundleGetValueForInfoDictionaryKey(bundle, CFSTR("CFBundleShortVersionString"))))
+ version = cfString(vers);
+ }
+
+ CFRef url = CFURLCopyAbsoluteURL(target);
+ sanitized = cfString(url);
+ string::size_type rslash = sanitized.rfind('/');
+ if (rslash != string::npos)
+ sanitized = sanitized.substr(rslash+1);
+ bool keepFilename = false;
+ for (const char **pfx = interestingBundles; *pfx; pfx++) {
+ size_t pfxlen = strlen(*pfx);
+ if (identifier.compare(0, pfxlen, *pfx, pfxlen) == 0)
+ if (pfxlen == identifier.size() || (*pfx)[pfxlen-1] == '.') {
+ keepFilename = true;
+ break;
+ }
+ }
+ if (!keepFilename) {
+ string::size_type dot = sanitized.rfind('.');
+ if (dot != string::npos)
+ sanitized = sanitized.substr(dot);
+ else
+ sanitized = "(none)";
+ }
+
+ trace.add("signature2", "bundle:%s", identifier.c_str());
+ trace.add("signature3", "%s", sanitized.c_str());
+ trace.add("signature5", "%s", version.c_str());
+}
+
+static void traceAssessment(SecAssessment &assessment, AuthorityType type, CFDictionaryRef result)
+{
+ if (CFDictionaryGetValue(result, CFSTR("assessment:remote")))
+ return; // just traced in syspolicyd
+
+ string authority = "UNSPECIFIED";
+ bool overridden = false;
+ bool old_overridden = false;
+ if (CFDictionaryRef authdict = CFDictionaryRef(CFDictionaryGetValue(result, kSecAssessmentAssessmentAuthority))) {
+ if (CFStringRef auth = CFStringRef(CFDictionaryGetValue(authdict, kSecAssessmentAssessmentSource)))
+ authority = cfString(auth);
+ else
+ authority = "no authority";
+ if (CFTypeRef override = CFDictionaryGetValue(authdict, kSecAssessmentAssessmentAuthorityOverride))
+ if (CFEqual(override, kDisabledOverride)) {
+ old_overridden = true;
+ if (CFDictionaryGetValue(authdict, kSecAssessmentAssessmentAuthorityOriginalVerdict) == kCFBooleanFalse)
+ overridden = true;
+ }
+ }
+
+ MessageTrace trace("com.apple.security.assessment.outcome2", NULL);
+ std::string sanitized;
+ traceResult(assessment.path, trace, sanitized);
+ trace.add("signature4", "%d", type);
+
+ if (CFDictionaryGetValue(result, kSecAssessmentAssessmentVerdict) == kCFBooleanFalse) {
+ trace.add("signature", "denied:%s", authority.c_str());
+ trace.send("assessment denied for %s", sanitized.c_str());
+ } else if (overridden) { // would have failed except for override
+ trace.add("signature", "defeated:%s", authority.c_str());
+ trace.send("assessment denied for %s but overridden", sanitized.c_str());
+ } else if (old_overridden) { // would have succeeded even without override
+ trace.add("signature", "override:%s", authority.c_str());
+ trace.send("assessment granted for %s and overridden", sanitized.c_str());
+ } else {
+ trace.add("signature", "granted:%s", authority.c_str());
+ trace.send("assessment granted for %s by %s", sanitized.c_str(), authority.c_str());
+ }
+}
+
+static void traceUpdate(CFTypeRef target, CFDictionaryRef context, CFDictionaryRef result)
+{
+ // only trace add operations on URL targets
+ if (target == NULL || CFGetTypeID(target) != CFURLGetTypeID())
+ return;
+ CFStringRef edit = CFStringRef(CFDictionaryGetValue(context, kSecAssessmentContextKeyUpdate));
+ if (!CFEqual(edit, kSecAssessmentUpdateOperationAdd))
+ return;
+ MessageTrace trace("com.apple.security.assessment.update", NULL);
+ std::string sanitized;
+ traceResult(CFURLRef(target), trace, sanitized);
+ trace.send("added rule for %s", sanitized.c_str());
+}
+
+
+//
+// At present, CopyResult simply retrieves the result already formed by Create.
+// In the future, this will be more lazy.
+//
+CFDictionaryRef SecAssessmentCopyResult(SecAssessmentRef assessmentRef,
+ SecAssessmentFlags flags,
+ CFErrorRef *errors)
+{
+ BEGIN_CSAPI
+
+ SecAssessment &assessment = SecAssessment::ref(assessmentRef);
+ CFCopyRef result = assessment.result;
+ if (overrideAssessment(flags)) {
+ // turn rejections into approvals, but note that we did that
+ CFTypeRef verdict = CFDictionaryGetValue(result, kSecAssessmentAssessmentVerdict);
+ if (verdict == kCFBooleanFalse) {
+ CFRef adulterated = makeCFMutableDictionary(result.get());
+ CFDictionarySetValue(adulterated, kSecAssessmentAssessmentVerdict, kCFBooleanTrue);
+ if (CFDictionaryRef authority = CFDictionaryRef(CFDictionaryGetValue(adulterated, kSecAssessmentAssessmentAuthority))) {
+ CFRef authority2 = makeCFMutableDictionary(authority);
+ CFDictionarySetValue(authority2, kSecAssessmentAssessmentAuthorityOverride, kDisabledOverride);
+ CFDictionarySetValue(authority2, kSecAssessmentAssessmentAuthorityOriginalVerdict, verdict);
+ CFDictionarySetValue(adulterated, kSecAssessmentAssessmentAuthority, authority2);
+ } else {
+ cfadd(adulterated, "{%O={%O=%O}}",
+ kSecAssessmentAssessmentAuthority, kSecAssessmentAssessmentAuthorityOverride, kDisabledOverride);
+ }
+ result = adulterated.get();
+ }
+ }
+ traceAssessment(assessment, assessment.type, result);
+ return result.yield();
+
+ END_CSAPI_ERRORS1(NULL)
+}
+
+
+//
+// Policy editing operations.
+// These all make permanent changes to the system-wide authority records.
+//
+CFStringRef kSecAssessmentContextKeyUpdate = CFSTR("update");
+CFStringRef kSecAssessmentUpdateOperationAdd = CFSTR("update:add");
+CFStringRef kSecAssessmentUpdateOperationRemove = CFSTR("update:remove");
+CFStringRef kSecAssessmentUpdateOperationEnable = CFSTR("update:enable");
+CFStringRef kSecAssessmentUpdateOperationDisable = CFSTR("update:disable");
+CFStringRef kSecAssessmentUpdateOperationFind = CFSTR("update:find");
+
+CFStringRef kSecAssessmentUpdateKeyAuthorization = CFSTR("update:authorization");
+CFStringRef kSecAssessmentUpdateKeyPriority = CFSTR("update:priority");
+CFStringRef kSecAssessmentUpdateKeyLabel = CFSTR("update:label");
+CFStringRef kSecAssessmentUpdateKeyExpires = CFSTR("update:expires");
+CFStringRef kSecAssessmentUpdateKeyAllow = CFSTR("update:allow");
+CFStringRef kSecAssessmentUpdateKeyRemarks = CFSTR("update:remarks");
+
+CFStringRef kSecAssessmentUpdateKeyRow = CFSTR("update:row");
+CFStringRef kSecAssessmentUpdateKeyCount = CFSTR("update:count");
+CFStringRef kSecAssessmentUpdateKeyFound = CFSTR("update:found");
+
+CFStringRef kSecAssessmentRuleKeyID = CFSTR("rule:id");
+CFStringRef kSecAssessmentRuleKeyPriority = CFSTR("rule:priority");
+CFStringRef kSecAssessmentRuleKeyAllow = CFSTR("rule:allow");
+CFStringRef kSecAssessmentRuleKeyLabel = CFSTR("rule:label");
+CFStringRef kSecAssessmentRuleKeyRemarks = CFSTR("rule:remarks");
+CFStringRef kSecAssessmentRuleKeyRequirement = CFSTR("rule:requirement");
+CFStringRef kSecAssessmentRuleKeyType = CFSTR("rule:type");
+CFStringRef kSecAssessmentRuleKeyExpires = CFSTR("rule:expires");
+CFStringRef kSecAssessmentRuleKeyDisabled = CFSTR("rule:disabled");
+CFStringRef kSecAssessmentRuleKeyBookmark = CFSTR("rule:bookmark");
+
+
+Boolean SecAssessmentUpdate(CFTypeRef target,
+ SecAssessmentFlags flags,
+ CFDictionaryRef context,
+ CFErrorRef *errors)
+{
+ if (CFDictionaryRef outcome = SecAssessmentCopyUpdate(target, flags, context, errors)) {
+ CFRelease(outcome);
+ return true;
+ } else {
+ return false; + } +} + +CFDictionaryRef SecAssessmentCopyUpdate(CFTypeRef target, + SecAssessmentFlags flags, + CFDictionaryRef context, + CFErrorRef *errors) +{ + BEGIN_CSAPI + + CFDictionary ctx(context, errSecCSInvalidAttributeValues); + CFRef result; + + // make context exist and writable + CFMutableDictionaryRef mcontext; + if (context == NULL) { + mcontext = makeCFMutableDictionary(); + } else { + mcontext = makeCFMutableDictionary(context); + } + + if (CFDictionaryGetValue(mcontext, kSecAssessmentUpdateKeyAuthorization) == NULL) { + // no authorization passed in. Make an empty one in this context + AuthorizationRef authorization; + MacOSError::check(AuthorizationCreate(NULL, NULL, kAuthorizationFlagDefaults, &authorization)); + AuthorizationExternalForm extform; + MacOSError::check(AuthorizationMakeExternalForm(authorization, &extform)); + CFDictionaryAddValue(mcontext, kSecAssessmentUpdateKeyAuthorization, CFTempData(&extform, sizeof(extform))); + if (!(flags & kSecAssessmentFlagDirect)) + AuthorizationFree(authorization, kAuthorizationFlagDefaults); + } + + if (flags & kSecAssessmentFlagDirect) { + if (__esp_enabled()) { + CFTemp dict("{target=%O, flags=%d, context=%O}", target, flags, context); + OSStatus esp_result = __esp_check_ns("cs-assessment-update", (void *)(CFDictionaryRef)dict); + if (esp_result != noErr) + return NULL; + } + + // ask the engine right here to do its thing + result = gEngine().update(target, flags, ctx); + } else { + // relay the question to our daemon for consideration + result = xpcEngineUpdate(target, flags, ctx); + } + + if (__esp_enabled() && (flags & kSecAssessmentFlagDirect)) { + CFTemp dict("{target=%O, flags=%d, context=%O, outcome=%O}", target, flags, context, (CFDictionaryRef)result); + __esp_notify_ns("cs-assessment-update", (void *)(CFDictionaryRef)dict); + } + + traceUpdate(target, context, result); + return result.yield(); + + END_CSAPI_ERRORS1(false) +} + + +// +// The fcntl of System Policies. 
+// For those very special requests. +// +Boolean SecAssessmentControl(CFStringRef control, void *arguments, CFErrorRef *errors) +{ + BEGIN_CSAPI + + CFTemp dict("{control=%O}", control); + esp_do_check("cs-assessment-control", dict); + + if (CFEqual(control, CFSTR("ui-enable"))) { + setAssessment(true); + MessageTrace trace("com.apple.security.assessment.state", "enable"); + trace.send("enable assessment outcomes"); + return true; + } else if (CFEqual(control, CFSTR("ui-disable"))) { + setAssessment(false); + MessageTrace trace("com.apple.security.assessment.state", "disable"); + trace.send("disable assessment outcomes"); + return true; + } else if (CFEqual(control, CFSTR("ui-status"))) { + CFBooleanRef &result = *(CFBooleanRef*)(arguments); + if (overrideAssessment()) + result = kCFBooleanFalse; + else + result = kCFBooleanTrue; + return true; + } else if (CFEqual(control, CFSTR("ui-enable-devid"))) { + CFTemp ctx("{%O=%s}", kSecAssessmentUpdateKeyLabel, "Developer ID"); + if (CFDictionaryRef result = gEngine().enable(NULL, kAuthorityInvalid, kSecCSDefaultFlags, ctx, false)) + CFRelease(result); + MessageTrace trace("com.apple.security.assessment.state", "enable-devid"); + trace.send("enable Developer ID approval"); + return true; + } else if (CFEqual(control, CFSTR("ui-disable-devid"))) { + CFTemp ctx("{%O=%s}", kSecAssessmentUpdateKeyLabel, "Developer ID"); + if (CFDictionaryRef result = gEngine().disable(NULL, kAuthorityInvalid, kSecCSDefaultFlags, ctx, false)) + CFRelease(result); + MessageTrace trace("com.apple.security.assessment.state", "disable-devid"); + trace.send("disable Developer ID approval"); + return true; + } else if (CFEqual(control, CFSTR("ui-get-devid"))) { + CFBooleanRef &result = *(CFBooleanRef*)(arguments); + if (gEngine().value("SELECT disabled FROM authority WHERE label = 'Developer ID';", true)) + result = kCFBooleanFalse; + else + result = kCFBooleanTrue; + return true; + } else if (CFEqual(control, CFSTR("ui-record-reject"))) { + // 
send this through syspolicyd for update validation + xpcEngineRecord(CFDictionaryRef(arguments)); + return true; + } else if (CFEqual(control, CFSTR("ui-record-reject-local"))) { + // perform the local operation (requires root) + gEngine().recordFailure(CFDictionaryRef(arguments)); + return true; + } else if (CFEqual(control, CFSTR("ui-recall-reject"))) { + // no special privileges required for this, so read directly + CFDictionaryRef &result = *(CFDictionaryRef*)(arguments); + CFRef infoData = cfLoadFile(lastRejectFile); + if (infoData) + result = makeCFDictionaryFrom(infoData); + else + result = NULL; + return true; + } else if (CFEqual(control, CFSTR("rearm-status"))) { + CFTimeInterval &result = *(CFTimeInterval*)(arguments); + if (!queryRearmTimer(result)) + result = 0; + return true; + } else + MacOSError::throwMe(errSecCSInvalidAttributeValues); + + END_CSAPI_ERRORS1(false) +} diff --git a/OSX/include/security_codesigning/SecAssessment.h b/OSX/include/security_codesigning/SecAssessment.h new file mode 100644 index 00000000..78d96832 --- /dev/null +++ b/OSX/include/security_codesigning/SecAssessment.h 
@@ -0,0 +1,316 @@ +/* + * Copyright (c) 2011-2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ +#ifndef _H_SECASSESSMENT +#define _H_SECASSESSMENT + +#include + +#ifdef __cplusplus +extern "C" { +#endif + + +/*! + * @type SecAccessmentRef An assessment being performed. + */ +typedef struct _SecAssessment *SecAssessmentRef; + + +/*! + * CF-standard type function + */ +CFTypeID SecAssessmentGetTypeID(); + + +/* + * Notifications sent when the policy authority database changes. + * (Should move to /usr/include/notify_keys.h eventually.) + */ +#define kNotifySecAssessmentMasterSwitch "com.apple.security.assessment.masterswitch" +#define kNotifySecAssessmentUpdate "com.apple.security.assessment.update" +#define kNotifySecAssessmentRecordingChange "com.apple.security.assessment.UIRecordRejectDidChangeNotification" + + +/*! + * Primary operation types. These are operations the system policy can express + * opinions on. They are not operations *on* the system configuration itself. + * (For those, see SecAssessmentUpdate below.) 
+ * + * @constant kSecAssessmentContextKeyOperation Context key describing the type of operation + * being contemplated. The default varies depending on the API call used. + * @constant kSecAssessmentOperationTypeExecute Value denoting the operation of running or executing + * code on the system. + * @constant kSecAssessmentOperationTypeInstall Value denoting the operation of installing + * software into the system. + * @constant kSecAssessmentOperationTypeOpenDocument Value denoting the operation of opening + * (in the LaunchServices sense) of documents. + */ +extern CFStringRef kSecAssessmentContextKeyOperation; // proposed operation +extern CFStringRef kSecAssessmentOperationTypeExecute; // .. execute code +extern CFStringRef kSecAssessmentOperationTypeInstall; // .. install software +extern CFStringRef kSecAssessmentOperationTypeOpenDocument; // .. LaunchServices-level document open + + +/*! + Operational flags for SecAssessment calls + + @type SecAssessmentFlags A mask of flag bits passed to SecAssessment calls to influence their + operation. + + @constant kSecAssessmentDefaultFlags Pass this to indicate that default behavior is desired. + @constant kSecAssessmentFlagIgnoreCache Do not use cached information; always perform a full + evaluation of system policy. This may be substantially slower. + @constant kSecAssessmentFlagNoCache Do not save any evaluation outcome in the system caches. + Any content already there is left undisturbed. Independent of kSecAssessmentFlagIgnoreCache. + @constant kSecAssessmentFlagEnforce Perform normal operations even if assessments have been + globally bypassed (which would usually approve anything). + @constant kSecAssessmentAllowWeak Allow signatures that contain known weaknesses, such as an + insecure resource envelope. + @constant kSecAssessmentIgnoreWhitelist Do not search the weak signature whitelist. + @constant kSecAssessmentFlagDequarantine Set the ASSESSMENT_OK flag if successful. 
+ @constant kSecAssessmentFlagIgnoreActiveAssessments Permit parallel re-assessment of the same target. + @constant kSecAssessmentFlagLowPriority Run the assessment in low priority. + + Flags common to multiple calls are assigned from high-bit down. Flags for particular calls + are assigned low-bit up, and are documented with that call. + */ +typedef uint64_t SecAssessmentFlags; +enum { + kSecAssessmentDefaultFlags = 0, // default behavior + + kSecAssessmentFlagDirect = 1 << 30, // in-process evaluation + kSecAssessmentFlagAsynchronous = 1 << 29, // request asynchronous operation + kSecAssessmentFlagIgnoreCache = 1 << 28, // do not search cache + kSecAssessmentFlagNoCache = 1 << 27, // do not populate cache + kSecAssessmentFlagEnforce = 1 << 26, // force on (disable bypass switches) + kSecAssessmentFlagAllowWeak = 1 << 25, // allow weak signatures + kSecAssessmentFlagIgnoreWhitelist = 1 << 24, // do not search weak signature whitelist + kSecAssessmentFlagDequarantine = 1 << 23, // set the ASSESSMENT_OK flag if successful + kSecAssessmentFlagIgnoreActiveAssessments = 1 << 22, // permit parallel re-assessment of the same target + kSecAssessmentFlagLowPriority = 1 << 21, // run the assessment in low priority +}; + + +/*! + @function SecAssessmentCreate + Ask the system for its assessment of a proposed operation. + + @param path CFURL describing the file central to the operation - the program + to be executed, archive to be installed, plugin to be loaded, etc. + @param flags Operation flags and options. Pass kSecAssessmentDefaultFlags for default + behavior. + @param context Optional CFDictionaryRef containing additional information bearing + on the requested assessment. + @param errors Standard CFError argument for reporting errors. Note that declining to permit + the proposed operation is not an error. Inability to arrive at a judgment is. + @result On success, a SecAssessment object that can be queried for its outcome. + On error, NULL (with *errors set). 
+ + Option flags: + + @constant kSecAssessmentFlagRequestOrigin Request additional work to produce information on + the originator (signer) of the object being discussed. + + Context keys: + + @constant kSecAssessmentContextKeyOperation Type of operation (see overview above). This defaults + to the kSecAssessmentOperationTypeExecute. + */ +extern CFStringRef kSecAssessmentContextKeyFeedback; // feedback reporting block +typedef Boolean (^SecAssessmentFeedback)(CFStringRef type, CFDictionaryRef information); +extern CFStringRef kSecAssessmentFeedbackProgress; // progress reporting feedback +extern CFStringRef kSecAssessmentFeedbackInfoCurrent; // info key: current work progress +extern CFStringRef kSecAssessmentFeedbackInfoTotal; // info key: total expected work + +extern CFStringRef kSecAssessmentAssessmentVerdict; // CFBooleanRef: master result - allow or deny +extern CFStringRef kSecAssessmentAssessmentOriginator; // CFStringRef: describing the signature originator +extern CFStringRef kSecAssessmentAssessmentAuthority; // CFDictionaryRef: authority used to arrive at result +extern CFStringRef kSecAssessmentAssessmentSource; // CFStringRef: primary source of authority +extern CFStringRef kSecAssessmentAssessmentFromCache; // present if result is from cache +extern CFStringRef kSecAssessmentAssessmentWeakSignature; // present if result attributable to signature weakness +extern CFStringRef kSecAssessmentAssessmentCodeSigningError; // error code returned by code signing API +extern CFStringRef kSecAssessmentAssessmentAuthorityRow; // (internal) +extern CFStringRef kSecAssessmentAssessmentAuthorityOverride; // (internal) +extern CFStringRef kSecAssessmentAssessmentAuthorityOriginalVerdict; // (internal) + +extern CFStringRef kDisabledOverride; // AuthorityOverride value for "Gatekeeper is disabled" + +enum { + kSecAssessmentFlagRequestOrigin = 1 << 0, // request origin information (slower) +}; + +SecAssessmentRef SecAssessmentCreate(CFURLRef path, + 
SecAssessmentFlags flags, + CFDictionaryRef context, + CFErrorRef *errors); + + +/*! + @function SecAssessmentCopyResult + + Extract results from a completed assessment and return them as a CFDictionary. + + @param assessment A SecAssessmentRef created with SecAssessmentCreate. + @param flags Operation flags and options. Pass kSecAssessmentDefaultFlags for default + behavior. + @errors Standard CFError argument for reporting errors. Note that declining to permit + the proposed operation is not an error. Inability to form a judgment is. + @result On success, a CFDictionary describing the outcome and various corroborating + data as requested by flags. The caller owns this dictionary and should release it + when done with it. On error, NULL (with *errors set). + + Assessment result keys (dictionary keys returned on success): + + @constant kSecAssessmentAssessmentVerdict A CFBoolean value indicating whether the system policy + allows (kCFBooleanTrue) or denies (kCFBooleanFalse) the proposed operation. + @constant kSecAssessmentAssessmentAuthority A CFDictionary describing what sources of authority + were used to arrive at this result. + @constant kSecAssessmentAssessmentOriginator A human-readable CFString describing the originator + of the signature securing the subject of the verdict. Requires kSecAssessmentFlagRequireOrigin. + May be missing anyway if no reliable source of origin can be determined. + */ +CFDictionaryRef SecAssessmentCopyResult(SecAssessmentRef assessment, + SecAssessmentFlags flags, + CFErrorRef *errors); + + +/*! + @function SecAssessmentCopyUpdate + Make changes to the system policy configuration. + + @param path CFTypeRef describing the subject of the operation. Depending on the operation, + this may be a CFURL denoting a (single) file or bundle; a SecRequirement describing + a group of files; a CFNumber denoting an existing rule by rule number, or NULL to perform + global changes. + @param flags Operation flags and options. 
Pass kSecAssessmentDefaultFlags for default + behavior. + @param context Required CFDictionaryRef containing information bearing + on the requested assessment. Must at least contain the kSecAssessmentContextKeyEdit key. + @param errors Standard CFError argument for reporting errors. Note that declining to permit + the proposed operation is not an error. Inability to form a judgment is. + @result Returns On success, a CFDictionary containing information pertaining to the completed operation. + Caller must CFRelease it when done. On failure, NULL, with *errors set if provided. + + Note: The SecAssessmentUpdate variant does not return data. It returns True on success, or False on error. + + Context keys and values: + + @constant kSecAssessmentContextKeyEdit Required context key describing the kind of change + requested to the system policy configuration. Currently understood values: + @constant kSecAssessmentUpdateOperationAdd Add a new rule to the assessment rule database. + @constant kSecAssessmentUpdateOperationRemove Remove rules from the rule database. + @constant kSecAssessmentUpdateOperationEnable (Re)enable rules in the rule database. + @constant kSecAssessmentUpdateOperationDisable Disable rules in the rule database. + @constant kSecAssessmentUpdateOperationFind Locate and return rules from the rule database. + This operation does not change the database, and does not require authorization or privileges. + + @constant kSecAssessmentUpdateKeyAuthorization A CFData containing the external form of a + system AuthorizationRef used to authorize the change. The call will automatically generate + a suitable authorization if this is missing; however, if the request is on behalf of + another client, an AuthorizationRef should be created there and passed along here. + @constant kSecAssessmentUpdateKeyPriority CFNumber denoting a (floating point) priority + for the rule(s) being processed. 
+ @constant kSecAssessmentUpdateKeyLabel CFString denoting a label string applied to the rule(s) + being processed. + @constant kSecAssessmentUpdateKeyExpires CFDate denoting an (absolute, future) expiration date + for rule(s) being processed. + @constant kSecAssessmentUpdateKeyAllow CFBoolean denoting whether a new rule allows or denies + assessment. The default is to allow; set to kCFBooleanFalse to create a negative (denial) rule. + @constant kSecAssessmentUpdateKeyRemarks CFString containing a colloquial description or comment + about a newly created rule. This is mean to be human readable and is not used when evaluating rules. + + Keys returned as the result of a successful kSecAssessmentUpdateOperationFind operation: + + @constant kSecAssessmentRuleKeyID A CFNumber uniquely identifying a rule. + @constant kSecAssessmentRuleKeyPriority A CFNumber indicating the rule's priority. + This is a floating point number. Higher values indicate higher priority. + @constant kSecAssessmentRuleKeyAllow A CFBoolean indicating whether the rule allows (true) or denies (false) the operation. + @constant kSecAssessmentRuleKeyLabel An optional CFString labeling the rule. Multiple rules may have the same label; + this can be used to group rules. Labels are not presented to the user. The label has no effect on evaluation. + @constant kSecAssessmentRuleKeyRemarks An optional CFString containing user-readable text characterizing the rule's meaning. + The remark has no effect on the evaluation. + @constant kSecAssessmentRuleKeyRequirement A CFString containing the (text form of) the code requirement governing the rule's match. + @constant kSecAssessmentRuleKeyType A CFString denoting the type of operation governed by the rule. + One of the kSecAssessmentOperationType* constants. + @constant kSecAssessmentRuleKeyExpires A CFDate indicating when the rule expires. Absent if the rule does not expire. Expired rules are never returned. 
+ @constant kSecAssessmentRuleKeyDisabled A CFNumber; non zero if temporarily disabled. Optional. + @constant kSecAssessmentRuleKeyBookmark A CFData with the bookmark to the rule. Optional. + */ +extern CFStringRef kSecAssessmentContextKeyUpdate; // proposed operation +extern CFStringRef kSecAssessmentUpdateOperationAdd; // add rule to policy database +extern CFStringRef kSecAssessmentUpdateOperationRemove; // remove rule from policy database +extern CFStringRef kSecAssessmentUpdateOperationEnable; // enable rule(s) in policy database +extern CFStringRef kSecAssessmentUpdateOperationDisable; // disable rule(s) in policy database +extern CFStringRef kSecAssessmentUpdateOperationFind; // extract rule(s) from the policy database + +extern CFStringRef kSecAssessmentUpdateKeyAuthorization; // [CFData] external form of governing authorization + +extern CFStringRef kSecAssessmentUpdateKeyPriority; // rule priority +extern CFStringRef kSecAssessmentUpdateKeyLabel; // rule label +extern CFStringRef kSecAssessmentUpdateKeyExpires; // rule expiration +extern CFStringRef kSecAssessmentUpdateKeyAllow; // rule outcome (allow/deny) +extern CFStringRef kSecAssessmentUpdateKeyRemarks; // rule remarks (human readable) + +extern CFStringRef kSecAssessmentUpdateKeyRow; // rule identifier (CFNumber; add only) +extern CFStringRef kSecAssessmentUpdateKeyCount; // count of changed rules (CFNumber) +extern CFStringRef kSecAssessmentUpdateKeyFound; // set of found rules (CFArray of CFDictionaries) + +extern CFStringRef kSecAssessmentRuleKeyID; // rule content returned: rule ID +extern CFStringRef kSecAssessmentRuleKeyPriority; // rule content returned: rule priority (floating point) +extern CFStringRef kSecAssessmentRuleKeyAllow; // rule content returned: rule allows (boolean) +extern CFStringRef kSecAssessmentRuleKeyLabel; // rule content returned: rule label (string; optional) +extern CFStringRef kSecAssessmentRuleKeyRemarks; // rule content returned: rule remarks (string; optional) 
+extern CFStringRef kSecAssessmentRuleKeyRequirement; // rule content returned: rule code requirement (string) +extern CFStringRef kSecAssessmentRuleKeyType; // rule content returned: rule type (string) +extern CFStringRef kSecAssessmentRuleKeyExpires; // rule content returned: rule expiration (CFDate; optional) +extern CFStringRef kSecAssessmentRuleKeyDisabled; // rule content returned: rule disabled (CFNumber; nonzero means temporarily disabled) +extern CFStringRef kSecAssessmentRuleKeyBookmark; // rule content returned: bookmark data (CFBookmark; optional) + +CFDictionaryRef SecAssessmentCopyUpdate(CFTypeRef target, + SecAssessmentFlags flags, + CFDictionaryRef context, + CFErrorRef *errors); + +Boolean SecAssessmentUpdate(CFTypeRef target, + SecAssessmentFlags flags, + CFDictionaryRef context, + CFErrorRef *errors); + + +/*! + @function SecAssessmentControl + Miscellaneous system policy operations. + + @param control A CFString indicating which operation is requested. + @param arguments Arguments to the operation as documented for control. + @param errors Standard CFErrorRef * argument to report errors. + @result Returns True on success. Returns False on failure (and sets *errors). + */ +Boolean SecAssessmentControl(CFStringRef control, void *arguments, CFErrorRef *errors); + + +#ifdef __cplusplus +} +#endif + +#endif //_H_SECASSESSMENT diff --git a/OSX/include/security_codesigning/SecCode.cpp b/OSX/include/security_codesigning/SecCode.cpp new file mode 100644 index 00000000..2544d654 --- /dev/null +++ b/OSX/include/security_codesigning/SecCode.cpp 
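Review bot: `CFTypeID SecAssessmentGetTypeID();` is declared inside an `extern "C"` block, so for C callers the empty parameter list means "unspecified arguments" rather than "none"; the sibling header in this commit writes `CFTypeID SecCodeGetTypeID(void);` and this one should read `CFTypeID SecAssessmentGetTypeID(void);`. The HeaderDoc in the same hunk also names constants the header never declares: `kSecAssessmentContextKeyEdit` (declared as `kSecAssessmentContextKeyUpdate`), `kSecAssessmentFlagRequireOrigin` (declared as `kSecAssessmentFlagRequestOrigin`), and `kSecAssessmentAllowWeak`/`kSecAssessmentIgnoreWhitelist` (declared with the `Flag` infix), plus `@type SecAccessmentRef` for `SecAssessmentRef` and `@errors` where `@param errors` is meant. Since these are the names a client developer will copy from the documentation, they should match the `extern` declarations that follow them.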
@@ -0,0 +1,316 @@ +/* + * Copyright (c) 2006-2015 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +// +// SecCode - API frame for SecCode objects. +// +// Note that some SecCode* functions take SecStaticCodeRef arguments in order to +// accept either static or dynamic code references, operating on the respective +// StaticCode. Those functions are in SecStaticCode.cpp, not here, despite their name. 
+// +#include "cs.h" +#include "Code.h" +#include "cskernel.h" +#include +#include + +using namespace CodeSigning; + + +// +// CFError user info keys +// +const CFStringRef kSecCFErrorArchitecture = CFSTR("SecCSArchitecture"); +const CFStringRef kSecCFErrorPattern = CFSTR("SecCSPattern"); +const CFStringRef kSecCFErrorResourceSeal = CFSTR("SecCSResourceSeal"); +const CFStringRef kSecCFErrorResourceAdded = CFSTR("SecCSResourceAdded"); +const CFStringRef kSecCFErrorResourceAltered = CFSTR("SecCSResourceAltered"); +const CFStringRef kSecCFErrorResourceMissing = CFSTR("SecCSResourceMissing"); +const CFStringRef kSecCFErrorInfoPlist = CFSTR("SecCSInfoPlist"); +const CFStringRef kSecCFErrorGuestAttributes = CFSTR("SecCSGuestAttributes"); +const CFStringRef kSecCFErrorRequirementSyntax = CFSTR("SecRequirementSyntax"); +const CFStringRef kSecCFErrorPath = CFSTR("SecComponentPath"); + + +// +// CF-standard type code functions +// +CFTypeID SecCodeGetTypeID(void) +{ + BEGIN_CSAPI + return gCFObjects().Code.typeID; + END_CSAPI1(_kCFRuntimeNotATypeID) +} + + +// +// Get a reference to the calling code. +// +OSStatus SecCodeCopySelf(SecCSFlags flags, SecCodeRef *selfRef) +{ + BEGIN_CSAPI + + checkFlags(flags); + CFRef attributes = makeCFMutableDictionary(1, + kSecGuestAttributePid, CFTempNumber(getpid()).get()); + CodeSigning::Required(selfRef) = SecCode::autoLocateGuest(attributes, flags)->handle(false); + + END_CSAPI +} + + +// +// Get the dynamic status of a code. 
+// +OSStatus SecCodeGetStatus(SecCodeRef codeRef, SecCSFlags flags, SecCodeStatus *status) +{ + BEGIN_CSAPI + + checkFlags(flags); + CodeSigning::Required(status) = SecCode::required(codeRef)->status(); + + END_CSAPI +} + + +// +// Change the dynamic status of a code +// +OSStatus SecCodeSetStatus(SecCodeRef codeRef, SecCodeStatusOperation operation, + CFDictionaryRef arguments, SecCSFlags flags) +{ + BEGIN_CSAPI + + checkFlags(flags); + SecCode::required(codeRef)->status(operation, arguments); + + END_CSAPI +} + + +// +// Get the StaticCode for an Code +// +OSStatus SecCodeCopyStaticCode(SecCodeRef codeRef, SecCSFlags flags, SecStaticCodeRef *staticCodeRef) +{ + BEGIN_CSAPI + + checkFlags(flags, kSecCSUseAllArchitectures); + SecPointer staticCode = SecCode::required(codeRef)->staticCode(); + if (flags & kSecCSUseAllArchitectures) + if (Universal* macho = staticCode->diskRep()->mainExecutableImage()) // Mach-O main executable + if (macho->narrowed()) { + // create a new StaticCode comprising the whole fat file + RefPointer rep = DiskRep::bestGuess(staticCode->diskRep()->mainExecutablePath()); + staticCode = new SecStaticCode(rep); + } + CodeSigning::Required(staticCodeRef) = staticCode ? staticCode->handle() : NULL; + + END_CSAPI +} + + +// +// Get the host for an Code +// +OSStatus SecCodeCopyHost(SecCodeRef guestRef, SecCSFlags flags, SecCodeRef *hostRef) +{ + BEGIN_CSAPI + + checkFlags(flags); + SecPointer host = SecCode::required(guestRef)->host(); + CodeSigning::Required(hostRef) = host ? 
host->handle() : NULL; + + END_CSAPI +} + + +// +// Find a guest by attribute(s) +// +const CFStringRef kSecGuestAttributeCanonical = CFSTR("canonical"); +const CFStringRef kSecGuestAttributeHash = CFSTR("codedirectory-hash"); +const CFStringRef kSecGuestAttributeMachPort = CFSTR("mach-port"); +const CFStringRef kSecGuestAttributePid = CFSTR("pid"); +const CFStringRef kSecGuestAttributeDynamicCode = CFSTR("dynamicCode"); +const CFStringRef kSecGuestAttributeDynamicCodeInfoPlist = CFSTR("dynamicCodeInfoPlist"); +const CFStringRef kSecGuestAttributeArchitecture = CFSTR("architecture"); +const CFStringRef kSecGuestAttributeSubarchitecture = CFSTR("subarchitecture"); + +OSStatus SecCodeCopyGuestWithAttributes(SecCodeRef hostRef, + CFDictionaryRef attributes, SecCSFlags flags, SecCodeRef *guestRef) +{ + BEGIN_CSAPI + + checkFlags(flags); + if (hostRef) { + if (SecCode *guest = SecCode::required(hostRef)->locateGuest(attributes)) + CodeSigning::Required(guestRef) = guest->handle(false); + else + return errSecCSNoSuchCode; + } else + CodeSigning::Required(guestRef) = SecCode::autoLocateGuest(attributes, flags)->handle(false); + + END_CSAPI +} + + +// +// Shorthand for getting the SecCodeRef for a UNIX process +// +OSStatus SecCodeCreateWithPID(pid_t pid, SecCSFlags flags, SecCodeRef *processRef) +{ + BEGIN_CSAPI + + checkFlags(flags); + if (SecCode *guest = KernelCode::active()->locateGuest(CFTemp("{%O=%d}", kSecGuestAttributePid, pid))) + CodeSigning::Required(processRef) = guest->handle(false); + else + return errSecCSNoSuchCode; + + END_CSAPI +} + + +// +// Check validity of an Code +// +OSStatus SecCodeCheckValidity(SecCodeRef codeRef, SecCSFlags flags, + SecRequirementRef requirementRef) +{ + return SecCodeCheckValidityWithErrors(codeRef, flags, requirementRef, NULL); +} + +OSStatus SecCodeCheckValidityWithErrors(SecCodeRef codeRef, SecCSFlags flags, + SecRequirementRef requirementRef, CFErrorRef *errors) +{ +#if !SECTRUST_OSX + BEGIN_CSAPI + + checkFlags(flags, + 
kSecCSConsiderExpiration + | kSecCSEnforceRevocationChecks); + SecPointer code = SecCode::required(codeRef); + code->checkValidity(flags); + if (const SecRequirement *req = SecRequirement::optional(requirementRef)) + code->staticCode()->validateRequirement(req->requirement(), errSecCSReqFailed); + + END_CSAPI_ERRORS +#else +#warning resolve before enabling SECTRUST_OSX: + OSStatus result = errSecSuccess; + const char *func = "SecCodeCheckValidity"; + CFErrorRef localErrors = NULL; + if (!errors) { errors = &localErrors; } + try { + checkFlags(flags, + kSecCSConsiderExpiration + | kSecCSEnforceRevocationChecks); + SecPointer code = SecCode::required(codeRef); + code->checkValidity(flags); + if (const SecRequirement *req = SecRequirement::optional(requirementRef)) + code->staticCode()->validateRequirement(req->requirement(), errSecCSReqFailed); + } + catch (...) { + // the actual error being thrown is not being caught by any of the + // type-specific blocks contained in the END_CSAPI_ERRORS macro, + // so we only have the catch-all block here for now. + result = errSecCSInternalError; + } + + if (errors && *errors) { + CFShow(errors); + CFRelease(errors); + *errors = NULL; + } + if (result == errSecCSInternalError) { + #if !NDEBUG + Security::Syslog::error("WARNING: %s ignored error %d", func, (int)result); + #endif + result = errSecSuccess; + } + return result; +#endif +} + + +// +// Collect suitably laundered information about the code signature of a SecStaticCode +// and return it as a CFDictionary. +// +// This API contracts to return a few pieces of information even for unsigned +// code. This means that a SecStaticCodeRef is usable as a basic indentifier +// (i.e. handle) for any code out there. 
+// +const CFStringRef kSecCodeInfoCertificates = CFSTR("certificates"); +const CFStringRef kSecCodeInfoChangedFiles = CFSTR("changed-files"); +const CFStringRef kSecCodeInfoCMS = CFSTR("cms"); +const CFStringRef kSecCodeInfoDesignatedRequirement = CFSTR("designated-requirement"); +const CFStringRef kSecCodeInfoEntitlements = CFSTR("entitlements"); +const CFStringRef kSecCodeInfoEntitlementsDict = CFSTR("entitlements-dict"); +const CFStringRef kSecCodeInfoFlags = CFSTR("flags"); +const CFStringRef kSecCodeInfoFormat = CFSTR("format"); +const CFStringRef kSecCodeInfoDigestAlgorithm = CFSTR("digest-algorithm"); +const CFStringRef kSecCodeInfoPlatformIdentifier = CFSTR("platform-identifier"); +const CFStringRef kSecCodeInfoIdentifier = CFSTR("identifier"); +const CFStringRef kSecCodeInfoImplicitDesignatedRequirement = CFSTR("implicit-requirement"); +const CFStringRef kSecCodeInfoMainExecutable = CFSTR("main-executable"); +const CFStringRef kSecCodeInfoPList = CFSTR("info-plist"); +const CFStringRef kSecCodeInfoRequirements = CFSTR("requirements"); +const CFStringRef kSecCodeInfoRequirementData = CFSTR("requirement-data"); +const CFStringRef kSecCodeInfoSource = CFSTR("source"); +const CFStringRef kSecCodeInfoStatus = CFSTR("status"); +const CFStringRef kSecCodeInfoTeamIdentifier = CFSTR("teamid"); +const CFStringRef kSecCodeInfoTime = CFSTR("signing-time"); +const CFStringRef kSecCodeInfoTimestamp = CFSTR("signing-timestamp"); +const CFStringRef kSecCodeInfoTrust = CFSTR("trust"); +const CFStringRef kSecCodeInfoUnique = CFSTR("unique"); + +const CFStringRef kSecCodeInfoCodeDirectory = CFSTR("CodeDirectory"); +const CFStringRef kSecCodeInfoCodeOffset = CFSTR("CodeOffset"); +const CFStringRef kSecCodeInfoResourceDirectory = CFSTR("ResourceDirectory"); + + +OSStatus SecCodeCopySigningInformation(SecStaticCodeRef codeRef, SecCSFlags flags, + CFDictionaryRef *infoRef) +{ + BEGIN_CSAPI + + checkFlags(flags, + kSecCSInternalInformation + | kSecCSSigningInformation + | 
kSecCSRequirementInformation + | kSecCSDynamicInformation + | kSecCSContentInformation); + + SecPointer code = SecStaticCode::requiredStatic(codeRef); + CFRef info = code->signingInformation(flags); + + if (flags & kSecCSDynamicInformation) + if (SecPointer dcode = SecStaticCode::optionalDynamic(codeRef)) + info.take(cfmake("{+%O,%O=%u}", info.get(), kSecCodeInfoStatus, dcode->status())); + + CodeSigning::Required(infoRef) = info.yield(); + + END_CSAPI +} diff --git a/OSX/include/security_codesigning/SecCode.h b/OSX/include/security_codesigning/SecCode.h new file mode 100644 index 00000000..415506b4 --- /dev/null +++ b/OSX/include/security_codesigning/SecCode.h 
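Review bot: In the `SECTRUST_OSX` branch of `SecCodeCheckValidityWithErrors`, `CFShow(errors); CFRelease(errors);` are applied to the `CFErrorRef *` rather than to the `CFErrorRef` it points at, and when the caller passed NULL, `errors` is `&localErrors`, so this would release a stack address; the block should read `if (errors && *errors) { CFShow(*errors); CFRelease(*errors); *errors = NULL; }`. The same branch then maps every exception from `checkValidity` and `validateRequirement` to `errSecCSInternalError` and rewrites that to `errSecSuccess`, so a code object that fails validation would be reported to the caller as valid — a fail-open that the `#warning` acknowledges but that should be resolved (propagate the real status, or at minimum leave `errSecCSInternalError` in place) before the branch is compiled in. Whether `SECTRUST_OSX` is enabled for this build is not visible from the hunk. Separately, `SecCodeCopyStaticCode` stacks three unbraced `if`s ahead of the braced body; bracing each level would match the rest of the file and make the nesting unambiguous to the reader.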
@@ -0,0 +1,447 @@ +/* + * Copyright (c) 2006-2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +/*! + @header SecCode + SecCode represents separately indentified running code in the system. + In addition to UNIX processes, this can also include (with suitable support) + scripts, applets, widgets, etc. +*/ +#ifndef _H_SECCODE +#define _H_SECCODE + +#include +#include + +#ifdef __cplusplus +extern "C" { +#endif + +CF_ASSUME_NONNULL_BEGIN + +/*! + @function SecCodeGetTypeID + Returns the type identifier of all SecCode instances. +*/ +CFTypeID SecCodeGetTypeID(void); + + +/*! + @function SecCodeCopySelf + Obtains a SecCode object for the code making the call. + The calling code is determined in a way that is subject to modification over + time, but obeys the following rules. If it is a UNIX process, its process id (pid) + is always used. If it is an active code host that has a dedicated guest, such a guest + is always preferred. If it is a host that has called SecHostSelectGuest, such selection + is considered until revoked. + + @param flags Optional flags. 
Pass kSecCSDefaultFlags for standard behavior. + @param self Upon successful return, contains a SecCodeRef representing the caller. + + @result Upon success, errSecSuccess. Upon error, an OSStatus value documented in + CSCommon.h or certain other Security framework headers. + */ +OSStatus SecCodeCopySelf(SecCSFlags flags, SecCodeRef * __nonnull CF_RETURNS_RETAINED self); + + +/*! + @function SecCodeCopyStaticCode + Given a SecCode object, locate its origin in the file system and return + a SecStaticCode object representing it. + + The link established by this call is generally reliable but is NOT guaranteed + to be secure. + + Many API functions taking SecStaticCodeRef arguments will also directly + accept a SecCodeRef and apply this translation implicitly, operating on + its result or returning its error code if any. Each of these functions + calls out that behavior in its documentation. + + If the code was obtained from a universal (aka "fat") program file, + the resulting SecStaticCodeRef will refer only to the architecture actually + being used. This means that multiple running codes started from the same file + may conceivably result in different static code references if they ended up + using different execution architectures. (This is unusual but possible.) + + @param code A valid SecCode object reference representing code running + on the system. + + @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. + @constant kSecCSUseAllArchitectures + If code refers to a single architecture of a universal binary, return a SecStaticCodeRef + that refers to the entire universal code with all its architectures. By default, the + returned static reference identifies only the actual architecture of the running program. + + @param staticCode On successful return, a SecStaticCode object reference representing + the file system origin of the given SecCode. On error, unchanged. + @result Upon success, errSecSuccess. 
Upon error, an OSStatus value documented in + CSCommon.h or certain other Security framework headers. +*/ +CF_ENUM(uint32_t) { + kSecCSUseAllArchitectures = 1 << 0, +}; + +OSStatus SecCodeCopyStaticCode(SecCodeRef code, SecCSFlags flags, SecStaticCodeRef * __nonnull CF_RETURNS_RETAINED staticCode); + + +/*! + @function SecCodeCopyHost + Given a SecCode object, identify the (different) SecCode object that acts + as its host. A SecCode's host acts as a supervisor and controller, + and is the ultimate authority on the its dynamic validity and status. + The host relationship is securely established (absent reported errors). + + @param code A valid SecCode object reference representing code running + on the system. + @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. + @param host On successful return, a SecCode object reference identifying + the code's host. + @result Upon success, errSecSuccess. Upon error, an OSStatus value documented in + CSCommon.h or certain other Security framework headers. +*/ +OSStatus SecCodeCopyHost(SecCodeRef guest, SecCSFlags flags, SecCodeRef * __nonnull CF_RETURNS_RETAINED host); + +/*! + @function SecCodeCopyGuestWithAttributes + This is the omnibus API function for obtaining dynamic code references. + In general, it asks a particular code acting as a code host to locate + and return a guest with given attributes. Different hosts support + different combinations of attributes and values for guest selection. + + Asking the NULL host invokes system default procedures for obtaining + any running code in the system with the attributes given. The returned + code may be anywhere in the system. + + The methods a host uses to identify, separate, and control its guests + are specific to each type of host. This call provides a generic abstraction layer + that allows uniform interrogation of all hosts. A SecCode that does not + act as a host will always return errSecCSNoSuchCode. 
A SecCode that does + support hosting may return itself to signify that the attribute refers to + itself rather than one of its hosts. + + @param host A valid SecCode object reference representing code running + on the system that acts as a Code Signing host. As a special case, passing + NULL indicates that the Code Signing root of trust should be used as a starting + point. Currently, that is the system kernel. + @param attributes A CFDictionary containing zero or more attribute selector + values. Each selector has a CFString key and associated CFTypeRef value. + The key name identifies the attribute being specified; the associated value, + whose type depends on the the key name, selects a particular value or other + constraint on that attribute. Each host only supports particular combinations + of keys and values, and errors will be returned if any unsupported set is requested. + As a special case, NULL is taken to mean an empty attribute set. + Note that some hosts that support hosting chains (guests being hosts) + may return sub-guests in this call. In other words, do not assume that + a SecCodeRef returned by this call is a direct guest of the queried host + (though it will be a proximate guest, i.e. a guest's guest some way down). + Asking the NULL host for NULL attributes returns a code reference for the system root + of trust (at present, the running Darwin kernel). + @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. + @param guest On successful return, a SecCode object reference identifying + the particular guest of the host that owns the attribute value(s) specified. + This argument will not be changed if the call fails (does not return errSecSuccess). + @result Upon success, errSecSuccess. Upon error, an OSStatus value documented in + CSCommon.h or certain other Security framework headers. In particular: + @error errSecCSUnsupportedGuestAttributes The host does not support the attribute + type given by attributeType. 
+ @error errSecCSInvalidAttributeValues The type of value given for a guest + attribute is not supported by the host. + @error errSecCSNoSuchCode The host has no guest with the attribute value given + by attributeValue, even though the value is of a supported type. This may also + be returned if the host code does not currently act as a Code Signing host. + @error errSecCSNotAHost The specified host cannot, in fact, act as a code + host. (It is missing the kSecCodeSignatureHost option flag in its code + signature.) + @error errSecCSMultipleGuests The attributes specified do not uniquely identify + a guest (the specification is ambiguous). +*/ +extern const CFStringRef kSecGuestAttributeCanonical; +extern const CFStringRef kSecGuestAttributeHash; +extern const CFStringRef kSecGuestAttributeMachPort; +extern const CFStringRef kSecGuestAttributePid; +extern const CFStringRef kSecGuestAttributeDynamicCode; +extern const CFStringRef kSecGuestAttributeDynamicCodeInfoPlist; +extern const CFStringRef kSecGuestAttributeArchitecture; +extern const CFStringRef kSecGuestAttributeSubarchitecture; + +OSStatus SecCodeCopyGuestWithAttributes(SecCodeRef __nullable host, + CFDictionaryRef __nullable attributes, SecCSFlags flags, SecCodeRef * __nonnull CF_RETURNS_RETAINED guest); + + +/*! + @function SecCodeCheckValidity + Performs dynamic validation of the given SecCode object. The call obtains and + verifies the signature on the code object. It checks the validity of only those + sealed components required to establish identity. It checks the SecCode's + dynamic validity status as reported by its host. It ensures that the SecCode's + host is in turn valid. Finally, it validates the code against a SecRequirement + if one is given. The call succeeds if all these conditions are satisfactory. + It fails otherwise. + + This call is secure against attempts to modify the file system source of the + SecCode. + + @param code The code object to be validated. + @param flags Optional flags. 
Pass kSecCSDefaultFlags for standard behavior. + @param requirement An optional code requirement specifying additional conditions + the code object must satisfy to be considered valid. If NULL, no additional + requirements are imposed. + @param errors An optional pointer to a CFErrorRef variable. If the call fails + (and something other than errSecSuccess is returned), and this argument is non-NULL, + a CFErrorRef is stored there further describing the nature and circumstances + of the failure. The caller must CFRelease() this error object when done with it. + @result If validation passes, errSecSuccess. If validation fails, an OSStatus value + documented in CSCommon.h or certain other Security framework headers. +*/ +OSStatus SecCodeCheckValidity(SecCodeRef code, SecCSFlags flags, + SecRequirementRef __nullable requirement); + +OSStatus SecCodeCheckValidityWithErrors(SecCodeRef code, SecCSFlags flags, + SecRequirementRef __nullable requirement, CFErrorRef *errors); + + +/*! + @function SecCodeCopyPath + For a given Code or StaticCode object, returns a URL to a location on disk where the + code object can be found. For single files, the URL points to that file. + For bundles, it points to the directory containing the entire bundle. + + This returns the same URL as the kSecCodeInfoMainExecutable key returned + by SecCodeCopySigningInformation. + + @param code The Code or StaticCode object to be located. For a Code + argument, its StaticCode is processed as per SecCodeCopyStaticCode. + @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. + @param path On successful return, contains a CFURL identifying the location + on disk of the staticCode object. + @result On success, errSecSuccess. On error, an OSStatus value + documented in CSCommon.h or certain other Security framework headers. +*/ +OSStatus SecCodeCopyPath(SecStaticCodeRef staticCode, SecCSFlags flags, + CFURLRef * __nonnull CF_RETURNS_RETAINED path); + + +/*! 
+ @function SecCodeCopyDesignatedRequirement + For a given Code or StaticCode object, determines its Designated Code Requirement. + The Designated Requirement is the SecRequirement that the code believes + should be used to properly identify it in the future. + + If the SecCode contains an explicit Designated Requirement, a copy of that + is returned. If it does not, a SecRequirement is implicitly constructed from + its signing authority and its embedded unique identifier. No Designated + Requirement can be obtained from code that is unsigned. Code that is modified + after signature, improperly signed, or has become invalid, may or may not yield + a Designated Requirement. This call does not validate the SecStaticCode argument. + + @param code The Code or StaticCode object to be interrogated. For a Code + argument, its StaticCode is processed as per SecCodeCopyStaticCode. + @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. + @param requirement On successful return, contains a copy of a SecRequirement + object representing the code's Designated Requirement. On error, unchanged. + @result On success, errSecSuccess. On error, an OSStatus value + documented in CSCommon.h or certain other Security framework headers. +*/ +OSStatus SecCodeCopyDesignatedRequirement(SecStaticCodeRef code, SecCSFlags flags, + SecRequirementRef * __nonnull CF_RETURNS_RETAINED requirement); + + +/* + @function SecCodeCopySigningInformation + For a given Code or StaticCode object, extract various pieces of information + from its code signature and return them in the form of a CFDictionary. The amount + and detail level of the data is controlled by the flags passed to the call. + + If the code exists but is not signed at all, this call will succeed and return + a dictionary that does NOT contain the kSecCodeInfoIdentifier key. This is the + recommended way to check quickly whether a code is signed. 
+ + If the signing data for the code is corrupt or invalid, this call may fail or it + may return partial data. To ensure that only valid data is returned (and errors + are raised for invalid data), you must successfully call one of the CheckValidity + functions on the code before calling CopySigningInformation. + + @param code The Code or StaticCode object to be interrogated. For a Code + argument, its StaticCode is processed as per SecCodeCopyStaticCode. + Note that dynamic information (kSecCSDynamicInformation) cannot be obtained + for a StaticCode argument. + @param flags Optional flags. Use any or all of the kSecCS*Information flags + to select what information to return. A generic set of entries is returned + regardless; you may specify kSecCSDefaultFlags for just those. + @param information A CFDictionary containing information about the code is stored + here on successful completion. The contents of the dictionary depend on + the flags passed. Regardless of flags, the kSecCodeInfoIdentifier key is + always present if the code is signed, and always absent if the code is + unsigned. + Note that some of the objects returned are (retained) "live" API objects + used by the code signing infrastructure. Making changes to these objects + is unsupported and may cause subsequent code signing operations on the + affected code to behave in undefined ways. + @result On success, errSecSuccess. On error, an OSStatus value + documented in CSCommon.h or certain other Security framework headers. + + Flags: + + @constant kSecCSSigningInformation Return cryptographic signing information, + including the certificate chain and CMS data (if any). For ad-hoc signed + code, there are no certificates and the CMS data is empty. + @constant kSecCSRequirementInformation Return information about internal code + requirements embedded in the code. This includes the Designated Requirement. + @constant kSecCSInternalInformation Return internal code signing information. 
+ This information is for use by Apple, and is subject to change without notice. + It will not be further documented here. + @constant kSecCSDynamicInformation Return dynamic validity information about + the Code. The subject code must be a SecCodeRef (not a SecStaticCodeRef). + @constant kSecCSContentInformation Return more information about the file system + contents making up the signed code on disk. It is not generally advisable to + make use of this information, but some utilities (such as software-update + tools) may find it useful. + + Dictionary keys: + + @constant kSecCodeInfoCertificates A CFArray of SecCertificates identifying the + certificate chain of the signing certificate as seen by the system. Absent + for ad-hoc signed code. May be partial or absent in error cases. + @constant kSecCodeInfoChangedFiles A CFArray of CFURLs identifying all files in + the code that may have been modified by the process of signing it. (In other + words, files not in this list will not have been touched by the signing operation.) + @constant kSecCodeInfoCMS A CFData containing the CMS cryptographic object that + secures the code signature. Empty for ad-hoc signed code. + @constant kSecCodeInfoDesignatedRequirement A SecRequirement describing the + actual Designated Requirement of the code. + @constant kSecCodeInfoEntitlements A CFData containing the embedded entitlement + blob of the code, if any. + @constant kSecCodeInfoEntitlementsDict A CFDictionary containing the embedded entitlements + of the code if it has entitlements and they are in standard dictionary form. + Absent if the code has no entitlements, or they are in a different format (in which + case, see kSecCodeInfoEntitlements). + @constant kSecCodeInfoFlags A CFNumber with the static (on-disk) state of the object. + Contants are defined by the type SecCodeSignatureFlags. + @constant kSecCodeInfoFormat A CFString characterizing the type and format of + the code. Suitable for display to a (knowledeable) user. 
+ @constant kSecCodeInfoDigestAlgorithm A CFNumber indicating the kind of cryptographic + hash function used within the signature to seal its pieces together. + @constant kSecCodeInfoPlatformIdentifier If this code was signed as part of an operating + system release, this value identifies that release. + @constant kSecCodeInfoIdentifier A CFString with the actual signing identifier + sealed into the signature. Absent for unsigned code. + @constant kSecCodeInfoImplicitDesignatedRequirement A SecRequirement describing + the designated requirement that the system did generate, or would have generated, + for the code. If the Designated Requirement was implicitly generated, this is + the same object as kSecCodeInfoDesignatedRequirement; this can be used to test + for an explicit Designated Requirement. + @constant kSecCodeInfoMainExecutable A CFURL identifying the main executable file + of the code. For single files, that is the file itself. For bundles, it is the + main executable as identified by its Info.plist. + @constant kSecCodeInfoPList A retained CFDictionary referring to the secured Info.plist + as seen by code signing. Absent if no Info.plist is known to the code signing + subsystem. Note that this is not the same dictionary as the one CFBundle would + give you (CFBundle is free to add entries to the on-disk plist). + @constant kSecCodeInfoRequirements A CFString describing the internal requirements + of the code in canonical syntax. + @constant kSecCodeInfoRequirementsData A CFData containing the internal requirements + of the code as a binary blob. + @constant kSecCodeInfoSource A CFString describing the source of the code signature + used for the code object. The values are meant to be shown in informational + displays; do not rely on the precise value returned. + @constant kSecCodeInfoStatus A CFNumber containing the dynamic status word of the + (running) code. 
This is a snapshot at the time the API is executed and may be + out of date by the time you examine it. Do note however that most of the bits + are sticky and thus some values are permanently reliable. Be careful. + @constant kSecCodeInfoTime A CFDate describing the signing date (securely) embedded + in the code signature. Note that a signer is able to omit this date or pre-date + it. Nobody certifies that this was really the date the code was signed; however, + you do know that this is the date the signer wanted you to see. + Ad-hoc signatures have no CMS and thus never have secured signing dates. + @constant kSecCodeInfoTimestamp A CFDate describing the signing date as (securely) + certified by a timestamp authority service. This time cannot be falsified by the + signer; you trust the timestamp authority's word on this. + Ad-hoc signatures have no CMS and thus never have secured signing dates. + @constant kSecCodeInfoTrust The (retained) SecTrust object the system uses to + evaluate the validity of the code's signature. You may use the SecTrust API + to extract detailed information, particularly for reasons why certificate + validation may have failed. This object may continue to be used for further + evaluations of this code; if you make any changes to it, behavior is undefined. + @constant kSecCodeInfoUnique A CFData binary identifier that uniquely identifies + the static code in question. It can be used to recognize this particular code + (and none other) now or in the future. Compare to kSecCodeInfoIdentifier, which + remains stable across (developer-approved) updates. + The algorithm used may change from time to time. However, for any existing signature, + the value is stable. 
+ */
+CF_ENUM(uint32_t) {
+ kSecCSInternalInformation = 1 << 0,
+ kSecCSSigningInformation = 1 << 1,
+ kSecCSRequirementInformation = 1 << 2,
+ kSecCSDynamicInformation = 1 << 3,
+ kSecCSContentInformation = 1 << 4
+};
+ /* flag required to get this value */
+extern const CFStringRef kSecCodeInfoCertificates; /* Signing */
+extern const CFStringRef kSecCodeInfoChangedFiles; /* Content */
+extern const CFStringRef kSecCodeInfoCMS; /* Signing */
+extern const CFStringRef kSecCodeInfoDesignatedRequirement; /* Requirement */
+extern const CFStringRef kSecCodeInfoEntitlements; /* Requirement */
+extern const CFStringRef kSecCodeInfoEntitlementsDict; /* Requirement */
+extern const CFStringRef kSecCodeInfoFlags; /* generic */
+extern const CFStringRef kSecCodeInfoFormat; /* generic */
+extern const CFStringRef kSecCodeInfoDigestAlgorithm; /* generic */
+extern const CFStringRef kSecCodeInfoPlatformIdentifier; /* generic */
+extern const CFStringRef kSecCodeInfoIdentifier; /* generic */
+extern const CFStringRef kSecCodeInfoImplicitDesignatedRequirement; /* Requirement */
+extern const CFStringRef kSecCodeInfoMainExecutable; /* generic */
+extern const CFStringRef kSecCodeInfoPList; /* generic */
+extern const CFStringRef kSecCodeInfoRequirements; /* Requirement */
+extern const CFStringRef kSecCodeInfoRequirementData; /* Requirement */
+extern const CFStringRef kSecCodeInfoSource; /* generic */
+extern const CFStringRef kSecCodeInfoStatus; /* Dynamic */
+extern const CFStringRef kSecCodeInfoTeamIdentifier; /* Signing */
+extern const CFStringRef kSecCodeInfoTime; /* Signing */
+extern const CFStringRef kSecCodeInfoTimestamp; /* Signing */
+extern const CFStringRef kSecCodeInfoTrust; /* Signing */
+extern const CFStringRef kSecCodeInfoUnique; /* generic */
+
+OSStatus SecCodeCopySigningInformation(SecStaticCodeRef code, SecCSFlags flags,
+ CFDictionaryRef * __nonnull CF_RETURNS_RETAINED information);
+
+
+/*
+ @function SecCodeMapMemory
+ For a given Code or StaticCode object, ask the kernel to accept the signing information
+ currently attached to it in the caller and use it to validate memory page-ins against it,
+ updating dynamic validity state accordingly. This change affects all processes that have
+ the main executable of this code mapped.
+
+ @param code A Code or StaticCode object representing the signed code whose main executable
+ should be subject to page-in validation.
+ @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
+ */
+OSStatus SecCodeMapMemory(SecStaticCodeRef code, SecCSFlags flags);
+
+CF_ASSUME_NONNULL_END
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif //_H_SECCODE
diff --git a/Security/libsecurity_codesigning/lib/SecCodeHost.cpp b/OSX/include/security_codesigning/SecCodeHost.cpp
similarity index 100%
rename from Security/libsecurity_codesigning/lib/SecCodeHost.cpp
rename to OSX/include/security_codesigning/SecCodeHost.cpp
diff --git a/OSX/include/security_codesigning/SecCodeHost.h b/OSX/include/security_codesigning/SecCodeHost.h
new file mode 100644
index 00000000..7e462af4
--- /dev/null
+++ b/OSX/include/security_codesigning/SecCodeHost.h
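Review bot: `SecCodeCheckValidityWithErrors` declares `CFErrorRef *errors` inside the `CF_ASSUME_NONNULL_BEGIN` region of SecCode.h, so the out-parameter is implicitly nonnull even though the doc block directly above it calls it "an optional pointer" that is only written "if this argument is non-NULL"; the prototype should read `SecRequirementRef __nullable requirement, CFErrorRef __nullable * __nullable errors);` so nullability-checking clang and Swift callers are not told that a NULL the documentation accepts is illegal. Two documentation mismatches in the same header will mislead readers of the generated docs: `SecCodeCopyHost` documents a parameter named `code` while the prototype names it `guest`, and the dictionary-key list describes `kSecCodeInfoRequirementsData` while the declaration (and the definition in the SecCode.cpp hunk above) is `kSecCodeInfoRequirementData`. The comment blocks for `SecCodeCopySigningInformation` and `SecCodeMapMemory` open with `/*` rather than `/*!`, so HeaderDoc will not emit them, and `kSecCodeInfoTeamIdentifier` is declared (Signing) but has no entry in the "Dictionary keys" list; a one-line entry such as `@constant kSecCodeInfoTeamIdentifier A CFString with the team identifier sealed into the signature, if any.` should be added with the others, hedged to whatever the signer actually seals since the header does not say.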
@@ -0,0 +1,244 @@ +/* + * Copyright (c) 2006-2007,2011,2013 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +/*! + @header SecCodeHost + This header provides the hosting API for Code Signing. These are calls + that are (only) made by code that is hosting guests. + In the context of Code Signing, a Host is code that creates and manages other + codes from which it defends its own integrity. As part of that duty, it maintains + state for each of its children, and answers questions about them. + + A Host is externally represented by a SecCodeRef (it is a SecCode object). + So is a Guest. There is no specific API object to represent Hosts or Guests. + Within the Hosting API, guests are identified by simple numeric handles that + are unique and valid only in the context of their specific host. + + The functions in this API always apply to the Host making the API calls. + They cannot be used to (directly) interrogate another host. +*/ +#ifndef _H_SECCODEHOST +#define _H_SECCODEHOST + +#include + +#ifdef __cplusplus +extern "C" { +#endif + +CF_ASSUME_NONNULL_BEGIN + +/*! 
+ @header SecCodeHost + This header describes the Code Signing Hosting API. These are calls made + by code that wishes to become a Host in the Code Signing Host/Guest infrastructure. + Hosting allows the caller to establish separate, independent code identities + (SecCodeRefs) for parts of itself, usually because it is loading and managing + code in the form of scripts, plugins, etc. + + The Hosting API does not directly connect to the Code Signing Client APIs. + Certain calls in the client API will cause internal queries to hosts about their + guests. The Host side of these queries is managed through this API. The results + will eventually be delivered to client API callers in appropriate form. + + If code never calls any of the Hosting API functions, it is deemed to not have + guests and not act as a Host. This is the default and requires no action. + + Hosting operates in one of two modes, dynamic or proxy. Whichever mode is first + engaged prevails for the lifetime of the caller. There is no way to switch between + the two, and calling an API belonging to the opposite mode will fail. + + In dynamic hosting mode, the caller provides a Mach port that receives direct + queries about its guests. Dynamic mode is engaged by calling SecHostSetHostingPort. + + In proxy hosting mode, the caller provides information about its guests as + guests are created, removed, or change status. The system caches this information + and answers queries about guests from this pool of information. The caller is not + directly involved in answering such queries, and has no way to intervene. +*/ + + +/*! + @function SecHostCreateGuest + Create a new Guest and describe its initial properties. + + This call activates Hosting Proxy Mode. From here on, the system will record + guest information provided through SecHostCreateGuest, SecHostSetGuestStatus, and + SecHostRemoveGuest, and report hosting status to callers directly. 
This mode + is incompatible with dynamic host mode as established by a call to SecHostSetHostingPort. + + @param host Pass kSecNoGuest to create a guest of the process itself. + To create a guest of another guest (extending the hosting chain), pass the SecGuestRef + of the guest to act as the new guest's host. If host has a dedicated guest, + it will be deemed to be be the actual host, recursively. + @param status The Code Signing status word for the new guest. These are combinations + of the kSecCodeStatus* flags in . Note that the proxy will enforce + the rules for the stickiness of these bits. In particular, if you don't pass the + kSecCodeStatusValid bit during creation, your new guest will be born invalid and will + never have a valid identity. + @param path The canonical path to the guest's code on disk. This is the path you would + pass to SecStaticCodeCreateWithPath to make a static code object reference. You must + use an absolute path. + @param attributes An optional CFDictionaryRef containing attributes that can be used + to locate this particular guest among all of the caller's guests. The "canonical" + attribute is automatically added for the value of guestRef. If you pass NULL, + no other attributes are established for the guest. + While any key can be used in the attributes dictionary, the kSecGuestAttribute* constants + (in SecCode.h) are conventionally used here. + @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior, or + a combination of the flags defined below for special features. + @result Upon success, errSecSuccess. Upon error, an OSStatus value documented in + CSCommon.h or certain other Security framework headers. + @param newGuest Upon successful creation of the new guest, the new SecGuestRef + that should be used to identify the new guest from here on. + + @constant kSecCSDedicatedHost Declares dedicated hosting for the given host. 
+ In dedicated hosting, the host has exactly one guest (the one this call is + introducing), and the host will spend all of its time from here on running + that guest (or on its behalf). This declaration is irreversable for the lifetime + of the host. Note that this is a declaration about the given host, and is not + binding upon other hosts on either side of the hosting chain, though they in turn + may declare dedicated hosting if desired. + It is invalid to declare dedicated hosting if other guests have already been + introduced for this host, and it is invalid to introduce additional guests + for this host after this call. + @constant kSecCSGenerateGuestHash Ask the proxy to generate the binary identifier + (hash of CodeDirectory) from the copy on disk at the path given. This is not optimal + since an attacker with write access may be able to substitute a different copy just + in time, but it is convenient. For optimal security, the host should calculate the + hash from the loaded in-memory signature of its guest and pass the result as an + attribute with key kSecGuestAttributeHash. +*/ +CF_ENUM(uint32_t) { + kSecCSDedicatedHost = 1 << 0, + kSecCSGenerateGuestHash = 1 << 1, +}; + +OSStatus SecHostCreateGuest(SecGuestRef host, + uint32_t status, CFURLRef path, CFDictionaryRef __nullable attributes, + SecCSFlags flags, SecGuestRef * __nonnull newGuest); + + +/*! + @function SecHostRemoveGuest + Announce that the guest with the given guestRef has permanently disappeared. + It removes all memory of the guest from the hosting system. You cannot remove + a dedicated guest. + + @param host The SecGuestRef that was used to create guest. You cannot specify + a proximate host (host of a host) here. However, the substitution for dedicated + guests described for SecHostCreateGuest also takes place here. + @param guest The handle for a Guest previously created with SecHostCreateGuest + that has not previously been destroyed. This guest is to be destroyed now. 
+ @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. + @result Upon success, errSecSuccess. Upon error, an OSStatus value documented in + CSCommon.h or certain other Security framework headers. +*/ +OSStatus SecHostRemoveGuest(SecGuestRef host, SecGuestRef guest, SecCSFlags flags); + + +/*! + @function SecHostSelectGuest + Tell the Code Signing host subsystem that the calling thread will now act + on behalf of the given Guest. This must be a valid Guest previously created + with SecHostCreateGuest. + + @param guestRef The handle for a Guest previously created with SecHostCreateGuest + on whose behalf this thread will act from now on. This setting will be remembered + until it is changed (or the thread terminates). + To indicate that the thread will act on behalf of the Host itself (rather than + any Guest), pass kSecNoGuest. + @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. + @result Upon success, errSecSuccess. Upon error, an OSStatus value documented in + CSCommon.h or certain other Security framework headers. +*/ +OSStatus SecHostSelectGuest(SecGuestRef guestRef, SecCSFlags flags); + + +/*! + @function SecHostSelectedGuest + Retrieve the handle for the Guest currently selected for the calling thread. + + @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. + @param guestRef Will be assigned the SecGuestRef currently in effect for + the calling thread. If no Guest is active on this thread (i.e. the thread + is acting for the Host), the return value is kSecNoGuest. + @result Upon success, errSecSuccess. Upon error, an OSStatus value documented in + CSCommon.h or certain other Security framework headers. +*/ +OSStatus SecHostSelectedGuest(SecCSFlags flags, SecGuestRef * __nonnull guestRef); + + +/*! + @function SecHostSetGuestStatus + Updates the status of a particular guest. 
+ + @param guestRef The handle for a Guest previously created with SecHostCreateGuest + on whose behalf this thread will act from now on. This setting will be remembered + until it is changed (or the thread terminates). + @param status The new Code Signing status word for the guest. The proxy enforces + the restrictions on changes to guest status; in particular, the kSecCodeStatusValid bit can only + be cleared, and the kSecCodeStatusHard and kSecCodeStatusKill flags can only be set. Pass the previous + guest status to indicate that no change is desired. + @param attributes An optional dictionary containing attributes to be used to distinguish + this guest from all guests of the caller. If given, it completely replaces the attributes + specified earlier. If NULL, previously established attributes are retained. + @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. + @result Upon success, errSecSuccess. Upon error, an OSStatus value documented in + CSCommon.h or certain other Security framework headers. + */ +OSStatus SecHostSetGuestStatus(SecGuestRef guestRef, + uint32_t status, CFDictionaryRef __nullable attributes, + SecCSFlags flags); + + +/*! + @function SecHostSetHostingPort + Tells the Code Signing Hosting subsystem that the calling code will directly respond + to hosting inquiries over the given port. + + This API should be the first hosting API call made. With it, the calling code takes + direct responsibility for answering questions about its guests using the hosting IPC + services. The SecHostCreateGuest, SecHostDestroyGuest and SecHostSetGuestStatus calls + are not valid after this. The SecHostSelectGuest and SecHostSelectedGuest calls will + still work, and will use whatever SecGuestRefs the caller has assigned in its internal + data structures. + + This call cannot be undone; once it is made, record-and-forward facilities are + disabled for the lifetime of the calling code. 
+ + @param hostingPort A Mach message port with send rights. This port will be recorded + and handed to parties interested in querying the host about its children. + @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. + @result Upon success, errSecSuccess. Upon error, an OSStatus value documented in + CSCommon.h or certain other Security framework headers. + */ +OSStatus SecHostSetHostingPort(mach_port_t hostingPort, SecCSFlags flags); + +CF_ASSUME_NONNULL_END + +#ifdef __cplusplus +} +#endif + +#endif //_H_SECCODEHOST diff --git a/Security/libsecurity_codesigning/lib/SecCodeHostLib.c b/OSX/include/security_codesigning/SecCodeHostLib.c similarity index 100% rename from Security/libsecurity_codesigning/lib/SecCodeHostLib.c rename to OSX/include/security_codesigning/SecCodeHostLib.c diff --git a/Security/libsecurity_codesigning/lib/SecCodeHostLib.h b/OSX/include/security_codesigning/SecCodeHostLib.h similarity index 100% rename from Security/libsecurity_codesigning/lib/SecCodeHostLib.h rename to OSX/include/security_codesigning/SecCodeHostLib.h diff --git a/Security/libsecurity_codesigning/lib/SecCodePriv.h b/OSX/include/security_codesigning/SecCodePriv.h similarity index 100% rename from Security/libsecurity_codesigning/lib/SecCodePriv.h rename to OSX/include/security_codesigning/SecCodePriv.h diff --git a/OSX/include/security_codesigning/SecCodeSigner.cpp b/OSX/include/security_codesigning/SecCodeSigner.cpp new file mode 100644 index 00000000..e9965556 --- /dev/null +++ b/OSX/include/security_codesigning/SecCodeSigner.cpp 
@@ -0,0 +1,124 @@ +/* + * Copyright (c) 2006-2012,2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +// +// SecCode - API frame for SecCode objects. +// +// Note that some SecCode* functions take SecStaticCodeRef arguments in order to +// accept either static or dynamic code references, operating on the respective +// StaticCode. Those functions are in SecStaticCode.cpp, not here, despite their name. 
+// +#include "cs.h" +#include "CodeSigner.h" +#include "cskernel.h" + +using namespace CodeSigning; + + +// +// Parameter keys +// +const CFStringRef kSecCodeSignerApplicationData = CFSTR("application-specific"); +const CFStringRef kSecCodeSignerDetached = CFSTR("detached"); +const CFStringRef kSecCodeSignerDigestAlgorithm = CFSTR("digest-algorithm"); +const CFStringRef kSecCodeSignerDryRun = CFSTR("dryrun"); +const CFStringRef kSecCodeSignerEntitlements = CFSTR("entitlements"); +const CFStringRef kSecCodeSignerFlags = CFSTR("flags"); +const CFStringRef kSecCodeSignerIdentifier = CFSTR("identifier"); +const CFStringRef kSecCodeSignerIdentifierPrefix = CFSTR("identifier-prefix"); +const CFStringRef kSecCodeSignerIdentity = CFSTR("signer"); +const CFStringRef kSecCodeSignerPageSize = CFSTR("pagesize"); +const CFStringRef kSecCodeSignerRequirements = CFSTR("requirements"); +const CFStringRef kSecCodeSignerResourceRules = CFSTR("resource-rules"); +const CFStringRef kSecCodeSignerSDKRoot = CFSTR("sdkroot"); +const CFStringRef kSecCodeSignerSigningTime = CFSTR("signing-time"); +const CFStringRef kSecCodeSignerRequireTimestamp = CFSTR("timestamp-required"); +const CFStringRef kSecCodeSignerTimestampServer = CFSTR("timestamp-url"); +const CFStringRef kSecCodeSignerTimestampAuthentication = CFSTR("timestamp-authentication"); +const CFStringRef kSecCodeSignerTimestampOmitCertificates = CFSTR("timestamp-omit-certificates"); +const CFStringRef kSecCodeSignerPreserveMetadata = CFSTR("preserve-metadata"); +const CFStringRef kSecCodeSignerTeamIdentifier = CFSTR("teamidentifier"); +const CFStringRef kSecCodeSignerPlatformIdentifier = CFSTR("platform-identifier"); + +// temporary add-back to bridge B&I build dependencies -- remove soon +const CFStringRef kSecCodeSignerTSAUse = CFSTR("timestamp-required"); +const CFStringRef kSecCodeSignerTSAURL = CFSTR("timestamp-url"); +const CFStringRef kSecCodeSignerTSAClientAuth = CFSTR("timestamp-authentication"); +const CFStringRef 
kSecCodeSignerTSANoCerts = CFSTR("timestamp-omit-certificates");
+
+
+//
+// CF-standard type code functions
+//
+CFTypeID SecCodeSignerGetTypeID(void)
+{
+ BEGIN_CSAPI
+ return gCFObjects().CodeSigner.typeID;
+ END_CSAPI1(_kCFRuntimeNotATypeID)
+}
+
+
+//
+// Create a signer object
+//
+OSStatus SecCodeSignerCreate(CFDictionaryRef parameters, SecCSFlags flags,
+ SecCodeSignerRef *signerRef)
+{
+ BEGIN_CSAPI
+
+ checkFlags(flags,
+ kSecCSRemoveSignature
+ | kSecCSSignPreserveSignature
+ | kSecCSSignNestedCode
+ | kSecCSSignOpaque
+ | kSecCSSignV1
+ | kSecCSSignNoV1
+ | kSecCSSignBundleRoot
+ | kSecCSSignStrictPreflight);
+ SecPointer signer = new SecCodeSigner(flags);
+ signer->parameters(parameters);
+ CodeSigning::Required(signerRef) = signer->handle();
+
+ END_CSAPI
+}
+
+
+//
+// Generate a signature
+//
+OSStatus SecCodeSignerAddSignature(SecCodeSignerRef signerRef,
+ SecStaticCodeRef codeRef, SecCSFlags flags)
+{
+ return SecCodeSignerAddSignatureWithErrors(signerRef, codeRef, flags, NULL);
+}
+
+OSStatus SecCodeSignerAddSignatureWithErrors(SecCodeSignerRef signerRef,
+ SecStaticCodeRef codeRef, SecCSFlags flags, CFErrorRef *errors)
+{
+ BEGIN_CSAPI
+ checkFlags(flags,
+ kSecCSReportProgress
+ );
+ SecCodeSigner::required(signerRef)->sign(SecStaticCode::required(codeRef), flags);
+ END_CSAPI_ERRORS
+}
diff --git a/OSX/include/security_codesigning/SecCodeSigner.h b/OSX/include/security_codesigning/SecCodeSigner.h new file mode 100644
index 00000000..4dead60d
--- /dev/null
+++ b/OSX/include/security_codesigning/SecCodeSigner.h
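Review bot: The accepted-flag mask in SecCodeSignerCreate's `checkFlags(flags, kSecCSRemoveSignature | ... | kSecCSSignStrictPreflight)` is the only place that rejects unknown signing flags, and it repeats the eight-value enum declared in SecCodeSigner.h with nothing tying the two together, so a flag added to the header but not here is silently rejected and one added here but not there is accepted without a public name. A one-line comment above the call, `// must match the kSecCS* signing flags enumerated in SecCodeSigner.h`, would make that coupling visible to the next person who extends either list. The four `kSecCodeSignerTSA*` constants are exported with exactly the same key strings as the `kSecCodeSignerTimestamp*` ones and are marked "remove soon", yet they are not declared in the new SecCodeSigner.h, so whichever header their remaining users rely on should carry a deprecation attribute or a TODO naming the owner, otherwise the bridge will outlive the build dependency it was added for. `kSecCSReportProgress` is not defined in this hunk; presumably it comes from CSCommon.h.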
@@ -0,0 +1,231 @@ +/* + * Copyright (c) 2006-2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +/*! + @header SecCodeSigner + SecCodeSigner represents an object that can sign code. +*/ +#ifndef _H_SECCODESIGNER +#define _H_SECCODESIGNER + +#ifdef __cplusplus +extern "C" { +#endif + +#include + +/*! + @typedef SecCodeSignerRef + This is the type of a reference to a code requirement. +*/ +typedef struct __SecCodeSigner *SecCodeSignerRef; /* code signing object */ + + +/*! + @function SecCodeGetTypeID + Returns the type identifier of all SecCodeSigner instances. +*/ +CFTypeID SecCodeSignerGetTypeID(void); + + +/*! + The following CFString constants can be used as keys in the parameters argument + of SecCodeSignerCreate to specify various modes and options of the signing operation. + Passing any keys not specified here may lead to undefined behavior and is not supported. + The same applies to passing objects of types not explicitly allowed here. + + @constant kSecCodeSignerDetached Determines where the signature is written. 
+ If this key is absent, the code being signed is modified to contain the signature, + replacing any signature already embedded there. + If the value is kCFNull, the signature is written to the system-wide detached + signature database. (You must have root privileges to write there.) + If the value of this key is a CFURL, the signature is written to a file at that location, + replacing any data there. + If the value is a CFMutableData, the signature is appended to that data. + @constant kSecCodeSignerDryRun A boolean value. If present and true, the actual writing + of the signature is inhibited, and the code is not modified, but all operations + leading up to this are performed normally, including the cryptographic access to + the signing identity (if any). + @constant kSecCodeSignerFlags A CFNumber specifying which flags to set in the code signature. + Note that depending on circumstances, this value may be augmented or modified + as part of the signing operation. + @constant kSecCodeSignerIdentifier If present, a CFString that explicitly specifies + the unique identifier string sealed into the code signature. If absent, the identifier + is derived implicitly from the code being signed. + @constant kSecCodeSignerIdentifierPrefix If the unique identifier string of the code signature + is implicitly generated, and the resulting string does not contain any "." (dot) + characters, then the (string) value of this parameter is prepended to the identifier. + By convention, the prefix is usually of the form "com.yourcompany.", but any value + is acceptable. If the kSecCodeSignerIdentifier parameter is specified, this parameter + is ineffective (but still allowed). + @constant kSecCodeSignerIdentity A SecIdentityRef describing the signing identity + to use for signing code. This is a mandatory parameter for signing operations. 
+ Its value must be either a SecIdentityRef specifying a cryptographic identity + valid for Code Signing, or the special value kCFNull to indicate ad-hoc signing. + @constant kSecCodeSignerOperation The type of operation to be performed. Valid values + are kSecCodeSignerOperationSign to sign code, and kSecCodeSignerOperationRemove + to remove any existing signature from code. The default operation is to sign code. + @constant kSecCodeSignerPageSize An integer value explicitly specifying the page size + used to sign the main executable. This must be a power of two. A value of zero indicates + infinite size (no paging). + Only certain page sizes are allowed in most circumstances, and specifying an inappropriate + size will lead to spurious verification failures. This is for expert use only. + @constant kSecCodeSignerRequirements Specifies the internal requirements to be sealed into + the code signature. Must be either a CFData containing the binary (compiled) form of + a requirements set (SuperBlob), or a CFString containing a valid text form to be + compiled into binary form. Default requirements are automatically generated if this + parameter is omitted, and defaults may be applied to particular requirement types + that are not specified; but any requirement type you specify is sealed exactly as + specified. + @constant kSecCodeSignerResourceRules A CFDictionary containing resource scanning rules + determining what resource files are sealed into the signature (and in what way). + A situation-dependent default is applied if this parameter is not specified. + @constant kSecCodeSignerSDKRoot A CFURLRef indicating an alterate directory root + where signing operations should find subcomponents (libraries, frameworks, modules, etc.). + The default is the host system root "/". + @constant kSecCodeSignerSigningTime Specifies what date and time is sealed into the + code signature's CMS data. 
Can be either a CFDate object specifying a date, or + the value kCFNull indicating that no date should be included in the signature. + If not specified, the current date is chosen and sealed. + Since an ad-hoc signature has no CMS data, this argument is ineffective + for ad-hoc signing operations. + @constant kSecCodeSignerRequireTimestamp A CFBoolean indicating (if kCFBooleanTrue) that + the code signature should be certified by a timestamp authority service. This option + requires access to a timestamp server (usually over the Internet). If requested and + the timestamp server cannot be contacted or refuses service, the signing operation fails. + The timestamp value is not under the caller's control. + If the value is kCFBooleanFalse, no timestamp service is contacted and the resulting signature + has no certified timestamp. + If this key is omitted, a default is used that may vary from release to release. + Note that when signing multi-architectural ("fat") programs, each architecture will + be signed separately, and thus each architecture will have a slightly different timestamp. + @constant kSecCodeSignerTimestampServer A CFURL specifying which timestamp authority service + to contact for timestamping if requested by the kSecCodeSignerRequireTimestamp argument. + If omitted (and timestamping is performed), a system-defined default value is used, referring + to an Apple-operated timestamp service. Note that this service may not freely serve all requests. + @constant kSecCodeSignerTimestampAuthentication A SecIdentityRef describing the identity + used to authenticate to the timestamp authority server, if the server requires client-side + (SSL/TLS) authentication. This will not generally be the identity used to sign the actual + code, depending on the requirements of the timestamp authority service used. + If omitted, the timestamp server is contacted using unauthenticated HTTP requests. 
+ @constant kSecCodeSignerTimestampOmitCertificates A CFBoolean indicating (if kCFBooleanTrue) + that the timestamp embedded in the signature, if requested, not contain the full certificate chain + of the timestamp service used. This will make for a marginally smaller signature, but may not + verify correctly unless all such certificates are available (through the keychain system) + on the verifying system. + The default is to embed enough certificates to ensure proper verification of Apple-generated + timestamp signatures. + */ +extern const CFStringRef kSecCodeSignerApplicationData; +extern const CFStringRef kSecCodeSignerDetached; +extern const CFStringRef kSecCodeSignerDigestAlgorithm; +extern const CFStringRef kSecCodeSignerDryRun; +extern const CFStringRef kSecCodeSignerEntitlements; +extern const CFStringRef kSecCodeSignerFlags; +extern const CFStringRef kSecCodeSignerIdentifier; +extern const CFStringRef kSecCodeSignerIdentifierPrefix; +extern const CFStringRef kSecCodeSignerIdentity; +extern const CFStringRef kSecCodeSignerPageSize; +extern const CFStringRef kSecCodeSignerRequirements; +extern const CFStringRef kSecCodeSignerResourceRules; +extern const CFStringRef kSecCodeSignerSDKRoot; +extern const CFStringRef kSecCodeSignerSigningTime; +extern const CFStringRef kSecCodeSignerTimestampAuthentication; +extern const CFStringRef kSecCodeSignerRequireTimestamp; +extern const CFStringRef kSecCodeSignerTimestampServer; +extern const CFStringRef kSecCodeSignerTimestampOmitCertificates; +extern const CFStringRef kSecCodeSignerPreserveMetadata; +extern const CFStringRef kSecCodeSignerTeamIdentifier; +extern const CFStringRef kSecCodeSignerPlatformIdentifier; + +enum { + kSecCodeSignerPreserveIdentifier = 1 << 0, // preserve signing identifier + kSecCodeSignerPreserveRequirements = 1 << 1, // preserve internal requirements (including DR) + kSecCodeSignerPreserveEntitlements = 1 << 2, // preserve entitlements + kSecCodeSignerPreserveResourceRules = 1 << 3, // 
preserve resource rules (and thus resources) + kSecCodeSignerPreserveFlags = 1 << 4, // preserve signing flags + kSecCodeSignerPreserveTeamIdentifier = 1 << 5, // preserve team identifier flags +}; + + +/*! + @function SecCodeSignerCreate + Create a (new) SecCodeSigner object to be used for signing code. + + @param parameters An optional CFDictionary containing parameters that influence + signing operations with the newly created SecCodeSigner. If NULL, defaults + are applied to all parameters; note however that some parameters do not have + useful defaults, and will need to be set before signing is attempted. + @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. + The kSecCSRemoveSignature flag requests that any existing signature be stripped + from the target code instead of signing. + @param staticCode On successful return, a SecStaticCode object reference representing + the file system origin of the given SecCode. On error, unchanged. + @result Upon success, errSecSuccess. Upon error, an OSStatus value documented in + CSCommon.h or certain other Security framework headers. +*/ +enum { + kSecCSRemoveSignature = 1 << 0, // strip existing signature + kSecCSSignPreserveSignature = 1 << 1, // do not (re)sign if an embedded signature is already present + kSecCSSignNestedCode = 1 << 2, // recursive (deep) signing + kSecCSSignOpaque = 1 << 3, // treat all files as resources (no nest scan, no flexibility) + kSecCSSignV1 = 1 << 4, // sign ONLY in V1 form + kSecCSSignNoV1 = 1 << 5, // do not include V1 form + kSecCSSignBundleRoot = 1 << 6, // include files in bundle root + kSecCSSignStrictPreflight = 1 << 7, // fail signing operation if signature would fail strict validation +}; + + +OSStatus SecCodeSignerCreate(CFDictionaryRef parameters, SecCSFlags flags, + SecCodeSignerRef *signer); + + +/*! + @function SecCodeSignerAddSignature + Create a code signature and add it to the StaticCode object being signed. 
+ + @param signer A SecCodeSigner object containing all the information required + to sign code. + @param code A valid SecStaticCode object reference representing code files + on disk. This code will be signed, and will ordinarily be modified to contain + the resulting signature data. + @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. + @param errors An optional pointer to a CFErrorRef variable. If the call fails + (and something other than errSecSuccess is returned), and this argument is non-NULL, + a CFErrorRef is stored there further describing the nature and circumstances + of the failure. The caller must CFRelease() this error object when done with it. + @result Upon success, errSecSuccess. Upon error, an OSStatus value documented in + CSCommon.h or certain other Security framework headers. +*/ +OSStatus SecCodeSignerAddSignature(SecCodeSignerRef signer, + SecStaticCodeRef code, SecCSFlags flags); + +OSStatus SecCodeSignerAddSignatureWithErrors(SecCodeSignerRef signer, + SecStaticCodeRef code, SecCSFlags flags, CFErrorRef *errors); + + +#ifdef __cplusplus +} +#endif + +#endif //_H_SECCODESIGNER diff --git a/Security/libsecurity_codesigning/lib/SecIntegrity.cpp b/OSX/include/security_codesigning/SecIntegrity.cpp similarity index 100% rename from Security/libsecurity_codesigning/lib/SecIntegrity.cpp rename to OSX/include/security_codesigning/SecIntegrity.cpp diff --git a/Security/libsecurity_codesigning/lib/SecIntegrity.h b/OSX/include/security_codesigning/SecIntegrity.h similarity index 100% rename from Security/libsecurity_codesigning/lib/SecIntegrity.h rename to OSX/include/security_codesigning/SecIntegrity.h diff --git a/Security/libsecurity_codesigning/lib/SecIntegrityLib.c b/OSX/include/security_codesigning/SecIntegrityLib.c similarity index 100% rename from Security/libsecurity_codesigning/lib/SecIntegrityLib.c rename to OSX/include/security_codesigning/SecIntegrityLib.c 
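Review bot: The doc comments in this header have drifted from the declarations they describe: `@typedef SecCodeSignerRef` says "a reference to a code requirement", the `@function SecCodeGetTypeID` tag sits on SecCodeSignerGetTypeID, and SecCodeSignerCreate documents a `@param staticCode` that does not exist while its real out-parameter `signer` is undocumented. The parameter-key list documents kSecCodeSignerOperation, which is not declared anywhere in this file, and leaves the declared kSecCodeSignerEntitlements, kSecCodeSignerDigestAlgorithm, kSecCodeSignerPreserveMetadata, kSecCodeSignerTeamIdentifier and kSecCodeSignerPlatformIdentifier undocumented, even though entitlements and digest choice directly determine what the signature seals and what a verifier will later enforce. Suggested replacements: `This is the type of a reference to a code signer.`, `@function SecCodeSignerGetTypeID`, and `@param signer On successful return, a SecCodeSigner object reference. On error, unchanged.` Whether kSecCodeSignerOperation still exists in another header cannot be told from this hunk; if it does not, its paragraph should be dropped rather than left to suggest an option callers cannot use.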
diff --git a/Security/libsecurity_codesigning/lib/SecIntegrityLib.h b/OSX/include/security_codesigning/SecIntegrityLib.h similarity index 100% rename from Security/libsecurity_codesigning/lib/SecIntegrityLib.h rename to OSX/include/security_codesigning/SecIntegrityLib.h diff --git a/Security/libsecurity_codesigning/lib/SecRequirement.cpp b/OSX/include/security_codesigning/SecRequirement.cpp similarity index 100% rename from Security/libsecurity_codesigning/lib/SecRequirement.cpp rename to OSX/include/security_codesigning/SecRequirement.cpp diff --git a/OSX/include/security_codesigning/SecRequirement.h b/OSX/include/security_codesigning/SecRequirement.h new file mode 100644 index 00000000..11cf0265 --- /dev/null +++ b/OSX/include/security_codesigning/SecRequirement.h 
@@ -0,0 +1,142 @@ +/* + * Copyright (c) 2006,2011,2013-2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +/*! + @header SecRequirement + SecRequirement represents a condition or constraint (a "Code Requirement") + that code must satisfy to be considered valid for some purpose. + SecRequirement itself does not understand or care WHY such a constraint + is appropriate or useful; it is purely a tool for formulating, recording, + and evaluating it. + + Code Requirements are usually stored and retrieved in the form of a variable-length + binary Blob that can be encapsulated as a CFDataRef and safely stored in various + data structures. They can be formulated in a text form that can be compiled + into binary form and decompiled back into text form without loss of functionality + (though comments and formatting are not preserved). +*/ +#ifndef _H_SECREQUIREMENT +#define _H_SECREQUIREMENT + +#include +#include + +#ifdef __cplusplus +extern "C" { +#endif + +CF_ASSUME_NONNULL_BEGIN + +/*! 
+ @function SecRequirementGetTypeID + Returns the type identifier of all SecRequirement instances. +*/ +CFTypeID SecRequirementGetTypeID(void); + + +/*! + @function SecRequirementCreateWithData + Create a SecRequirement object from binary form. + This is the effective inverse of SecRequirementCopyData. + + @param data A binary blob obtained earlier from a valid SecRequirement object + using the SecRequirementCopyData call. This is the only publicly supported + way to get such a data blob. + @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. + @param requirement On successful return, contains a reference to a SecRequirement + object that behaves identically to the one the data blob was obtained from. + @result Upon success, errSecSuccess. Upon error, an OSStatus value documented in + CSCommon.h or certain other Security framework headers. +*/ +OSStatus SecRequirementCreateWithData(CFDataRef data, SecCSFlags flags, + SecRequirementRef * __nonnull CF_RETURNS_RETAINED requirement); + + +/*! + @function SecRequirementCreateWithString + Create a SecRequirement object by compiling a valid text representation + of a requirement. + + @param text A CFString containing the text form of a (single) Code Requirement. + @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. + @param requirement On successful return, contains a reference to a SecRequirement + object that implements the conditions described in text. + @param errors An optional pointer to a CFErrorRef variable. If the call fails + (and something other than errSecSuccess is returned), and this argument is non-NULL, + a CFErrorRef is stored there further describing the nature and circumstances + of the failure. The caller must CFRelease() this error object when done with it. + @result Upon success, errSecSuccess. Upon error, an OSStatus value documented in + CSCommon.h or certain other Security framework headers. 
+*/ +OSStatus SecRequirementCreateWithString(CFStringRef text, SecCSFlags flags, + SecRequirementRef * __nonnull CF_RETURNS_RETAINED requirement); + +OSStatus SecRequirementCreateWithStringAndErrors(CFStringRef text, SecCSFlags flags, + CFErrorRef *errors, SecRequirementRef * __nonnull CF_RETURNS_RETAINED requirement); + + +/*! + @function SecRequirementCopyData + Extracts a stable, persistent binary form of a SecRequirement. + This is the effective inverse of SecRequirementCreateWithData. + + @param requirement A valid SecRequirement object. + @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. + @param data On successful return, contains a reference to a CFData object + containing a binary blob that can be fed to SecRequirementCreateWithData + to recreate a SecRequirement object with identical behavior. + @result Upon success, errSecSuccess. Upon error, an OSStatus value documented in + CSCommon.h or certain other Security framework headers. +*/ +OSStatus SecRequirementCopyData(SecRequirementRef requirement, SecCSFlags flags, + CFDataRef * __nonnull CF_RETURNS_RETAINED data); + + +/*! + @function SecRequirementCopyString + Converts a SecRequirement object into text form. + This is the effective inverse of SecRequirementCreateWithString. + + Repeated application of this function may produce text that differs in + formatting, may contain different source comments, and may perform its + validation functions in different order. However, it is guaranteed that + recompiling the text using SecRequirementCreateWithString will produce a + SecRequirement object that behaves identically to the one you start with. + + @param requirement A valid SecRequirement object. + @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior. + @param text On successful return, contains a reference to a CFString object + containing a text representation of the requirement. + @result Upon success, errSecSuccess. 
Upon error, an OSStatus value documented in + CSCommon.h or certain other Security framework headers. +*/ +OSStatus SecRequirementCopyString(SecRequirementRef requirement, SecCSFlags flags, + CFStringRef * __nonnull CF_RETURNS_RETAINED text); + +CF_ASSUME_NONNULL_END + +#ifdef __cplusplus +} +#endif + +#endif //_H_SECREQUIREMENT diff --git a/Security/libsecurity_codesigning/lib/SecRequirementPriv.h b/OSX/include/security_codesigning/SecRequirementPriv.h similarity index 100% rename from Security/libsecurity_codesigning/lib/SecRequirementPriv.h rename to OSX/include/security_codesigning/SecRequirementPriv.h diff --git a/OSX/include/security_codesigning/SecStaticCode.cpp b/OSX/include/security_codesigning/SecStaticCode.cpp new file mode 100644 index 00000000..0d3ed8b1 --- /dev/null +++ b/OSX/include/security_codesigning/SecStaticCode.cpp 
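Review bot: `CFErrorRef *errors` in SecRequirementCreateWithStringAndErrors sits between `CF_ASSUME_NONNULL_BEGIN` and `CF_ASSUME_NONNULL_END`, so the pointer is implicitly non-null even though the comment above it calls it "An optional pointer" that may be NULL; callers who pass NULL as documented get a nullability warning, and a build break under -Werror. The declaration should read `CFErrorRef * __nullable errors, SecRequirementRef * __nonnull CF_RETURNS_RETAINED requirement);`, matching the explicit `__nullable` this same patch uses for optional arguments in SecCodeHost.h. Separately, the `@param errors` paragraph is attached to SecRequirementCreateWithString, which takes no errors argument; a sentence such as `SecRequirementCreateWithStringAndErrors behaves identically but additionally reports failures through errors.` would place it where a reader will find it.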
@@ -0,0 +1,324 @@
+/*
+ * Copyright (c) 2006-2007,2011-2015 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+//
+// SecStaticCode - API frame for SecStaticCode objects
+//
+#include "cs.h"
+#include "StaticCode.h"
+#include
+#include
+#include
+#include
+
+using namespace CodeSigning;
+
+
+//
+// CF-standard type code function
+//
+CFTypeID SecStaticCodeGetTypeID(void)
+{
+ BEGIN_CSAPI
+ return gCFObjects().StaticCode.typeID;
+ END_CSAPI1(_kCFRuntimeNotATypeID)
+}
+
+
+//
+// Create an StaticCode directly from disk path.
+//
+OSStatus SecStaticCodeCreateWithPath(CFURLRef path, SecCSFlags flags, SecStaticCodeRef *staticCodeRef)
+{
+ BEGIN_CSAPI
+
+ checkFlags(flags);
+ CodeSigning::Required(staticCodeRef) = (new SecStaticCode(DiskRep::bestGuess(cfString(path).c_str())))->handle();
+
+ END_CSAPI
+}
+
+const CFStringRef kSecCodeAttributeArchitecture = CFSTR("architecture");
+const CFStringRef kSecCodeAttributeSubarchitecture =CFSTR("subarchitecture");
+const CFStringRef kSecCodeAttributeBundleVersion = CFSTR("bundleversion");
+const CFStringRef kSecCodeAttributeUniversalFileOffset = CFSTR("UniversalFileOffset");
+
+OSStatus SecStaticCodeCreateWithPathAndAttributes(CFURLRef path, SecCSFlags flags, CFDictionaryRef attributes,
+ SecStaticCodeRef *staticCodeRef)
+{
+ BEGIN_CSAPI
+
+ checkFlags(flags);
+ DiskRep::Context ctx;
+ std::string version; // holds memory placed into ctx
+ if (attributes) {
+ std::string archName;
+ int archNumber, subarchNumber, offset;
+ if (cfscan(attributes, "{%O=%d}", kSecCodeAttributeUniversalFileOffset, &offset)) {
+ ctx.offset = offset;
+ } else if (cfscan(attributes, "{%O=%s}", kSecCodeAttributeArchitecture, &archName)) {
+ ctx.arch = Architecture(archName.c_str());
+ } else if (cfscan(attributes, "{%O=%d,%O=%d}",
+ kSecCodeAttributeArchitecture, &archNumber, kSecCodeAttributeSubarchitecture, &subarchNumber))
+ ctx.arch = Architecture(archNumber, subarchNumber);
+ else if (cfscan(attributes, "{%O=%d}", kSecCodeAttributeArchitecture, &archNumber))
+ ctx.arch = Architecture(archNumber);
+ if (cfscan(attributes, "{%O=%s}", kSecCodeAttributeBundleVersion, &version))
+ ctx.version = version.c_str();
+ }
+
+ CodeSigning::Required(staticCodeRef) = (new SecStaticCode(DiskRep::bestGuess(cfString(path).c_str(), &ctx)))->handle();
+
+ END_CSAPI
+}
+
+
+//
+// Check static validity of a StaticCode
+//
+OSStatus SecStaticCodeCheckValidity(SecStaticCodeRef staticCodeRef, SecCSFlags flags,
+ SecRequirementRef requirementRef)
+{
+ return SecStaticCodeCheckValidityWithErrors(staticCodeRef, flags, requirementRef, NULL);
+}
+
+OSStatus SecStaticCodeCheckValidityWithErrors(SecStaticCodeRef staticCodeRef, SecCSFlags flags,
+ SecRequirementRef requirementRef, CFErrorRef *errors)
+{
+#if !SECTRUST_OSX
+ BEGIN_CSAPI
+
+ checkFlags(flags,
+ kSecCSReportProgress
+ | kSecCSCheckAllArchitectures
+ | kSecCSDoNotValidateExecutable
+ | kSecCSDoNotValidateResources
+ | kSecCSConsiderExpiration
+ | kSecCSEnforceRevocationChecks
+ | kSecCSNoNetworkAccess
+ | kSecCSCheckNestedCode
+ | kSecCSStrictValidate
+ | kSecCSCheckGatekeeperArchitectures
+ | kSecCSRestrictSymlinks
+ );
+
+ if (errors)
+ flags |= kSecCSFullReport; // internal-use flag
+
+ SecPointer code = SecStaticCode::requiredStatic(staticCodeRef);
+ code->setValidationFlags(flags);
+ const SecRequirement *req = SecRequirement::optional(requirementRef);
+ DTRACK(CODESIGN_EVAL_STATIC, code, (char*)code->mainExecutablePath().c_str());
+ code->staticValidate(flags, req);
+
+ END_CSAPI_ERRORS
+#else
+#warning resolve before enabling SECTRUST_OSX:
+ OSStatus result = errSecSuccess;
+ const char *func = "SecStaticCodeCheckValidity";
+ CFErrorRef localErrors = NULL;
+ if (!errors) { errors = &localErrors; }
+ try {
+ checkFlags(flags,
+ kSecCSReportProgress
+ | kSecCSCheckAllArchitectures
+ | kSecCSDoNotValidateExecutable
+ | kSecCSDoNotValidateResources
+ | kSecCSConsiderExpiration
+ | kSecCSEnforceRevocationChecks
+ | kSecCSNoNetworkAccess
+ | kSecCSCheckNestedCode
+ | kSecCSStrictValidate
+ | kSecCSCheckGatekeeperArchitectures
+ );
+
+ if (errors)
+ flags |= kSecCSFullReport; // internal-use flag
+
+ SecPointer code = SecStaticCode::requiredStatic(staticCodeRef);
+ code->setValidationFlags(flags);
+ const SecRequirement *req = SecRequirement::optional(requirementRef);
+ DTRACK(CODESIGN_EVAL_STATIC, code, (char*)code->mainExecutablePath().c_str());
+ code->staticValidate(flags, req);
+ }
+ catch (...) {
+ // the actual error being thrown is not being caught by any of the
+ // type-specific blocks contained in the END_CSAPI_ERRORS macro,
+ // so we only have the catch-all block here for now.
+ result = errSecCSInternalError;
+ }
+
+ if (errors && *errors) {
+ CFShow(errors);
+ CFRelease(errors);
+ *errors = NULL;
+ }
+ if (result == errSecCSInternalError) {
+ #if !NDEBUG
+ Security::Syslog::error("WARNING: %s ignored error %d", func, (int)result);
+ #endif
+ result = errSecSuccess;
+ }
+ return result;
+
+#endif
+}
+
+
+//
+// ====================================================================================
+//
+// The following API functions are called SecCode* but accept both SecCodeRef and
+// SecStaticCodeRef arguments, operating on the implied SecStaticCodeRef as appropriate.
+// Hence they're here, rather than in SecCode.cpp.
+//
+
+
+//
+// Retrieve location information for an StaticCode.
+//
+OSStatus SecCodeCopyPath(SecStaticCodeRef staticCodeRef, SecCSFlags flags, CFURLRef *path)
+{
+ BEGIN_CSAPI
+
+ checkFlags(flags);
+ SecPointer staticCode = SecStaticCode::requiredStatic(staticCodeRef);
+ CodeSigning::Required(path) = staticCode->copyCanonicalPath();
+
+ END_CSAPI
+}
+
+
+//
+// Fetch or make up a designated requirement
+//
+OSStatus SecCodeCopyDesignatedRequirement(SecStaticCodeRef staticCodeRef, SecCSFlags flags,
+ SecRequirementRef *requirementRef)
+{
+ BEGIN_CSAPI
+
+ checkFlags(flags);
+ const Requirement *req =
+ SecStaticCode::requiredStatic(staticCodeRef)->designatedRequirement();
+ CodeSigning::Required(requirementRef) = (new SecRequirement(req))->handle();
+
+ END_CSAPI
+}
+
+
+//
+// Fetch a particular internal requirement, if present
+//
+OSStatus SecCodeCopyInternalRequirement(SecStaticCodeRef staticCodeRef, SecRequirementType type,
+ SecCSFlags flags, SecRequirementRef *requirementRef)
+{
+ BEGIN_CSAPI
+
+ checkFlags(flags);
+ const Requirement *req =
+ SecStaticCode::requiredStatic(staticCodeRef)->internalRequirement(type);
+ CodeSigning::Required(requirementRef) = req ? (new SecRequirement(req))->handle() : NULL;
+
+ END_CSAPI
+}
+
+
+//
+// Record for future use a detached code signature.
+//
+OSStatus SecCodeSetDetachedSignature(SecStaticCodeRef codeRef, CFDataRef signature,
+ SecCSFlags flags)
+{
+ BEGIN_CSAPI
+
+ checkFlags(flags);
+ SecPointer code = SecStaticCode::requiredStatic(codeRef);
+
+ code->detachedSignature(signature); // ... and pass it to the code
+ code->resetValidity();
+
+ END_CSAPI
+}
+
+
+//
+// Attach a code signature to a kernel memory mapping for page-in validation.
+//
+OSStatus SecCodeMapMemory(SecStaticCodeRef codeRef, SecCSFlags flags)
+{
+ BEGIN_CSAPI
+
+ checkFlags(flags);
+ SecPointer code = SecStaticCode::requiredStatic(codeRef);
+ if (const CodeDirectory *cd = code->codeDirectory(false)) {
+ fsignatures args = { code->diskRep()->signingBase(), (void *)cd, cd->length() };
+ UnixError::check(::fcntl(code->diskRep()->fd(), F_ADDSIGS, &args));
+ } else
+ MacOSError::throwMe(errSecCSUnsigned);
+
+ END_CSAPI
+}
+
+
+//
+// Attach a callback block to a code object
+//
+OSStatus SecStaticCodeSetCallback(SecStaticCodeRef codeRef, SecCSFlags flags, SecCodeCallback *old, SecCodeCallback monitor)
+{
+ BEGIN_CSAPI
+
+ checkFlags(flags);
+ SecStaticCode *code = SecStaticCode::requiredStatic(codeRef);
+ if (old)
+ *old = code->monitor();
+ code->setMonitor(monitor);
+
+ END_CSAPI
+}
+
+
+OSStatus SecStaticCodeSetValidationConditions(SecStaticCodeRef codeRef, CFDictionaryRef conditions)
+{
+ BEGIN_CSAPI
+
+ checkFlags(0);
+ SecStaticCode *code = SecStaticCode::requiredStatic(codeRef);
+ code->setValidationModifiers(conditions);
+
+ END_CSAPI
+}
+
+
+//
+// Set cancellation flag on a static code object.
+//
+OSStatus SecStaticCodeCancelValidation(SecStaticCodeRef codeRef, SecCSFlags flags)
+{
+ BEGIN_CSAPI
+
+ checkFlags(0);
+ SecStaticCode *code = SecStaticCode::requiredStatic(codeRef);
+ code->cancelValidation();
+
+ END_CSAPI
+}
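Review bot: The `#else` (SECTRUST_OSX) branch of `SecStaticCodeCheckValidityWithErrors` is fail-open: the `catch (...)` maps every exception from `staticValidate` — presumably including the ordinary signature and requirement failures that the `END_CSAPI_ERRORS` path of the other branch translates into OSStatus codes — to `errSecCSInternalError`, and the block that follows then rewrites `errSecCSInternalError` to `errSecSuccess`, so a caller would see tampered or unsigned code validate cleanly; the `#warning` flags this as unfinished, but the error should be returned, not swallowed. The error cleanup in that branch also works on the wrong level of indirection: `CFShow(errors); CFRelease(errors);` are handed the `CFErrorRef *`, not the error object, and should be `CFShow(*errors); CFRelease(*errors);` — and only when `errors == &localErrors`, since otherwise the caller owns the CFErrorRef and expects to receive it. That branch's `checkFlags` whitelist also omits `kSecCSRestrictSymlinks`, which the `#if !SECTRUST_OSX` branch accepts, so the two builds reject different flag sets. As long as SECTRUST_OSX stays off this is dead code, which is presumably why it shipped this way, but it should not be enabled in this shape.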
diff --git a/OSX/include/security_codesigning/SecStaticCode.h b/OSX/include/security_codesigning/SecStaticCode.h
new file mode 100644
index 00000000..a5e17ebb
--- /dev/null
+++ b/OSX/include/security_codesigning/SecStaticCode.h
@@ -0,0 +1,168 @@
+/*
+ * Copyright (c) 2006,2011-2014 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+/*!
+ @header SecStaticCode
+ SecStaticCode represents the Code Signing identity of code in the file system.
+ This includes applications, tools, frameworks, plugins, scripts, and so on.
+ Note that arbitrary files will be considered scripts of unknown provenance;
+ and thus it is possible to handle most files as if they were code, though that is
+ not necessarily a good idea.
+
+ Normally, each SecCode has a specific SecStaticCode that holds its static signing
+ data. Informally, that is the SecStaticCode the SecCode "was made from" (by its host).
+ There is however no viable link in the other direction - given a SecStaticCode,
+ it is not possible to find, enumerate, or control any SecCode that originated from it.
+ There might not be any at a given point in time; or there might be many.
+*/
+#ifndef _H_SECSTATICCODE
+#define _H_SECSTATICCODE
+
+#include
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+CF_ASSUME_NONNULL_BEGIN
+
+/*!
+ @function SecStaticCodeGetTypeID
+ Returns the type identifier of all SecStaticCode instances.
+*/
+CFTypeID SecStaticCodeGetTypeID(void);
+
+
+/*!
+ @function SecStaticCodeCreateWithPath
+ Given a path to a file system object, create a SecStaticCode object representing
+ the code at that location, if possible. Such a SecStaticCode is not inherently
+ linked to running code in the system.
+
+ It is possible to create a SecStaticCode object from an unsigned code object.
+ Most uses of such an object will return the errSecCSUnsigned error. However,
+ SecCodeCopyPath and SecCodeCopySigningInformation can be safely applied to such objects.
+
+ @param path A path to a location in the file system. Only file:// URLs are
+ currently supported. For bundles, pass a URL to the root directory of the
+ bundle. For single files, pass a URL to the file. If you pass a URL to the
+ main executable of a bundle, the bundle as a whole will be generally recognized.
+ Caution: Paths containing embedded // or /../ within a bundle's directory
+ may cause the bundle to be misconstrued. If you expect to submit such paths,
+ first clean them with realpath(3) or equivalent.
+ @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
+ @param attributes A CFDictionary containing additional attributes of the code sought.
+ @param staticCode On successful return, contains a reference to the StaticCode object
+ representing the code at path. Unchanged on error.
+ @result Upon success, errSecSuccess. Upon error, an OSStatus value documented in
+ CSCommon.h or certain other Security framework headers.
+
+ @constant kSecCodeAttributeArchitecture Specifies the Mach-O architecture of code desired.
+ This can be a CFString containing a canonical architecture name ("i386" etc.), or a CFNumber
+ specifying an architecture numerically (see mach/machine.h). This key is ignored if the code
+ is not in Mach-O binary form. If the code is Mach-O but not universal ("thin"), the architecture
+ specified must agree with the actual file contents.
+ @constant kSecCodeAttributeSubarchitecture If the architecture is specified numerically
+ (using the kSecCodeAttributeArchitecture key), specifies any sub-architecture by number.
+ This key is ignored if no main architecture is specified; if it is specified by name; or
+ if the code is not in Mach-O form.
+ @constant kSecCodeAttributeUniversalFileOffset The offset of a Mach-O specific slice of a universal Mach-O file.
+*/
+extern const CFStringRef kSecCodeAttributeArchitecture;
+extern const CFStringRef kSecCodeAttributeSubarchitecture;
+extern const CFStringRef kSecCodeAttributeUniversalFileOffset;
+extern const CFStringRef kSecCodeAttributeBundleVersion;
+
+OSStatus SecStaticCodeCreateWithPath(CFURLRef path, SecCSFlags flags, SecStaticCodeRef * __nonnull CF_RETURNS_RETAINED staticCode);
+
+OSStatus SecStaticCodeCreateWithPathAndAttributes(CFURLRef path, SecCSFlags flags, CFDictionaryRef attributes,
+ SecStaticCodeRef * __nonnull CF_RETURNS_RETAINED staticCode);
+
+
+/*!
+ @function SecStaticCodeCheckValidity
+ Performs static validation on the given SecStaticCode object. The call obtains and
+ verifies the signature on the code object. It checks the validity of all
+ sealed components (including resources, if any). It validates the code against
+ a SecRequirement if one is given. The call succeeds if all these conditions
+ are satisfactory. It fails otherwise.
+
+ This call is only secure if the code is not subject to concurrent modification,
+ and the outcome is only valid as long as the code is unmodified thereafter.
+ Consider this carefully if the underlying file system has dynamic characteristics,
+ such as a network file system, union mount, FUSE, etc.
+
+ @param staticCode The code object to be validated.
+ @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
+
+ @constant kSecCSCheckAllArchitectures
+ For multi-architecture (universal) Mach-O programs, validate all architectures
+ included. By default, only the native architecture is validated.
+ @constant kSecCSNoDnotValidateExecutable
+ Do not validate the contents of the main executable. This is normally done.
+ @constant kSecCSNoNotValidateResources
+ Do not validate the presence and contents of all bundle resources (if any).
+ By default, a mismatch in any bundle resource causes validation to fail.
+ @constant kSecCSCheckNestedCode
+ For code in bundle form, locate and recursively check embedded code. Only code
+ in standard locations is considered.
+ @constant kSecCSStrictValidate
+ For code in bundle form, perform additional checks to verify that the bundle
+ is not structured in a way that would allow tampering, and reject any resource
+ envelope that introduces weaknesses into the signature.
+
+ @param requirement On optional code requirement specifying additional conditions
+ the staticCode object must satisfy to be considered valid. If NULL, no additional
+ requirements are imposed.
+ @param errors An optional pointer to a CFErrorRef variable. If the call fails
+ (something other than errSecSuccess is returned), and this argument is non-NULL,
+ a CFErrorRef is stored there further describing the nature and circumstances
+ of the failure. The caller must CFRelease() this error object when done with it.
+ @result If validation succeeds, errSecSuccess. If validation fails, an OSStatus value
+ documented in CSCommon.h or certain other Security framework headers.
+*/
+CF_ENUM(uint32_t) {
+ kSecCSCheckAllArchitectures = 1 << 0,
+ kSecCSDoNotValidateExecutable = 1 << 1,
+ kSecCSDoNotValidateResources = 1 << 2,
+ kSecCSBasicValidateOnly = kSecCSDoNotValidateExecutable | kSecCSDoNotValidateResources,
+ kSecCSCheckNestedCode = 1 << 3,
+ kSecCSStrictValidate = 1 << 4,
+ kSecCSFullReport = 1 << 5,
+ kSecCSCheckGatekeeperArchitectures = (1 << 6) | kSecCSCheckAllArchitectures,
+ kSecCSRestrictSymlinks = 1 << 7,
+};
+
+OSStatus SecStaticCodeCheckValidity(SecStaticCodeRef staticCode, SecCSFlags flags,
+ SecRequirementRef __nullable requirement);
+
+OSStatus SecStaticCodeCheckValidityWithErrors(SecStaticCodeRef staticCode, SecCSFlags flags,
+ SecRequirementRef __nullable requirement, CFErrorRef *errors);
+
+CF_ASSUME_NONNULL_END
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif //_H_SECSTATICCODE
diff --git a/Security/libsecurity_codesigning/lib/SecStaticCodePriv.h b/OSX/include/security_codesigning/SecStaticCodePriv.h
similarity index 100%
rename from Security/libsecurity_codesigning/lib/SecStaticCodePriv.h
rename to OSX/include/security_codesigning/SecStaticCodePriv.h
diff --git a/OSX/include/security_codesigning/SecTask.c b/OSX/include/security_codesigning/SecTask.c
new file mode 100644
index 00000000..c2b358e8
--- /dev/null
+++ b/OSX/include/security_codesigning/SecTask.c
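Review bot: The `@constant` names in the `SecStaticCodeCheckValidity` comment block do not match the enum declared right below it: `kSecCSNoDnotValidateExecutable` and `kSecCSNoNotValidateResources` should read `kSecCSDoNotValidateExecutable` and `kSecCSDoNotValidateResources`, and `@param requirement On optional code requirement` should be `An optional code requirement`. Three enumerators have no documentation at all — `kSecCSCheckGatekeeperArchitectures`, `kSecCSRestrictSymlinks` and `kSecCSFullReport`; the last is labelled an "internal-use flag" in SecStaticCode.cpp and is OR-ed in automatically whenever `errors` is non-NULL, so the header should say that or the constant should move to the private header rather than sit in the public enum unexplained. `kSecCodeAttributeBundleVersion` is likewise declared but has no `@constant` entry, although SecStaticCode.cpp parses it as a string attribute. The caveat that validation is only sound while the code is not concurrently modified is the most important sentence in the block and should stay.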
@@ -0,0 +1,316 @@
+/*
+ * Copyright (c) 2009-2014 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "SecCode.h"
+#include "SecCodePriv.h"
+#include "SecRequirement.h"
+
+#include "SecTask.h"
+#include "SecTaskPriv.h"
+
+
+struct __SecTask {
+ CFRuntimeBase base;
+
+ pid_t pid;
+
+ audit_token_t *token;
+ audit_token_t token_storage;
+
+ /* Track whether we've loaded entitlements independently since after the
+ * load, entitlements may legitimately be NULL */
+ Boolean entitlementsLoaded;
+ CFDictionaryRef entitlements;
+};
+
+enum {
+ kSecCodeMagicEntitlement = 0xfade7171, /* entitlement blob */
+};
+
+
+CFTypeID _kSecTaskTypeID = _kCFRuntimeNotATypeID;
+
+static void SecTaskFinalize(CFTypeRef cfTask)
+{
+ SecTaskRef task = (SecTaskRef) cfTask;
+
+ if (task->entitlements != NULL) {
+ CFRelease(task->entitlements);
+ task->entitlements = NULL;
+ }
+}
+
+
+// Define PRIdPID (proper printf format string for pid_t)
+#define PRIdPID PRId32
+
+static CFStringRef SecTaskCopyDebugDescription(CFTypeRef cfTask)
+{
+ SecTaskRef task = (SecTaskRef) cfTask;
+ const char *task_name;
+ int mib[] = {CTL_KERN, KERN_PROC, KERN_PROC_PID, task->pid};
+ struct kinfo_proc kp;
+ size_t len = sizeof(kp);
+ if (sysctl(mib, 4, &kp, &len, NULL, 0) == -1 || len == 0)
+ task_name = strerror(errno);
+ else
+ task_name = kp.kp_proc.p_comm;
+
+ return CFStringCreateWithFormat(CFGetAllocator(task), NULL, CFSTR("%s[%" PRIdPID "]"), task_name, task->pid);
+}
+
+static void SecTaskRegisterClass(void)
+{
+ static const CFRuntimeClass SecTaskClass = {
+ .version = 0,
+ .className = "SecTask",
+ .init = NULL,
+ .copy = NULL,
+ .finalize = SecTaskFinalize,
+ .equal = NULL,
+ .hash = NULL,
+ .copyFormattingDesc = NULL,
+ .copyDebugDesc = SecTaskCopyDebugDescription,
+ };
+
+ _kSecTaskTypeID = _CFRuntimeRegisterClass(&SecTaskClass);
+}
+
+CFTypeID SecTaskGetTypeID(void)
+{
+ static pthread_once_t secTaskRegisterClassOnce = PTHREAD_ONCE_INIT;
+
+ /* Register the class with the CF runtime the first time through */
+ pthread_once(&secTaskRegisterClassOnce, SecTaskRegisterClass);
+
+ return _kSecTaskTypeID;
+}
+
+static SecTaskRef SecTaskCreateWithPID(CFAllocatorRef allocator, pid_t pid)
+{
+ CFIndex extra = sizeof(struct __SecTask) - sizeof(CFRuntimeBase);
+ SecTaskRef task = (SecTaskRef) _CFRuntimeCreateInstance(allocator, SecTaskGetTypeID(), extra, NULL);
+ if (task != NULL) {
+ task->pid = pid;
+ task->entitlementsLoaded = false;
+ task->entitlements = NULL;
+ }
+
+ return task;
+}
+
+SecTaskRef SecTaskCreateWithAuditToken(CFAllocatorRef allocator, audit_token_t token)
+{
+ SecTaskRef task;
+
+ task = SecTaskCreateWithPID(allocator, audit_token_to_pid(token));
+ if (task != NULL) {
+#if 0
+ task->token_storage = token;
+ task->token = &task->token_storage;
+#endif
+ }
+
+ return task;
+}
+
+SecTaskRef SecTaskCreateFromSelf(CFAllocatorRef allocator)
+{
+ return SecTaskCreateWithPID(allocator, getpid());
+}
+
+/*
+ * Determine if the given task meets a specified requirement.
+ */
+OSStatus
+SecTaskValidateForRequirement(SecTaskRef task, CFStringRef requirement)
+{
+ OSStatus status;
+ SecCodeRef code = NULL;
+ SecRequirementRef req = NULL;
+ pid_t pid = task->pid;
+ if (pid <= 0) {
+ return errSecParam;
+ }
+ status = SecCodeCreateWithPID(pid, kSecCSDefaultFlags, &code);
+ //syslog(LOG_NOTICE, "SecTaskValidateForRequirement: SecCodeCreateWithPID=%d", status);
+ if (!status) {
+ status = SecRequirementCreateWithString(requirement,
+ kSecCSDefaultFlags, &req);
+ //syslog(LOG_NOTICE, "SecTaskValidateForRequirement: SecRequirementCreateWithString=%d", status);
+ }
+ if (!status) {
+ status = SecCodeCheckValidity(code, kSecCSDefaultFlags, req);
+ //syslog(LOG_NOTICE, "SecTaskValidateForRequirement: SecCodeCheckValidity=%d", status);
+ }
+ if (req)
+ CFRelease(req);
+ if (code)
+ CFRelease(code);
+
+ return status;
+}
+
+static CFRange myMakeRange(CFIndex loc, CFIndex len) {
+ CFRange r = {.location = loc, .length = len };
+ return r;
+}
+struct csheader {
+ uint32_t magic;
+ uint32_t length;
+};
+
+static int
+csops_task(SecTaskRef task, int ops, void *blob, size_t size)
+{
+#if 0
+ if (task->token)
+ return csops_audittoken(task->pid, ops, blob, size, task->token);
+ else
+#endif
+ return csops(task->pid, ops, blob, size);
+}
+
+static int SecTaskLoadEntitlements(SecTaskRef task, CFErrorRef *error)
+{
+ CFMutableDataRef data = NULL;
+ struct csheader header;
+ uint32_t bufferlen;
+ int ret;
+
+ ret = csops_task(task, CS_OPS_ENTITLEMENTS_BLOB, &header, sizeof(header));
+ if (ret == 0) {
+ // we only gave a header's worth of buffer. If this succeeded, we have no entitlements
+ task->entitlementsLoaded = true;
+ return 0;
+ }
+ if (errno != ERANGE) {
+ // ERANGE means "your buffer is too small, it now tells you how much you need
+ // Everything else is a real error, so yell
+ syslog(LOG_NOTICE, "SecTaskLoadEntitlements failed error=%d", errno); // to ease diagnostics
+ // EINVAL is what the kernel says for unsigned code, so we'll have to let that pass
+ if (errno == EINVAL) {
+ task->entitlementsLoaded = true;
+ return 0;
+ }
+ ret = errno;
+ goto out;
+ }
+ // kernel told us the needed buffer size in header.length; proceed
+
+ bufferlen = ntohl(header.length);
+ /* check for insane values */
+ if (bufferlen > 1024 * 1024 || bufferlen < 8) {
+ ret = EINVAL;
+ goto out;
+ }
+ data = CFDataCreateMutable(NULL, bufferlen);
+ if (data == NULL) {
+ ret = ENOMEM;
+ goto out;
+ }
+ CFDataSetLength(data, bufferlen);
+ ret = csops_task(task, CS_OPS_ENTITLEMENTS_BLOB, CFDataGetMutableBytePtr(data), bufferlen);
+ if (ret) {
+ ret = errno;
+ goto out;
+ }
+ CFDataDeleteBytes(data, myMakeRange(0, 8));
+ task->entitlements = CFPropertyListCreateWithData(NULL, data, 0, NULL, error);
+ task->entitlementsLoaded = true;
+ out:
+ if (data)
+ CFRelease(data);
+ if (ret && error)
+ *error = CFErrorCreate(NULL, kCFErrorDomainPOSIX, ret, NULL);
+
+ return ret;
+}
+
+CFTypeRef SecTaskCopyValueForEntitlement(SecTaskRef task, CFStringRef entitlement, CFErrorRef *error)
+{
+ /* Load entitlements if necessary */
+ if (task->entitlementsLoaded == false) {
+ SecTaskLoadEntitlements(task, error);
+ }
+
+ CFTypeRef value = NULL;
+ if (task->entitlements != NULL) {
+ value = CFDictionaryGetValue(task->entitlements, entitlement);
+
+ /* Return something the caller must release */
+ if (value != NULL) {
+ CFRetain(value);
+ }
+ }
+
+ return value;
+}
+
+CFDictionaryRef SecTaskCopyValuesForEntitlements(SecTaskRef task, CFArrayRef entitlements, CFErrorRef *error)
+{
+ /* Load entitlements if necessary */
+ if (task->entitlementsLoaded == false) {
+ SecTaskLoadEntitlements(task, error);
+ }
+
+ /* Iterate over the passed in entitlements, populating the dictionary
+ * If entitlements were loaded but none were present, return an empty
+ * dictionary */
+ CFMutableDictionaryRef values = NULL;
+ if (task->entitlementsLoaded == true) {
+
+ CFIndex i, count = CFArrayGetCount(entitlements);
+ values = CFDictionaryCreateMutable(CFGetAllocator(task), count, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+ if (task->entitlements != NULL) {
+ for (i = 0; i < count; i++) {
+ CFStringRef entitlement = CFArrayGetValueAtIndex(entitlements, i);
+ CFTypeRef value = CFDictionaryGetValue(task->entitlements, entitlement);
+ if (value != NULL) {
+ CFDictionarySetValue(values, entitlement, value);
+ }
+ }
+ }
+ }
+
+ return values;
+}
+
+Boolean SecTaskEntitlementsValidated(SecTaskRef task) {
+ // TODO: Cache the result
+ uint32_t csflags = 0;
+ const uint32_t mask = CS_VALID | CS_KILL | CS_ENTITLEMENTS_VALIDATED;
+ int rc = csops_task(task, CS_OPS_STATUS, &csflags, sizeof(csflags));
+ return rc != -1 && ((csflags & mask) == mask);
+}
diff --git a/OSX/include/security_codesigning/SecTask.h b/OSX/include/security_codesigning/SecTask.h
new file mode 100644
index 00000000..90674a35
--- /dev/null
+++ b/OSX/include/security_codesigning/SecTask.h
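Review bot: `SecTaskLoadEntitlements` stores whatever `CFPropertyListCreateWithData` returns straight into `task->entitlements`, which is typed `CFDictionaryRef`, without checking that the root object is a dictionary; the entitlements blob is carried in the inspected process's own signature, so a process whose entitlements plist has an array or string at the root will make the later `CFDictionaryGetValue` calls in `SecTaskCopyValueForEntitlement` and `SecTaskCopyValuesForEntitlements` operate on the wrong CF type inside whichever privileged daemon is vetting that client — a type-check on the result, as below, closes that. Separately, `SecTaskCreateWithAuditToken` keeps only `audit_token_to_pid(token)` because the `#if 0` blocks here and in `csops_task` are disabled, so every `csops()` query is keyed by PID and can be answered about a different process if the client exits and its PID is recycled between message receipt and entitlement lookup; presumably this waits on `csops_audittoken` availability, but that deserves a comment rather than a silent `#if 0`. Note also that nothing in this file consults `SecTaskEntitlementsValidated` before handing back entitlement values, so every caller must do that itself.
```c
/* … unchanged: header probe, length sanity check, second csops_task call … */
CFDataDeleteBytes(data, myMakeRange(0, 8));
CFPropertyListRef plist = CFPropertyListCreateWithData(NULL, data, 0, NULL, error);
if (plist != NULL && CFGetTypeID(plist) != CFDictionaryGetTypeID()) {
    /* entitlements must be a dictionary; anything else is a malformed blob */
    CFRelease(plist);
    plist = NULL;
    ret = EINVAL;
}
task->entitlements = (CFDictionaryRef)plist;
task->entitlementsLoaded = true;
/* … unchanged: out: cleanup and CFErrorCreate … */
```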
@@ -0,0 +1,113 @@
+/*
+ * Copyright (c) 2008-2009,2011 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#ifndef _SECURITY_SECTASK_H_
+#define _SECURITY_SECTASK_H_
+
+#include
+#include
+#include
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+CF_ASSUME_NONNULL_BEGIN
+CF_IMPLICIT_BRIDGING_ENABLED
+
+/*!
+ @typedef SecTaskRef
+ @abstract CFType used for representing a task
+*/
+typedef struct CF_BRIDGED_TYPE(id) __SecTask *SecTaskRef;
+
+/*!
+ @function SecTaskGetTypeID
+ @abstract Returns the type ID for CF instances of SecTask.
+ @result A CFTypeID for SecTask
+*/
+CFTypeID SecTaskGetTypeID(void);
+
+/*!
+ @function SecTaskCreateWithAuditToken
+ @abstract Create a SecTask object for the task that sent the mach message
+ represented by the audit token.
+ @param token The audit token of a mach message
+ @result The newly created SecTask object or NULL on error. The caller must
+ CFRelease the returned object.
+*/
+__nullable
+SecTaskRef SecTaskCreateWithAuditToken(CFAllocatorRef __nullable allocator, audit_token_t token);
+
+/*!
+ @function SecTaskCreateFromSelf
+ @abstract Create a SecTask object for the current task.
+ @result The newly created SecTask object or NULL on error. The caller must
+ CFRelease the returned object.
+*/
+__nullable
+SecTaskRef SecTaskCreateFromSelf(CFAllocatorRef __nullable allocator);
+
+/*!
+ @function SecTaskCopyValueForEntitlement
+ @abstract Returns the value of a single entitlement for the represented
+ task.
+ @param task A previously created SecTask object
+ @param entitlement The name of the entitlement to be fetched
+ @param error On a NULL return, this may be contain a CFError describing
+ the problem. This argument may be NULL if the caller is not interested in
+ detailed errors.
+ @result The value of the specified entitlement for the process or NULL if
+ the entitlement value could not be retrieved. The type of the returned
+ value will depend on the entitlement specified. The caller must release
+ the returned object.
+ @discussion A NULL return may indicate an error, or it may indicate that
+ the entitlement is simply not present. In the latter case, no CFError is
+ returned.
+*/
+__nullable
+CFTypeRef SecTaskCopyValueForEntitlement(SecTaskRef task, CFStringRef entitlement, CFErrorRef *error);
+
+/*!
+ @function SecTaskCopyValuesForEntitlements
+ @abstract Returns the values of multiple entitlements for the represented
+ task.
+ @param task A previously created SecTask object
+ @param entitlements An array of entitlement names to be fetched
+ @param error On a NULL return, this will contain a CFError describing
+ the problem. This argument may be NULL if the caller is not interested in
+ detailed errors. If a requested entitlement is not present for the
+ returned dictionary, the entitlement is not set on the task. The caller
+ must CFRelease the returned value
+*/
+__nullable
+CFDictionaryRef SecTaskCopyValuesForEntitlements(SecTaskRef task, CFArrayRef entitlements, CFErrorRef *error);
+
+CF_IMPLICIT_BRIDGING_DISABLED
+CF_ASSUME_NONNULL_END
+
+#if defined(__cplusplus)
+}
+#endif
+
+#endif /* !_SECURITY_SECTASK_H_ */
diff --git a/Security/libsecurity_codesigning/lib/SecTaskPriv.h b/OSX/include/security_codesigning/SecTaskPriv.h
similarity index 100%
rename from Security/libsecurity_codesigning/lib/SecTaskPriv.h
rename to OSX/include/security_codesigning/SecTaskPriv.h
diff --git a/OSX/include/security_codesigning/StaticCode.cpp b/OSX/include/security_codesigning/StaticCode.cpp
new file mode 100644
index 00000000..6bcfb500
--- /dev/null
+++ b/OSX/include/security_codesigning/StaticCode.cpp
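Review bot: The `SecTaskCreateWithAuditToken` comment promises an object for "the task that sent the mach message represented by the audit token", but the implementation in SecTask.c keeps only `audit_token_to_pid(token)` (its token-storage path is `#if 0`), so the object is effectively keyed by PID; until that changes the header should say so, e.g. `@discussion The task is currently identified only by the PID extracted from the token; entitlement queries are answered for whichever process owns that PID at query time.` The entitlement accessors should also state the trust boundary: a value returned by `SecTaskCopyValueForEntitlement` is only meaningful if the kernel has validated the task's code signature, and this public header gives callers no way to check that (SecTask.c defines `SecTaskEntitlementsValidated`, presumably declared in SecTaskPriv.h, which this patch only renames). Minor wording: `this may be contain a CFError` should read `this may contain a CFError`, and in `SecTaskCopyValuesForEntitlements` the `@param error` text runs into the return-value contract — the sentence about absent entitlements and `The caller must CFRelease the returned value` belong under an `@result` tag.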
@@ -0,0 +1,1798 @@
+/*
+ * Copyright (c) 2006-2014 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+//
+// StaticCode - SecStaticCode API objects
+//
+#include "StaticCode.h"
+#include "Code.h"
+#include "reqmaker.h"
+#include "drmaker.h"
+#include "reqdumper.h"
+#include "reqparser.h"
+#include "sigblob.h"
+#include "resources.h"
+#include "detachedrep.h"
+#include "csdatabase.h"
+#include "dirscanner.h"
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+
+namespace Security {
+namespace CodeSigning {
+
+using namespace UnixPlusPlus;
+
+// A requirement representing a Mac or iOS dev cert, a Mac or iOS distribution cert, or a developer ID
+static const char WWDRRequirement[] = "anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.2] exists";
+static const char MACWWDRRequirement[] = "anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.12] exists";
+static const char developerID[] = "anchor apple generic and 
certificate 1[field.1.2.840.113635.100.6.2.6] exists"
+ " and certificate leaf[field.1.2.840.113635.100.6.1.13] exists";
+static const char distributionCertificate[] = "anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.7] exists";
+static const char iPhoneDistributionCert[] = "anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.4] exists";
+
+//
+// Map a component slot number to a suitable error code for a failure
+//
+static inline OSStatus errorForSlot(CodeDirectory::SpecialSlot slot)
+{
+ switch (slot) {
+ case cdInfoSlot:
+ return errSecCSInfoPlistFailed;
+ case cdResourceDirSlot:
+ return errSecCSResourceDirectoryFailed;
+ default:
+ return errSecCSSignatureFailed;
+ }
+}
+
+
+//
+// Construct a SecStaticCode object given a disk representation object
+//
+SecStaticCode::SecStaticCode(DiskRep *rep)
+ : mRep(rep),
+ mValidated(false), mExecutableValidated(false), mResourcesValidated(false), mResourcesValidContext(NULL),
+ mProgressQueue("com.apple.security.validation-progress", false, DISPATCH_QUEUE_PRIORITY_DEFAULT),
+ mOuterScope(NULL), mResourceScope(NULL),
+ mDesignatedReq(NULL), mGotResourceBase(false), mMonitor(NULL), mLimitedAsync(NULL), mEvalDetails(NULL)
+{
+ CODESIGN_STATIC_CREATE(this, rep);
+ CFRef codeDirectory = rep->codeDirectory();
+ if (codeDirectory && CFDataGetLength(codeDirectory) <= 0)
+ MacOSError::throwMe(errSecCSSignatureInvalid);
+ checkForSystemSignature();
+}
+
+
+//
+// Clean up a SecStaticCode object
+//
+SecStaticCode::~SecStaticCode() throw()
+try {
+ ::free(const_cast(mDesignatedReq));
+ delete mResourcesValidContext;
+ delete mLimitedAsync;
+} catch (...) 
{
+ return;
+}
+
+//
+// Initialize a nested SecStaticCode object from its parent
+//
+void SecStaticCode::initializeFromParent(const SecStaticCode& parent) {
+ mOuterScope = &parent;
+ setMonitor(parent.monitor());
+ if (parent.mLimitedAsync)
+ mLimitedAsync = new LimitedAsync(*parent.mLimitedAsync);
+}
+
+//
+// CF-level comparison of SecStaticCode objects compares CodeDirectory hashes if signed,
+// and falls back on comparing canonical paths if (both are) not.
+//
+bool SecStaticCode::equal(SecCFObject &secOther)
+{
+ SecStaticCode *other = static_cast(&secOther);
+ CFDataRef mine = this->cdHash();
+ CFDataRef his = other->cdHash();
+ if (mine || his)
+ return mine && his && CFEqual(mine, his);
+ else
+ return CFEqual(CFRef(this->copyCanonicalPath()), CFRef(other->copyCanonicalPath()));
+}
+
+CFHashCode SecStaticCode::hash()
+{
+ if (CFDataRef h = this->cdHash())
+ return CFHash(h);
+ else
+ return CFHash(CFRef(this->copyCanonicalPath()));
+}
+
+
+//
+// Invoke a stage monitor if registered
+//
+CFTypeRef SecStaticCode::reportEvent(CFStringRef stage, CFDictionaryRef info)
+{
+ if (mMonitor)
+ return mMonitor(this->handle(false), stage, info);
+ else
+ return NULL;
+}
+
+void SecStaticCode::prepareProgress(unsigned int workload)
+{
+ dispatch_sync(mProgressQueue, ^{
+ mCancelPending = false; // not cancelled
+ });
+ if (mValidationFlags & kSecCSReportProgress) {
+ mCurrentWork = 0; // nothing done yet
+ mTotalWork = workload; // totally fake - we don't know how many files we'll get to chew
+ }
+}
+
+void SecStaticCode::reportProgress(unsigned amount /* = 1 */)
+{
+ if (mMonitor && (mValidationFlags & kSecCSReportProgress)) {
+ // update progress and report
+ __block bool cancel = false;
+ dispatch_sync(mProgressQueue, ^{
+ if (mCancelPending)
+ cancel = true;
+ mCurrentWork += amount;
+ mMonitor(this->handle(false), CFSTR("progress"), CFTemp("{current=%d,total=%d}", mCurrentWork, mTotalWork));
+ });
+ // if cancellation is pending, abort now
+ if (cancel)
+ 
MacOSError::throwMe(errSecCSCancelled);
+ }
+}
+
+
+//
+// Set validation conditions for fine-tuning legacy tolerance
+//
+static void addError(CFTypeRef cfError, void* context)
+{
+ if (CFGetTypeID(cfError) == CFNumberGetTypeID()) {
+ int64_t error;
+ CFNumberGetValue(CFNumberRef(cfError), kCFNumberSInt64Type, (void*)&error);
+ MacOSErrorSet* errors = (MacOSErrorSet*)context;
+ errors->insert(OSStatus(error));
+ }
+}
+
+void SecStaticCode::setValidationModifiers(CFDictionaryRef conditions)
+{
+ if (conditions) {
+ CFDictionary source(conditions, errSecCSDbCorrupt);
+ mAllowOmissions = source.get("omissions");
+ if (CFArrayRef errors = source.get("errors"))
+ CFArrayApplyFunction(errors, CFRangeMake(0, CFArrayGetCount(errors)), addError, &this->mTolerateErrors);
+ }
+}
+
+
+//
+// Request cancellation of a validation in progress.
+// We do this by posting an abort flag that is checked periodically.
+//
+void SecStaticCode::cancelValidation()
+{
+ if (!(mValidationFlags & kSecCSReportProgress)) // not using progress reporting; cancel won't make it through
+ MacOSError::throwMe(errSecCSInvalidFlags);
+ dispatch_assert_queue(mProgressQueue);
+ mCancelPending = true;
+}
+
+
+//
+// Attach a detached signature.
+//
+void SecStaticCode::detachedSignature(CFDataRef sigData)
+{
+ if (sigData) {
+ mDetachedSig = sigData;
+ mRep = new DetachedRep(sigData, mRep->base(), "explicit detached");
+ CODESIGN_STATIC_ATTACH_EXPLICIT(this, mRep);
+ } else {
+ mDetachedSig = NULL;
+ mRep = mRep->base();
+ CODESIGN_STATIC_ATTACH_EXPLICIT(this, NULL);
+ }
+}
+
+
+//
+// Consult the system detached signature database to see if it contains
+// a detached signature for this StaticCode. If it does, fetch and attach it.
+// We do this only if the code has no signature already attached.
+//
+void SecStaticCode::checkForSystemSignature()
+{
+ if (!this->isSigned()) {
+ SignatureDatabase db;
+ if (db.isOpen())
+ try {
+ if (RefPointer dsig = db.findCode(mRep)) {
+ CODESIGN_STATIC_ATTACH_SYSTEM(this, dsig);
+ mRep = dsig;
+ }
+ } catch (...) {
+ }
+ }
+}
+
+
+//
+// Return a descriptive string identifying the source of the code signature
+//
+string SecStaticCode::signatureSource()
+{
+ if (!isSigned())
+ return "unsigned";
+ if (DetachedRep *rep = dynamic_cast(mRep.get()))
+ return rep->source();
+ return "embedded";
+}
+
+
+//
+// Do ::required, but convert incoming SecCodeRefs to their SecStaticCodeRefs
+// (if possible).
+//
+SecStaticCode *SecStaticCode::requiredStatic(SecStaticCodeRef ref)
+{
+ SecCFObject *object = SecCFObject::required(ref, errSecCSInvalidObjectRef);
+ if (SecStaticCode *scode = dynamic_cast(object))
+ return scode;
+ else if (SecCode *code = dynamic_cast(object))
+ return code->staticCode();
+ else // neither (a SecSomethingElse)
+ MacOSError::throwMe(errSecCSInvalidObjectRef);
+}
+
+SecCode *SecStaticCode::optionalDynamic(SecStaticCodeRef ref)
+{
+ SecCFObject *object = SecCFObject::required(ref, errSecCSInvalidObjectRef);
+ if (dynamic_cast(object))
+ return NULL;
+ else if (SecCode *code = dynamic_cast(object))
+ return code;
+ else // neither (a SecSomethingElse)
+ MacOSError::throwMe(errSecCSInvalidObjectRef);
+}
+
+
+//
+// Void all cached validity data.
+//
+// We also throw out cached components, because the new signature data may have
+// a different idea of what components should be present. We could reconcile the
+// cached data instead, if performance seems to be impacted.
+//
+void SecStaticCode::resetValidity()
+{
+ CODESIGN_EVAL_STATIC_RESET(this);
+ mValidated = false;
+ mExecutableValidated = mResourcesValidated = false;
+ if (mResourcesValidContext) {
+ delete mResourcesValidContext;
+ mResourcesValidContext = NULL;
+ }
+ mDir = NULL;
+ mSignature = NULL;
+ for (unsigned n = 0; n < cdSlotCount; n++)
+ mCache[n] = NULL;
+ mInfoDict = NULL;
+ mEntitlements = NULL;
+ mResourceDict = NULL;
+ mDesignatedReq = NULL;
+ mCDHash = NULL;
+ mGotResourceBase = false;
+ mTrust = NULL;
+ mCertChain = NULL;
+ mEvalDetails = NULL;
+ mRep->flush();
+
+ // we may just have updated the system database, so check again
+ checkForSystemSignature();
+}
+
+
+//
+// Retrieve a sealed component by special slot index.
+// If the CodeDirectory has already been validated, validate against that.
+// Otherwise, retrieve the component without validation (but cache it). Validation
+// will go through the cache and validate all cached components.
+//
+CFDataRef SecStaticCode::component(CodeDirectory::SpecialSlot slot, OSStatus fail /* = errSecCSSignatureFailed */)
+{
+ assert(slot <= cdSlotMax);
+
+ CFRef &cache = mCache[slot];
+ if (!cache) {
+ if (CFRef data = mRep->component(slot)) {
+ if (validated()) { // if the directory has been validated...
+ if (!codeDirectory()->slotIsPresent(-slot))
+ return NULL;
+
+ if (!codeDirectory()->validateSlot(CFDataGetBytePtr(data), // ... and it's no good
+ CFDataGetLength(data), -slot))
+ MacOSError::throwMe(errorForSlot(slot)); // ... then bail
+ }
+ cache = data; // it's okay, cache it
+ } else { // absent, mark so
+ if (validated()) // if directory has been validated...
+ if (codeDirectory()->slotIsPresent(-slot)) // ... and the slot is NOT missing
+ MacOSError::throwMe(errorForSlot(slot)); // was supposed to be there
+ cache = CFDataRef(kCFNull); // white lie
+ }
+ }
+ return (cache == CFDataRef(kCFNull)) ? NULL : cache.get();
+}
+
+
+//
+// Get the CodeDirectory.
+// Throws (if check==true) or returns NULL (check==false) if there is none.
+// Always throws if the CodeDirectory exists but is invalid.
+// NEVER validates against the signature.
+//
+const CodeDirectory *SecStaticCode::codeDirectory(bool check /* = true */)
+{
+ if (!mDir) {
+ if (mDir.take(mRep->codeDirectory())) {
+ const CodeDirectory *dir = reinterpret_cast(CFDataGetBytePtr(mDir));
+ if (!dir->validateBlob(CFDataGetLength(mDir)))
+ MacOSError::throwMe(errSecCSSignatureInvalid);
+ dir->checkIntegrity();
+ }
+ }
+ if (mDir)
+ return reinterpret_cast(CFDataGetBytePtr(mDir));
+ if (check)
+ MacOSError::throwMe(errSecCSUnsigned);
+ return NULL;
+}
+
+
+//
+// Get the hash of the CodeDirectory.
+// Returns NULL if there is none.
+//
+CFDataRef SecStaticCode::cdHash()
+{
+ if (!mCDHash) {
+ if (const CodeDirectory *cd = codeDirectory(false)) {
+ mCDHash.take(cd->cdhash());
+ CODESIGN_STATIC_CDHASH(this, CFDataGetBytePtr(mCDHash), (unsigned int)CFDataGetLength(mCDHash));
+ }
+ }
+ return mCDHash;
+}
+
+
+//
+// Return the CMS signature blob; NULL if none found.
+//
+CFDataRef SecStaticCode::signature()
+{
+ if (!mSignature)
+ mSignature.take(mRep->signature());
+ if (mSignature)
+ return mSignature;
+ MacOSError::throwMe(errSecCSUnsigned);
+}
+
+
+//
+// Verify the signature on the CodeDirectory.
+// If this succeeds (doesn't throw), the CodeDirectory is statically trustworthy.
+// Any outcome (successful or not) is cached for the lifetime of the StaticCode.
+//
+void SecStaticCode::validateDirectory()
+{
+ // echo previous outcome, if any
+ // track revocation separately, as it may not have been checked
+ // during the initial validation
+ if (!validated() || ((mValidationFlags & kSecCSEnforceRevocationChecks) && !revocationChecked()))
+ try {
+ // perform validation (or die trying)
+ CODESIGN_EVAL_STATIC_DIRECTORY(this);
+ mValidationExpired = verifySignature();
+ if (mValidationFlags & kSecCSEnforceRevocationChecks)
+ mRevocationChecked = true;
+
+ for (CodeDirectory::SpecialSlot slot = codeDirectory()->maxSpecialSlot(); slot >= 1; --slot)
+ if (mCache[slot]) // if we already loaded that resource...
+ validateComponent(slot, errorForSlot(slot)); // ... then check it now
+ mValidated = true; // we've done the deed...
+ mValidationResult = errSecSuccess; // ... and it was good
+ } catch (const CommonError &err) {
+ mValidated = true;
+ mValidationResult = err.osStatus();
+ throw;
+ } catch (...) {
+ secdebug("staticCode", "%p validation threw non-common exception", this);
+ mValidated = true;
+ mValidationResult = errSecCSInternalError;
+ throw;
+ }
+ assert(validated());
+ if (mValidationResult == errSecSuccess) {
+ if (mValidationExpired)
+ if ((mValidationFlags & kSecCSConsiderExpiration)
+ || (codeDirectory()->flags & kSecCodeSignatureForceExpiration))
+ MacOSError::throwMe(CSSMERR_TP_CERT_EXPIRED);
+ } else
+ MacOSError::throwMe(mValidationResult);
+}
+
+
+//
+// Load and validate the CodeDirectory and all components *except* those related to the resource envelope.
+// Those latter components are checked by validateResources().
+//
+void SecStaticCode::validateNonResourceComponents()
+{
+ this->validateDirectory();
+ for (CodeDirectory::SpecialSlot slot = codeDirectory()->maxSpecialSlot(); slot >= 1; --slot)
+ switch (slot) {
+ case cdResourceDirSlot: // validated by validateResources
+ break;
+ default:
+ this->component(slot); // loads and validates
+ break;
+ }
+}
+
+
+//
+// Get the (signed) signing date from the code signature.
+// Sadly, we need to validate the signature to get the date (as a side benefit).
+// This means that you can't get the signing time for invalidly signed code.
+//
+// We could run the decoder "almost to" verification to avoid this, but there seems
+// little practical point to such a duplication of effort.
+//
+CFAbsoluteTime SecStaticCode::signingTime()
+{
+ validateDirectory();
+ return mSigningTime;
+}
+
+CFAbsoluteTime SecStaticCode::signingTimestamp()
+{
+ validateDirectory();
+ return mSigningTimestamp;
+}
+
+
+//
+// Verify the CMS signature on the CodeDirectory.
+// This performs the cryptographic tango. It returns if the signature is valid,
+// or throws if it is not. As a side effect, a successful return sets up the
+// cached certificate chain for future use.
+// Returns true if the signature is expired (the X.509 sense), false if it's not.
+// Expiration is fatal (throws) if a secure timestamp is included, but not otherwise.
+//
+bool SecStaticCode::verifySignature()
+{
+ // ad-hoc signed code is considered validly signed by definition
+ if (flag(kSecCodeSignatureAdhoc)) {
+ CODESIGN_EVAL_STATIC_SIGNATURE_ADHOC(this);
+ return false;
+ }
+
+ DTRACK(CODESIGN_EVAL_STATIC_SIGNATURE, this, (char*)this->mainExecutablePath().c_str());
+
+ // decode CMS and extract SecTrust for verification
+ CFRef cms;
+ MacOSError::check(CMSDecoderCreate(&cms.aref())); // create decoder
+ CFDataRef sig = this->signature();
+ MacOSError::check(CMSDecoderUpdateMessage(cms, CFDataGetBytePtr(sig), CFDataGetLength(sig)));
+ this->codeDirectory(); // load CodeDirectory (sets mDir)
+ MacOSError::check(CMSDecoderSetDetachedContent(cms, mDir));
+ MacOSError::check(CMSDecoderFinalizeMessage(cms));
+ MacOSError::check(CMSDecoderSetSearchKeychain(cms, cfEmptyArray()));
+ CFRef vf_policies = verificationPolicies();
+ CFRef ts_policies = SecPolicyCreateAppleTimeStampingAndRevocationPolicies(vf_policies);
+ CMSSignerStatus status;
+ MacOSError::check(CMSDecoderCopySignerStatus(cms, 0, vf_policies,
+ false, &status, &mTrust.aref(), NULL));
+
+ if (status != kCMSSignerValid) {
+ const char *reason;
+ switch (status) {
+ case kCMSSignerUnsigned: reason="kCMSSignerUnsigned"; break;
+ case kCMSSignerNeedsDetachedContent: reason="kCMSSignerNeedsDetachedContent"; break;
+ case kCMSSignerInvalidSignature: reason="kCMSSignerInvalidSignature"; break;
+ case kCMSSignerInvalidCert: reason="kCMSSignerInvalidCert"; break;
+ case kCMSSignerInvalidIndex: reason="kCMSSignerInvalidIndex"; break;
+ default: reason="unknown"; break;
+ }
+ Security::Syslog::error("CMSDecoderCopySignerStatus failed with %s error (%d)",
+ reason, (int)status);
+ MacOSError::throwMe(errSecCSSignatureFailed);
+ }
+
+ // internal signing time (as specified by the signer; optional)
+ mSigningTime = 0; // "not present" marker (nobody could code sign on Jan 1, 2001 :-)
+ switch (OSStatus rc = CMSDecoderCopySignerSigningTime(cms, 0, &mSigningTime)) {
+ case 
errSecSuccess:
+ case errSecSigningTimeMissing:
+ break;
+ default:
+ Security::Syslog::error("Could not get signing time (error %d)", (int)rc);
+ MacOSError::throwMe(rc);
+ }
+
+ // certified signing time (as specified by a TSA; optional)
+ mSigningTimestamp = 0;
+ switch (OSStatus rc = CMSDecoderCopySignerTimestampWithPolicy(cms, ts_policies, 0, &mSigningTimestamp)) {
+ case errSecSuccess:
+ case errSecTimestampMissing:
+ break;
+ default:
+ Security::Syslog::error("Could not get timestamp (error %d)", (int)rc);
+ MacOSError::throwMe(rc);
+ }
+
+ // set up the environment for SecTrust
+ if (mValidationFlags & kSecCSNoNetworkAccess) {
+ MacOSError::check(SecTrustSetNetworkFetchAllowed(mTrust,false)); // no network?
+ }
+ MacOSError::check(SecTrustSetKeychains(mTrust, cfEmptyArray())); // no keychains
+
+ CSSM_APPLE_TP_ACTION_DATA actionData = {
+ CSSM_APPLE_TP_ACTION_VERSION, // version of data structure
+ 0 // action flags
+ };
+
+ if (!(mValidationFlags & kSecCSCheckTrustedAnchors)) {
+ /* no need to evaluate anchor trust when building cert chain */
+ MacOSError::check(SecTrustSetAnchorCertificates(mTrust, cfEmptyArray())); // no anchors
+ actionData.ActionFlags |= CSSM_TP_ACTION_IMPLICIT_ANCHORS; // action flags
+ }
+
+ for (;;) { // at most twice
+ MacOSError::check(SecTrustSetParameters(mTrust,
+ CSSM_TP_ACTION_DEFAULT, CFTempData(&actionData, sizeof(actionData))));
+
+ // evaluate trust and extract results
+ SecTrustResultType trustResult;
+ MacOSError::check(SecTrustEvaluate(mTrust, &trustResult));
+ MacOSError::check(SecTrustGetResult(mTrust, &trustResult, &mCertChain.aref(), &mEvalDetails));
+
+ // if this is an Apple developer cert....
+ if (teamID() && SecStaticCode::isAppleDeveloperCert(mCertChain)) {
+ CFRef teamIDFromCert;
+ if (CFArrayGetCount(mCertChain) > 0) {
+ /* Note that SecCertificateCopySubjectComponent sets the out parameter to NULL if there is no field present */
+ MacOSError::check(SecCertificateCopySubjectComponent((SecCertificateRef)CFArrayGetValueAtIndex(mCertChain, Requirement::leafCert),
+ &CSSMOID_OrganizationalUnitName,
+ &teamIDFromCert.aref()));
+
+ if (teamIDFromCert) {
+ CFRef teamIDFromCD = CFStringCreateWithCString(NULL, teamID(), kCFStringEncodingUTF8);
+ if (!teamIDFromCD) {
+ Security::Syslog::error("Could not get team identifier (%s)", teamID());
+ MacOSError::throwMe(errSecCSInternalError);
+ }
+
+ if (CFStringCompare(teamIDFromCert, teamIDFromCD, 0) != kCFCompareEqualTo) {
+ Security::Syslog::error("Team identifier in the signing certificate (%s) does not match the team identifier (%s) in the code directory", cfString(teamIDFromCert).c_str(), teamID());
+ MacOSError::throwMe(errSecCSSignatureInvalid);
+ }
+ }
+ }
+ }
+
+ CODESIGN_EVAL_STATIC_SIGNATURE_RESULT(this, trustResult, mCertChain ? (int)CFArrayGetCount(mCertChain) : 0);
+ switch (trustResult) {
+ case kSecTrustResultProceed:
+ case kSecTrustResultUnspecified:
+ break; // success
+ case kSecTrustResultDeny:
+ MacOSError::throwMe(CSSMERR_APPLETP_TRUST_SETTING_DENY); // user reject
+ case kSecTrustResultInvalid:
+ assert(false); // should never happen
+ MacOSError::throwMe(CSSMERR_TP_NOT_TRUSTED);
+ default:
+ {
+ OSStatus result;
+ MacOSError::check(SecTrustGetCssmResultCode(mTrust, &result));
+ // if we have a valid timestamp, CMS validates against (that) signing time and all is well.
+ // If we don't have one, may validate against *now*, and must be able to tolerate expiration.
+ if (mSigningTimestamp == 0) { // no timestamp available
+ if (((result == CSSMERR_TP_CERT_EXPIRED) || (result == CSSMERR_TP_CERT_NOT_VALID_YET))
+ && !(actionData.ActionFlags & CSSM_TP_ACTION_ALLOW_EXPIRED)) {
+ CODESIGN_EVAL_STATIC_SIGNATURE_EXPIRED(this);
+ actionData.ActionFlags |= CSSM_TP_ACTION_ALLOW_EXPIRED; // (this also allows postdated certs)
+ continue; // retry validation while tolerating expiration
+ }
+ }
+ Security::Syslog::error("SecStaticCode: verification failed (trust result %d, error %d)", trustResult, (int)result);
+ MacOSError::throwMe(result);
+ }
+ }
+
+ if (mSigningTimestamp) {
+ CFIndex rootix = CFArrayGetCount(mCertChain);
+ if (SecCertificateRef mainRoot = SecCertificateRef(CFArrayGetValueAtIndex(mCertChain, rootix-1)))
+ if (isAppleCA(mainRoot)) {
+ // impose policy: if the signature itself draws to Apple, then so must the timestamp signature
+ CFRef tsCerts;
+ OSStatus result = CMSDecoderCopySignerTimestampCertificates(cms, 0, &tsCerts.aref());
+ if (result) {
+ Security::Syslog::error("SecStaticCode: could not get timestamp certificates (error %d)", (int)result);
+ MacOSError::check(result);
+ }
+ CFIndex tsn = CFArrayGetCount(tsCerts);
+ bool good = tsn > 0 && isAppleCA(SecCertificateRef(CFArrayGetValueAtIndex(tsCerts, tsn-1)));
+ if (!good) {
+ result = CSSMERR_TP_NOT_TRUSTED;
+ Security::Syslog::error("SecStaticCode: timestamp policy verification failed (error %d)", (int)result);
+ MacOSError::throwMe(result);
+ }
+ }
+ }
+
+ return actionData.ActionFlags & CSSM_TP_ACTION_ALLOW_EXPIRED;
+ }
+}
+
+
+//
+// Return the TP policy used for signature verification.
+// This may be a simple SecPolicyRef or a CFArray of policies.
+// The caller owns the return value.
+//
+static SecPolicyRef makeCRLPolicy()
+{
+ CFRef policy;
+ MacOSError::check(SecPolicyCopy(CSSM_CERT_X_509v3, &CSSMOID_APPLE_TP_REVOCATION_CRL, &policy.aref()));
+ CSSM_APPLE_TP_CRL_OPTIONS options;
+ memset(&options, 0, sizeof(options));
+ options.Version = CSSM_APPLE_TP_CRL_OPTS_VERSION;
+ options.CrlFlags = CSSM_TP_ACTION_FETCH_CRL_FROM_NET | CSSM_TP_ACTION_CRL_SUFFICIENT;
+ CSSM_DATA optData = { sizeof(options), (uint8 *)&options };
+ MacOSError::check(SecPolicySetValue(policy, &optData));
+ return policy.yield();
+}
+
+static SecPolicyRef makeOCSPPolicy()
+{
+ CFRef policy;
+ MacOSError::check(SecPolicyCopy(CSSM_CERT_X_509v3, &CSSMOID_APPLE_TP_REVOCATION_OCSP, &policy.aref()));
+ CSSM_APPLE_TP_OCSP_OPTIONS options;
+ memset(&options, 0, sizeof(options));
+ options.Version = CSSM_APPLE_TP_OCSP_OPTS_VERSION;
+ options.Flags = CSSM_TP_ACTION_OCSP_SUFFICIENT;
+ CSSM_DATA optData = { sizeof(options), (uint8 *)&options };
+ MacOSError::check(SecPolicySetValue(policy, &optData));
+ return policy.yield();
+}
+
+CFArrayRef SecStaticCode::verificationPolicies()
+{
+ CFRef core;
+ MacOSError::check(SecPolicyCopy(CSSM_CERT_X_509v3,
+ &CSSMOID_APPLE_TP_CODE_SIGNING, &core.aref()));
+ if (mValidationFlags & kSecCSNoNetworkAccess) {
+ // Skips all revocation since they require network connectivity
+ // therefore annihilates kSecCSEnforceRevocationChecks if present
+ CFRef no_revoc = SecPolicyCreateRevocation(kSecRevocationNetworkAccessDisabled);
+ return makeCFArray(2, core.get(), no_revoc.get());
+ }
+ else if (mValidationFlags & kSecCSEnforceRevocationChecks) {
+ // Add CRL and OCSPPolicies
+ CFRef crl = makeCRLPolicy();
+ CFRef ocsp = makeOCSPPolicy();
+ return makeCFArray(3, core.get(), crl.get(), ocsp.get());
+ } else {
+ return makeCFArray(1, core.get());
+ }
+}
+
+
+//
+// Validate a particular sealed, cached resource against its (special) CodeDirectory slot.
+// The resource must already have been placed in the cache.
+// This does NOT perform basic validation.
+//
+void SecStaticCode::validateComponent(CodeDirectory::SpecialSlot slot, OSStatus fail /* = errSecCSSignatureFailed */)
+{
+ assert(slot <= cdSlotMax);
+ CFDataRef data = mCache[slot];
+ assert(data); // must be cached
+ if (data == CFDataRef(kCFNull)) {
+ if (codeDirectory()->slotIsPresent(-slot)) // was supposed to be there...
+ MacOSError::throwMe(fail); // ... and is missing
+ } else {
+ if (!codeDirectory()->validateSlot(CFDataGetBytePtr(data), CFDataGetLength(data), -slot))
+ MacOSError::throwMe(fail);
+ }
+}
+
+
+//
+// Perform static validation of the main executable.
+// This reads the main executable from disk and validates it against the
+// CodeDirectory code slot array.
+// Note that this is NOT an in-memory validation, and is thus potentially
+// subject to timing attacks.
+//
+void SecStaticCode::validateExecutable()
+{
+ if (!validatedExecutable()) {
+ try {
+ DTRACK(CODESIGN_EVAL_STATIC_EXECUTABLE, this,
+ (char*)this->mainExecutablePath().c_str(), codeDirectory()->nCodeSlots);
+ const CodeDirectory *cd = this->codeDirectory();
+ if (!cd)
+ MacOSError::throwMe(errSecCSUnsigned);
+ AutoFileDesc fd(mainExecutablePath(), O_RDONLY);
+ fd.fcntl(F_NOCACHE, true); // turn off page caching (one-pass)
+ if (Universal *fat = mRep->mainExecutableImage())
+ fd.seek(fat->archOffset());
+ size_t pageSize = cd->pageSize ? (1 << cd->pageSize) : 0;
+ size_t remaining = cd->codeLimit;
+ for (uint32_t slot = 0; slot < cd->nCodeSlots; ++slot) {
+ size_t size = min(remaining, pageSize);
+ if (!cd->validateSlot(fd, size, slot)) {
+ CODESIGN_EVAL_STATIC_EXECUTABLE_FAIL(this, (int)slot);
+ MacOSError::throwMe(errSecCSSignatureFailed);
+ }
+ remaining -= size;
+ }
+ mExecutableValidated = true;
+ mExecutableValidResult = errSecSuccess;
+ } catch (const CommonError &err) {
+ mExecutableValidated = true;
+ mExecutableValidResult = err.osStatus();
+ throw;
+ } catch (...) 
{
+ secdebug("staticCode", "%p executable validation threw non-common exception", this);
+ mExecutableValidated = true;
+ mExecutableValidResult = errSecCSInternalError;
+ throw;
+ }
+ }
+ assert(validatedExecutable());
+ if (mExecutableValidResult != errSecSuccess)
+ MacOSError::throwMe(mExecutableValidResult);
+}
+
+
+//
+// Perform static validation of sealed resources and nested code.
+//
+// This performs a whole-code static resource scan and effectively
+// computes a concordance between what's on disk and what's in the ResourceDirectory.
+// Any unsanctioned difference causes an error.
+//
+unsigned SecStaticCode::estimateResourceWorkload()
+{
+ // workload estimate = number of sealed files
+ CFDictionaryRef sealedResources = resourceDictionary();
+ CFDictionaryRef files = cfget(sealedResources, "files2");
+ if (files == NULL)
+ files = cfget(sealedResources, "files");
+ return files ? unsigned(CFDictionaryGetCount(files)) : 0;
+}
+
+void SecStaticCode::validateResources(SecCSFlags flags)
+{
+ // do we have a superset of this requested validation cached?
+ bool doit = true;
+ if (mResourcesValidated) { // have cached outcome
+ if (!(flags & kSecCSCheckNestedCode) || mResourcesDeep) // was deep or need no deep scan
+ doit = false;
+ }
+
+ if (doit) {
+ if (mLimitedAsync == NULL) {
+ mLimitedAsync = new LimitedAsync(diskRep()->fd().mediumType() == kIOPropertyMediumTypeSolidStateKey);
+ }
+
+ try {
+ // sanity first
+ CFDictionaryRef sealedResources = resourceDictionary();
+ if (this->resourceBase()) // disk has resources
+ if (sealedResources)
+ /* go to work below */;
+ else
+ MacOSError::throwMe(errSecCSResourcesNotFound);
+ else // disk has no resources
+ if (sealedResources)
+ MacOSError::throwMe(errSecCSResourcesNotFound);
+ else
+ return; // no resources, not sealed - fine (no work)
+
+ // found resources, and they are sealed
+ DTRACK(CODESIGN_EVAL_STATIC_RESOURCES, this,
+ (char*)this->mainExecutablePath().c_str(), 0);
+
+ // scan through the resources on disk, checking each against the resourceDirectory
+ mResourcesValidContext = new CollectingContext(*this); // collect all failures in here
+
+ // use V2 resource seal if available, otherwise fall back to V1
+ CFDictionaryRef rules;
+ CFDictionaryRef files;
+ uint32_t version;
+ if (CFDictionaryGetValue(sealedResources, CFSTR("files2"))) { // have V2 signature
+ rules = cfget(sealedResources, "rules2");
+ files = cfget(sealedResources, "files2");
+ version = 2;
+ } else { // only V1 available
+ rules = cfget(sealedResources, "rules");
+ files = cfget(sealedResources, "files");
+ version = 1;
+ }
+ if (!rules || !files)
+ MacOSError::throwMe(errSecCSResourcesInvalid);
+
+ // check for weak resource rules
+ bool strict = flags & kSecCSStrictValidate;
+ if (strict) {
+ if (hasWeakResourceRules(rules, version, mAllowOmissions))
+ if (mTolerateErrors.find(errSecCSWeakResourceRules) == mTolerateErrors.end())
+ MacOSError::throwMe(errSecCSWeakResourceRules);
+ if (version == 1)
+ if (mTolerateErrors.find(errSecCSWeakResourceEnvelope) == mTolerateErrors.end())
+ 
MacOSError::throwMe(errSecCSWeakResourceEnvelope);
+ }
+
+ Dispatch::Group group;
+ Dispatch::Group &groupRef = group; // (into block)
+
+ // scan through the resources on disk, checking each against the resourceDirectory
+ __block CFRef resourceMap = makeCFMutableDictionary(files);
+ string base = cfString(this->resourceBase());
+ ResourceBuilder resources(base, base, rules, codeDirectory()->hashType, strict, mTolerateErrors);
+ this->mResourceScope = &resources;
+ diskRep()->adjustResources(resources);
+
+ resources.scan(^(FTSENT *ent, uint32_t ruleFlags, const string relpath, ResourceBuilder::Rule *rule) {
+ CFDictionaryRemoveValue(resourceMap, CFTempString(relpath));
+ bool isSymlink = (ent->fts_info == FTS_SL);
+
+ void (^validate)() = ^{
+ validateResource(files, relpath, isSymlink, *mResourcesValidContext, flags, version);
+ reportProgress();
+ };
+
+ mLimitedAsync->perform(groupRef, validate);
+ });
+ group.wait(); // wait until all async resources have been validated as well
+
+ unsigned leftovers = unsigned(CFDictionaryGetCount(resourceMap));
+ if (leftovers > 0) {
+ secdebug("staticCode", "%d sealed resource(s) not found in code", int(leftovers));
+ CFDictionaryApplyFunction(resourceMap, SecStaticCode::checkOptionalResource, mResourcesValidContext);
+ }
+
+ // now check for any errors found in the reporting context
+ mResourcesValidated = true;
+ mResourcesDeep = flags & kSecCSCheckNestedCode;
+ if (mResourcesValidContext->osStatus() != errSecSuccess)
+ mResourcesValidContext->throwMe();
+ } catch (const CommonError &err) {
+ mResourcesValidated = true;
+ mResourcesDeep = flags & kSecCSCheckNestedCode;
+ mResourcesValidResult = err.osStatus();
+ throw;
+ } catch (...) 
{
+ secdebug("staticCode", "%p executable validation threw non-common exception", this);
+ mResourcesValidated = true;
+ mResourcesDeep = flags & kSecCSCheckNestedCode;
+ mResourcesValidResult = errSecCSInternalError;
+ throw;
+ }
+ }
+ assert(validatedResources());
+ if (mResourcesValidResult)
+ MacOSError::throwMe(mResourcesValidResult);
+ if (mResourcesValidContext->osStatus() != errSecSuccess)
+ mResourcesValidContext->throwMe();
+}
+
+
+void SecStaticCode::checkOptionalResource(CFTypeRef key, CFTypeRef value, void *context)
+{
+ ValidationContext *ctx = static_cast(context);
+ ResourceSeal seal(value);
+ if (!seal.optional()) {
+ if (key && CFGetTypeID(key) == CFStringGetTypeID()) {
+ CFTempURL tempURL(CFStringRef(key), false, ctx->code.resourceBase());
+ if (!tempURL.get()) {
+ ctx->reportProblem(errSecCSBadDictionaryFormat, kSecCFErrorResourceSeal, key);
+ } else {
+ ctx->reportProblem(errSecCSBadResource, kSecCFErrorResourceMissing, tempURL);
+ }
+ } else {
+ ctx->reportProblem(errSecCSBadResource, kSecCFErrorResourceSeal, key);
+ }
+ }
+}
+
+
+static bool isOmitRule(CFTypeRef value)
+{
+ if (CFGetTypeID(value) == CFBooleanGetTypeID())
+ return value == kCFBooleanFalse;
+ CFDictionary rule(value, errSecCSResourceRulesInvalid);
+ return rule.get("omit") == kCFBooleanTrue;
+}
+
+bool SecStaticCode::hasWeakResourceRules(CFDictionaryRef rulesDict, uint32_t version, CFArrayRef allowedOmissions)
+{
+ // compute allowed omissions
+ CFRef defaultOmissions = this->diskRep()->allowedResourceOmissions();
+ if (!defaultOmissions)
+ MacOSError::throwMe(errSecCSInternalError);
+ CFRef allowed = CFArrayCreateMutableCopy(NULL, 0, defaultOmissions);
+ if (allowedOmissions)
+ CFArrayAppendArray(allowed, allowedOmissions, CFRangeMake(0, CFArrayGetCount(allowedOmissions)));
+ CFRange range = CFRangeMake(0, CFArrayGetCount(allowed));
+
+ // check all resource rules for weakness
+ string catchAllRule = (version == 1) ? 
"^Resources/" : "^.*";
+ __block bool coversAll = false;
+ __block bool forbiddenOmission = false;
+ CFArrayRef allowedRef = allowed.get(); // (into block)
+ CFDictionary rules(rulesDict, errSecCSResourceRulesInvalid);
+ rules.apply(^(CFStringRef key, CFTypeRef value) {
+ string pattern = cfString(key, errSecCSResourceRulesInvalid);
+ if (pattern == catchAllRule && value == kCFBooleanTrue) {
+ coversAll = true;
+ return;
+ }
+ if (isOmitRule(value))
+ forbiddenOmission |= !CFArrayContainsValue(allowedRef, range, key);
+ });
+
+ return !coversAll || forbiddenOmission;
+}
+
+
+//
+// Load, validate, cache, and return CFDictionary forms of sealed resources.
+//
+CFDictionaryRef SecStaticCode::infoDictionary()
+{
+ if (!mInfoDict) {
+ mInfoDict.take(getDictionary(cdInfoSlot, errSecCSInfoPlistFailed));
+ secdebug("staticCode", "%p loaded InfoDict %p", this, mInfoDict.get());
+ }
+ return mInfoDict;
+}
+
+CFDictionaryRef SecStaticCode::entitlements()
+{
+ if (!mEntitlements) {
+ validateDirectory();
+ if (CFDataRef entitlementData = component(cdEntitlementSlot)) {
+ validateComponent(cdEntitlementSlot);
+ const EntitlementBlob *blob = reinterpret_cast(CFDataGetBytePtr(entitlementData));
+ if (blob->validateBlob()) {
+ mEntitlements.take(blob->entitlements());
+ secdebug("staticCode", "%p loaded Entitlements %p", this, mEntitlements.get());
+ }
+ // we do not consider a different blob type to be an error. We think it's a new format we don't understand
+ }
+ }
+ return mEntitlements;
+}
+
+CFDictionaryRef SecStaticCode::resourceDictionary(bool check /* = true */)
+{
+ if (mResourceDict) // cached
+ return mResourceDict;
+ if (CFRef dict = getDictionary(cdResourceDirSlot, check))
+ if (cfscan(dict, "{rules=%Dn,files=%Dn}")) {
+ secdebug("staticCode", "%p loaded ResourceDict %p",
+ this, mResourceDict.get());
+ return mResourceDict = dict;
+ }
+ // bad format
+ return NULL;
+}
+
+
+//
+// Load and cache the resource directory base.
+// Note that the base is optional for each DiskRep.
+//
+CFURLRef SecStaticCode::resourceBase()
+{
+ if (!mGotResourceBase) {
+ string base = mRep->resourcesRootPath();
+ if (!base.empty())
+ mResourceBase.take(makeCFURL(base, true));
+ mGotResourceBase = true;
+ }
+ return mResourceBase;
+}
+
+
+//
+// Load a component, validate it, convert it to a CFDictionary, and return that.
+// This will force load and validation, which means that it will perform basic
+// validation if it hasn't been done yet.
+//
+CFDictionaryRef SecStaticCode::getDictionary(CodeDirectory::SpecialSlot slot, bool check /* = true */)
+{
+ if (check)
+ validateDirectory();
+ if (CFDataRef infoData = component(slot)) {
+ validateComponent(slot);
+ if (CFDictionaryRef dict = makeCFDictionaryFrom(infoData))
+ return dict;
+ else
+ MacOSError::throwMe(errSecCSBadDictionaryFormat);
+ }
+ return NULL;
+}
+
+
+//
+// Load, validate, and return a sealed resource.
+// The resource data (loaded in to memory as a blob) is returned and becomes
+// the responsibility of the caller; it is NOT cached by SecStaticCode.
+//
+// A resource that is not sealed will not be returned, and an error will be thrown.
+// A missing resource will cause an error unless it's marked optional in the Directory.
+// Under no circumstances will a corrupt resource be returned.
+// NULL will only be returned for a resource that is neither sealed nor present
+// (or that is sealed, absent, and marked optional).
+// If the ResourceDictionary itself is not sealed, this function will always fail.
+//
+// There is currently no interface for partial retrieval of the resource data.
+// (Since the ResourceDirectory does not currently support segmentation, all the
+// data would have to be read anyway, but it could be read into a reusable buffer.)
+//
+CFDataRef SecStaticCode::resource(string path, ValidationContext &ctx)
+{
+ if (CFDictionaryRef rdict = resourceDictionary()) {
+ if (CFTypeRef file = cfget(rdict, "files.%s", path.c_str())) {
+ ResourceSeal seal = file;
+ if (!resourceBase()) // no resources in DiskRep
+ MacOSError::throwMe(errSecCSResourcesNotFound);
+ if (seal.nested())
+ MacOSError::throwMe(errSecCSResourcesNotSealed); // (it's nested code)
+ CFRef fullpath = makeCFURL(path, false, resourceBase());
+ if (CFRef data = cfLoadFile(fullpath)) {
+ MakeHash hasher(this->codeDirectory());
+ hasher->update(CFDataGetBytePtr(data), CFDataGetLength(data));
+ if (hasher->verify(seal.hash()))
+ return data.yield(); // good
+ else
+ ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceAltered, fullpath); // altered
+ } else {
+ if (!seal.optional())
+ ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceMissing, fullpath); // was sealed but is now missing
+ else
+ return NULL; // validly missing
+ }
+ } else
+ ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceAdded, CFTempURL(path, false, resourceBase()));
+ return NULL;
+ } else
+ MacOSError::throwMe(errSecCSResourcesNotSealed);
+}
+
+CFDataRef SecStaticCode::resource(string path)
+{
+ ValidationContext ctx(*this);
+ return resource(path, ctx);
+}
+
+void SecStaticCode::validateResource(CFDictionaryRef files, string path, bool isSymlink, ValidationContext &ctx, SecCSFlags flags, uint32_t version)
+{
+ if (!resourceBase()) // no resources in DiskRep
+ MacOSError::throwMe(errSecCSResourcesNotFound);
+ CFRef fullpath = makeCFURL(path, false, resourceBase());
+ if (CFTypeRef file = CFDictionaryGetValue(files, CFTempString(path))) {
+ ResourceSeal seal = file;
+ if (seal.nested()) {
+ if (isSymlink)
+ return ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceAltered, fullpath); // changed type
+ string suffix = ".framework";
+ bool isFramework = (path.length() > suffix.length())
+ && (path.compare(path.length()-suffix.length(),
suffix.length(), suffix) == 0); + validateNestedCode(fullpath, seal, flags, isFramework); + } else if (seal.link()) { + if (!isSymlink) + return ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceAltered, fullpath); // changed type + validateSymlinkResource(cfString(fullpath), cfString(seal.link()), ctx, flags); + } else if (seal.hash()) { // genuine file + if (isSymlink) + return ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceAltered, fullpath); // changed type + AutoFileDesc fd(cfString(fullpath), O_RDONLY, FileDesc::modeMissingOk); // open optional file + if (fd) { + MakeHash hasher(this->codeDirectory()); + hashFileData(fd, hasher.get()); + if (hasher->verify(seal.hash())) + return; // verify good + else + ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceAltered, fullpath); // altered + } else { + if (!seal.optional()) + ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceMissing, fullpath); // was sealed but is now missing + else + return; // validly missing + } + } else + ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceAltered, fullpath); // changed type + return; + } + if (version == 1) { // version 1 ignores symlinks altogether + char target[PATH_MAX]; + if (::readlink(cfString(fullpath).c_str(), target, sizeof(target)) > 0) + return; + } + ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceAdded, CFTempURL(path, false, resourceBase())); +} + +void SecStaticCode::validateSymlinkResource(std::string fullpath, std::string seal, ValidationContext &ctx, SecCSFlags flags) +{ + static const char* const allowedDestinations[] = { + "/System/", + "/Library/", + NULL + }; + char target[PATH_MAX]; + ssize_t len = ::readlink(fullpath.c_str(), target, sizeof(target)-1); + if (len < 0) + UnixError::check(-1); + target[len] = '\0'; + std::string fulltarget = target; + if (target[0] != '/') { + size_t lastSlash = fullpath.rfind('/'); + fulltarget = fullpath.substr(0, lastSlash) + '/' + target; + } + if (seal != target) { + 
ctx.reportProblem(errSecCSBadResource, kSecCFErrorResourceAltered, CFTempString(fullpath)); + return; + } + if ((mValidationFlags & (kSecCSStrictValidate|kSecCSRestrictSymlinks)) == (kSecCSStrictValidate|kSecCSRestrictSymlinks)) { + char resolved[PATH_MAX]; + if (realpath(fulltarget.c_str(), resolved)) { + assert(resolved[0] == '/'); + size_t rlen = strlen(resolved); + if (target[0] == '/') { + // absolute symlink; only allow absolute links to system locations + for (const char* const* pathp = allowedDestinations; *pathp; pathp++) { + size_t dlen = strlen(*pathp); + if (rlen > dlen && strncmp(resolved, *pathp, dlen) == 0) + return; // target inside /System, deemed okay + } + } else { + // everything else must be inside the bundle(s) + for (const SecStaticCode* code = this; code; code = code->mOuterScope) { + string root = code->mResourceScope->root(); + if (strncmp(resolved, root.c_str(), root.size()) == 0) { + if (code->mResourceScope->includes(resolved + root.length() + 1)) + return; // located in resource stack && included in envelope + else + break; // located but excluded from envelope (deny) + } + } + } + } + // if we fell through, flag a symlink error + if (mTolerateErrors.find(errSecCSInvalidSymlink) == mTolerateErrors.end()) + ctx.reportProblem(errSecCSInvalidSymlink, kSecCFErrorResourceAltered, CFTempString(fullpath)); + } +} + +void SecStaticCode::validateNestedCode(CFURLRef path, const ResourceSeal &seal, SecCSFlags flags, bool isFramework) +{ + CFRef req; + if (SecRequirementCreateWithString(seal.requirement(), kSecCSDefaultFlags, &req.aref())) + MacOSError::throwMe(errSecCSResourcesInvalid); + + // recursively verify this nested code + try { + if (!(flags & kSecCSCheckNestedCode)) + flags |= kSecCSBasicValidateOnly; + SecPointer code = new SecStaticCode(DiskRep::bestGuess(cfString(path))); + code->initializeFromParent(*this); + code->staticValidate(flags, SecRequirement::required(req)); + + if (isFramework && (flags & kSecCSStrictValidate)) + try { + 
validateOtherVersions(path, flags, req, code);
+ } catch (const CSError &err) {
+ MacOSError::throwMe(errSecCSBadFrameworkVersion);
+ } catch (const MacOSError &err) {
+ MacOSError::throwMe(errSecCSBadFrameworkVersion);
+ }
+
+ } catch (CSError &err) {
+ if (err.error == errSecCSReqFailed) {
+ mResourcesValidContext->reportProblem(errSecCSBadNestedCode, kSecCFErrorResourceAltered, path);
+ return;
+ }
+ err.augment(kSecCFErrorPath, path);
+ throw;
+ } catch (const MacOSError &err) {
+ if (err.error == errSecCSReqFailed) {
+ mResourcesValidContext->reportProblem(errSecCSBadNestedCode, kSecCFErrorResourceAltered, path);
+ return;
+ }
+ CSError::throwMe(err.error, kSecCFErrorPath, path);
+ }
+}
+
+void SecStaticCode::validateOtherVersions(CFURLRef path, SecCSFlags flags, SecRequirementRef req, SecStaticCode *code)
+{
+ // Find out what current points to and do not revalidate
+ std::string mainPath = cfStringRelease(code->diskRep()->copyCanonicalPath());
+
+ char main_path[PATH_MAX];
+ bool foundTarget = false;
+
+ /* If it failed to get the target of the symlink, do not fail.
It is a performance loss,
+ not a security hole */
+ if (realpath(mainPath.c_str(), main_path) != NULL)
+ foundTarget = true;
+
+ std::ostringstream versionsPath;
+ versionsPath << cfString(path) << "/Versions/";
+
+ DirScanner scanner(versionsPath.str());
+
+ if (scanner.initialized()) {
+ struct dirent *entry = NULL;
+ while ((entry = scanner.getNext()) != NULL) {
+ std::ostringstream fullPath;
+
+ if (entry->d_type != DT_DIR ||
+ strcmp(entry->d_name, ".") == 0 ||
+ strcmp(entry->d_name, "..") == 0 ||
+ strcmp(entry->d_name, "Current") == 0)
+ continue;
+
+ fullPath << versionsPath.str() << entry->d_name;
+
+ char real_full_path[PATH_MAX];
+ if (realpath(fullPath.str().c_str(), real_full_path) == NULL)
+ UnixError::check(-1);
+
+ // Do case insensitive comparions because realpath() was called for both paths
+ if (foundTarget && strcmp(main_path, real_full_path) == 0)
+ continue;
+
+ SecPointer frameworkVersion = new SecStaticCode(DiskRep::bestGuess(real_full_path));
+ frameworkVersion->initializeFromParent(*this);
+ frameworkVersion->staticValidate(flags, SecRequirement::required(req));
+ }
+ }
+}
+
+
+//
+// Test a CodeDirectory flag.
+// Returns false if there is no CodeDirectory.
+// May throw if the CodeDirectory is present but somehow invalid.
+//
+bool SecStaticCode::flag(uint32_t tested)
+{
+ if (const CodeDirectory *cd = this->codeDirectory(false))
+ return cd->flags & tested;
+ else
+ return false;
+}
+
+
+//
+// Retrieve the full SuperBlob containing all internal requirements.
+//
+const Requirements *SecStaticCode::internalRequirements()
+{
+ if (CFDataRef reqData = component(cdRequirementsSlot)) {
+ const Requirements *req = (const Requirements *)CFDataGetBytePtr(reqData);
+ if (!req->validateBlob())
+ MacOSError::throwMe(errSecCSReqInvalid);
+ return req;
+ } else
+ return NULL;
+}
+
+
+//
+// Retrieve a particular internal requirement by type.
+//
+const Requirement *SecStaticCode::internalRequirement(SecRequirementType type)
+{
+ if (const Requirements *reqs = internalRequirements())
+ return reqs->find(type);
+ else
+ return NULL;
+}
+
+
+//
+// Return the Designated Requirement (DR). This can be either explicit in the
+// Internal Requirements component, or implicitly generated on demand here.
+// Note that an explicit DR may have been implicitly generated at signing time;
+// we don't distinguish this case.
+//
+const Requirement *SecStaticCode::designatedRequirement()
+{
+ if (const Requirement *req = internalRequirement(kSecDesignatedRequirementType)) {
+ return req; // explicit in signing data
+ } else {
+ if (!mDesignatedReq)
+ mDesignatedReq = defaultDesignatedRequirement();
+ return mDesignatedReq;
+ }
+}
+
+
+//
+// Generate the default Designated Requirement (DR) for this StaticCode.
+// Ignore any explicit DR it may contain.
+//
+const Requirement *SecStaticCode::defaultDesignatedRequirement()
+{
+ if (flag(kSecCodeSignatureAdhoc)) {
+ // adhoc signature: return a cdhash requirement for all architectures
+ __block Requirement::Maker maker;
+ Requirement::Maker::Chain chain(maker, opOr);
+
+ // insert cdhash requirement for all architectures
+ chain.add();
+ maker.cdhash(this->cdHash());
+ handleOtherArchitectures(^(SecStaticCode *subcode) {
+ if (CFDataRef cdhash = subcode->cdHash()) {
+ chain.add();
+ maker.cdhash(cdhash);
+ }
+ });
+ return maker.make();
+ } else {
+ // full signature: Gin up full context and let DRMaker do its thing
+ validateDirectory(); // need the cert chain
+ Requirement::Context context(this->certificates(),
+ this->infoDictionary(),
+ this->entitlements(),
+ this->identifier(),
+ this->codeDirectory()
+ );
+ return DRMaker(context).make();
+ }
+}
+
+
+//
+// Validate a SecStaticCode against the internal requirement of a particular type.
+// +void SecStaticCode::validateRequirements(SecRequirementType type, SecStaticCode *target, + OSStatus nullError /* = errSecSuccess */) +{ + DTRACK(CODESIGN_EVAL_STATIC_INTREQ, this, type, target, nullError); + if (const Requirement *req = internalRequirement(type)) + target->validateRequirement(req, nullError ? nullError : errSecCSReqFailed); + else if (nullError) + MacOSError::throwMe(nullError); + else + /* accept it */; +} + +/* Public Key Hash for root:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority */ +static const UInt8 retryRootBytes[] = {0x00,0xd8,0x5a,0x4c,0x25,0xc1,0x22,0xe5,0x8b,0x31,0xef,0x6d,0xba,0xf3,0xcc,0x5f,0x29,0xf1,0x0d,0x61}; + +// +// Validate this StaticCode against an external Requirement +// +bool SecStaticCode::satisfiesRequirement(const Requirement *req, OSStatus failure) +{ + bool result = false; + assert(req); + validateDirectory(); + result = req->validates(Requirement::Context(mCertChain, infoDictionary(), entitlements(), codeDirectory()->identifier(), codeDirectory()), failure); + if (result == false) { + /* Fix for rdar://problem/21437632: Work around untrusted root in validation chain */ + CFArrayRef certs = certificates(); + if (!certs || ((int)CFArrayGetCount(certs) < 1)) { + return false; + } + SecCertificateRef root = cert((int)CFArrayGetCount(certs) - 1); + if (!root) { + return false; + } + CFDataRef rootHash = SecCertificateCopyPublicKeySHA1Digest(root); + if (!rootHash) { + return false; + } + + if ((CFDataGetLength(rootHash) == sizeof(retryRootBytes)) && + !memcmp(CFDataGetBytePtr(rootHash), retryRootBytes, sizeof(retryRootBytes))) { + // retry with a rebuilt certificate chain, this time evaluating anchor trust + Security::Syslog::debug("Requirements validation failed: retrying"); + mResourcesValidated = mValidated = false; + setValidationFlags(mValidationFlags | kSecCSCheckTrustedAnchors); + + validateDirectory(); + result = req->validates(Requirement::Context(mCertChain, infoDictionary(), 
entitlements(), codeDirectory()->identifier(), codeDirectory()), failure); + } + CFRelease(rootHash); + } + + return result; +} + +void SecStaticCode::validateRequirement(const Requirement *req, OSStatus failure) +{ + if (!this->satisfiesRequirement(req, failure)) + MacOSError::throwMe(failure); +} + +// +// Retrieve one certificate from the cert chain. +// Positive and negative indices can be used: +// [ leaf, intermed-1, ..., intermed-n, anchor ] +// 0 1 ... -2 -1 +// Returns NULL if unavailable for any reason. +// +SecCertificateRef SecStaticCode::cert(int ix) +{ + validateDirectory(); // need cert chain + if (mCertChain) { + CFIndex length = CFArrayGetCount(mCertChain); + if (ix < 0) + ix += length; + if (ix >= 0 && ix < length) + return SecCertificateRef(CFArrayGetValueAtIndex(mCertChain, ix)); + } + return NULL; +} + +CFArrayRef SecStaticCode::certificates() +{ + validateDirectory(); // need cert chain + return mCertChain; +} + + +// +// Gather (mostly) API-official information about this StaticCode. +// +// This method lives in the twilight between the API and internal layers, +// since it generates API objects (Sec*Refs) for return. +// +CFDictionaryRef SecStaticCode::signingInformation(SecCSFlags flags) +{ + // + // Start with the pieces that we return even for unsigned code. + // This makes Sec[Static]CodeRefs useful as API-level replacements + // of our internal OSXCode objects. 
+ //
+ CFRef dict = makeCFMutableDictionary(1,
+ kSecCodeInfoMainExecutable, CFTempURL(this->mainExecutablePath()).get()
+ );
+
+ //
+ // If we're not signed, this is all you get
+ //
+ if (!this->isSigned())
+ return dict.yield();
+
+ //
+ // Add the generic attributes that we always include
+ //
+ CFDictionaryAddValue(dict, kSecCodeInfoIdentifier, CFTempString(this->identifier()));
+ CFDictionaryAddValue(dict, kSecCodeInfoFlags, CFTempNumber(this->codeDirectory(false)->flags.get()));
+ CFDictionaryAddValue(dict, kSecCodeInfoFormat, CFTempString(this->format()));
+ CFDictionaryAddValue(dict, kSecCodeInfoSource, CFTempString(this->signatureSource()));
+ CFDictionaryAddValue(dict, kSecCodeInfoUnique, this->cdHash());
+ const CodeDirectory* cd = this->codeDirectory(false);
+ CFDictionaryAddValue(dict, kSecCodeInfoDigestAlgorithm, CFTempNumber(cd->hashType));
+ if (cd->platform)
+ CFDictionaryAddValue(dict, kSecCodeInfoPlatformIdentifier, CFTempNumber(cd->platform));
+
+ //
+ // Deliver any Info.plist only if it looks intact
+ //
+ try {
+ if (CFDictionaryRef info = this->infoDictionary())
+ CFDictionaryAddValue(dict, kSecCodeInfoPList, info);
+ } catch (...)
{ } // don't deliver Info.plist if questionable
+
+ //
+ // kSecCSSigningInformation adds information about signing certificates and chains
+ //
+ if (flags & kSecCSSigningInformation)
+ try {
+ if (CFArrayRef certs = this->certificates())
+ CFDictionaryAddValue(dict, kSecCodeInfoCertificates, certs);
+ if (CFDataRef sig = this->signature())
+ CFDictionaryAddValue(dict, kSecCodeInfoCMS, sig);
+ if (mTrust)
+ CFDictionaryAddValue(dict, kSecCodeInfoTrust, mTrust);
+ if (CFAbsoluteTime time = this->signingTime())
+ if (CFRef date = CFDateCreate(NULL, time))
+ CFDictionaryAddValue(dict, kSecCodeInfoTime, date);
+ if (CFAbsoluteTime time = this->signingTimestamp())
+ if (CFRef date = CFDateCreate(NULL, time))
+ CFDictionaryAddValue(dict, kSecCodeInfoTimestamp, date);
+ if (const char *teamID = this->teamID())
+ CFDictionaryAddValue(dict, kSecCodeInfoTeamIdentifier, CFTempString(teamID));
+ } catch (...) { }
+
+ //
+ // kSecCSRequirementInformation adds information on requirements
+ //
+ if (flags & kSecCSRequirementInformation)
+ try {
+ if (const Requirements *reqs = this->internalRequirements()) {
+ CFDictionaryAddValue(dict, kSecCodeInfoRequirements,
+ CFTempString(Dumper::dump(reqs)));
+ CFDictionaryAddValue(dict, kSecCodeInfoRequirementData, CFTempData(*reqs));
+ }
+
+ const Requirement *dreq = this->designatedRequirement();
+ CFRef dreqRef = (new SecRequirement(dreq))->handle();
+ CFDictionaryAddValue(dict, kSecCodeInfoDesignatedRequirement, dreqRef);
+ if (this->internalRequirement(kSecDesignatedRequirementType)) { // explicit
+ CFRef ddreqRef = (new SecRequirement(this->defaultDesignatedRequirement(), true))->handle();
+ CFDictionaryAddValue(dict, kSecCodeInfoImplicitDesignatedRequirement, ddreqRef);
+ } else { // implicit
+ CFDictionaryAddValue(dict, kSecCodeInfoImplicitDesignatedRequirement, dreqRef);
+ }
+ } catch (...)
{ }
+
+ try {
+ if (CFDataRef ent = this->component(cdEntitlementSlot)) {
+ CFDictionaryAddValue(dict, kSecCodeInfoEntitlements, ent);
+ if (CFDictionaryRef entdict = this->entitlements())
+ CFDictionaryAddValue(dict, kSecCodeInfoEntitlementsDict, entdict);
+ }
+ } catch (...) { }
+
+ //
+ // kSecCSInternalInformation adds internal information meant to be for Apple internal
+ // use (SPI), and not guaranteed to be stable. Primarily, this is data we want
+ // to reliably transmit through the API wall so that code outside the Security.framework
+ // can use it without having to play nasty tricks to get it.
+ //
+ if (flags & kSecCSInternalInformation)
+ try {
+ if (mDir)
+ CFDictionaryAddValue(dict, kSecCodeInfoCodeDirectory, mDir);
+ CFDictionaryAddValue(dict, kSecCodeInfoCodeOffset, CFTempNumber(mRep->signingBase()));
+ if (CFRef rdict = getDictionary(cdResourceDirSlot, false)) // suppress validation
+ CFDictionaryAddValue(dict, kSecCodeInfoResourceDirectory, rdict);
+ } catch (...) { }
+
+
+ //
+ // kSecCSContentInformation adds more information about the physical layout
+ // of the signed code. This is (only) useful for packaging or patching-oriented
+ // applications.
+ //
+ if (flags & kSecCSContentInformation)
+ if (CFRef files = mRep->modifiedFiles())
+ CFDictionaryAddValue(dict, kSecCodeInfoChangedFiles, files);
+
+ return dict.yield();
+}
+
+
+//
+// Resource validation contexts.
+// The default context simply throws a CSError, rudely terminating the operation.
+//
+SecStaticCode::ValidationContext::~ValidationContext()
+{ /* virtual */ }
+
+void SecStaticCode::ValidationContext::reportProblem(OSStatus rc, CFStringRef type, CFTypeRef value)
+{
+ CSError::throwMe(rc, type, value);
+}
+
+void SecStaticCode::CollectingContext::reportProblem(OSStatus rc, CFStringRef type, CFTypeRef value)
+{
+ StLock _(mLock);
+ if (mStatus == errSecSuccess)
+ mStatus = rc; // record first failure for eventual error return
+ if (type) {
+ if (!mCollection)
+ mCollection.take(makeCFMutableDictionary());
+ CFMutableArrayRef element = CFMutableArrayRef(CFDictionaryGetValue(mCollection, type));
+ if (!element) {
+ element = makeCFMutableArray(0);
+ if (!element)
+ CFError::throwMe();
+ CFDictionaryAddValue(mCollection, type, element);
+ CFRelease(element);
+ }
+ CFArrayAppendValue(element, value);
+ }
+}
+
+void SecStaticCode::CollectingContext::throwMe()
+{
+ assert(mStatus != errSecSuccess);
+ throw CSError(mStatus, mCollection.retain());
+}
+
+
+//
+// Master validation driver.
+// This is the static validation (only) driver for the API.
+//
+// SecStaticCode exposes an a la carte menu of topical validators applying
+// to a given object. The static validation API pulls them together reliably,
+// but it also adds two matrix dimensions: architecture (for "fat" Mach-O binaries)
+// and nested code. This function will crawl a suitable cross-section of this
+// validation matrix based on which options it is given, creating temporary
+// SecStaticCode objects on the fly to complete the task.
+// (The point, of course, is to do as little duplicate work as possible.)
+// +void SecStaticCode::staticValidate(SecCSFlags flags, const SecRequirement *req) +{ + setValidationFlags(flags); + + // initialize progress/cancellation state + if (flags & kSecCSReportProgress) + prepareProgress(estimateResourceWorkload() + 2); // +1 head, +1 tail + + // core components: once per architecture (if any) + this->staticValidateCore(flags, req); + if (flags & kSecCSCheckAllArchitectures) + handleOtherArchitectures(^(SecStaticCode* subcode) { + if (flags & kSecCSCheckGatekeeperArchitectures) { + Universal *fat = subcode->diskRep()->mainExecutableImage(); + assert(fat && fat->narrowed()); // handleOtherArchitectures gave us a focused architecture slice + Architecture arch = fat->bestNativeArch(); // actually, the ONLY one + if ((arch.cpuType() & ~CPU_ARCH_MASK) == CPU_TYPE_POWERPC) + return; // irrelevant to Gatekeeper + } + subcode->detachedSignature(this->mDetachedSig); // carry over explicit (but not implicit) architecture + subcode->staticValidateCore(flags, req); + }); + reportProgress(); + + // allow monitor intervention in source validation phase + reportEvent(CFSTR("prepared"), NULL); + + // resources: once for all architectures + if (!(flags & kSecCSDoNotValidateResources)) + this->validateResources(flags); + + // perform strict validation if desired + if (flags & kSecCSStrictValidate) + mRep->strictValidate(codeDirectory(), mTolerateErrors); + reportProgress(); + + // allow monitor intervention + if (CFRef veto = reportEvent(CFSTR("validated"), NULL)) { + if (CFGetTypeID(veto) == CFNumberGetTypeID()) + MacOSError::throwMe(cfNumber(veto.as())); + else + MacOSError::throwMe(errSecCSBadCallbackValue); + } +} + +void SecStaticCode::staticValidateCore(SecCSFlags flags, const SecRequirement *req) +{ + try { + this->validateNonResourceComponents(); // also validates the CodeDirectory + if (!(flags & kSecCSDoNotValidateExecutable)) + this->validateExecutable(); + if (req) + this->validateRequirement(req->requirement(), errSecCSReqFailed); + } catch 
(CSError &err) {
+ if (Universal *fat = this->diskRep()->mainExecutableImage()) // Mach-O
+ if (MachO *mach = fat->architecture()) {
+ err.augment(kSecCFErrorArchitecture, CFTempString(mach->architecture().displayName()));
+ delete mach;
+ }
+ throw;
+ } catch (const MacOSError &err) {
+ // add architecture information if we can get it
+ if (Universal *fat = this->diskRep()->mainExecutableImage())
+ if (MachO *mach = fat->architecture()) {
+ CFTempString arch(mach->architecture().displayName());
+ delete mach;
+ CSError::throwMe(err.error, kSecCFErrorArchitecture, arch);
+ }
+ throw;
+ }
+}
+
+
+//
+// A helper that generates SecStaticCode objects for all but the primary architecture
+// of a fat binary and calls a block on them.
+// If there's only one architecture (or this is an architecture-agnostic code),
+// nothing happens quickly.
+//
+void SecStaticCode::handleOtherArchitectures(void (^handle)(SecStaticCode* other))
+{
+ if (Universal *fat = this->diskRep()->mainExecutableImage()) {
+ Universal::Architectures architectures;
+ fat->architectures(architectures);
+ if (architectures.size() > 1) {
+ DiskRep::Context ctx;
+ size_t activeOffset = fat->archOffset();
+ for (Universal::Architectures::const_iterator arch = architectures.begin(); arch != architectures.end(); ++arch) {
+ ctx.offset = fat->archOffset(*arch);
+ if (ctx.offset > SIZE_MAX)
+ MacOSError::throwMe(errSecCSInternalError);
+ ctx.size = fat->lengthOfSlice((size_t)ctx.offset);
+ if (ctx.offset != activeOffset) { // inactive architecture; check it
+ SecPointer subcode = new SecStaticCode(DiskRep::bestGuess(this->mainExecutablePath(), &ctx));
+ subcode->detachedSignature(this->mDetachedSig); // carry over explicit (but not implicit) detached signature
+ if (this->teamID() == NULL || subcode->teamID() == NULL) {
+ if (this->teamID() != subcode->teamID())
+ MacOSError::throwMe(errSecCSSignatureInvalid);
+ } else if (strcmp(this->teamID(), subcode->teamID()) != 0)
+ 
MacOSError::throwMe(errSecCSSignatureInvalid); + handle(subcode); + } + } + } + } +} + +// +// A method that takes a certificate chain (certs) and evaluates +// if it is a Mac or IPhone developer cert, an app store distribution cert, +// or a developer ID +// +bool SecStaticCode::isAppleDeveloperCert(CFArrayRef certs) +{ + static const std::string appleDeveloperRequirement = "(" + std::string(WWDRRequirement) + ") or (" + MACWWDRRequirement + ") or (" + developerID + ") or (" + distributionCertificate + ") or (" + iPhoneDistributionCert + ")"; + SecPointer req = new SecRequirement(parseRequirement(appleDeveloperRequirement), true); + Requirement::Context ctx(certs, NULL, NULL, "", NULL); + + return req->requirement()->validates(ctx); +} + +} // end namespace CodeSigning +} // end namespace Security diff --git a/OSX/include/security_codesigning/StaticCode.h b/OSX/include/security_codesigning/StaticCode.h new file mode 100644 index 00000000..c74ae3e7 --- /dev/null +++ b/OSX/include/security_codesigning/StaticCode.h 
@@ -0,0 +1,278 @@ +/* + * Copyright (c) 2006-2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +// +// StaticCode - SecStaticCode API objects +// +#ifndef _H_STATICCODE +#define _H_STATICCODE + +#include "cs.h" +#include "csutilities.h" +#include "Requirements.h" +#include "requirement.h" +#include "diskrep.h" +#include "codedirectory.h" +#include +#include +#include + +namespace Security { +namespace CodeSigning { + + +class SecCode; + + +// +// A SecStaticCode object represents the file system version of some code. +// There's a lot of pieces to this, and we'll bring them all into +// memory here (lazily) and let you fondle them with ease. +// +// Note that concrete knowledge of where stuff is stored resides in the DiskRep +// object we hold. DiskReps allocate, retrieve, and return data to us. We are +// responsible for interpreting, caching, and validating them. (In other words, +// DiskReps know where stuff is and how it is stored, but we know what it means.) +// +// Data accessors (returning CFDataRef, CFDictionaryRef, various pointers, etc.) 
+// cache those values internally and return unretained(!) references ("Get" style) +// that are valid as long as the SecStaticCode object's lifetime, or until +// resetValidity() is called, whichever is sooner. If you need to keep them longer, +// retain or copy them as needed. +// +class SecStaticCode : public SecCFObject { + NOCOPY(SecStaticCode) + +protected: + // + // A context for resource validation operations, to tailor error response. + // The base class throws an exception immediately and ignores detail data. + // + class ValidationContext { + public: + ValidationContext(SecStaticCode &c) : code(c) { } + virtual ~ValidationContext(); + virtual void reportProblem(OSStatus rc, CFStringRef type, CFTypeRef value); + + virtual OSStatus osStatus() { return noErr; } + virtual void throwMe() { } + + SecStaticCode &code; + }; + + // + // A CollectingContext collects all error details and throws an annotated final error. + // + class CollectingContext : public ValidationContext { + public: + CollectingContext(SecStaticCode &c) : ValidationContext(c), mStatus(errSecSuccess) { } + void reportProblem(OSStatus rc, CFStringRef type, CFTypeRef value); + + OSStatus osStatus() { return mStatus; } + operator OSStatus () const { return mStatus; } + void throwMe() __attribute__((noreturn)); + + private: + CFRef mCollection; + OSStatus mStatus; + Mutex mLock; + }; + +public: + SECCFFUNCTIONS(SecStaticCode, SecStaticCodeRef, + errSecCSInvalidObjectRef, gCFObjects().StaticCode) + + // implicitly convert SecCodeRefs to their SecStaticCodeRefs + static SecStaticCode *requiredStatic(SecStaticCodeRef ref); // convert SecCodeRef + static SecCode *optionalDynamic(SecStaticCodeRef ref); // extract SecCodeRef or NULL if static + + SecStaticCode(DiskRep *rep); + virtual ~SecStaticCode() throw(); + + void initializeFromParent(const SecStaticCode& parent); + + bool equal(SecCFObject &other); + CFHashCode hash(); + + void detachedSignature(CFDataRef sig); // attach an explicitly given 
detached signature + void checkForSystemSignature(); // check for and attach system-supplied detached signature + + const CodeDirectory *codeDirectory(bool check = true); + CFDataRef cdHash(); + CFDataRef signature(); + CFAbsoluteTime signingTime(); + CFAbsoluteTime signingTimestamp(); + bool isSigned() { return codeDirectory(false) != NULL; } + DiskRep *diskRep() { return mRep; } + bool isDetached() const { return mRep->base() != mRep; } + std::string mainExecutablePath() { return mRep->mainExecutablePath(); } + CFURLRef copyCanonicalPath() const { return mRep->copyCanonicalPath(); } + std::string identifier() { return codeDirectory()->identifier(); } + const char *teamID() { return codeDirectory()->teamID(); } + std::string format() const { return mRep->format(); } + std::string signatureSource(); + virtual CFDataRef component(CodeDirectory::SpecialSlot slot, OSStatus fail = errSecCSSignatureFailed); + virtual CFDictionaryRef infoDictionary(); + + CFDictionaryRef entitlements(); + + CFDictionaryRef resourceDictionary(bool check = true); + CFURLRef resourceBase(); + CFDataRef resource(std::string path); + CFDataRef resource(std::string path, ValidationContext &ctx); + void validateResource(CFDictionaryRef files, std::string path, bool isSymlink, ValidationContext &ctx, SecCSFlags flags, uint32_t version); + void validateSymlinkResource(std::string fullpath, std::string seal, ValidationContext &ctx, SecCSFlags flags); + + bool flag(uint32_t tested); + + SecCodeCallback monitor() const { return mMonitor; } + void setMonitor(SecCodeCallback monitor) { mMonitor = monitor; } + CFTypeRef reportEvent(CFStringRef stage, CFDictionaryRef info); + void reportProgress(unsigned amount = 1); + + void setValidationFlags(SecCSFlags flags) { mValidationFlags = flags; } + void setValidationModifiers(CFDictionaryRef modifiers); + + void resetValidity(); // clear validation caches (if something may have changed) + + bool validated() const { return mValidated; } + bool 
revocationChecked() const { return mRevocationChecked; } + bool valid() const + { assert(validated()); return mValidated && (mValidationResult == errSecSuccess); } + bool validatedExecutable() const { return mExecutableValidated; } + bool validatedResources() const { return mResourcesValidated; } + + void prepareProgress(unsigned workload); + void cancelValidation(); + + void validateDirectory(); + virtual void validateComponent(CodeDirectory::SpecialSlot slot, OSStatus fail = errSecCSSignatureFailed); + void validateNonResourceComponents(); + unsigned estimateResourceWorkload(); + void validateResources(SecCSFlags flags); + void validateExecutable(); + void validateNestedCode(CFURLRef path, const ResourceSeal &seal, SecCSFlags flags, bool isFramework); + + const Requirements *internalRequirements(); + const Requirement *internalRequirement(SecRequirementType type); + const Requirement *designatedRequirement(); + const Requirement *defaultDesignatedRequirement(); // newly allocated (caller owns) + + void validateRequirements(SecRequirementType type, SecStaticCode *target, + OSStatus nullError = errSecSuccess); // target against my [type], throws + void validateRequirement(const Requirement *req, OSStatus failure); // me against [req], throws + bool satisfiesRequirement(const Requirement *req, OSStatus failure); // me against [req], returns on clean miss + + // certificates are available after signature validation (they are stored in the CMS signature) + SecCertificateRef cert(int ix); // get a cert from the cert chain + CFArrayRef certificates(); // get the entire certificate chain + + CFDictionaryRef signingInformation(SecCSFlags flags); // omnibus information-gathering API (creates new dictionary) + + static bool isAppleDeveloperCert(CFArrayRef certs); // determines if this is an apple developer certificate for libraray validation + +public: + void staticValidate(SecCSFlags flags, const SecRequirement *req); + void staticValidateCore(SecCSFlags flags, const 
SecRequirement *req); + +protected: + CFDictionaryRef getDictionary(CodeDirectory::SpecialSlot slot, bool check = true); // component value as a dictionary + bool verifySignature(); + CFArrayRef verificationPolicies(); + + static void checkOptionalResource(CFTypeRef key, CFTypeRef value, void *context); + bool hasWeakResourceRules(CFDictionaryRef rulesDict, uint32_t version, CFArrayRef allowedOmissions); + + void handleOtherArchitectures(void (^handle)(SecStaticCode* other)); + +private: + void validateOtherVersions(CFURLRef path, SecCSFlags flags, SecRequirementRef req, SecStaticCode *code); + +private: + RefPointer mRep; // on-disk representation + CFRef mDetachedSig; // currently applied explicit detached signature + + // private validation modifiers (only used by Gatekeeper checkfixes) + MacOSErrorSet mTolerateErrors; // soft error conditions to ignore + CFRef mAllowOmissions; // additionally allowed resource omissions + + // master validation state + bool mValidated; // core validation was attempted + bool mRevocationChecked; // the signature was checked for revocation + OSStatus mValidationResult; // outcome of core validation + bool mValidationExpired; // outcome had expired certificates + + // static executable validation state (nested within mValidated/mValid) + bool mExecutableValidated; // tried to validate executable file + OSStatus mExecutableValidResult; // outcome if mExecutableValidated + + // static resource validation state (nested within mValidated/mValid) + bool mResourcesValidated; // tried to validate resources + bool mResourcesDeep; // cached validation was deep + OSStatus mResourcesValidResult; // outcome if mResourceValidated or... 
+ ValidationContext *mResourcesValidContext; // resource error reporting funnel + + // validation progress state (set when static validation starts) + SecCSFlags mValidationFlags; // API flags passed to static validation + unsigned mTotalWork; // total expected work (arbitrary units) + unsigned mCurrentWork; // currently completed work + bool mCancelPending; // cancellation was requested + Dispatch::Queue mProgressQueue; // progress reporting queue + + // nested validation support + const SecStaticCode *mOuterScope; // containing code (if this is a nested validation; weak) + ResourceBuilder *mResourceScope; // current Resource validation stack (while validating; weak) + + + // cached contents + CFRef mDir; // code directory data + CFRef mSignature; // CMS signature data + CFAbsoluteTime mSigningTime; // (signed) signing time + CFAbsoluteTime mSigningTimestamp; // Timestamp time (from timestamping authority) + CFRef mCache[cdSlotCount]; // NULL => not tried, kCFNull => absent, other => present + + // alternative cache forms (storage may depend on cached contents above) + CFRef mInfoDict; // derived from mCache slot + CFRef mEntitlements; // derived from mCache slot + CFRef mResourceDict; // derived from mCache slot + const Requirement *mDesignatedReq; // cached designated req if we made one up + CFRef mCDHash; // hash of CodeDirectory + + bool mGotResourceBase; // asked mRep for resourceBasePath + CFRef mResourceBase; // URL form of resource base directory + + SecCodeCallback mMonitor; // registered monitor callback + + LimitedAsync *mLimitedAsync; // limited async workers for verification + + // signature verification outcome (mTrust == NULL => not done yet) + CFRef mTrust; // outcome of crypto validation (valid or not) + CFRef mCertChain; + CSSM_TP_APPLE_EVIDENCE_INFO *mEvalDetails; +}; + + +} // end namespace CodeSigning +} // end namespace Security + +#endif // !_H_STATICCODE 
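Review bot: The ownership of the raw-pointer members near the end of the class — `mDesignatedReq`, `mResourcesValidContext`, `mLimitedAsync` and `mEvalDetails` — is not stated, while `mOuterScope` and `mResourceScope` are explicitly annotated `(weak)`, so a reader of `resetValidity()` or the destructor cannot tell from this header which of them SecStaticCode must free. Since `defaultDesignatedRequirement()` is already documented as "newly allocated (caller owns)", applying the same convention to the members would make the contract consistent, e.g. `const Requirement *mDesignatedReq; // cached designated req if we made one up (owned; released in resetValidity)` — presumably that is the lifetime, but the .cpp should confirm before the comment is written. Separately, `valid()` guards with `assert(validated())` and then re-tests `mValidated`, so in a release build an unvalidated object silently reads as "not valid" instead of tripping anything; a one-line comment stating that this fallback is intentional would save the next reader a question. Finally, "libraray" in the `isAppleDeveloperCert` comment should read "library".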
diff --git a/Security/libsecurity_codesigning/lib/antlrplugin.cpp b/OSX/include/security_codesigning/antlrplugin.cpp similarity index 100% rename from Security/libsecurity_codesigning/lib/antlrplugin.cpp rename to OSX/include/security_codesigning/antlrplugin.cpp diff --git a/Security/libsecurity_codesigning/lib/antlrplugin.h b/OSX/include/security_codesigning/antlrplugin.h similarity index 100% rename from Security/libsecurity_codesigning/lib/antlrplugin.h rename to OSX/include/security_codesigning/antlrplugin.h diff --git a/OSX/include/security_codesigning/bundlediskrep.cpp b/OSX/include/security_codesigning/bundlediskrep.cpp new file mode 100644 index 00000000..cf3a41d8 --- /dev/null +++ b/OSX/include/security_codesigning/bundlediskrep.cpp 
@@ -0,0 +1,691 @@ +/* + * Copyright (c) 2006-2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ +#include "bundlediskrep.h" +#include "filediskrep.h" +#include "dirscanner.h" +#include +#include +#include +#include +#include +#include +#include + +namespace Security { +namespace CodeSigning { + +using namespace UnixPlusPlus; + + +// +// Local helpers +// +static std::string findDistFile(const std::string &directory); + + +// +// We make a CFBundleRef immediately, but everything else is lazy +// +BundleDiskRep::BundleDiskRep(const char *path, const Context *ctx) + : mBundle(CFBundleCreate(NULL, CFTempURL(path))) +{ + if (!mBundle) + MacOSError::throwMe(errSecCSBadBundleFormat); + setup(ctx); + CODESIGN_DISKREP_CREATE_BUNDLE_PATH(this, (char*)path, (void*)ctx, mExecRep); +} + +BundleDiskRep::BundleDiskRep(CFBundleRef ref, const Context *ctx) +{ + mBundle = ref; // retains + setup(ctx); + CODESIGN_DISKREP_CREATE_BUNDLE_REF(this, ref, (void*)ctx, mExecRep); +} + +BundleDiskRep::~BundleDiskRep() +{ +} + +void BundleDiskRep::checkMoved(CFURLRef oldPath, CFURLRef newPath) +{ 
+ char cOld[PATH_MAX]; + char cNew[PATH_MAX]; + // The realpath call is important because alot of Framework bundles have a symlink + // to their "Current" version binary in the main bundle + if (realpath(cfString(oldPath).c_str(), cOld) == NULL || + realpath(cfString(newPath).c_str(), cNew) == NULL) + MacOSError::throwMe(errSecCSInternalError); + + if (strcmp(cOld, cNew) != 0) + recordStrictError(errSecCSAmbiguousBundleFormat); +} + +// common construction code +void BundleDiskRep::setup(const Context *ctx) +{ + mInstallerPackage = false; // default + + // capture the path of the main executable before descending into a specific version + CFRef mainExecBefore = CFBundleCopyExecutableURL(mBundle); + CFRef infoPlistBefore = _CFBundleCopyInfoPlistURL(mBundle); + + // validate the bundle root; fish around for the desired framework version + string root = cfStringRelease(copyCanonicalPath()); + string contents = root + "/Contents"; + string supportFiles = root + "/Support Files"; + string version = root + "/Versions/" + + ((ctx && ctx->version) ? 
ctx->version : "Current") + + "/."; + if (::access(contents.c_str(), F_OK) == 0) { // not shallow + DirValidator val; + val.require("^Contents$", DirValidator::directory); // duh + val.allow("^(\\.LSOverride|\\.DS_Store|Icon\r|\\.SoftwareDepot\\.tracking)$", DirValidator::file | DirValidator::noexec); + try { + val.validate(root, errSecCSUnsealedAppRoot); + } catch (const MacOSError &err) { + recordStrictError(err.error); + } + } else if (::access(supportFiles.c_str(), F_OK) == 0) { // ancient legacy boondoggle bundle + // treat like a shallow bundle; do not allow Versions arbitration + } else if (::access(version.c_str(), F_OK) == 0) { // versioned bundle + if (CFBundleRef versionBundle = CFBundleCreate(NULL, CFTempURL(version))) + mBundle.take(versionBundle); // replace top bundle ref + else + MacOSError::throwMe(errSecCSStaticCodeNotFound); + validateFrameworkRoot(root); + } else { + if (ctx && ctx->version) // explicitly specified + MacOSError::throwMe(errSecCSStaticCodeNotFound); + } + + CFDictionaryRef infoDict = CFBundleGetInfoDictionary(mBundle); + assert(infoDict); // CFBundle will always make one up for us + CFTypeRef mainHTML = CFDictionaryGetValue(infoDict, CFSTR("MainHTML")); + CFTypeRef packageVersion = CFDictionaryGetValue(infoDict, CFSTR("IFMajorVersion")); + + // conventional executable bundle: CFBundle identifies an executable for us + if (CFRef mainExec = CFBundleCopyExecutableURL(mBundle)) // if CFBundle claims an executable... + if (mainHTML == NULL) { // ... and it's not a widget + + // Note that this check is skipped if there is a specific framework version checked. + // That's because you know what you are doing if you are looking at a specific version. 
+ // This check is designed to stop someone who did a verification on an app root, from mistakenly + // verifying a framework + if (!ctx || !ctx->version) { + if (mainExecBefore) + checkMoved(mainExecBefore, mainExec); + if (infoPlistBefore) + if (CFRef infoDictPath = _CFBundleCopyInfoPlistURL(mBundle)) + checkMoved(infoPlistBefore, infoDictPath); + } + + mMainExecutableURL = mainExec; + mExecRep = DiskRep::bestFileGuess(this->mainExecutablePath(), ctx); + if (!mExecRep->fd().isPlainFile(this->mainExecutablePath())) + recordStrictError(errSecCSRegularFile); + mFormat = "bundle with " + mExecRep->format(); + return; + } + + // widget + if (mainHTML) { + if (CFGetTypeID(mainHTML) != CFStringGetTypeID()) + MacOSError::throwMe(errSecCSBadBundleFormat); + mMainExecutableURL.take(makeCFURL(cfString(CFStringRef(mainHTML)), false, + CFRef(CFBundleCopySupportFilesDirectoryURL(mBundle)))); + if (!mMainExecutableURL) + MacOSError::throwMe(errSecCSBadBundleFormat); + mExecRep = new FileDiskRep(this->mainExecutablePath().c_str()); + if (!mExecRep->fd().isPlainFile(this->mainExecutablePath())) + recordStrictError(errSecCSRegularFile); + mFormat = "widget bundle"; + return; + } + + // do we have a real Info.plist here? + if (CFRef infoURL = _CFBundleCopyInfoPlistURL(mBundle)) { + // focus on the Info.plist (which we know exists) as the nominal "main executable" file + mMainExecutableURL = infoURL; + mExecRep = new FileDiskRep(this->mainExecutablePath().c_str()); + if (!mExecRep->fd().isPlainFile(this->mainExecutablePath())) + recordStrictError(errSecCSRegularFile); + if (packageVersion) { + mInstallerPackage = true; + mFormat = "installer package bundle"; + } else { + mFormat = "bundle"; + } + return; + } + + // we're getting desperate here. Perhaps an oldish-style installer package? 
Look for a *.dist file + std::string distFile = findDistFile(this->resourcesRootPath()); + if (!distFile.empty()) { + mMainExecutableURL = makeCFURL(distFile); + mExecRep = new FileDiskRep(this->mainExecutablePath().c_str()); + if (!mExecRep->fd().isPlainFile(this->mainExecutablePath())) + recordStrictError(errSecCSRegularFile); + mInstallerPackage = true; + mFormat = "installer package bundle"; + return; + } + + // this bundle cannot be signed + MacOSError::throwMe(errSecCSBadBundleFormat); +} + + +// +// Return the full path to the one-and-only file named something.dist in a directory. +// Return empty string if none; throw an exception if multiple. Do not descend into subdirectories. +// +static std::string findDistFile(const std::string &directory) +{ + std::string found; + char *paths[] = {(char *)directory.c_str(), NULL}; + FTS *fts = fts_open(paths, FTS_PHYSICAL | FTS_NOCHDIR | FTS_NOSTAT, NULL); + bool root = true; + while (FTSENT *ent = fts_read(fts)) { + switch (ent->fts_info) { + case FTS_F: + case FTS_NSOK: + if (!strcmp(ent->fts_path + ent->fts_pathlen - 5, ".dist")) { // found plain file foo.dist + if (found.empty()) // first found + found = ent->fts_path; + else // multiple *.dist files (bad) + MacOSError::throwMe(errSecCSBadBundleFormat); + } + break; + case FTS_D: + if (!root) + fts_set(fts, ent, FTS_SKIP); // don't descend + root = false; + break; + default: + break; + } + } + fts_close(fts); + return found; +} + + +// +// Create a path to a bundle signing resource, by name. +// If the BUNDLEDISKREP_DIRECTORY directory exists in the bundle's support directory, files +// will be read and written there. Otherwise, they go directly into the support directory. 
+// +string BundleDiskRep::metaPath(const char *name) +{ + if (mMetaPath.empty()) { + string support = cfStringRelease(CFBundleCopySupportFilesDirectoryURL(mBundle)); + mMetaPath = support + "/" BUNDLEDISKREP_DIRECTORY; + if (::access(mMetaPath.c_str(), F_OK) == 0) { + mMetaExists = true; + } else { + mMetaPath = support; + mMetaExists = false; + } + } + return mMetaPath + "/" + name; +} + + +// +// Try to create the meta-file directory in our bundle. +// Does nothing if the directory already exists. +// Throws if an error occurs. +// +void BundleDiskRep::createMeta() +{ + string meta = metaPath(BUNDLEDISKREP_DIRECTORY); + if (!mMetaExists) { + if (::mkdir(meta.c_str(), 0755) == 0) { + copyfile(cfStringRelease(copyCanonicalPath()).c_str(), meta.c_str(), NULL, COPYFILE_SECURITY); + mMetaPath = meta; + mMetaExists = true; + } else if (errno != EEXIST) + UnixError::throwMe(); + } +} + +// +// Load's a CFURL and makes sure that it is a regular file and not a symlink (or fifo, etc.) +// +CFDataRef BundleDiskRep::loadRegularFile(CFURLRef url) +{ + assert(url); + + CFDataRef data = NULL; + + std::string path(cfString(url)); + + AutoFileDesc fd(path); + + if (!fd.isPlainFile(path)) + recordStrictError(errSecCSRegularFile); + + data = cfLoadFile(fd, fd.fileSize()); + + if (!data) { + secdebug(__PRETTY_FUNCTION__, "failed to load %s", cfString(url).c_str()); + MacOSError::throwMe(errSecCSInternalError); + } + + return data; +} + +// +// Load and return a component, by slot number. +// Info.plist components come from the bundle, always (we don't look +// for Mach-O embedded versions). +// Everything else comes from the embedded blobs of a Mach-O image, or from +// files located in the Contents directory of the bundle. 
+// +CFDataRef BundleDiskRep::component(CodeDirectory::SpecialSlot slot) +{ + switch (slot) { + // the Info.plist comes from the magic CFBundle-indicated place and ONLY from there + case cdInfoSlot: + if (CFRef info = _CFBundleCopyInfoPlistURL(mBundle)) + return loadRegularFile(info); + else + return NULL; + // by default, we take components from the executable image or files + default: + if (CFDataRef data = mExecRep->component(slot)) + return data; + // falling through + // but the following always come from files + case cdResourceDirSlot: + if (const char *name = CodeDirectory::canonicalSlotName(slot)) + return metaData(name); + else + return NULL; + } +} + + +// +// The binary identifier is taken directly from the main executable. +// +CFDataRef BundleDiskRep::identification() +{ + return mExecRep->identification(); +} + + +// +// Various aspects of our DiskRep personality. +// +CFURLRef BundleDiskRep::copyCanonicalPath() +{ + if (CFURLRef url = CFBundleCopyBundleURL(mBundle)) + return url; + CFError::throwMe(); +} + +string BundleDiskRep::mainExecutablePath() +{ + return cfString(mMainExecutableURL); +} + +string BundleDiskRep::resourcesRootPath() +{ + return cfStringRelease(CFBundleCopySupportFilesDirectoryURL(mBundle)); +} + +void BundleDiskRep::adjustResources(ResourceBuilder &builder) +{ + // exclude entire contents of meta directory + builder.addExclusion("^" BUNDLEDISKREP_DIRECTORY "$"); + builder.addExclusion("^" CODERESOURCES_LINK "$"); // ancient-ish symlink into it + + // exclude the store manifest directory + builder.addExclusion("^" STORE_RECEIPT_DIRECTORY "$"); + + // exclude the main executable file + string resources = resourcesRootPath(); + if (resources.compare(resources.size() - 2, 2, "/.") == 0) // chop trailing /. 
+ resources = resources.substr(0, resources.size()-2); + string executable = mainExecutablePath(); + if (!executable.compare(0, resources.length(), resources, 0, resources.length()) + && executable[resources.length()] == '/') // is proper directory prefix + builder.addExclusion(string("^") + + ResourceBuilder::escapeRE(executable.substr(resources.length()+1)) + "$", ResourceBuilder::softTarget); +} + + + +Universal *BundleDiskRep::mainExecutableImage() +{ + return mExecRep->mainExecutableImage(); +} + +size_t BundleDiskRep::signingBase() +{ + return mExecRep->signingBase(); +} + +size_t BundleDiskRep::signingLimit() +{ + return mExecRep->signingLimit(); +} + +string BundleDiskRep::format() +{ + return mFormat; +} + +CFArrayRef BundleDiskRep::modifiedFiles() +{ + CFMutableArrayRef files = CFArrayCreateMutableCopy(NULL, 0, mExecRep->modifiedFiles()); + checkModifiedFile(files, cdCodeDirectorySlot); + checkModifiedFile(files, cdSignatureSlot); + checkModifiedFile(files, cdResourceDirSlot); + checkModifiedFile(files, cdEntitlementSlot); + return files; +} + +void BundleDiskRep::checkModifiedFile(CFMutableArrayRef files, CodeDirectory::SpecialSlot slot) +{ + if (CFDataRef data = mExecRep->component(slot)) // provided by executable file + CFRelease(data); + else if (const char *resourceName = CodeDirectory::canonicalSlotName(slot)) { + string file = metaPath(resourceName); + if (::access(file.c_str(), F_OK) == 0) + CFArrayAppendValue(files, CFTempURL(file)); + } +} + +FileDesc &BundleDiskRep::fd() +{ + return mExecRep->fd(); +} + +void BundleDiskRep::flush() +{ + mExecRep->flush(); +} + + +// +// Defaults for signing operations +// +string BundleDiskRep::recommendedIdentifier(const SigningContext &) +{ + if (CFStringRef identifier = CFBundleGetIdentifier(mBundle)) + return cfString(identifier); + if (CFDictionaryRef infoDict = CFBundleGetInfoDictionary(mBundle)) + if (CFStringRef identifier = CFStringRef(CFDictionaryGetValue(infoDict, kCFBundleNameKey))) + return 
cfString(identifier); + + // fall back to using the canonical path + return canonicalIdentifier(cfStringRelease(this->copyCanonicalPath())); +} + +string BundleDiskRep::resourcesRelativePath() +{ + // figure out the resource directory base. Clean up some gunk inserted by CFBundle in frameworks + string rbase = this->resourcesRootPath(); + size_t pos = rbase.find("/./"); // gratuitously inserted by CFBundle in some frameworks + while (pos != std::string::npos) { + rbase = rbase.replace(pos, 2, "", 0); + pos = rbase.find("/./"); + } + if (rbase.substr(rbase.length()-2, 2) == "/.") // produced by versioned bundle implicit "Current" case + rbase = rbase.substr(0, rbase.length()-2); // ... so take it off for this + + // find the resources directory relative to the resource base + string resources = cfStringRelease(CFBundleCopyResourcesDirectoryURL(mBundle)); + if (resources == rbase) + resources = ""; + else if (resources.compare(0, rbase.length(), rbase, 0, rbase.length()) != 0) // Resources not in resource root + MacOSError::throwMe(errSecCSBadBundleFormat); + else + resources = resources.substr(rbase.length() + 1) + "/"; // differential path segment + + return resources; +} + +CFDictionaryRef BundleDiskRep::defaultResourceRules(const SigningContext &ctx) +{ + string resources = this->resourcesRelativePath(); + + // installer package rules + if (mInstallerPackage) + return cfmake("{rules={" + "'^.*' = #T" // include everything, but... 
+ "%s = {optional=#T, weight=1000}" // make localizations optional + "'^.*/.*\\.pkg/' = {omit=#T, weight=10000}" // and exclude all nested packages (by name) + "}}", + (string("^") + resources + ".*\\.lproj/").c_str() + ); + + // old (V1) executable bundle rules - compatible with before + if (ctx.signingFlags() & kSecCSSignV1) // *** must be exactly the same as before *** + return cfmake("{rules={" + "'^version.plist$' = #T" // include version.plist + "%s = #T" // include Resources + "%s = {optional=#T, weight=1000}" // make localizations optional + "%s = {omit=#T, weight=1100}" // exclude all locversion.plist files + "}}", + (string("^") + resources).c_str(), + (string("^") + resources + ".*\\.lproj/").c_str(), + (string("^") + resources + ".*\\.lproj/locversion.plist$").c_str() + ); + + // FMJ (everything is a resource) rules + if (ctx.signingFlags() & kSecCSSignOpaque) // Full Metal Jacket - everything is a resource file + return cfmake("{rules={" + "'^.*' = #T" // everything is a resource + "'^Info\\.plist$' = {omit=#T,weight=10}" // explicitly exclude this for backward compatibility + "}}"); + + // new (V2) executable bundle rules + return cfmake("{" // *** the new (V2) world *** + "rules={" // old (V1; legacy) version + "'^version.plist$' = #T" // include version.plist + "%s = #T" // include Resources + "%s = {optional=#T, weight=1000}" // make localizations optional + "%s = {omit=#T, weight=1100}" // exclude all locversion.plist files + "},rules2={" + "'^.*' = #T" // include everything as a resource, with the following exceptions + "'^[^/]+$' = {nested=#T, weight=10}" // files directly in Contents + "'^(Frameworks|SharedFrameworks|PlugIns|Plug-ins|XPCServices|Helpers|MacOS|Library/(Automator|Spotlight|LoginItems))/' = {nested=#T, weight=10}" // dynamic repositories + "'.*\\.dSYM($|/)' = {weight=11}" // but allow dSYM directories in code locations (parallel to their code) + "'^(.*/)?\\.DS_Store$' = {omit=#T,weight=2000}" // ignore .DS_Store files + 
"'^Info\\.plist$' = {omit=#T, weight=20}" // excluded automatically now, but old systems need to be told + "'^version\\.plist$' = {weight=20}" // include version.plist as resource + "'^embedded\\.provisionprofile$' = {weight=20}" // include embedded.provisionprofile as resource + "'^PkgInfo$' = {omit=#T, weight=20}" // traditionally not included + "%s = {weight=20}" // Resources override default nested (widgets) + "%s = {optional=#T, weight=1000}" // make localizations optional + "%s = {omit=#T, weight=1100}" // exclude all locversion.plist files + "}}", + + (string("^") + resources).c_str(), + (string("^") + resources + ".*\\.lproj/").c_str(), + (string("^") + resources + ".*\\.lproj/locversion.plist$").c_str(), + + (string("^") + resources).c_str(), + (string("^") + resources + ".*\\.lproj/").c_str(), + (string("^") + resources + ".*\\.lproj/locversion.plist$").c_str() + ); +} + + +CFArrayRef BundleDiskRep::allowedResourceOmissions() +{ + return cfmake("[" + "'^(.*/)?\\.DS_Store$'" + "'^Info\\.plist$'" + "'^PkgInfo$'" + "%s" + "]", + (string("^") + this->resourcesRelativePath() + ".*\\.lproj/locversion.plist$").c_str() + ); +} + + +const Requirements *BundleDiskRep::defaultRequirements(const Architecture *arch, const SigningContext &ctx) +{ + return mExecRep->defaultRequirements(arch, ctx); +} + +size_t BundleDiskRep::pageSize(const SigningContext &ctx) +{ + return mExecRep->pageSize(ctx); +} + + +// +// Strict validation. +// Takes an array of CFNumbers of errors to tolerate. 
+// +void BundleDiskRep::strictValidate(const CodeDirectory* cd, const ToleratedErrors& tolerated) +{ + std::vector fatalErrors; + set_difference(mStrictErrors.begin(), mStrictErrors.end(), tolerated.begin(), tolerated.end(), back_inserter(fatalErrors)); + if (!fatalErrors.empty()) + MacOSError::throwMe(fatalErrors[0]); + mExecRep->strictValidate(cd, tolerated); +} + +void BundleDiskRep::recordStrictError(OSStatus error) +{ + mStrictErrors.insert(error); +} + + +// +// Check framework root for unsafe symlinks and unsealed content. +// +void BundleDiskRep::validateFrameworkRoot(string root) +{ + // build regex element that matches either the "Current" symlink, or the name of the current version + string current = "Current"; + char currentVersion[PATH_MAX]; + ssize_t len = ::readlink((root + "/Versions/Current").c_str(), currentVersion, sizeof(currentVersion)-1); + if (len > 0) { + currentVersion[len] = '\0'; + current = string("(Current|") + ResourceBuilder::escapeRE(currentVersion) + ")"; + } + + DirValidator val; + val.require("^Versions$", DirValidator::directory | DirValidator::descend); // descend into Versions directory + val.require("^Versions/[^/]+$", DirValidator::directory); // require at least one version + val.require("^Versions/Current$", DirValidator::symlink, // require Current symlink... 
+ "^(\\./)?(\\.\\.[^/]+|\\.?[^\\./][^/]*)$"); // ...must point to a version + val.allow("^(Versions/)?\\.DS_Store$", DirValidator::file | DirValidator::noexec); // allow .DS_Store files + val.allow("^[^/]+$", DirValidator::symlink, ^ string (const string &name, const string &target) { + // top-level symlinks must point to namesake in current version + return string("^(\\./)?Versions/") + current + "/" + ResourceBuilder::escapeRE(name) + "$"; + }); + // module.map must be regular non-executable file, or symlink to module.map in current version + val.allow("^module\\.map$", DirValidator::file | DirValidator::noexec | DirValidator::symlink, + string("^(\\./)?Versions/") + current + "/module\\.map$"); + + try { + val.validate(root, errSecCSUnsealedFrameworkRoot); + } catch (const MacOSError &err) { + recordStrictError(err.error); + } +} + + +// +// Writers +// +DiskRep::Writer *BundleDiskRep::writer() +{ + return new Writer(this); +} + +BundleDiskRep::Writer::Writer(BundleDiskRep *r) + : rep(r), mMadeMetaDirectory(false) +{ + execWriter = rep->mExecRep->writer(); +} + + +// +// Write a component. +// Note that this isn't concerned with Mach-O writing; this is handled at +// a much higher level. If we're called, we write to a file in the Bundle's meta directory. +// +void BundleDiskRep::Writer::component(CodeDirectory::SpecialSlot slot, CFDataRef data) +{ + switch (slot) { + default: + if (!execWriter->attribute(writerLastResort)) // willing to take the data... + return execWriter->component(slot, data); // ... 
so hand it through + // execWriter doesn't want the data; store it as a resource file (below) + case cdResourceDirSlot: + // the resource directory always goes into a bundle file + if (const char *name = CodeDirectory::canonicalSlotName(slot)) { + rep->createMeta(); + string path = rep->metaPath(name); + AutoFileDesc fd(path, O_WRONLY | O_CREAT | O_TRUNC, 0644); + fd.writeAll(CFDataGetBytePtr(data), CFDataGetLength(data)); + } else + MacOSError::throwMe(errSecCSBadBundleFormat); + } +} + + +// +// Remove all signature data +// +void BundleDiskRep::Writer::remove() +{ + // remove signature from the executable + execWriter->remove(); + + // remove signature files from bundle + for (CodeDirectory::SpecialSlot slot = 0; slot < cdSlotCount; slot++) + remove(slot); + remove(cdSignatureSlot); +} + +void BundleDiskRep::Writer::remove(CodeDirectory::SpecialSlot slot) +{ + if (const char *name = CodeDirectory::canonicalSlotName(slot)) + if (::unlink(rep->metaPath(name).c_str())) + switch (errno) { + case ENOENT: // not found - that's okay + break; + default: + UnixError::throwMe(); + } +} + + +void BundleDiskRep::Writer::flush() +{ + execWriter->flush(); +} + + +} // end namespace CodeSigning +} // end namespace Security diff --git a/Security/libsecurity_codesigning/lib/bundlediskrep.h b/OSX/include/security_codesigning/bundlediskrep.h similarity index 100% rename from Security/libsecurity_codesigning/lib/bundlediskrep.h rename to OSX/include/security_codesigning/bundlediskrep.h diff --git a/OSX/include/security_codesigning/cdbuilder.cpp b/OSX/include/security_codesigning/cdbuilder.cpp new file mode 100644 index 00000000..719a01b3 --- /dev/null +++ b/OSX/include/security_codesigning/cdbuilder.cpp 
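Review bot: In `findDistFile`, the result of `fts_open` is passed to `fts_read` without a NULL check, and the `.dist` suffix test reads `ent->fts_path + ent->fts_pathlen - 5`, which points before the path buffer for any visited entry whose path is shorter than five characters — unlikely for a real bundle, but undefined behaviour nonetheless. Suggest `if (!fts) UnixError::throwMe();` right after the `fts_open` call, and `if (ent->fts_pathlen >= 5 && !strcmp(ent->fts_path + ent->fts_pathlen - 5, ".dist")) {` for the suffix test. The match is also accepted for `FTS_NSOK` entries, which under `FTS_NOSTAT` presumably covers every non-directory including symlinks (not followed because of `FTS_PHYSICAL`); the only later guard is the `isPlainFile` check in `setup`, which records a strict error rather than rejecting, so if that leniency is deliberate it deserves a comment at the `FTS_NSOK` case. Elsewhere, `createMeta` ignores the return value of `copyfile(..., COPYFILE_SECURITY)`, so a failure to carry ownership/ACLs onto the freshly created meta directory goes unnoticed; at minimum it should be logged via `secdebug` like the failure path in `loadRegularFile`.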
@@ -0,0 +1,259 @@ +/* + * Copyright (c) 2006-2012,2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +// +// cdbuilder - constructor for CodeDirectories +// +#include "cdbuilder.h" +#include +#include + +using namespace UnixPlusPlus; +using LowLevelMemoryUtilities::alignUp; + + +namespace Security { +namespace CodeSigning { + + +// +// Create an (empty) builder +// +CodeDirectory::Builder::Builder(HashAlgorithm digestAlgorithm) + : mFlags(0), + mHashType(digestAlgorithm), + mPlatform(0), + mSpecialSlots(0), + mCodeSlots(0), + mScatter(NULL), + mScatterSize(0), + mDir(NULL) +{ + mDigestLength = (uint32_t)MakeHash(this)->digestLength(); + mSpecial = (unsigned char *)calloc(cdSlotMax, mDigestLength); +} + +CodeDirectory::Builder::~Builder() +{ + ::free(mSpecial); + ::free(mScatter); +} + + +// +// Set the source of the main executable (i.e. 
the code pages) +// +void CodeDirectory::Builder::executable(string path, + size_t pagesize, size_t offset, size_t length) +{ + mExec.close(); // any previously opened one + mExec.open(path); + mPageSize = pagesize; + mExecOffset = offset; + mExecLength = length; +} + +void CodeDirectory::Builder::reopen(string path, size_t offset, size_t length) +{ + assert(mExec); // already called executable() + mExec.close(); + mExec.open(path); + mExecOffset = offset; + mExecLength = length; +} + + +// +// Set the source for one special slot +// +void CodeDirectory::Builder::specialSlot(SpecialSlot slot, CFDataRef data) +{ + assert(slot <= cdSlotMax); + MakeHash hash(this); + hash->update(CFDataGetBytePtr(data), CFDataGetLength(data)); + hash->finish(specialSlot(slot)); + if (slot >= mSpecialSlots) + mSpecialSlots = slot; +} + + +// +// Allocate a Scatter vector +// +CodeDirectory::Scatter *CodeDirectory::Builder::scatter(unsigned count) +{ + mScatterSize = (count + 1) * sizeof(Scatter); + if (!(mScatter = (Scatter *)::realloc(mScatter, mScatterSize))) + UnixError::throwMe(ENOMEM); + ::memset(mScatter, 0, mScatterSize); + return mScatter; +} + +// This calculates the fixed size of the code directory +// Because of , if the team ID +// field is not used, we leave out the team ID offset +// as well, to keep cd hashes consistent between +// versions. +const size_t CodeDirectory::Builder::fixedSize(const uint32_t version) +{ + size_t cdSize = sizeof(CodeDirectory); + if (version < supportsTeamID) + cdSize -= sizeof(mDir->teamIDOffset); + + return cdSize; +} + +// +// Calculate the size we'll need for the CodeDirectory as described so far +// +size_t CodeDirectory::Builder::size(const uint32_t version) +{ + assert(mExec); // must have called executable() + if (mExecLength == 0) + mExecLength = mExec.fileSize() - mExecOffset; + + // how many code pages? 
+ if (mExecLength <= 0) { // no code, no slots + mCodeSlots = 0; + } else if (mPageSize == 0) { // indefinite - one page + mCodeSlots = 1; + } else { // finite - calculate from file size + mCodeSlots = (mExecLength - 1) / mPageSize + 1; + } + + size_t offset = fixedSize(version); + size_t offset0 = offset; + + offset += mScatterSize; // scatter vector + offset += mIdentifier.size() + 1; // size of identifier (with null byte) + if (mTeamID.size()) + offset += mTeamID.size() + 1; // size of teamID (with null byte) + offset += (mCodeSlots + mSpecialSlots) * mDigestLength; // hash vector + if (offset <= offset0) + UnixError::throwMe(ENOEXEC); + + return offset; +} + + +// +// Take everything added to date and wrap it up in a shiny new CodeDirectory. +// +// Note that this only constructs a CodeDirectory; it does not touch any subsidiary +// structures (resource tables, etc.), nor does it create any signature to secure +// the CodeDirectory. +// The returned CodeDirectory object is yours, and you may modify it as desired. +// But the memory layout is set here, so the various sizes and counts should be good +// when you call build(). +// It's up to us to order the dynamic fields as we wish; but note that we currently +// don't pad them, and so they should be allocated in non-increasing order of required +// alignment. Make sure to keep the code here in sync with the size-calculating code above. 
+// +CodeDirectory *CodeDirectory::Builder::build() +{ + assert(mExec); // must have (successfully) called executable() + uint32_t version; + + // size and allocate + size_t identLength = mIdentifier.size() + 1; + size_t teamIDLength = mTeamID.size() + 1; + + // Determine the version + if (mTeamID.size()) { + version = currentVersion; + } else { + version = supportsScatter; + } + + size_t total = size(version); + if (!(mDir = (CodeDirectory *)calloc(1, total))) // initialize to zero + UnixError::throwMe(ENOMEM); + + if (mExecLength > UINT32_MAX) + MacOSError::throwMe(errSecCSTooBig); + + // fill header + mDir->initialize(total); + mDir->version = version; + mDir->flags = mFlags; + mDir->nSpecialSlots = (uint32_t)mSpecialSlots; + mDir->nCodeSlots = (uint32_t)mCodeSlots; + mDir->codeLimit = (uint32_t)mExecLength; + mDir->hashType = mHashType; + mDir->platform = mPlatform; + mDir->hashSize = mDigestLength; + if (mPageSize) { + int pglog; + assert(frexp(mPageSize, &pglog) == 0.5); // must be power of 2 + frexp(mPageSize, &pglog); + assert(pglog < 256); + mDir->pageSize = pglog - 1; + } else + mDir->pageSize = 0; // means infinite page size + + // locate and fill flex fields + size_t offset = fixedSize(mDir->version); + + if (mScatter) { + mDir->scatterOffset = (uint32_t)offset; + memcpy(mDir->scatterVector(), mScatter, mScatterSize); + offset += mScatterSize; + } + + mDir->identOffset = (uint32_t)offset; + memcpy(mDir->identifier(), mIdentifier.c_str(), identLength); + offset += identLength; + + if (mTeamID.size()) { + mDir->teamIDOffset = (uint32_t)offset; + memcpy(mDir->teamID(), mTeamID.c_str(), teamIDLength); + offset += teamIDLength; + } + // (add new flexibly-allocated fields here) + + mDir->hashOffset = (uint32_t)(offset + mSpecialSlots * mDigestLength); + offset += (mSpecialSlots + mCodeSlots) * mDigestLength; + assert(offset == total); // matches allocated size + + // fill special slots + memset((*mDir)[(int)-mSpecialSlots], 0, mDigestLength * mSpecialSlots); 
+ for (size_t slot = 1; slot <= mSpecialSlots; ++slot) + memcpy((*mDir)[(int)-slot], specialSlot((SpecialSlot)slot), mDigestLength); + + // fill code slots + mExec.seek(mExecOffset); + size_t remaining = mExecLength; + for (unsigned int slot = 0; slot < mCodeSlots; ++slot) { + size_t thisPage = min(mPageSize, remaining); + MakeHash hasher(this); + generateHash(hasher, mExec, (*mDir)[slot], thisPage); + remaining -= thisPage; + } + + // all done. Pass ownership to caller + return mDir; +} + + +} // CodeSigning +} // Security diff --git a/OSX/include/security_codesigning/cdbuilder.h b/OSX/include/security_codesigning/cdbuilder.h new file mode 100644 index 00000000..21f92405 --- /dev/null +++ b/OSX/include/security_codesigning/cdbuilder.h 
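Review bot: build() calloc()s mDir and can still throw before ownership reaches the caller — the `mExecLength > UINT32_MAX` check sits right after the allocation, and mExec.seek()/generateHash() in the code-slot loop can throw as well — while ~Builder() (earlier in this hunk) frees only mSpecial and mScatter, so a failed build() leaks the partially built directory. I would move the UINT32_MAX check above the calloc, hand the result out with `CodeDirectory *result = mDir; mDir = NULL; return result;`, and add `::free(mDir);` to ~Builder() so the pointer is released only when build() did not complete (the class declaration lives in cdbuilder.h, in the next hunk). Separately, the public specialSlot(SpecialSlot, CFDataRef) guards its index with assert() only and does not reject slot 0, which the private accessor maps to `mSpecial - mDigestLength`; a runtime check such as `if (slot == 0 || slot > cdSlotMax) UnixError::throwMe(EINVAL);` keeps NDEBUG builds from writing outside the mSpecial buffer.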
@@ -0,0 +1,100 @@ +/* + * Copyright (c) 2006-2012,2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +// +// cdbuilder - constructor for CodeDirectories +// +#ifndef _H_CDBUILDER +#define _H_CDBUILDER + +#include "codedirectory.h" + + +namespace Security { +namespace CodeSigning { + + +// +// Builder can construct CodeDirectories from pieces: +// Builder builder(...); +// builder.variousSetters(withSuitableData); +// CodeDirectory *result = builder.build(); +// Builder is not reusable. 
+// +class CodeDirectory::Builder { +public: + Builder(HashAlgorithm digestAlgorithm); + ~Builder(); + + void executable(string path, size_t pagesize, size_t offset, size_t length); + void reopen(string path, size_t offset, size_t length); + + void specialSlot(SpecialSlot slot, CFDataRef data); + void identifier(const std::string &code) { mIdentifier = code; } + void teamID(const std::string &team) { mTeamID = team; } + void flags(uint32_t f) { mFlags = f; } + void platform(uint8_t p) { mPlatform = p; } + + Scatter *scatter(unsigned count); // allocate that many scatter elements (w/o sentinel) + Scatter *scatter() { return mScatter; } // return already allocated scatter vector + + size_t size(const uint32_t version); // calculate size + CodeDirectory *build(); // build CodeDirectory and return it + const size_t fixedSize(const uint32_t version); // calculate fixed size of the CodeDirectory + + DynamicHash *getHash() const { return CodeDirectory::hashFor(this->mHashType); } + +private: + Hashing::Byte *specialSlot(SpecialSlot slot) + { assert(slot > 0 && slot <= cdSlotMax); return mSpecial + (slot - 1) * mDigestLength; } + Hashing::Byte *specialSlot(SpecialSlot slot) const + { assert(slot > 0 && slot <= cdSlotMax); return mSpecial + (slot - 1) * mDigestLength; } + +private: + Hashing::Byte *mSpecial; // array of special slot hashes + UnixPlusPlus::AutoFileDesc mExec; // main executable file + size_t mExecOffset; // starting offset in mExec + size_t mExecLength; // total bytes of file to sign + size_t mPageSize; // page size of executable (bytes) + uint32_t mFlags; // CodeDirectory flags + uint32_t mHashType; // digest algorithm code + uint8_t mPlatform; // platform identifier + uint32_t mDigestLength; // number of bytes in a single glue digest + std::string mIdentifier; // canonical identifier + std::string mTeamID; // team identifier + + size_t mSpecialSlots; // highest special slot set + size_t mCodeSlots; // number of code pages (slots) + + Scatter *mScatter; // 
scatter vector + size_t mScatterSize; // number of scatter elements allocated (incl. sentinel) + + CodeDirectory *mDir; // what we're building +}; + + +} // CodeSigning +} // Security + + +#endif //_H_CDBUILDER diff --git a/OSX/include/security_codesigning/codedirectory.cpp b/OSX/include/security_codesigning/codedirectory.cpp new file mode 100644 index 00000000..7697e273 --- /dev/null +++ b/OSX/include/security_codesigning/codedirectory.cpp 
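Review bot: `const size_t fixedSize(const uint32_t version);` carries a top-level const on a by-value return type, which has no effect, and the function reads no instance state (the `sizeof(mDir->teamIDOffset)` in its definition is unevaluated), so `static size_t fixedSize(uint32_t version);` would state its contract more honestly and let size()/build() callers use it without an object. The class comment says the Builder is not reusable but does not say who owns what build() returns; the definition's comment says ownership passes to the caller, so I would extend the declaration's trailing comment to `// build CodeDirectory and return it; caller owns the result (it is calloc()ed in build(), so presumably released with free())`. It would also help to note on the mDir member that ~Builder() does not release it.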
@@ -0,0 +1,324 @@ +/* + * Copyright (c) 2006-2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +// +// codedirectory - format and operations for code signing "code directory" structures +// +#include "codedirectory.h" +#include "csutilities.h" +#include "CSCommonPriv.h" + +using namespace UnixPlusPlus; + + +namespace Security { +namespace CodeSigning { + + +// +// Highest understood special slot in this CodeDirectory. +// +CodeDirectory::SpecialSlot CodeDirectory::maxSpecialSlot() const +{ + SpecialSlot slot = this->nSpecialSlots; + if (slot > cdSlotMax) + slot = cdSlotMax; + return slot; +} + + +// +// Canonical filesystem names for select slot numbers. +// These are variously used for filenames, extended attribute names, etc. +// to get some consistency in naming. These are for storing signing-related +// data; they have no bearing on the actual hash slots in the CodeDirectory. 
+// +const char *CodeDirectory::canonicalSlotName(SpecialSlot slot) +{ + switch (slot) { + case cdRequirementsSlot: + return kSecCS_REQUIREMENTSFILE; + case cdResourceDirSlot: + return kSecCS_RESOURCEDIRFILE; + case cdCodeDirectorySlot: + return kSecCS_CODEDIRECTORYFILE; + case cdSignatureSlot: + return kSecCS_SIGNATUREFILE; + case cdApplicationSlot: + return kSecCS_APPLICATIONFILE; + case cdEntitlementSlot: + return kSecCS_ENTITLEMENTFILE; + default: + return NULL; + } +} + + +// +// Canonical attributes of SpecialSlots. +// +unsigned CodeDirectory::slotAttributes(SpecialSlot slot) +{ + switch (slot) { + case cdRequirementsSlot: + return cdComponentIsBlob; // global + case cdCodeDirectorySlot: + return cdComponentPerArchitecture | cdComponentIsBlob; + case cdSignatureSlot: + return cdComponentPerArchitecture; // raw + case cdEntitlementSlot: + return cdComponentIsBlob; // global + case cdIdentificationSlot: + return cdComponentPerArchitecture; // raw + default: + return 0; // global, raw + } +} + + +// +// Symbolic names for code directory special slots. +// These are only used for debug output. They are not API-official. +// Needs to be coordinated with the cd*Slot enumeration in codedirectory.h. +// +#if !defined(NDEBUG) +const char * const CodeDirectory::debugSlotName[] = { + "codedirectory", + "info", + "requirements", + "resources", + "application", + "entitlement" +}; +#endif //NDEBUG + + +// +// Check a CodeDirectory for basic integrity. This should ensure that the +// version is understood by our code, and that the internal structure +// (offsets etc.) is intact. In particular, it must make sure that no offsets +// point outside the CodeDirectory. +// Throws if the directory is corrupted or out of versioning bounds. +// Returns if the version is usable (perhaps with degraded features due to +// compatibility hacks). +// +// Note: There are some things we don't bother checking because they won't +// cause crashes, and will just be flagged as nonsense later. 
For example, +// a Bad Guy could overlap the identifier and hash fields, which is nonsense +// but not dangerous. +// +void CodeDirectory::checkIntegrity() const +{ + // check version for support + if (!this->validateBlob()) + MacOSError::throwMe(errSecCSSignatureInvalid); // busted + if (version > compatibilityLimit) + MacOSError::throwMe(errSecCSSignatureUnsupported); // too new - no clue + if (version < earliestVersion) + MacOSError::throwMe(errSecCSSignatureUnsupported); // too old - can't support + if (version > currentVersion) + secdebug("codedir", "%p version 0x%x newer than current 0x%x", + this, uint32_t(version), currentVersion); + + // now check interior offsets for validity + if (!stringAt(identOffset)) + MacOSError::throwMe(errSecCSSignatureFailed); // identifier out of blob range + if (version >= supportsTeamID && teamIDOffset != 0 && !stringAt(teamIDOffset)) + MacOSError::throwMe(errSecCSSignatureFailed); // identifier out of blob range + if (!contains(hashOffset - int64_t(hashSize) * nSpecialSlots, hashSize * (int64_t(nSpecialSlots) + nCodeSlots))) + MacOSError::throwMe(errSecCSSignatureFailed); // hash array out of blob range + if (const Scatter *scatter = this->scatterVector()) { + // the optional scatter vector is terminated with an element having (count == 0) + unsigned int pagesConsumed = 0; + for (;; scatter++) { + if (!contains(scatter, sizeof(Scatter))) + MacOSError::throwMe(errSecCSSignatureFailed); + if (scatter->count == 0) + break; + pagesConsumed += scatter->count; + } + if (!contains((*this)[pagesConsumed-1], hashSize)) // referenced too many main hash slots + MacOSError::throwMe(errSecCSSignatureFailed); + } + + // check consistency between the page-coverage fields + if (pageSize) { + if (codeLimit == 0) // can't have paged signatures with no covered data + MacOSError::throwMe(errSecCSSignatureFailed); + size_t coveredPages = ((codeLimit-1) >> pageSize) + 1; // page slots required to cover codeLimit + if (coveredPages != nCodeSlots) + 
MacOSError::throwMe(errSecCSSignatureFailed); + } else { + if ((codeLimit > 0) != nCodeSlots) // must have one code slot, or none if no code + MacOSError::throwMe(errSecCSSignatureFailed); + } +} + + +// +// Validate a slot against data in memory. +// +bool CodeDirectory::validateSlot(const void *data, size_t length, Slot slot) const +{ + secdebug("codedir", "%p validating slot %d", this, int(slot)); + MakeHash hasher(this); + Hashing::Byte digest[hasher->digestLength()]; + generateHash(hasher, data, length, digest); + return memcmp(digest, (*this)[slot], hasher->digestLength()) == 0; +} + + +// +// Validate a slot against the contents of an open file. At most 'length' bytes +// will be read from the file. +// +bool CodeDirectory::validateSlot(FileDesc fd, size_t length, Slot slot) const +{ + MakeHash hasher(this); + Hashing::Byte digest[hasher->digestLength()]; + generateHash(hasher, fd, digest, length); + return memcmp(digest, (*this)[slot], hasher->digestLength()) == 0; +} + + +// +// Check whether a particular slot is present. +// Absense is indicated by either a zero hash, or by lying outside +// the slot range. +// +bool CodeDirectory::slotIsPresent(Slot slot) const +{ + if (slot >= -Slot(nSpecialSlots) && slot < Slot(nCodeSlots)) { + const Hashing::Byte *digest = (*this)[slot]; + for (unsigned n = 0; n < hashSize; n++) + if (digest[n]) + return true; // non-zero digest => present + } + return false; // absent +} + + +// +// Given a hash type code, create an appropriate subclass of DynamicHash +// and return it. The caller owns the object and must delete it when done. +// This function never returns NULL. It throws if the hashType is unsuupported, +// or if there's an error creating the hasher. 
+// +DynamicHash *CodeDirectory::hashFor(HashAlgorithm hashType) +{ + switch (hashType) { + case kSecCodeSignatureHashSHA1: return new CCHashInstance(kCCDigestSHA1); + case kSecCodeSignatureHashSHA256: return new CCHashInstance(kCCDigestSHA256); + case kSecCodeSignatureHashSHA256Truncated: return new CCHashInstance(kCCDigestSHA256, SHA1::digestLength); + default: + MacOSError::throwMe(errSecCSSignatureUnsupported); + } +} + + +// +// Generate the canonical cdhash - the internal hash of the CodeDirectory itself. +// We currently truncate to 20 bytes because that's what the kernel can deal with. +// +CFDataRef CodeDirectory::cdhash() const +{ + MakeHash hash(this); + Hashing::Byte digest[hash->digestLength()]; + hash->update(this, this->length()); + hash->finish(digest); + return makeCFData(digest, min(hash->digestLength(), size_t(kSecCodeCDHashLength))); +} + + +// +// Hash the next limit bytes of a file and return the digest. +// If the file is shorter, hash as much as you can. +// Limit==0 means unlimited (to end of file). +// Return how many bytes were actually hashed. +// Throw on any errors. +// +size_t CodeDirectory::generateHash(DynamicHash *hasher, FileDesc fd, Hashing::Byte *digest, size_t limit) +{ + size_t size = hashFileData(fd, hasher, limit); + hasher->finish(digest); + return size; +} + + +// +// Ditto, but hash a memory buffer instead. +// +size_t CodeDirectory::generateHash(DynamicHash *hasher, const void *data, size_t length, Hashing::Byte *digest) +{ + hasher->update(data, length); + hasher->finish(digest); + return length; +} + + +// +// Turn a hash of canonical type into a hex string +// +std::string CodeDirectory::hexHash(const unsigned char *hash) const +{ + size_t size = this->hashSize; + char result[2*size+1]; + for (unsigned n = 0; n < size; n++) + sprintf(result+2*n, "%02.2x", hash[n]); + return result; +} + + +// +// Generate a screening code string from a (complete) CodeDirectory. 
+// This can be used to make a lightweight pre-screening code from (just) a CodeDirectory. +// +std::string CodeDirectory::screeningCode() const +{ + if (slotIsPresent(-cdInfoSlot)) // has Info.plist + return "I" + hexHash((*this)[-cdInfoSlot]); // use Info.plist hash + if (pageSize == 0) // good-enough proxy for "not a Mach-O file" + return "M" + hexHash((*this)[0]); // use hash of main executable + return "N"; // no suitable screening code +} + + +} // CodeSigning +} // Security + + +// +// Canonical text form for user-settable code directory flags. +// Note: This table is actually exported from Security.framework. +// +const SecCodeDirectoryFlagTable kSecCodeDirectoryFlagTable[] = { + { "host", kSecCodeSignatureHost, true }, + { "adhoc", kSecCodeSignatureAdhoc, false }, + { "hard", kSecCodeSignatureForceHard, true }, + { "kill", kSecCodeSignatureForceKill, true }, + { "expires", kSecCodeSignatureForceExpiration, true }, + { "restrict", kSecCodeSignatureRestrict, true }, + { "enforcement", kSecCodeSignatureEnforcement, true }, + { "library-validation", kSecCodeSignatureLibraryValidation, true }, + { NULL } +}; diff --git a/OSX/include/security_codesigning/codedirectory.h b/OSX/include/security_codesigning/codedirectory.h new file mode 100644 index 00000000..9e074099 --- /dev/null +++ b/OSX/include/security_codesigning/codedirectory.h 
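Review bot: In checkIntegrity(), `size_t coveredPages = ((codeLimit-1) >> pageSize) + 1;` shifts by a pageSize value read straight from the blob with no range check; if codeLimit is 32 bits wide, as the Builder's `(uint32_t)mExecLength` cast suggests, any pageSize of 32 or more makes that shift undefined behaviour before the nCodeSlots comparison ever runs. A guard such as `if (pageSize >= 32) MacOSError::throwMe(errSecCSSignatureFailed);` ahead of the shift closes that. In the scatter loop just above, `pagesConsumed += scatter->count;` is an unchecked unsigned accumulation, so a vector whose counts sum past UINT_MAX wraps and the final `contains((*this)[pagesConsumed-1], hashSize)` check inspects the wrong slot, and a vector whose first element has count 0 leaves pagesConsumed at 0 so `pagesConsumed-1` underflows; rejecting `scatter->count > nCodeSlots - pagesConsumed` per element would bound both. The comment on the teamIDOffset check reads `// identifier out of blob range` but should say team ID.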
@@ -0,0 +1,289 @@ +/* + * Copyright (c) 2006-2012,2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +// +// codedirectory - format and operations for code signing "code directory" structures +// +// A CodeDirectory is the top level object describing a particular instance +// of (static) code. It contains hashes of other objects that further describe +// parts of that code; these hashes hold the various pieces together. +// +// This means that if you reliably ascertain the contents of a CodeDirectory, +// you can verify the integrity of the entire code object it represents - the +// CodeDirectory can stand as a proxy for that code. +// +// Code signatures usually use CMS to sign the CodeDirectory to form full +// signature blobs; ad-hoc signatures simply record the interior hash of the +// CodeDirectory directly. The interior hash of the CodeDirectory is also widely +// used as concordance for a particular code instance - in essence, for +// different processes (or a process and the kernel) to "compare notes" +// to make sure they refer to the same code. 
+// +#ifndef _H_CODEDIRECTORY +#define _H_CODEDIRECTORY + +#include +#include +#include +#include +#include + + +namespace Security { +namespace CodeSigning { + + +// +// Conventional string names for various code signature components. +// Depending on storage, these may end up as filenames, extended attribute names, etc. +// +#define kSecCS_CODEDIRECTORYFILE "CodeDirectory" // CodeDirectory +#define kSecCS_SIGNATUREFILE "CodeSignature" // CMS Signature +#define kSecCS_REQUIREMENTSFILE "CodeRequirements" // internal requirements +#define kSecCS_RESOURCEDIRFILE "CodeResources" // resource directory +#define kSecCS_APPLICATIONFILE "CodeApplication" // application-specific resource +#define kSecCS_ENTITLEMENTFILE "CodeEntitlements" // entitlement configuration + + +// +// Special hash slot values. In a CodeDirectory, these show up at negative slot +// indices. This enumeration is also used widely in various internal APIs, and as +// type values in embedded SuperBlobs. +// +// How to add a new special slot type: +// 1. Add the new name at the end of the primary or virtual slot array (below). +// 2a. For slots representing existing code pieces, follow the ball for cdInfoSlot. +// 2b. For slots representing global signature components, follow the ball for cdResourceDirSlot. +// 2c. For slots representing per-architecture signature components, follow the ball for cdEntitlementSlot. +// ("Follow the ball" -> Global search for that name and do likewise.) +// +enum { + // + // Primary slot numbers. + // These values are potentially present in the CodeDirectory hash array + // under their negative values. They are also used in APIs and SuperBlobs. + // Note that zero must not be used for these (it's page 0 of the main code array), + // and it is important to assign contiguous (very) small values for them. 
+ // + cdInfoSlot = 1, // Info.plist + cdRequirementsSlot = 2, // internal requirements + cdResourceDirSlot = 3, // resource directory + cdApplicationSlot = 4, // Application specific slot + cdEntitlementSlot = 5, // embedded entitlement configuration + // (add further primary slot numbers here) + + cdSlotCount, // total number of special slots (+1 for slot 0) + cdSlotMax = cdSlotCount - 1, // highest special slot number (as a positive number) + + // + // Virtual slot numbers. + // These values are NOT used in the CodeDirectory hash array. They are used as + // internal API identifiers and as types in SuperBlobs. + // Zero is okay to use here; and we assign that to the CodeDirectory itself so + // it shows up first in (properly sorted) SuperBlob indices. The rest of the + // numbers is set Far Away so the primary slot set can expand safely. + // It's okay to have large gaps in these assignments. + // + cdCodeDirectorySlot = 0, // CodeDirectory + cdSignatureSlot = 0x10000, // CMS signature + cdIdentificationSlot, // identification blob + // (add further virtual slot numbers here) +}; + + +// +// Special hash slot attributes. +// This is a central description of attributes of each slot. +// Various places in Code Signing pick up those attributes and act accordingly. +// +enum { + cdComponentPerArchitecture = 1, // slot value differs for each Mach-O architecture + cdComponentIsBlob = 2, // slot value is a Blob (need not be BlobWrapped) +}; + + +// +// A signature with a nonzero platform identifier value, when endorsed as originated by Apple, +// identifies code as belonging to a particular operating system deliverable set. Some system +// components restrict functionality to platform binaries. The actual values are arbitrary. +// +typedef uint8_t PlatformIdentifier; +static const PlatformIdentifier noPlatform = 0; +static const unsigned int maxPlatform = 255; // stored in a uint8_t + + +// +// A CodeDirectory is a typed Blob describing the secured pieces of a program. 
+// This structure describes the common header and provides access to the variable-size +// elements packed after it. For help in constructing a CodeDirectory, use the nested +// Builder class. +// +// At the heart of a CodeDirectory lies a packed array of hash digests. +// The array's zero-index element is at offset hashOffset, and the array covers +// elements in the range [-nSpecialSlots .. nCodeSlots-1]. Non-negative indices +// denote pages of the main executable. Negative indices indicate "special" hashes, +// each of a different thing (see cd*Slot constants above). +// Special slots that are in range but not present are zeroed out. Unallocated special +// slots are also presumed absent; this is not an error. (Thus the range of special +// slots can be extended at will.) +// +// HOW TO MANAGE COMPATIBILITY: +// Each CodeDirectory has a format (compatibility) version. Two constants control +// versioning: +// * currentVersion is the version used for newly created CodeDirectories. +// * compatibilityLimit is the highest version the code will accept as compatible. +// Test for version < currentVersion to detect old formats that may need special +// handling; this is done in checkIntegrity(). The current code rejects versions +// below earliestVersion. +// Break backward compatibility by rejecting versions that are unsuitable. +// Accept currentVersion < version <= compatibilityLimit as versions newer than +// those understood by this code but engineered (by newer code) to be backward +// compatible. Reject version > compatibilityLimit as incomprehensible gibberish. +// +// When creating a new version, increment currentVersion. When adding new fixed fields, +// just append them; the flex fields will shift to make room. To add new flex fields, +// add a fixed field containing the new field's offset and add suitable computations +// to the Builder to place the new data (right) before the hash array. Remember to check +// for offset in-range in checkIntegrity(). 
Older code will then simply ignore your +// new fields on load/read. +// Add flag bits to the existing flags field to add features that step outside +// of the linear versioning stream. Leave the 'spare' fields alone unless you need +// something extraordinarily weird - they're meant to be the final escape when everything +// else fails. +// As you create new versions, consider moving the compatibilityLimit out to open up +// new room for backward compatibility. +// To break backward compatibility intentionally, move currentVersion beyond the +// old compatibilityLimit (and move compatibilityLimit further out). +// +class CodeDirectory: public Blob { +public: + Endian version; // compatibility version + Endian flags; // setup and mode flags + Endian hashOffset; // offset of hash slot element at index zero + Endian identOffset; // offset of identifier string + Endian nSpecialSlots; // number of special hash slots + Endian nCodeSlots; // number of ordinary (code) hash slots + Endian codeLimit; // limit to main image signature range + uint8_t hashSize; // size of each hash digest (bytes) + uint8_t hashType; // type of hash (kSecCodeSignatureHash* constants) + uint8_t platform; // platform identifier; zero if not platform binary + uint8_t pageSize; // log2(page size in bytes); 0 => infinite + Endian spare2; // unused (must be zero) + Endian scatterOffset; // offset of optional scatter vector (zero if absent) + Endian teamIDOffset; // offset of optional teamID string + + // works with the version field; see comments above + static const uint32_t currentVersion = 0x20200; // "version 2.2" + static const uint32_t compatibilityLimit = 0x2F000; // "version 3 with wiggle room" + + static const uint32_t earliestVersion = 0x20001; // earliest supported version + static const uint32_t supportsScatter = 0x20100; // first version to support scatter option + static const uint32_t supportsTeamID = 0x20200; // first version to support team ID option + + void checkIntegrity() const; 
// throws if inconsistent or unsupported version + + typedef uint32_t HashAlgorithm; // types of internal glue hashes + typedef int Slot; // slot index (negative for special slots) + typedef unsigned int SpecialSlot; // positive special slot index (not for code slots) + + const char *identifier() const { return at(identOffset); } + char *identifier() { return at(identOffset); } + + // main hash array access + SpecialSlot maxSpecialSlot() const; + + unsigned char *operator [] (Slot slot) + { + assert(slot >= int(-nSpecialSlots) && slot < int(nCodeSlots)); + return at(hashOffset) + hashSize * slot; + } + + const unsigned char *operator [] (Slot slot) const + { + assert(slot >= int(-nSpecialSlots) && slot < int(nCodeSlots)); + return at(hashOffset) + hashSize * slot; + } + + // + // The main page hash array can be "scattered" across the code file + // by specifying an array of Scatter elements, terminated with an + // element whose count field is zero. + // The scatter vector is optional; if absent, the hash array covers + // a single contiguous range of pages. CodeDirectory versions below + // supportsScatter never have scatter vectors (they lack the scatterOffset field). + // + struct Scatter { + Endian count; // number of pages; zero for sentinel (only) + Endian base; // first page number + Endian targetOffset; // byte offset in target + Endian spare; // reserved (must be zero) + }; + Scatter *scatterVector() // first scatter vector element (NULL if none) + { return (version >= supportsScatter && scatterOffset) ? at(scatterOffset) : NULL; } + const Scatter *scatterVector() const + { return (version >= supportsScatter && scatterOffset) ? at(scatterOffset) : NULL; } + + const char *teamID() const { return version >= supportsTeamID && teamIDOffset ? at(teamIDOffset) : NULL; } + char *teamID() { return version >= supportsTeamID && teamIDOffset ? 
at(teamIDOffset) : NULL; } + +public: + bool validateSlot(const void *data, size_t size, Slot slot) const; // validate memory buffer against page slot + bool validateSlot(UnixPlusPlus::FileDesc fd, size_t size, Slot slot) const; // read and validate file + bool slotIsPresent(Slot slot) const; + + class Builder; + +public: + static DynamicHash *hashFor(HashAlgorithm hashType); // create a DynamicHash subclass for (hashType) digests + DynamicHash *getHash() const { return hashFor(this->hashType); } // make one for me + CFDataRef cdhash() const; + + std::string hexHash(const unsigned char *hash) const; // encode any canonical-type hash as a hex string + +protected: + static size_t generateHash(DynamicHash *hash, UnixPlusPlus::FileDesc fd, Hashing::Byte *digest, size_t limit = 0); // hash to count or end of file + static size_t generateHash(DynamicHash *hash, const void *data, size_t length, Hashing::Byte *digest); // hash data buffer + +public: + // + // Information about SpecialSlots. + // This specifies meta-data about slots themselves; + // it does not work with the contents of hash slots. + // + static const char *canonicalSlotName(SpecialSlot slot); + static unsigned slotAttributes(SpecialSlot slot); + IFDEBUG(static const char * const debugSlotName[]); + +public: + // + // Canonical screening code. Requires a fully formed CodeDirectory. + // + std::string screeningCode() const; +}; + + +} // CodeSigning +} // Security + + +#endif //_H_CODEDIRECTORY diff --git a/Security/libsecurity_codesigning/lib/cs.cpp b/OSX/include/security_codesigning/cs.cpp similarity index 100% rename from Security/libsecurity_codesigning/lib/cs.cpp rename to OSX/include/security_codesigning/cs.cpp diff --git a/Security/libsecurity_codesigning/lib/cs.h b/OSX/include/security_codesigning/cs.h similarity index 100% rename from Security/libsecurity_codesigning/lib/cs.h rename to OSX/include/security_codesigning/cs.h 
diff --git a/Security/libsecurity_codesigning/lib/cscdefs.c b/OSX/include/security_codesigning/cscdefs.c
similarity index 100%
rename from Security/libsecurity_codesigning/lib/cscdefs.c
rename to OSX/include/security_codesigning/cscdefs.c
diff --git a/Security/libsecurity_codesigning/lib/cscdefs.h b/OSX/include/security_codesigning/cscdefs.h
similarity index 100%
rename from Security/libsecurity_codesigning/lib/cscdefs.h
rename to OSX/include/security_codesigning/cscdefs.h
diff --git a/Security/libsecurity_codesigning/lib/csdatabase.cpp b/OSX/include/security_codesigning/csdatabase.cpp
similarity index 100%
rename from Security/libsecurity_codesigning/lib/csdatabase.cpp
rename to OSX/include/security_codesigning/csdatabase.cpp
diff --git a/Security/libsecurity_codesigning/lib/csdatabase.h b/OSX/include/security_codesigning/csdatabase.h
similarity index 100%
rename from Security/libsecurity_codesigning/lib/csdatabase.h
rename to OSX/include/security_codesigning/csdatabase.h
diff --git a/Security/libsecurity_codesigning/lib/cserror.cpp b/OSX/include/security_codesigning/cserror.cpp
similarity index 100%
rename from Security/libsecurity_codesigning/lib/cserror.cpp
rename to OSX/include/security_codesigning/cserror.cpp
diff --git a/Security/libsecurity_codesigning/lib/cserror.h b/OSX/include/security_codesigning/cserror.h
similarity index 100%
rename from Security/libsecurity_codesigning/lib/cserror.h
rename to OSX/include/security_codesigning/cserror.h
diff --git a/Security/libsecurity_codesigning/lib/csgeneric.cpp b/OSX/include/security_codesigning/csgeneric.cpp
similarity index 100%
rename from Security/libsecurity_codesigning/lib/csgeneric.cpp
rename to OSX/include/security_codesigning/csgeneric.cpp
diff --git a/Security/libsecurity_codesigning/lib/csgeneric.h b/OSX/include/security_codesigning/csgeneric.h
similarity index 100%
rename from Security/libsecurity_codesigning/lib/csgeneric.h
rename to OSX/include/security_codesigning/csgeneric.h
diff --git a/Security/libsecurity_codesigning/lib/cskernel.cpp b/OSX/include/security_codesigning/cskernel.cpp
similarity index 100%
rename from Security/libsecurity_codesigning/lib/cskernel.cpp
rename to OSX/include/security_codesigning/cskernel.cpp
diff --git a/Security/libsecurity_codesigning/lib/cskernel.h b/OSX/include/security_codesigning/cskernel.h
similarity index 100%
rename from Security/libsecurity_codesigning/lib/cskernel.h
rename to OSX/include/security_codesigning/cskernel.h
diff --git a/Security/libsecurity_codesigning/lib/csprocess.cpp b/OSX/include/security_codesigning/csprocess.cpp
similarity index 100%
rename from Security/libsecurity_codesigning/lib/csprocess.cpp
rename to OSX/include/security_codesigning/csprocess.cpp
diff --git a/Security/libsecurity_codesigning/lib/csprocess.h b/OSX/include/security_codesigning/csprocess.h
similarity index 100%
rename from Security/libsecurity_codesigning/lib/csprocess.h
rename to OSX/include/security_codesigning/csprocess.h
diff --git a/OSX/include/security_codesigning/csutilities.cpp b/OSX/include/security_codesigning/csutilities.cpp
new file mode 100644
index 00000000..c6f0231b
--- /dev/null
+++ b/OSX/include/security_codesigning/csutilities.cpp
@@ -0,0 +1,260 @@ +/* + * Copyright (c) 2006-2013 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +// +// csutilities - miscellaneous utilities for the code signing implementation +// +#include "csutilities.h" +#include +#include +#include +#include +#include +#include +#include +#include + +namespace Security { +namespace CodeSigning { + + +// +// Test for the canonical Apple CA certificate +// +bool isAppleCA(SecCertificateRef cert) +{ + SecAppleTrustAnchorFlags flags = 0; + if (SecIsInternalRelease()) + flags |= kSecAppleTrustAnchorFlagsIncludeTestAnchors; + return SecIsAppleTrustAnchor(cert, flags); +} + + +// +// Calculate the canonical hash of a certificate, given its raw (DER) data. 
+// +void hashOfCertificate(const void *certData, size_t certLength, SHA1::Digest digest) +{ + SHA1 hasher; + hasher(certData, certLength); + hasher.finish(digest); +} + + +// +// Ditto, given a SecCertificateRef +// +void hashOfCertificate(SecCertificateRef cert, SHA1::Digest digest) +{ + assert(cert); + CSSM_DATA certData; + MacOSError::check(SecCertificateGetData(cert, &certData)); + hashOfCertificate(certData.Data, certData.Length, digest); +} + + +// +// One-stop hash-certificate-and-compare +// +bool verifyHash(SecCertificateRef cert, const Hashing::Byte *digest) +{ + SHA1::Digest dig; + hashOfCertificate(cert, dig); + return !memcmp(dig, digest, SHA1::digestLength); +} + + +// +// Check to see if a certificate contains a particular field, by OID. This works for extensions, +// even ones not recognized by the local CL. It does not return any value, only presence. +// +bool certificateHasField(SecCertificateRef cert, const CSSM_OID &oid) +{ + assert(cert); + CSSM_DATA *value; + switch (OSStatus rc = SecCertificateCopyFirstFieldValue(cert, &oid, &value)) { + case errSecSuccess: + MacOSError::check(SecCertificateReleaseFirstFieldValue(cert, &oid, value)); + return true; // extension found by oid + case errSecUnknownTag: + break; // oid not recognized by CL - continue below + default: + MacOSError::throwMe(rc); // error: fail + } + + // check the CL's bag of unrecognized extensions + CSSM_DATA **values; + bool found = false; + if (SecCertificateCopyFieldValues(cert, &CSSMOID_X509V3CertificateExtensionCStruct, &values)) + return false; // no unrecognized extensions - no match + if (values) + for (CSSM_DATA **p = values; *p; p++) { + const CSSM_X509_EXTENSION *ext = (const CSSM_X509_EXTENSION *)(*p)->Data; + if (oid == ext->extnId) { + found = true; + break; + } + } + MacOSError::check(SecCertificateReleaseFieldValues(cert, &CSSMOID_X509V3CertificateExtensionCStruct, values)); + return found; +} + + +// +// Retrieve X.509 policy extension OIDs, if any. 
+// This currently ignores policy qualifiers. +// +bool certificateHasPolicy(SecCertificateRef cert, const CSSM_OID &policyOid) +{ + bool matched = false; + assert(cert); + CSSM_DATA *data; + if (OSStatus rc = SecCertificateCopyFirstFieldValue(cert, &CSSMOID_CertificatePolicies, &data)) + MacOSError::throwMe(rc); + if (data && data->Data && data->Length == sizeof(CSSM_X509_EXTENSION)) { + const CSSM_X509_EXTENSION *ext = (const CSSM_X509_EXTENSION *)data->Data; + assert(ext->format == CSSM_X509_DATAFORMAT_PARSED); + const CE_CertPolicies *policies = (const CE_CertPolicies *)ext->value.parsedValue; + if (policies) + for (unsigned int n = 0; n < policies->numPolicies; n++) { + const CE_PolicyInformation &cp = policies->policies[n]; + if (cp.certPolicyId == policyOid) { + matched = true; + break; + } + } + } + SecCertificateReleaseFirstFieldValue(cert, &CSSMOID_PolicyConstraints, data); + return matched; +} + + +// +// Copyfile +// +Copyfile::Copyfile() +{ + if (!(mState = copyfile_state_alloc())) + UnixError::throwMe(); +} + +void Copyfile::set(uint32_t flag, const void *value) +{ + check(::copyfile_state_set(mState, flag, value)); +} + +void Copyfile::get(uint32_t flag, void *value) +{ + check(::copyfile_state_set(mState, flag, value)); +} + +void Copyfile::operator () (const char *src, const char *dst, copyfile_flags_t flags) +{ + check(::copyfile(src, dst, mState, flags)); +} + +void Copyfile::check(int rc) +{ + if (rc < 0) + UnixError::throwMe(); +} + + +// +// MessageTracer support +// +MessageTrace::MessageTrace(const char *domain, const char *signature) +{ + mAsl = asl_new(ASL_TYPE_MSG); + if (domain) + asl_set(mAsl, "com.apple.message.domain", domain); + if (signature) + asl_set(mAsl, "com.apple.message.signature", signature); +} + +void MessageTrace::add(const char *key, const char *format, ...) 
+{ + va_list args; + va_start(args, format); + char value[200]; + vsnprintf(value, sizeof(value), format, args); + va_end(args); + asl_set(mAsl, (string("com.apple.message.") + key).c_str(), value); +} + +void MessageTrace::send(const char *format, ...) +{ + va_list args; + va_start(args, format); + asl_vlog(NULL, mAsl, ASL_LEVEL_NOTICE, format, args); + va_end(args); +} + + + +// Resource limited async workers for doing work on nested bundles +LimitedAsync::LimitedAsync(bool async) +{ + // validate multiple resources concurrently if bundle resides on solid-state media + + // How many async workers to spin off. If zero, validating only happens synchronously. + long async_workers = 0; + + long ncpu = sysconf(_SC_NPROCESSORS_ONLN); + + if (async && ncpu > 0) + async_workers = ncpu - 1; // one less because this thread also validates + + mResourceSemaphore = new Dispatch::Semaphore(async_workers); +} + +LimitedAsync::LimitedAsync(LimitedAsync &limitedAsync) +{ + mResourceSemaphore = new Dispatch::Semaphore(*limitedAsync.mResourceSemaphore); +} + +LimitedAsync::~LimitedAsync() +{ + delete mResourceSemaphore; +} + +bool LimitedAsync::perform(Dispatch::Group &groupRef, void (^block)()) { + __block Dispatch::SemaphoreWait wait(*mResourceSemaphore, DISPATCH_TIME_NOW); + + if (wait.acquired()) { + dispatch_queue_t defaultQueue = dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0); + + groupRef.enqueue(defaultQueue, ^{ + // Hold the semaphore count until the worker is done validating. + Dispatch::SemaphoreWait innerWait(wait); + block(); + }); + return true; + } else { + block(); + return false; + } +} + +} // end namespace CodeSigning +} // end namespace Security diff --git a/OSX/include/security_codesigning/csutilities.h b/OSX/include/security_codesigning/csutilities.h new file mode 100644 index 00000000..1de14505 --- /dev/null +++ b/OSX/include/security_codesigning/csutilities.h 
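Review bot: `Copyfile::get` calls `copyfile_state_set` rather than `copyfile_state_get`, so a caller asking for a state value writes into the copyfile state instead of reading it; the line should be `check(::copyfile_state_get(mState, flag, value));`. In `certificateHasPolicy` the first field value is copied under `CSSMOID_CertificatePolicies` but released under `CSSMOID_PolicyConstraints`, and that release's return code is dropped; releasing with the OID the copy used, `MacOSError::check(SecCertificateReleaseFirstFieldValue(cert, &CSSMOID_CertificatePolicies, data));`, keeps the pair consistent with `certificateHasField` above. `MessageTrace::add` also deserves a note that `vsnprintf` into the 200-byte `value` silently truncates long values, e.g. `// values longer than sizeof(value)-1 are truncated, not rejected`.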
@@ -0,0 +1,202 @@ +/* + * Copyright (c) 2006-2013 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +// +// csutilities - miscellaneous utilities for the code signing implementation +// +// This is a collection of odds and ends that wouldn't fit anywhere else. +// The common theme is that the contents are otherwise naturally homeless. +// +#ifndef _H_CSUTILITIES +#define _H_CSUTILITIES + +#include +#include +#include +#include +#include +#include +#include +#include + +namespace Security { +namespace CodeSigning { + + +// +// Test for the canonical Apple CA certificate +// +bool isAppleCA(SecCertificateRef cert); + + +// +// Calculate canonical hashes of certificate. +// This is simply defined as (always) the SHA1 hash of the DER. +// +void hashOfCertificate(const void *certData, size_t certLength, SHA1::Digest digest); +void hashOfCertificate(SecCertificateRef cert, SHA1::Digest digest); +bool verifyHash(SecCertificateRef cert, const Hashing::Byte *digest); + + +// +// Calculate hashes of (a section of) a file. +// Starts at the current file position. 
+// Extends to end of file, or (if limit > 0) at most limit bytes. +// Returns number of bytes digested. +// +template +size_t hashFileData(UnixPlusPlus::FileDesc fd, _Hash *hasher, size_t limit = 0) +{ + unsigned char buffer[4096]; + size_t total = 0; + for (;;) { + size_t size = sizeof(buffer); + if (limit && limit < size) + size = limit; + size_t got = fd.read(buffer, size); + total += got; + if (fd.atEnd()) + break; + hasher->update(buffer, got); + if (limit && (limit -= got) == 0) + break; + } + return total; +} + +template +size_t hashFileData(const char *path, _Hash *hasher) +{ + UnixPlusPlus::AutoFileDesc fd(path); + return hashFileData(fd, hasher); +} + + +// +// Check to see if a certificate contains a particular field, by OID. This works for extensions, +// even ones not recognized by the local CL. It does not return any value, only presence. +// +bool certificateHasField(SecCertificateRef cert, const CSSM_OID &oid); +bool certificateHasPolicy(SecCertificateRef cert, const CSSM_OID &policyOid); + + +// +// Encapsulation of the copyfile(3) API. +// This is slated to go into utilities once stable. 
+// +class Copyfile { +public: + Copyfile(); + ~Copyfile() { copyfile_state_free(mState); } + + operator copyfile_state_t () const { return mState; } + + void set(uint32_t flag, const void *value); + void get(uint32_t flag, void *value); + + void operator () (const char *src, const char *dst, copyfile_flags_t flags); + +private: + void check(int rc); + +private: + copyfile_state_t mState; +}; + + +// +// MessageTracer support +// +class MessageTrace { +public: + MessageTrace(const char *domain, const char *signature); + ~MessageTrace() { ::asl_free(mAsl); } + void add(const char *key, const char *format, ...); + void send(const char *format, ...); + +private: + aslmsg mAsl; +}; + + +// +// A reliable uid set/reset bracket +// +class UidGuard { +public: + UidGuard() : mPrevious(-1) { } + UidGuard(uid_t uid) : mPrevious(-1) { seteuid(uid); } + ~UidGuard() + { + if (active()) + UnixError::check(::seteuid(mPrevious)); + } + + bool seteuid(uid_t uid) + { + if (uid == geteuid()) + return true; // no change, don't bother the kernel + if (!active()) + mPrevious = ::geteuid(); + return ::seteuid(uid) == 0; + } + + bool active() const { return mPrevious != uid_t(-1); } + operator bool () const { return active(); } + uid_t saved() const { assert(active()); return mPrevious; } + +private: + uid_t mPrevious; +}; + + +// This class provides resource limited parallelization, +// used for work on nested bundles (e.g. signing or validating them). + +// We only spins off async workers if they are available right now, +// otherwise we continue synchronously in the current thread. +// This is important because we must progress at all times, otherwise +// deeply nested bundles will deadlock on waiting for resource validation, +// with no available workers to actually do so. +// Their nested resources, however, may again spin off async workers if +// available. 
+ +class LimitedAsync { + NOCOPY(LimitedAsync) +public: + LimitedAsync(bool async); + LimitedAsync(LimitedAsync& limitedAsync); + virtual ~LimitedAsync(); + + bool perform(Dispatch::Group &groupRef, void (^block)()); + +private: + Dispatch::Semaphore *mResourceSemaphore; +}; + + + +} // end namespace CodeSigning +} // end namespace Security + +#endif // !_H_CSUTILITIES diff --git a/Security/libsecurity_codesigning/lib/detachedrep.cpp b/OSX/include/security_codesigning/detachedrep.cpp similarity index 100% rename from Security/libsecurity_codesigning/lib/detachedrep.cpp rename to OSX/include/security_codesigning/detachedrep.cpp diff --git a/Security/libsecurity_codesigning/lib/detachedrep.h b/OSX/include/security_codesigning/detachedrep.h similarity index 100% rename from Security/libsecurity_codesigning/lib/detachedrep.h rename to OSX/include/security_codesigning/detachedrep.h diff --git a/Security/libsecurity_codesigning/lib/dirscanner.cpp b/OSX/include/security_codesigning/dirscanner.cpp similarity index 100% rename from Security/libsecurity_codesigning/lib/dirscanner.cpp rename to OSX/include/security_codesigning/dirscanner.cpp diff --git a/Security/libsecurity_codesigning/lib/dirscanner.h b/OSX/include/security_codesigning/dirscanner.h similarity index 100% rename from Security/libsecurity_codesigning/lib/dirscanner.h rename to OSX/include/security_codesigning/dirscanner.h diff --git a/Security/libsecurity_codesigning/lib/diskrep.cpp b/OSX/include/security_codesigning/diskrep.cpp similarity index 100% rename from Security/libsecurity_codesigning/lib/diskrep.cpp rename to OSX/include/security_codesigning/diskrep.cpp diff --git a/Security/libsecurity_codesigning/lib/diskrep.h b/OSX/include/security_codesigning/diskrep.h similarity index 100% rename from Security/libsecurity_codesigning/lib/diskrep.h rename to OSX/include/security_codesigning/diskrep.h 
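Review bot: `UidGuard(uid_t uid)` discards the `bool` its own `seteuid(uid)` returns, so a failed effective-uid switch leaves the caller running with the original privileges and nothing tells it the change did not happen; `UidGuard(uid_t uid) : mPrevious(-1) { if (!seteuid(uid)) UnixError::throwMe(); }` surfaces the failure the way the destructor already does for a failed restore. That destructor's `UnixError::check` throws from a destructor, which under C++11's implicit `noexcept` terminates the process — presumably a deliberate fail-closed choice, and worth stating: `// a failed restore is fatal on purpose: never continue under the wrong euid`. In `hashFileData`, the bytes returned by the `fd.read` that first makes `fd.atEnd()` true are added to `total` but skipped by `hasher->update`; if `atEnd()` can become true on that final non-empty read rather than only on a later zero-length one, the file's tail is left out of the digest while still being counted, which is worth confirming against `UnixPlusPlus::FileDesc`.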
diff --git a/OSX/include/security_codesigning/drmaker.cpp b/OSX/include/security_codesigning/drmaker.cpp
new file mode 100644
index 00000000..7883755f
--- /dev/null
+++ b/OSX/include/security_codesigning/drmaker.cpp
@@ -0,0 +1,195 @@ +/* + * Copyright (c) 2012 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +// +// drmaker - create automatic Designated Requirements +// +#include "drmaker.h" +#include "csutilities.h" +#include +#include +//#include + +namespace Security { +namespace CodeSigning { + + +static const uint8_t adcSdkMarker[] = { APPLE_EXTENSION_OID, 2, 1 }; // iOS intermediate marker +const CSSM_DATA adcSdkMarkerOID = { sizeof(adcSdkMarker), (uint8_t *)adcSdkMarker }; + +static const uint8_t caspianSdkMarker[] = { APPLE_EXTENSION_OID, 2, 6 }; // Caspian intermediate marker +const CSSM_DATA devIdSdkMarkerOID = { sizeof(caspianSdkMarker), (uint8_t *)caspianSdkMarker }; +static const uint8_t caspianLeafMarker[] = { APPLE_EXTENSION_OID, 1, 13 }; // Caspian leaf certificate marker +const CSSM_DATA devIdLeafMarkerOID = { sizeof(caspianLeafMarker), (uint8_t *)caspianLeafMarker }; + + + +DRMaker::DRMaker(const Requirement::Context &context) + : ctx(context) +{ +} + +DRMaker::~DRMaker() +{ +} + + +// +// Generate the default (implicit) Designated Requirement for this 
StaticCode. +// This is a heuristic of sorts, and may change over time (for the better, we hope). +// +Requirement *DRMaker::make() +{ + // we can't make an explicit DR for a (proposed) ad-hoc signing because that requires the CodeDirectory (which we ain't got yet) + if (ctx.certCount() == 0) + return NULL; + + // always require the identifier + this->put(opAnd); + this->ident(ctx.identifier); + + if (isAppleCA(ctx.cert(Requirement::anchorCert)) +#if defined(TEST_APPLE_ANCHOR) + || !memcmp(anchorHash, Requirement::testAppleAnchorHash(), SHA1::digestLength) +#endif + ) + appleAnchor(); + else + nonAppleAnchor(); + + return Maker::make(); +} + + +void DRMaker::nonAppleAnchor() +{ + // get the Organization DN element for the leaf + CFRef leafOrganization; + MacOSError::check(SecCertificateCopySubjectComponent(ctx.cert(Requirement::leafCert), + &CSSMOID_OrganizationName, &leafOrganization.aref())); + + // now step up the cert chain looking for the first cert with a different one + int slot = Requirement::leafCert; // start at leaf + if (leafOrganization) { + while (SecCertificateRef ca = ctx.cert(slot+1)) { // NULL if you over-run the anchor slot + CFRef caOrganization; + MacOSError::check(SecCertificateCopySubjectComponent(ca, &CSSMOID_OrganizationName, &caOrganization.aref())); + if (!caOrganization || CFStringCompare(leafOrganization, caOrganization, 0) != kCFCompareEqualTo) + break; + slot++; + } + if (slot == ctx.certCount() - 1) // went all the way to the anchor... + slot = Requirement::anchorCert; // ... 
so say that + } + + // nail the last cert with the leaf's Organization value + SHA1::Digest authorityHash; + hashOfCertificate(ctx.cert(slot), authorityHash); + this->anchor(slot, authorityHash); +} + + +void DRMaker::appleAnchor() +{ + if (isIOSSignature()) { + // get the Common Name DN element for the leaf + CFRef leafCN; + MacOSError::check(SecCertificateCopySubjectComponent(ctx.cert(Requirement::leafCert), + &CSSMOID_CommonName, &leafCN.aref())); + + // apple anchor generic and ... + this->put(opAnd); + this->anchorGeneric(); // apple generic anchor and... + // ... leaf[subject.CN] = and ... + this->put(opAnd); + this->put(opCertField); // certificate + this->put(0); // leaf + this->put("subject.CN"); // [subject.CN] + this->put(matchEqual); // = + this->putData(leafCN); // + // ... cert 1[field.] exists + this->put(opCertGeneric); // certificate + this->put(1); // 1 + this->putData(adcSdkMarkerOID.Data, adcSdkMarkerOID.Length); // [field.] + this->put(matchExists); // exists + return; + } + + if (isDeveloperIDSignature()) { + // get the Organizational Unit DN element for the leaf (it contains the TEAMID) + CFRef teamID; + MacOSError::check(SecCertificateCopySubjectComponent(ctx.cert(Requirement::leafCert), + &CSSMOID_OrganizationalUnitName, &teamID.aref())); + + // apple anchor generic and ... + this->put(opAnd); + this->anchorGeneric(); // apple generic anchor and... + + // ... certificate 1[intermediate marker oid] exists and ... + this->put(opAnd); + this->put(opCertGeneric); // certificate + this->put(1); // 1 + this->putData(caspianSdkMarker, sizeof(caspianSdkMarker)); + this->put(matchExists); // exists + + // ... certificate leaf[Caspian cert oid] exists and ... + this->put(opAnd); + this->put(opCertGeneric); // certificate + this->put(0); // leaf + this->putData(caspianLeafMarker, sizeof(caspianLeafMarker)); + this->put(matchExists); // exists + + // ... 
leaf[subject.OU] = + this->put(opCertField); // certificate + this->put(0); // leaf + this->put("subject.OU"); // [subject.OU] + this->put(matchEqual); // = + this->putData(teamID); // TEAMID + return; + } + + // otherwise, claim this program for Apple Proper + this->anchor(); +} + +bool DRMaker::isIOSSignature() +{ + if (ctx.certCount() == 3) // leaf, one intermediate, anchor + if (SecCertificateRef intermediate = ctx.cert(1)) // get intermediate + if (certificateHasField(intermediate, CssmOid::overlay(adcSdkMarkerOID))) + return true; + return false; +} + +bool DRMaker::isDeveloperIDSignature() +{ + if (ctx.certCount() == 3) // leaf, one intermediate, anchor + if (SecCertificateRef intermediate = ctx.cert(1)) // get intermediate + if (certificateHasField(intermediate, CssmOid::overlay(devIdSdkMarkerOID))) + return true; + return false; +} + + +} // end namespace CodeSigning +} // end namespace Security diff --git a/Security/libsecurity_codesigning/lib/drmaker.h b/OSX/include/security_codesigning/drmaker.h similarity index 100% rename from Security/libsecurity_codesigning/lib/drmaker.h rename to OSX/include/security_codesigning/drmaker.h diff --git a/OSX/include/security_codesigning/evaluationmanager.cpp b/OSX/include/security_codesigning/evaluationmanager.cpp new file mode 100644 index 00000000..d64d6e1a --- /dev/null +++ b/OSX/include/security_codesigning/evaluationmanager.cpp 
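Review bot: The `TEST_APPLE_ANCHOR` branch of `DRMaker::make` compares `anchorHash`, which nothing in this hunk declares, so a build with that macro defined would fail unless the name comes from `drmaker.h`; either drop the dead branch or give it a local `SHA1::Digest anchorHash;` filled by `hashOfCertificate(ctx.cert(Requirement::anchorCert), anchorHash);` before the comparison. `isIOSSignature` and `isDeveloperIDSignature` are the same chain-shape check differing only in the marker OID; a file-static helper removes the duplication and gives one place to document why exactly three certificates are required. The `CSSM_DATA` globals also cast away `const` from the `static const` marker arrays, which is fine only as long as nothing writes through them; a comment saying so would help the next reader.
```cpp
// … unchanged: DRMaker::appleAnchor() …

// True if the chain is exactly leaf / one intermediate / anchor and the
// intermediate carries the marker extension (oid).
static bool hasIntermediateMarker(const Requirement::Context &ctx, const CSSM_DATA &oid)
{
	if (ctx.certCount() == 3)	// leaf, one intermediate, anchor
		if (SecCertificateRef intermediate = ctx.cert(1))	// get intermediate
			return certificateHasField(intermediate, CssmOid::overlay(oid));
	return false;
}

bool DRMaker::isIOSSignature()
{
	return hasIntermediateMarker(ctx, adcSdkMarkerOID);
}

bool DRMaker::isDeveloperIDSignature()
{
	return hasIntermediateMarker(ctx, devIdSdkMarkerOID);
}
```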
@@ -0,0 +1,366 @@ +/* + * Copyright (c) 2011-2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#include "evaluationmanager.h" +#include "policyengine.h" +#include +#include +#include +#include + + + + +namespace Security { +namespace CodeSigning { + + + + +#pragma mark - EvaluationTask + + +// +// An evaluation task object manages the assessment - either directly, or in the +// form of waiting for another evaluation task to finish an assessment on the +// same target. 
+// +class EvaluationTask +{ +public: + CFURLRef path() const { return mPath.get(); } + AuthorityType type() const { return mType; } + bool isSharable() const { return mSharable; } + void setUnsharable() { mSharable = false; } + +private: + EvaluationTask(PolicyEngine *engine, CFURLRef path, AuthorityType type); + virtual ~EvaluationTask(); + void performEvaluation(SecAssessmentFlags flags, CFDictionaryRef context); + void waitForCompletion(SecAssessmentFlags flags, CFMutableDictionaryRef result); + + PolicyEngine *mPolicyEngine; + AuthorityType mType; + dispatch_queue_t mWorkQueue; + dispatch_queue_t mFeedbackQueue; + dispatch_semaphore_t mAssessmentLock; + __block dispatch_once_t mAssessmentKicked; + int32_t mReferenceCount; + int32_t mEvalCount; +// This whole thing is a pre-existing crutch and must be fixed soon. +#define UNOFFICIAL_MAX_XPC_ID_LENGTH 127 + char mXpcActivityName[UNOFFICIAL_MAX_XPC_ID_LENGTH]; + bool mSharable; + + CFCopyRef mPath; + CFCopyRef mResult; + std::vector mFeedback; + + std::exception_ptr mExceptionToRethrow; + + friend class EvaluationManager; +}; + + +EvaluationTask::EvaluationTask(PolicyEngine *engine, CFURLRef path, AuthorityType type) : + mPolicyEngine(engine), mType(type), mAssessmentLock(dispatch_semaphore_create(0)), + mAssessmentKicked(0), mReferenceCount(0), mEvalCount(0), mSharable(true), + mExceptionToRethrow(0) +{ + mXpcActivityName[0] = 0; + + mWorkQueue = dispatch_queue_create("EvaluationTask", 0); + mFeedbackQueue = dispatch_queue_create("EvaluationTaskFeedback", 0); + + mPath = path; + mResult.take(makeCFMutableDictionary()); +} + + +EvaluationTask::~EvaluationTask() +{ + dispatch_release(mFeedbackQueue); + dispatch_release(mWorkQueue); + dispatch_release(mAssessmentLock); +} + + +void EvaluationTask::performEvaluation(SecAssessmentFlags flags, CFDictionaryRef context) +{ + bool performTheEvaluation = false; + bool lowPriority = flags & kSecAssessmentFlagLowPriority; + + // each evaluation task performs at most a 
single evaluation + if (OSAtomicIncrement32Barrier(&mEvalCount) == 1) + performTheEvaluation = true; + + // define a block to run when the assessment has feedback available + SecAssessmentFeedback relayFeedback = ^Boolean(CFStringRef type, CFDictionaryRef information) { + + __block Boolean proceed = true; + dispatch_sync(mFeedbackQueue, ^{ + if (mFeedback.size() > 0) { + proceed = false; // we need at least one interested party to proceed + // forward the feedback to all registered listeners + for (int i = 0; i < mFeedback.size(); ++i) { + proceed |= mFeedback[i](type, information); + } + } + }); + if (!proceed) + this->setUnsharable(); // don't share an expiring evaluation task + return proceed; + }; + + + // if the calling context has a feedback block, register it to listen to + // our feedback relay + dispatch_sync(mFeedbackQueue, ^{ + SecAssessmentFeedback feedback = (SecAssessmentFeedback)CFDictionaryGetValue(context, kSecAssessmentContextKeyFeedback); + if (feedback && CFGetTypeID(feedback) == CFGetTypeID(relayFeedback)) + mFeedback.push_back(feedback); + }); + + // if we haven't already started the evaluation (we're the first interested + // party), do it now + if (performTheEvaluation) { + dispatch_semaphore_t startLock = dispatch_semaphore_create(0); + + // create the assessment block + dispatch_async(mWorkQueue, dispatch_block_create_with_qos_class(DISPATCH_BLOCK_ENFORCE_QOS_CLASS, QOS_CLASS_UTILITY, 0, ^{ + // signal that the assessment is ready to start + dispatch_semaphore_signal(startLock); + + // wait until we're permitted to start the assessment. if we're in low + // priority mode, this will not happen until we're on AC power. if not + // in low priority mode, we're either already free to perform the + // assessment or we will be quite soon + dispatch_semaphore_wait(mAssessmentLock, DISPATCH_TIME_FOREVER); + + // Unregister a possibly still scheduled activity, as it lost its point. 
+ if (strlen(mXpcActivityName)) { + xpc_activity_unregister(mXpcActivityName); + } + + // copy the original context into our own mutable dictionary and replace + // (or assign) the feedback entry within it to our multi-receiver + // feedback relay block + CFRef contextOverride = makeCFMutableDictionary(context); + CFDictionaryRemoveValue(contextOverride.get(), kSecAssessmentContextKeyFeedback); + CFDictionaryAddValue(contextOverride.get(), kSecAssessmentContextKeyFeedback, relayFeedback); + + try { + // perform the evaluation + switch (mType) { + case kAuthorityExecute: + mPolicyEngine->evaluateCode(mPath.get(), kAuthorityExecute, flags, contextOverride.get(), mResult.get(), true); + break; + case kAuthorityInstall: + mPolicyEngine->evaluateInstall(mPath.get(), flags, contextOverride.get(), mResult.get()); + break; + case kAuthorityOpenDoc: + mPolicyEngine->evaluateDocOpen(mPath.get(), flags, contextOverride.get(), mResult.get()); + break; + default: + MacOSError::throwMe(errSecCSInvalidAttributeValues); + break; + } + } catch(...) { + mExceptionToRethrow = std::current_exception(); + } + + })); + + // wait for the assessment to start + dispatch_semaphore_wait(startLock, DISPATCH_TIME_FOREVER); + dispatch_release(startLock); + + if (lowPriority) { + // This whole thing is a crutch and should be handled differently. + // Maybe by having just one activity that just kicks off all remaining + // background assessments, CTS determines that it's a good time. + + // reduce the bundle path name to just the app component and generate an + // xpc_activity identifier from it. 
this identifier should be smaller than + // 128 characters due to rdar://problem/20094806 + string path = cfString(mPath); + size_t bundleNamePosition = path.rfind('/'); + const char *bundleName = "/default"; + if (bundleNamePosition != string::npos) + bundleName = path.c_str() + bundleNamePosition; + snprintf(mXpcActivityName, UNOFFICIAL_MAX_XPC_ID_LENGTH, "com.apple.security.assess%s", bundleName); + + // schedule the assessment to be permitted to run (beyond start) -- this + // will either happen once we're no longer on battery power, or + // immediately, based on the flag value of kSecAssessmentFlagLowPriority + xpc_object_t criteria = xpc_dictionary_create(NULL, NULL, 0); + xpc_dictionary_set_bool(criteria, XPC_ACTIVITY_REPEATING, false); + xpc_dictionary_set_int64(criteria, XPC_ACTIVITY_DELAY, 0); + xpc_dictionary_set_int64(criteria, XPC_ACTIVITY_GRACE_PERIOD, 0); + + xpc_dictionary_set_string(criteria, XPC_ACTIVITY_PRIORITY, XPC_ACTIVITY_PRIORITY_MAINTENANCE); + xpc_dictionary_set_bool(criteria, XPC_ACTIVITY_ALLOW_BATTERY, false); + + xpc_activity_register(mXpcActivityName, criteria, ^(xpc_activity_t activity) { + dispatch_once(&mAssessmentKicked, ^{ + dispatch_semaphore_signal(mAssessmentLock); + }); + }); + xpc_release(criteria); + } + } + + // If this is a foreground assessment to begin with, or if an assessment + // with an existing task has been requested in the foreground, kick it + // immediately. 
+ if (!lowPriority) { + dispatch_once(&mAssessmentKicked, ^{ + dispatch_semaphore_signal(mAssessmentLock); + }); + } +} + + + +void EvaluationTask::waitForCompletion(SecAssessmentFlags flags, CFMutableDictionaryRef result) +{ + // if the caller didn't request low priority we will elevate the dispatch + // queue priority via our wait block + dispatch_qos_class_t qos_class = QOS_CLASS_USER_INITIATED; + if (flags & kSecAssessmentFlagLowPriority) + qos_class = QOS_CLASS_UTILITY; + + // wait for the assessment to complete; our wait block will queue up behind + // the assessment and the copy its results + dispatch_sync(mWorkQueue, dispatch_block_create_with_qos_class (DISPATCH_BLOCK_ENFORCE_QOS_CLASS, qos_class, 0, ^{ + // copy the class result back to the caller + cfDictionaryApplyBlock(mResult.get(), ^(const void *key, const void *value){ + CFDictionaryAddValue(result, key, value); + }); + })); + + if (mExceptionToRethrow) std::rethrow_exception(mExceptionToRethrow); +} + + + +#pragma mark - + + +static Boolean evaluationTasksAreEqual(const EvaluationTask *task1, const EvaluationTask *task2) +{ + if (!task1->isSharable() || !task2->isSharable()) return false; + if ((task1->type() != task2->type()) || + (cfString(task1->path()) != cfString(task2->path()))) + return false; + + return true; +} + + + + +#pragma mark - EvaluationManager + + +EvaluationManager *EvaluationManager::globalManager() +{ + static EvaluationManager *singleton; + static dispatch_once_t onceToken; + dispatch_once(&onceToken, ^{ + singleton = new EvaluationManager(); + }); + return singleton; +} + + +EvaluationManager::EvaluationManager() +{ + static CFDictionaryValueCallBacks evalTaskValueCallbacks = kCFTypeDictionaryValueCallBacks; + evalTaskValueCallbacks.equal = (CFDictionaryEqualCallBack)evaluationTasksAreEqual; + evalTaskValueCallbacks.retain = NULL; + evalTaskValueCallbacks.release = NULL; + mCurrentEvaluations.take( + CFDictionaryCreateMutable(NULL, + 0, + &kCFTypeDictionaryKeyCallBacks, + 
&evalTaskValueCallbacks)); + + mListLockQueue = dispatch_queue_create("EvaluationManagerSyncronization", 0); +} + + +EvaluationManager::~EvaluationManager() +{ + dispatch_release(mListLockQueue); +} + + +EvaluationTask *EvaluationManager::evaluationTask(PolicyEngine *engine, CFURLRef path, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, CFMutableDictionaryRef result) +{ + __block EvaluationTask *evalTask = NULL; + + dispatch_sync(mListLockQueue, ^{ + // is path already being evaluated? + if (!(flags & kSecAssessmentFlagIgnoreActiveAssessments)) + evalTask = (EvaluationTask *)CFDictionaryGetValue(mCurrentEvaluations.get(), path); + if (!evalTask) { + // create a new task for the evaluation + evalTask = new EvaluationTask(engine, path, type); + if (flags & kSecAssessmentFlagIgnoreActiveAssessments) + evalTask->setUnsharable(); + CFDictionaryAddValue(mCurrentEvaluations.get(), path, evalTask); + } + evalTask->mReferenceCount++; + }); + + if (evalTask) + evalTask->performEvaluation(flags, context); + + return evalTask; +} + + +void EvaluationManager::waitForCompletion(EvaluationTask *task, SecAssessmentFlags flags, CFMutableDictionaryRef result) +{ + task->waitForCompletion(flags, result); +} + + +void EvaluationManager::removeTask(EvaluationTask *task) +{ + dispatch_sync(mListLockQueue, ^{ + // are we done with this evaluation task? + if (--task->mReferenceCount == 0) { + // yes -- remove it from our list and delete the object + CFDictionaryRemoveValue(mCurrentEvaluations.get(), task->path()); + delete task; + } + }); +} + + + +} // end namespace CodeSigning +} // end namespace Security + diff --git a/OSX/include/security_codesigning/evaluationmanager.h b/OSX/include/security_codesigning/evaluationmanager.h new file mode 100644 index 00000000..bad99dc4 --- /dev/null +++ b/OSX/include/security_codesigning/evaluationmanager.h 
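Review bot: `mAssessmentKicked` is a per-object member used as a `dispatch_once_t` predicate (in the `xpc_activity_register` handler and in the `!lowPriority` branch of `performEvaluation`), but dispatch_once's documented contract requires the predicate to have static or global storage; a heap member happens to work but is outside the contract, and since the file already uses the OSAtomic barrier calls, an explicit flag such as `if (OSAtomicCompareAndSwap32Barrier(0, 1, &mAssessmentKickedFlag)) dispatch_semaphore_signal(mAssessmentLock);` would make the once-only signal well-defined. Separately, the activity handler captures `this`, and neither `~EvaluationTask` nor `removeTask` unregisters the activity when the work block's own `xpc_activity_unregister` call did not run first; the work block reads `mXpcActivityName` as soon as `mAssessmentLock` is signalled, which a second foreground caller joining the task can do before the first caller reaches its `snprintf`/`xpc_activity_register`, so a late-firing activity could touch a deleted task. Clearing `mXpcActivityName[0]` after unregistering in the work block and adding `if (mXpcActivityName[0]) xpc_activity_unregister(mXpcActivityName);` to the destructor would close that window. Note also that the activity name is derived only from the last path component, truncated to 127 bytes, so two concurrent low-priority assessments of same-named bundles at different paths register under the same identifier.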
@@ -0,0 +1,63 @@ +/* + * Copyright (c) 2011-2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ +#ifndef _H_EVALUATIONMANAGER +#define _H_EVALUATIONMANAGER + +#include "policydb.h" +#include + +namespace Security { +namespace CodeSigning { + + +class PolicyEngine; +class EvaluationTask; /* an opaque type */ + +// +// EvaluationManager manages a list of concurrent evaluation tasks (each of +// which is wrapped within an EvaluationTask object). 
+// +class EvaluationManager +{ +public: + static EvaluationManager *globalManager(); + + EvaluationTask *evaluationTask(PolicyEngine *engine, CFURLRef path, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, CFMutableDictionaryRef result); + void waitForCompletion(EvaluationTask *task, SecAssessmentFlags flags, CFMutableDictionaryRef result); + void removeTask(EvaluationTask *task); + +private: + CFCopyRef mCurrentEvaluations; + EvaluationManager(); + ~EvaluationManager(); + + dispatch_queue_t mListLockQueue; +}; + + + +} // end namespace CodeSigning +} // end namespace Security + +#endif //_H_EVALUATIONMANAGER + diff --git a/Security/libsecurity_codesigning/lib/filediskrep.cpp b/OSX/include/security_codesigning/filediskrep.cpp similarity index 100% rename from Security/libsecurity_codesigning/lib/filediskrep.cpp rename to OSX/include/security_codesigning/filediskrep.cpp diff --git a/Security/libsecurity_codesigning/lib/filediskrep.h b/OSX/include/security_codesigning/filediskrep.h similarity index 100% rename from Security/libsecurity_codesigning/lib/filediskrep.h rename to OSX/include/security_codesigning/filediskrep.h diff --git a/Security/libsecurity_codesigning/lib/kerneldiskrep.cpp b/OSX/include/security_codesigning/kerneldiskrep.cpp similarity index 100% rename from Security/libsecurity_codesigning/lib/kerneldiskrep.cpp rename to OSX/include/security_codesigning/kerneldiskrep.cpp diff --git a/Security/libsecurity_codesigning/lib/kerneldiskrep.h b/OSX/include/security_codesigning/kerneldiskrep.h similarity index 100% rename from Security/libsecurity_codesigning/lib/kerneldiskrep.h rename to OSX/include/security_codesigning/kerneldiskrep.h diff --git a/OSX/include/security_codesigning/machorep.cpp b/OSX/include/security_codesigning/machorep.cpp new file mode 100644 index 00000000..d362b5ab --- /dev/null +++ b/OSX/include/security_codesigning/machorep.cpp 
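Review bot: The public declarations of EvaluationManager carry no comments describing the ownership protocol the implementation relies on: `evaluationTask()` bumps the task's reference count and returns a pointer the manager still owns, and only `removeTask()` decrements it and deletes the task when it reaches zero. I would document that on the declarations, e.g. above `evaluationTask`: `// Returns a manager-owned task, possibly shared with other callers of the same path; every non-NULL return must be balanced by removeTask(), which frees the task when its last user releases it.` and above `waitForCompletion`: `// Blocks until the task's assessment finishes, merges its result entries into 'result', and rethrows any exception the assessment raised.`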
@@ -0,0 +1,409 @@ +/* + * Copyright (c) 2006,2011-2012,2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +// +// machorep - DiskRep mix-in for handling Mach-O main executables +// +#include "machorep.h" +#include "StaticCode.h" +#include "reqmaker.h" + + +namespace Security { +namespace CodeSigning { + +using namespace UnixPlusPlus; + + +// +// Object management. +// We open the main executable lazily, so nothing much happens on construction. +// If the context specifies a file offset, we directly pick that Mach-O binary (only). +// if it specifies an architecture, we try to pick that. Otherwise, we deliver the whole +// Universal object (which will usually deliver the "native" architecture later). 
+// +MachORep::MachORep(const char *path, const Context *ctx) + : SingleDiskRep(path), mSigningData(NULL) +{ + if (ctx) + if (ctx->offset) + mExecutable = new Universal(fd(), (size_t)ctx->offset, ctx->size); + else if (ctx->arch) { + auto_ptr full(new Universal(fd())); + mExecutable = new Universal(fd(), full->archOffset(ctx->arch), full->archLength(ctx->arch)); + } else + mExecutable = new Universal(fd()); + else + mExecutable = new Universal(fd()); + + assert(mExecutable); + CODESIGN_DISKREP_CREATE_MACHO(this, (char*)path, (void*)ctx); +} + +MachORep::~MachORep() +{ + delete mExecutable; + ::free(mSigningData); +} + + +// +// Sniffer function for "plausible Mach-O binary" +// +bool MachORep::candidate(FileDesc &fd) +{ + switch (Universal::typeOf(fd)) { + case MH_EXECUTE: + case MH_DYLIB: + case MH_DYLINKER: + case MH_BUNDLE: + case MH_KEXT_BUNDLE: + case MH_PRELOAD: + return true; // dynamic image; supported + case MH_OBJECT: + return false; // maybe later... + default: + return false; // not Mach-O (or too exotic) + } +} + + + +// +// Nowadays, the main executable object is created upon construction. +// +Universal *MachORep::mainExecutableImage() +{ + return mExecutable; +} + + +// +// Signing base is the start of the Mach-O architecture we're using +// +size_t MachORep::signingBase() +{ + return mainExecutableImage()->archOffset(); +} + + +// +// We choose the binary identifier for a Mach-O binary as follows: +// - If the Mach-O headers have a UUID command, use the UUID. +// - Otherwise, use the SHA-1 hash of the (entire) load commands. 
+// +CFDataRef MachORep::identification() +{ + std::auto_ptr macho(mainExecutableImage()->architecture()); + return identificationFor(macho.get()); +} + +CFDataRef MachORep::identificationFor(MachO *macho) +{ + // if there is a LC_UUID load command, use the UUID contained therein + if (const load_command *cmd = macho->findCommand(LC_UUID)) { + const uuid_command *uuidc = reinterpret_cast(cmd); + // uuidc->cmdsize should be sizeof(uuid_command), so if it is not, + // something is wrong. Fail out. + if (macho->flip(uuidc->cmdsize) != sizeof(uuid_command)) + MacOSError::throwMe(errSecCSSignatureInvalid); + char result[4 + sizeof(uuidc->uuid)]; + memcpy(result, "UUID", 4); + memcpy(result+4, uuidc->uuid, sizeof(uuidc->uuid)); + return makeCFData(result, sizeof(result)); + } + + // otherwise, use the SHA-1 hash of the entire load command area (this is way, way obsolete) + SHA1 hash; + hash(&macho->header(), sizeof(mach_header)); + hash(macho->loadCommands(), macho->commandLength()); + SHA1::Digest digest; + hash.finish(digest); + return makeCFData(digest, sizeof(digest)); +} + + +// +// Retrieve a component from the executable. +// This reads the entire signing SuperBlob when first called for an executable, +// and then caches it for further use. +// Note that we could read individual components directly off disk and only cache +// the SuperBlob Index directory. Our caller (usually SecStaticCode) is expected +// to cache the pieces anyway. +// +CFDataRef MachORep::component(CodeDirectory::SpecialSlot slot) +{ + switch (slot) { + case cdInfoSlot: + return infoPlist(); + default: + return embeddedComponent(slot); + } +} + + +// Retrieve a component from the embedded signature SuperBlob (if present). +// This reads the entire signing SuperBlob when first called for an executable, +// and then caches it for further use. +// Note that we could read individual components directly off disk and only cache +// the SuperBlob Index directory. 
Our caller (usually SecStaticCode) is expected +// to cache the pieces anyway. But it's not clear that the resulting multiple I/O +// calls wouldn't be slower in the end. +// +CFDataRef MachORep::embeddedComponent(CodeDirectory::SpecialSlot slot) +{ + if (!mSigningData) { // fetch and cache + auto_ptr macho(mainExecutableImage()->architecture()); + if (macho.get()) + if (const linkedit_data_command *cs = macho->findCodeSignature()) { + size_t offset = macho->flip(cs->dataoff); + size_t length = macho->flip(cs->datasize); + if ((mSigningData = EmbeddedSignatureBlob::readBlob(macho->fd(), macho->offset() + offset, length))) { + secdebug("machorep", "%zd signing bytes in %d blob(s) from %s(%s)", + mSigningData->length(), mSigningData->count(), + mainExecutablePath().c_str(), macho->architecture().name()); + } else { + secdebug("machorep", "failed to read signing bytes from %s(%s)", + mainExecutablePath().c_str(), macho->architecture().name()); + MacOSError::throwMe(errSecCSSignatureInvalid); + } + } + } + if (mSigningData) + return mSigningData->component(slot); + + // not found + return NULL; +} + + +// +// Extract an embedded Info.plist from the file. +// Returns NULL if none is found. +// +CFDataRef MachORep::infoPlist() +{ + CFRef info; + try { + auto_ptr macho(mainExecutableImage()->architecture()); + if (const section *sect = macho->findSection("__TEXT", "__info_plist")) { + if (macho->is64()) { + const section_64 *sect64 = reinterpret_cast(sect); + info.take(macho->dataAt(macho->flip(sect64->offset), (size_t)macho->flip(sect64->size))); + } else { + info.take(macho->dataAt(macho->flip(sect->offset), macho->flip(sect->size))); + } + } + } catch (...) 
{ + secdebug("machorep", "exception reading embedded Info.plist"); + } + return info.yield(); +} + + +// +// Provide a (vaguely) human readable characterization of this code +// +string MachORep::format() +{ + if (Universal *fat = mainExecutableImage()) { + Universal::Architectures archs; + fat->architectures(archs); + if (fat->isUniversal()) { + string s = "Mach-O universal ("; + for (Universal::Architectures::const_iterator it = archs.begin(); + it != archs.end(); ++it) { + if (it != archs.begin()) + s += " "; + s += it->displayName(); + } + return s + ")"; + } else { + assert(archs.size() == 1); + return string("Mach-O thin (") + archs.begin()->displayName() + ")"; + } + } else + return "Mach-O (unrecognized format)"; +} + + +// +// Flush cached data +// +void MachORep::flush() +{ + size_t offset = mExecutable->offset(); + size_t length = mExecutable->length(); + delete mExecutable; + mExecutable = NULL; + ::free(mSigningData); + mSigningData = NULL; + SingleDiskRep::flush(); + mExecutable = new Universal(fd(), offset, length); +} + + +// +// Return a recommended unique identifier. +// If our file has an embedded Info.plist, use the CFBundleIdentifier from that. +// Otherwise, use the default. +// +string MachORep::recommendedIdentifier(const SigningContext &ctx) +{ + if (CFDataRef info = infoPlist()) { + if (CFRef dict = makeCFDictionaryFrom(info)) { + CFStringRef code = CFStringRef(CFDictionaryGetValue(dict, kCFBundleIdentifierKey)); + if (code && CFGetTypeID(code) != CFStringGetTypeID()) + MacOSError::throwMe(errSecCSBadDictionaryFormat); + if (code) + return cfString(code); + } else + MacOSError::throwMe(errSecCSBadDictionaryFormat); + } + + // ah well. Use the default + return SingleDiskRep::recommendedIdentifier(ctx); +} + + +// +// The default suggested requirements for Mach-O binaries are as follows: +// Library requirement: Composed from dynamic load commands. 
+// +const Requirements *MachORep::defaultRequirements(const Architecture *arch, const SigningContext &ctx) +{ + assert(arch); // enforced by signing infrastructure + Requirements::Maker maker; + + // add library requirements from DYLIB commands (if any) + if (Requirement *libreq = libraryRequirements(arch, ctx)) + maker.add(kSecLibraryRequirementType, libreq); // takes ownership + + // that's all + return maker.make(); +} + +Requirement *MachORep::libraryRequirements(const Architecture *arch, const SigningContext &ctx) +{ + auto_ptr macho(mainExecutableImage()->architecture(*arch)); + Requirement::Maker maker; + Requirement::Maker::Chain chain(maker, opOr); + + if (macho.get()) + if (const linkedit_data_command *ldep = macho->findLibraryDependencies()) { + size_t offset = macho->flip(ldep->dataoff); + size_t length = macho->flip(ldep->datasize); + if (LibraryDependencyBlob *deplist = LibraryDependencyBlob::readBlob(macho->fd(), macho->offset() + offset, length)) { + try { + secdebug("machorep", "%zd library dependency bytes in %d blob(s) from %s(%s)", + deplist->length(), deplist->count(), + mainExecutablePath().c_str(), macho->architecture().name()); + unsigned count = deplist->count(); + // we could walk through DYLIB load commands in parallel. 
We just don't need anything from them so far + for (unsigned n = 0; n < count; n++) { + const Requirement *req = NULL; + if (const BlobCore *dep = deplist->blob(n)) { + if ((req = Requirement::specific(dep))) { + // binary code requirement; good to go + } else if (const BlobWrapper *wrap = BlobWrapper::specific(dep)) { + // blob-wrapped text form - convert to binary requirement + std::string reqString = std::string((const char *)wrap->data(), wrap->length()); + CFRef areq; + MacOSError::check(SecRequirementCreateWithString(CFTempString(reqString), kSecCSDefaultFlags, &areq.aref())); + CFRef reqData; + MacOSError::check(SecRequirementCopyData(areq, kSecCSDefaultFlags, &reqData.aref())); + req = Requirement::specific((const BlobCore *)CFDataGetBytePtr(reqData)); + } else { + secdebug("machorep", "unexpected blob type 0x%x in slot %d of binary dependencies", dep->magic(), n); + continue; + } + chain.add(); + maker.copy(req); + } else + secdebug("machorep", "missing DR info for library index %d", n); + } + ::free(deplist); + } catch (...) 
{ + ::free(deplist); + throw; + } + } + } + if (chain.empty()) + return NULL; + else + return maker.make(); +} + + +// +// Default to system page size for segmented (paged) signatures +// +size_t MachORep::pageSize(const SigningContext &) +{ + return segmentedPageSize; +} + + +// +// Strict validation +// +void MachORep::strictValidate(const CodeDirectory* cd, const ToleratedErrors& tolerated) +{ + // if the constructor found suspicious issues, fail a struct validation now + if (mExecutable->isSuspicious() && tolerated.find(errSecCSBadMainExecutable) == tolerated.end()) + MacOSError::throwMe(errSecCSBadMainExecutable); + + // the signature's code extent must be what we would have picked (no funny hand editing) + if (cd) { + auto_ptr macho(mExecutable->architecture()); + if (cd->codeLimit != macho->signingExtent()) + MacOSError::throwMe(errSecCSSignatureInvalid); + } +} + + +// +// FileDiskRep::Writers +// +DiskRep::Writer *MachORep::writer() +{ + return new Writer(this); +} + + +// +// Write a component. +// MachORep::Writers don't write to components directly; the signing code uses special +// knowledge of the Mach-O format to build embedded signatures and blasts them directly +// to disk. Thus this implementation will never be called (and, if called, will simply fail). +// +void MachORep::Writer::component(CodeDirectory::SpecialSlot slot, CFDataRef data) +{ + assert(false); + MacOSError::throwMe(errSecCSInternalError); +} + + +} // end namespace CodeSigning +} // end namespace Security diff --git a/Security/libsecurity_codesigning/lib/machorep.h b/OSX/include/security_codesigning/machorep.h similarity index 100% rename from Security/libsecurity_codesigning/lib/machorep.h rename to OSX/include/security_codesigning/machorep.h diff --git a/OSX/include/security_codesigning/opaquewhitelist.cpp b/OSX/include/security_codesigning/opaquewhitelist.cpp new file mode 100644 index 00000000..7fbde5fc --- /dev/null +++ b/OSX/include/security_codesigning/opaquewhitelist.cpp 
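Review bot: In `MachORep::libraryRequirements`, the blob-wrapped branch sets `req` to point into the byte buffer of `reqData`, but `reqData` is a `CFRef` declared inside that `else if` block, so it is released when the block ends and the later `maker.copy(req)` reads freed memory (assuming `CFRef` releases on destruction, as it does elsewhere in this library). Hoisting the holder out of the branch, i.e. declaring `CFRef<CFDataRef> reqData;` next to `const Requirement *req = NULL;` at the top of the loop body and assigning into it in the branch, keeps the data alive until the copy is made. Separately, `embeddedComponent` and `libraryRequirements` take `dataoff`/`datasize` straight from load commands of an unvalidated binary and pass `macho->offset() + offset` to `readBlob` without checking that the range lies inside the architecture slice or that the addition cannot wrap; if `readBlob` does not enforce that itself, a bounds check against the slice length before the read is worth adding. `MachORep::flush` also leaves `mExecutable` NULL if the final `new Universal` throws, so a subsequent `mExecutable->offset()` in `flush` or `strictValidate` would dereference NULL.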
@@ -0,0 +1,269 @@
+/*
+ * Copyright (c) 2014 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+#include "opaquewhitelist.h"
+#include "csutilities.h"
+#include "StaticCode.h"
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+namespace Security {
+namespace CodeSigning {
+
+using namespace SQLite;
+
+
+static std::string hashString(CFDataRef hash);
+static void attachOpaque(SecStaticCodeRef code, SecAssessmentFeedback feedback);
+
+
+//
+// Open the database
+//
+OpaqueWhitelist::OpaqueWhitelist(const char *path, int flags)
+ : SQLite::Database(path ? path : opaqueDatabase, flags)
+{
+ SQLite::Statement createConditions(*this,
+ "CREATE TABLE IF NOT EXISTS conditions ("
+ " label text,"
+ " weight real not null unique,"
+ " source text,"
+ " identifier text,"
+ " version text,"
+ " conditions text not null);"
+ );
+ createConditions.execute();
+ mOverrideQueue = dispatch_queue_create("com.apple.security.assessment.whitelist-override", DISPATCH_QUEUE_SERIAL);
+}
+
+OpaqueWhitelist::~OpaqueWhitelist()
+{
+ dispatch_release(mOverrideQueue);
+}
+
+
+//
+// Check if a code object is whitelisted
+//
+bool OpaqueWhitelist::contains(SecStaticCodeRef codeRef, SecAssessmentFeedback feedback, OSStatus reason)
+{
+ // make our own copy of the code object, so we can poke at it without disturbing the original
+ SecPointer code = new SecStaticCode(SecStaticCode::requiredStatic(codeRef)->diskRep());
+
+ CFCopyRef current = code->cdHash(); // current cdhash
+ CFDataRef opaque = NULL; // holds computed opaque cdhash
+ bool match = false; // holds final result
+
+ if (!current)
+ return false; // unsigned
+
+ // collect auxiliary information for trace
+ CFRef info;
+ std::string team = "";
+ CFStringRef cfVersion = NULL, cfShortVersion = NULL, cfExecutable = NULL;
+ if (errSecSuccess == SecCodeCopySigningInformation(code->handle(false), kSecCSSigningInformation, &info.aref())) {
+ if (CFStringRef cfTeam = CFStringRef(CFDictionaryGetValue(info, kSecCodeInfoTeamIdentifier)))
+ team = cfString(cfTeam);
+ if (CFDictionaryRef infoPlist = CFDictionaryRef(CFDictionaryGetValue(info, kSecCodeInfoPList))) {
+ if (CFTypeRef version = CFDictionaryGetValue(infoPlist, kCFBundleVersionKey))
+ if (CFGetTypeID(version) == CFStringGetTypeID())
+ cfVersion = CFStringRef(version);
+ if (CFTypeRef shortVersion = CFDictionaryGetValue(infoPlist, _kCFBundleShortVersionStringKey))
+ if (CFGetTypeID(shortVersion) == CFStringGetTypeID())
+ cfShortVersion = CFStringRef(shortVersion);
+ if (CFTypeRef executable = CFDictionaryGetValue(infoPlist, kCFBundleExecutableKey))
+ if (CFGetTypeID(executable) == CFStringGetTypeID())
+ cfExecutable = CFStringRef(executable);
+ }
+ }
+
+ // compute and attach opaque signature
+ attachOpaque(code->handle(false), feedback);
+ opaque = code->cdHash();
+
+ // lookup current cdhash in whitelist
+ SQLite::Statement lookup(*this, "SELECT opaque FROM whitelist WHERE current=:current"
+ " AND opaque != 'disable override'");
+ lookup.bind(":current") = current.get();
+ while (lookup.nextRow()) {
+ CFRef expected = lookup[0].data();
+ if (CFEqual(opaque, expected)) {
+ match = true; // actual opaque cdhash matches expected
+ break;
+ }
+ }
+
+ // prepare strings for use inside block
+ std::string currentHash = hashString(current);
+ std::string opaqueHash = hashString(opaque);
+
+ // send a trace indicating the result
+ MessageTrace trace("com.apple.security.assessment.whitelist2", code->identifier().c_str());
+ trace.add("signature2", "%s", currentHash.c_str());
+ trace.add("signature3", "%s", opaqueHash.c_str());
+ trace.add("result", match ? "pass" : "fail");
+ trace.add("reason", "%d", reason);
+ if (!team.empty())
+ trace.add("teamid", "%s", team.c_str());
+ if (cfVersion)
+ trace.add("version", "%s", cfString(cfVersion).c_str());
+ if (cfShortVersion)
+ trace.add("version2", "%s", cfString(cfShortVersion).c_str());
+ if (cfExecutable)
+ trace.add("execname", "%s", cfString(cfExecutable).c_str());
+ trace.send("");
+
+ return match;
+}
+
+
+//
+// Obtain special validation conditions for a static code, based on database configuration.
+//
+CFDictionaryRef OpaqueWhitelist::validationConditionsFor(SecStaticCodeRef code)
+{
+ // figure out which team key to use
+ std::string team = "UNKNOWN";
+ CFStringRef cfId = NULL;
+ CFStringRef cfVersion = NULL;
+ CFRef info; // holds lifetimes for the above
+ if (errSecSuccess == SecCodeCopySigningInformation(code, kSecCSSigningInformation, &info.aref())) {
+ if (CFStringRef cfTeam = CFStringRef(CFDictionaryGetValue(info, kSecCodeInfoTeamIdentifier)))
+ team = cfString(cfTeam);
+ cfId = CFStringRef(CFDictionaryGetValue(info, kSecCodeInfoIdentifier));
+ if (CFDictionaryRef infoPlist = CFDictionaryRef(CFDictionaryGetValue(info, kSecCodeInfoPList)))
+ if (CFTypeRef version = CFDictionaryGetValue(infoPlist, _kCFBundleShortVersionStringKey))
+ if (CFGetTypeID(version) == CFStringGetTypeID())
+ cfVersion = CFStringRef(version);
+ }
+ if (cfId == NULL) // unsigned; punt
+ return NULL;
+
+ // find the highest weight matching condition. We perform no merging and the heaviest rule wins
+ SQLite::Statement matches(*this,
+ "SELECT conditions FROM conditions"
+ " WHERE (source = :source or source IS NULL)"
+ " AND (identifier = :identifier or identifier is NULL)"
+ " AND ((:version IS NULL AND version IS NULL) OR (version = :version OR version IS NULL))"
+ " ORDER BY weight DESC"
+ " LIMIT 1"
+ );
+ matches.bind(":source") = team;
+ matches.bind(":identifier") = cfString(cfId);
+ if (cfVersion)
+ matches.bind(":version") = cfString(cfVersion);
+ if (matches.nextRow()) {
+ CFTemp conditions((const char*)matches[0]);
+ return conditions.yield();
+ }
+ // no matches
+ return NULL;
+}
+
+
+//
+// Convert a SHA1 hash to a hex string
+//
+static std::string hashString(CFDataRef hash)
+{
+ if (CFDataGetLength(hash) != sizeof(SHA1::Digest)) {
+ return std::string();
+ } else {
+ const UInt8 *bytes = CFDataGetBytePtr(hash);
+ char s[2 * SHA1::digestLength + 1];
+ for (unsigned n = 0; n < SHA1::digestLength; n++)
+ sprintf(&s[2*n], "%2.2x", bytes[n]);
+ return std::string(s);
+ }
+}
+
+
+//
+// Add a code object to the whitelist
+//
+void OpaqueWhitelist::add(SecStaticCodeRef codeRef)
+{
+ // make our own copy of the code object
+ SecPointer code = new SecStaticCode(SecStaticCode::requiredStatic(codeRef)->diskRep());
+
+ CFCopyRef current = code->cdHash();
+ attachOpaque(code->handle(false), NULL); // compute and attach an opaque signature
+ CFDataRef opaque = code->cdHash();
+
+ SQLite::Statement insert(*this, "INSERT OR REPLACE INTO whitelist (current,opaque) VALUES (:current, :opaque)");
+ insert.bind(":current") = current.get();
+ insert.bind(":opaque") = opaque;
+ insert.execute();
+}
+
+
+//
+// Generate and attach an ad-hoc opaque signature
+//
+static void attachOpaque(SecStaticCodeRef code, SecAssessmentFeedback feedback)
+{
+ CFTemp rules("{" // same resource rules as used for collection
+ "rules={"
+ "'^.*' = #T"
+ "'^Info\\.plist$' = {omit=#T,weight=10}"
+ "},rules2={"
+ "'^(Frameworks|SharedFrameworks|Plugins|Plug-ins|XPCServices|Helpers|MacOS)/' = {nested=#T, weight=0}"
+ "'^.*' = #T"
+ "'^Info\\.plist$' = {omit=#T,weight=10}"
+ "'^[^/]+$' = {top=#T, weight=0}"
+ "}"
+ "}");
+
+ CFRef signature = CFDataCreateMutable(NULL, 0);
+ CFTemp arguments("{%O=%O, %O=#N, %O=%O}",
+ kSecCodeSignerDetached, signature.get(),
+ kSecCodeSignerIdentity, /* kCFNull, */
+ kSecCodeSignerResourceRules, rules.get());
+ CFRef signer;
+ SecCSFlags creationFlags = kSecCSSignOpaque | kSecCSSignNoV1 | kSecCSSignBundleRoot;
+ SecCSFlags operationFlags = 0;
+
+ if (feedback)
+ operationFlags |= kSecCSReportProgress;
+ MacOSError::check(SecStaticCodeSetCallback(code, kSecCSDefaultFlags, NULL, ^CFTypeRef(SecStaticCodeRef code, CFStringRef stage, CFDictionaryRef info) {
+ if (CFEqual(stage, CFSTR("progress"))) {
+ bool proceed = feedback(kSecAssessmentFeedbackProgress, info);
+ if (!proceed)
+ SecStaticCodeCancelValidation(code, kSecCSDefaultFlags);
+ }
+ return NULL;
+ }));
+
+ MacOSError::check(SecCodeSignerCreate(arguments, creationFlags, &signer.aref()));
+ MacOSError::check(SecCodeSignerAddSignature(signer, code, operationFlags));
+ MacOSError::check(SecCodeSetDetachedSignature(code, signature, kSecCSDefaultFlags));
+}
+
+
+} // end namespace CodeSigning
+} // end namespace Security
diff --git a/Security/libsecurity_codesigning/lib/opaquewhitelist.h b/OSX/include/security_codesigning/opaquewhitelist.h
similarity index 100%
rename from Security/libsecurity_codesigning/lib/opaquewhitelist.h
rename to OSX/include/security_codesigning/opaquewhitelist.h
diff --git a/Security/libsecurity_codesigning/lib/piddiskrep.cpp b/OSX/include/security_codesigning/piddiskrep.cpp
similarity index 100%
rename from Security/libsecurity_codesigning/lib/piddiskrep.cpp
rename to OSX/include/security_codesigning/piddiskrep.cpp
diff --git a/Security/libsecurity_codesigning/lib/piddiskrep.h b/OSX/include/security_codesigning/piddiskrep.h
similarity index 100%
rename from Security/libsecurity_codesigning/lib/piddiskrep.h
rename to OSX/include/security_codesigning/piddiskrep.h
diff --git a/Security/libsecurity_codesigning/lib/policydb.cpp b/OSX/include/security_codesigning/policydb.cpp
similarity index 100%
rename from Security/libsecurity_codesigning/lib/policydb.cpp
rename to OSX/include/security_codesigning/policydb.cpp
diff --git a/Security/libsecurity_codesigning/lib/policydb.h b/OSX/include/security_codesigning/policydb.h
similarity index 100%
rename from Security/libsecurity_codesigning/lib/policydb.h
rename to OSX/include/security_codesigning/policydb.h
diff --git a/OSX/include/security_codesigning/policyengine.cpp b/OSX/include/security_codesigning/policyengine.cpp
new file mode 100644
index 00000000..f5b9cb29
--- /dev/null
+++ b/OSX/include/security_codesigning/policyengine.cpp
@@ -0,0 +1,1106 @@ +/* + * Copyright (c) 2011-2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ +#include "policyengine.h" +#include "xar++.h" +#include "quarantine++.h" +#include "codesigning_dtrace.h" +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "diskrep.h" +#include "codedirectory.h" +#include "csutilities.h" +#include "StaticCode.h" + +#include +#include "SecCodePriv.h" +#undef check // Macro! Yech. 
+ +extern "C" { +#include +} + + +namespace Security { +namespace CodeSigning { + +static const double NEGATIVE_HOLD = 60.0/86400; // 60 seconds to cache negative outcomes + +static const char RECORDER_DIR[] = "/tmp/gke-"; // recorder mode destination for detached signatures +enum { + recorder_code_untrusted = 0, // signed but untrusted + recorder_code_adhoc = 1, // unsigned; signature recorded + recorder_code_unable = 2, // unsigned; unable to record signature +}; + + +static void authorizeUpdate(SecAssessmentFlags flags, CFDictionaryRef context); +static bool codeInvalidityExceptions(SecStaticCodeRef code, CFMutableDictionaryRef result); +static CFTypeRef installerPolicy() CF_RETURNS_RETAINED; + + +// +// Core structure +// +PolicyEngine::PolicyEngine() + : PolicyDatabase(NULL, SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE) +{ +} + +PolicyEngine::~PolicyEngine() +{ } + + +// +// Top-level evaluation driver +// +void PolicyEngine::evaluate(CFURLRef path, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, CFMutableDictionaryRef result) +{ + // update GKE + installExplicitSet(gkeAuthFile, gkeSigsFile); + + // find the global evaluation manager + EvaluationManager *evaluationManager = EvaluationManager::globalManager(); + + // perform the evaluation + EvaluationTask *evaluationTask = evaluationManager->evaluationTask(this, path, type, flags, context, result); + evaluationManager->waitForCompletion(evaluationTask, flags, result); + evaluationManager->removeTask(evaluationTask); + + // if rejected, reset the automatic rearm timer + if (CFDictionaryGetValue(result, kSecAssessmentAssessmentVerdict) == kCFBooleanFalse) + resetRearmTimer("reject"); +} + + +static std::string createWhitelistScreen(char type, SHA1 &hash) +{ + SHA1::Digest digest; + hash.finish(digest); + char buffer[2*SHA1::digestLength + 2] = { type }; + for (size_t n = 0; n < SHA1::digestLength; n++) + sprintf(buffer + 1 + 2*n, "%02.2x", digest[n]); + return buffer; +} + + +void 
PolicyEngine::evaluateCodeItem(SecStaticCodeRef code, CFURLRef path, AuthorityType type, SecAssessmentFlags flags, bool nested, CFMutableDictionaryRef result) +{ + + SQLite::Statement query(*this, + "SELECT allow, requirement, id, label, expires, flags, disabled, filter_unsigned, remarks FROM scan_authority" + " WHERE type = :type" + " ORDER BY priority DESC;"); + query.bind(":type").integer(type); + + SQLite3::int64 latentID = 0; // first (highest priority) disabled matching ID + std::string latentLabel; // ... and associated label, if any + + while (query.nextRow()) { + bool allow = int(query[0]); + const char *reqString = query[1]; + SQLite3::int64 id = query[2]; + const char *label = query[3]; + double expires = query[4]; + sqlite3_int64 ruleFlags = query[5]; + SQLite3::int64 disabled = query[6]; +// const char *filter = query[7]; +// const char *remarks = query[8]; + + CFRef requirement; + MacOSError::check(SecRequirementCreateWithString(CFTempString(reqString), kSecCSDefaultFlags, &requirement.aref())); + switch (OSStatus rc = SecStaticCodeCheckValidity(code, kSecCSBasicValidateOnly | kSecCSCheckGatekeeperArchitectures, requirement)) { + case errSecSuccess: + break; // rule match; process below + case errSecCSReqFailed: + continue; // rule does not apply + case errSecCSVetoed: + return; // nested code has failed to pass + default: + MacOSError::throwMe(rc); // general error; pass to caller + } + + // if this rule is disabled, skip it but record the first matching one for posterity + if (disabled && latentID == 0) { + latentID = id; + latentLabel = label ? label : ""; + continue; + } + + // current rule is first rule (in priority order) that matched. 
Apply it + if (nested) // success, nothing to record + return; + + CFRef info; // as needed + if (flags & kSecAssessmentFlagRequestOrigin) { + if (!info) + MacOSError::check(SecCodeCopySigningInformation(code, kSecCSSigningInformation, &info.aref())); + if (CFArrayRef chain = CFArrayRef(CFDictionaryGetValue(info, kSecCodeInfoCertificates))) + setOrigin(chain, result); + } + if (!(ruleFlags & kAuthorityFlagInhibitCache) && !(flags & kSecAssessmentFlagNoCache)) { // cache inhibit + if (!info) + MacOSError::check(SecCodeCopySigningInformation(code, kSecCSSigningInformation, &info.aref())); + if (SecTrustRef trust = SecTrustRef(CFDictionaryGetValue(info, kSecCodeInfoTrust))) { + CFRef xinfo; + MacOSError::check(SecTrustCopyExtendedResult(trust, &xinfo.aref())); + if (CFDateRef limit = CFDateRef(CFDictionaryGetValue(xinfo, kSecTrustExpirationDate))) { + this->recordOutcome(code, allow, type, min(expires, dateToJulian(limit)), id); + } + } + } + if (allow) { + if (SYSPOLICY_ASSESS_OUTCOME_ACCEPT_ENABLED()) { + if (!info) + MacOSError::check(SecCodeCopySigningInformation(code, kSecCSSigningInformation, &info.aref())); + CFDataRef cdhash = CFDataRef(CFDictionaryGetValue(info, kSecCodeInfoUnique)); + SYSPOLICY_ASSESS_OUTCOME_ACCEPT(cfString(path).c_str(), type, label, cdhash ? CFDataGetBytePtr(cdhash) : NULL); + } + } else { + if (SYSPOLICY_ASSESS_OUTCOME_DENY_ENABLED() || SYSPOLICY_RECORDER_MODE_ENABLED()) { + if (!info) + MacOSError::check(SecCodeCopySigningInformation(code, kSecCSSigningInformation, &info.aref())); + CFDataRef cdhash = CFDataRef(CFDictionaryGetValue(info, kSecCodeInfoUnique)); + std::string cpath = cfString(path); + const void *hashp = cdhash ? 
CFDataGetBytePtr(cdhash) : NULL; + SYSPOLICY_ASSESS_OUTCOME_DENY(cpath.c_str(), type, label, hashp); + SYSPOLICY_RECORDER_MODE(cpath.c_str(), type, label, hashp, recorder_code_untrusted); + } + } + cfadd(result, "{%O=%B}", kSecAssessmentAssessmentVerdict, allow); + addAuthority(flags, result, label, id); + return; + } + + // no applicable authority (but signed, perhaps temporarily). Deny by default + CFRef info; + MacOSError::check(SecCodeCopySigningInformation(code, kSecCSSigningInformation, &info.aref())); + if (flags & kSecAssessmentFlagRequestOrigin) { + if (CFArrayRef chain = CFArrayRef(CFDictionaryGetValue(info, kSecCodeInfoCertificates))) + setOrigin(chain, result); + } + if (SYSPOLICY_ASSESS_OUTCOME_DEFAULT_ENABLED() || SYSPOLICY_RECORDER_MODE_ENABLED()) { + CFDataRef cdhash = CFDataRef(CFDictionaryGetValue(info, kSecCodeInfoUnique)); + const void *hashp = cdhash ? CFDataGetBytePtr(cdhash) : NULL; + std::string cpath = cfString(path); + SYSPOLICY_ASSESS_OUTCOME_DEFAULT(cpath.c_str(), type, latentLabel.c_str(), hashp); + SYSPOLICY_RECORDER_MODE(cpath.c_str(), type, latentLabel.c_str(), hashp, 0); + } + if (!(flags & kSecAssessmentFlagNoCache)) + this->recordOutcome(code, false, type, this->julianNow() + NEGATIVE_HOLD, latentID); + cfadd(result, "{%O=%B}", kSecAssessmentAssessmentVerdict, false); + addAuthority(flags, result, latentLabel.c_str(), latentID); +} + + +void PolicyEngine::adjustValidation(SecStaticCodeRef code) +{ + CFRef conditions = mOpaqueWhitelist.validationConditionsFor(code); + SecStaticCodeSetValidationConditions(code, conditions); +} + + +bool PolicyEngine::temporarySigning(SecStaticCodeRef code, AuthorityType type, CFURLRef path, SecAssessmentFlags matchFlags) +{ + if (matchFlags == 0) { // playback; consult authority table for matches + DiskRep *rep = SecStaticCode::requiredStatic(code)->diskRep(); + std::string screen; + if (CFRef info = rep->component(cdInfoSlot)) { + SHA1 hash; + hash.update(CFDataGetBytePtr(info), 
CFDataGetLength(info)); + screen = createWhitelistScreen('I', hash); + } else if (rep->mainExecutableImage()) { + screen = "N"; + } else { + SHA1 hash; + hashFileData(rep->mainExecutablePath().c_str(), &hash); + screen = createWhitelistScreen('M', hash); + } + SQLite::Statement query(*this, + "SELECT flags FROM authority " + "WHERE type = :type" + " AND NOT flags & :flag" + " AND CASE WHEN filter_unsigned IS NULL THEN remarks = :remarks ELSE filter_unsigned = :screen END"); + query.bind(":type").integer(type); + query.bind(":flag").integer(kAuthorityFlagDefault); + query.bind(":screen") = screen; + query.bind(":remarks") = cfString(path); + if (!query.nextRow()) // guaranteed no matching rule + return false; + matchFlags = SQLite3::int64(query[0]); + } + + try { + // ad-hoc sign the code and attach the signature + CFRef signature = CFDataCreateMutable(NULL, 0); + CFTemp arguments("{%O=%O, %O=#N}", kSecCodeSignerDetached, signature.get(), kSecCodeSignerIdentity); + CFRef signer; + MacOSError::check(SecCodeSignerCreate(arguments, (matchFlags & kAuthorityFlagWhitelistV2) ? 
kSecCSSignOpaque : kSecCSSignV1, &signer.aref())); + MacOSError::check(SecCodeSignerAddSignature(signer, code, kSecCSDefaultFlags)); + MacOSError::check(SecCodeSetDetachedSignature(code, signature, kSecCSDefaultFlags)); + + SecRequirementRef dr = NULL; + SecCodeCopyDesignatedRequirement(code, kSecCSDefaultFlags, &dr); + CFStringRef drs = NULL; + SecRequirementCopyString(dr, kSecCSDefaultFlags, &drs); + + // if we're in GKE recording mode, save that signature and report its location + if (SYSPOLICY_RECORDER_MODE_ENABLED()) { + int status = recorder_code_unable; // ephemeral signature (not recorded) + if (geteuid() == 0) { + CFRef uuid = CFUUIDCreate(NULL); + std::string sigfile = RECORDER_DIR + cfStringRelease(CFUUIDCreateString(NULL, uuid)) + ".tsig"; + try { + UnixPlusPlus::AutoFileDesc fd(sigfile, O_WRONLY | O_CREAT); + fd.write(CFDataGetBytePtr(signature), CFDataGetLength(signature)); + status = recorder_code_adhoc; // recorded signature + SYSPOLICY_RECORDER_MODE_ADHOC_PATH(cfString(path).c_str(), type, sigfile.c_str()); + } catch (...) { } + } + + // now report the D probe itself + CFRef info; + MacOSError::check(SecCodeCopySigningInformation(code, kSecCSDefaultFlags, &info.aref())); + CFDataRef cdhash = CFDataRef(CFDictionaryGetValue(info, kSecCodeInfoUnique)); + SYSPOLICY_RECORDER_MODE(cfString(path).c_str(), type, "", + cdhash ? CFDataGetBytePtr(cdhash) : NULL, status); + } + + return true; // it worked; we're now (well) signed + } catch (...) { } + + return false; +} + + +// +// Executable code. +// Read from disk, evaluate properly, cache as indicated. +// +void PolicyEngine::evaluateCode(CFURLRef path, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, CFMutableDictionaryRef result, bool handleUnsigned) +{ + // not really a Gatekeeper function... 
but reject all "hard quarantined" files because they were made from sandboxed sources without download privilege + FileQuarantine qtn(cfString(path).c_str()); + if (qtn.flag(QTN_FLAG_HARD)) + MacOSError::throwMe(errSecCSFileHardQuarantined); + + CFCopyRef code; + MacOSError::check(SecStaticCodeCreateWithPath(path, kSecCSDefaultFlags, &code.aref())); + + SecCSFlags validationFlags = kSecCSEnforceRevocationChecks | kSecCSCheckAllArchitectures; + if (!(flags & kSecAssessmentFlagAllowWeak)) + validationFlags |= kSecCSStrictValidate; + adjustValidation(code); + + // deal with a very special case (broken 10.6/10.7 Applet bundles) + OSStatus rc = SecStaticCodeCheckValidity(code, validationFlags | kSecCSBasicValidateOnly, NULL); + if (rc == errSecCSSignatureFailed) { + if (!codeInvalidityExceptions(code, result)) { // invalidly signed, no exceptions -> error + if (SYSPOLICY_ASSESS_OUTCOME_BROKEN_ENABLED()) + SYSPOLICY_ASSESS_OUTCOME_BROKEN(cfString(path).c_str(), type, false); + MacOSError::throwMe(rc); + } + // recognized exception - treat as unsigned + if (SYSPOLICY_ASSESS_OUTCOME_BROKEN_ENABLED()) + SYSPOLICY_ASSESS_OUTCOME_BROKEN(cfString(path).c_str(), type, true); + rc = errSecCSUnsigned; + } + + // ad-hoc sign unsigned code + if (rc == errSecCSUnsigned && handleUnsigned && (!overrideAssessment(flags) || SYSPOLICY_RECORDER_MODE_ENABLED())) { + if (temporarySigning(code, type, path, 0)) { + rc = errSecSuccess; // clear unsigned; we are now well-signed + validationFlags |= kSecCSBasicValidateOnly; // no need to re-validate deep contents + } + } + + // prepare for deep traversal of (hopefully) good signatures + SecAssessmentFeedback feedback = SecAssessmentFeedback(CFDictionaryGetValue(context, kSecAssessmentContextKeyFeedback)); + MacOSError::check(SecStaticCodeSetCallback(code, kSecCSDefaultFlags, NULL, ^CFTypeRef (SecStaticCodeRef item, CFStringRef cfStage, CFDictionaryRef info) { + string stage = cfString(cfStage); + if (stage == "prepared") { + if (!CFEqual(item, 
code)) // genuine nested (not top) code + adjustValidation(item); + } else if (stage == "progress") { + if (feedback && CFEqual(item, code)) { // top level progress + bool proceed = feedback(kSecAssessmentFeedbackProgress, info); + if (!proceed) + SecStaticCodeCancelValidation(code, kSecCSDefaultFlags); + } + } else if (stage == "validated") { + SecStaticCodeSetCallback(item, kSecCSDefaultFlags, NULL, NULL); // clear callback to avoid unwanted recursion + evaluateCodeItem(item, path, type, flags, item != code, result); + if (CFTypeRef verdict = CFDictionaryGetValue(result, kSecAssessmentAssessmentVerdict)) + if (CFEqual(verdict, kCFBooleanFalse)) + return makeCFNumber(OSStatus(errSecCSVetoed)); // (signal nested-code policy failure, picked up below) + } + return NULL; + })); + + // go for it! + switch (rc = SecStaticCodeCheckValidity(code, validationFlags | kSecCSCheckNestedCode | kSecCSRestrictSymlinks | kSecCSReportProgress, NULL)) { + case errSecSuccess: // continue below + break; + case errSecCSUnsigned: + cfadd(result, "{%O=#F}", kSecAssessmentAssessmentVerdict); + addAuthority(flags, result, "no usable signature"); + return; + case errSecCSVetoed: // nested code rejected by rule book; result was filled out there + return; + case errSecCSWeakResourceRules: + case errSecCSWeakResourceEnvelope: + case errSecCSResourceNotSupported: + case errSecCSAmbiguousBundleFormat: + case errSecCSSignatureNotVerifiable: + case errSecCSRegularFile: + case errSecCSBadMainExecutable: + case errSecCSBadFrameworkVersion: + case errSecCSUnsealedAppRoot: + case errSecCSUnsealedFrameworkRoot: + case errSecCSInvalidSymlink: + { + // consult the whitelist + bool allow = false; + const char *label; + // we've bypassed evaluateCodeItem before we failed validation. 
Explicitly apply it now + SecStaticCodeSetCallback(code, kSecCSDefaultFlags, NULL, NULL); + evaluateCodeItem(code, path, type, flags | kSecAssessmentFlagNoCache, false, result); + if (CFTypeRef verdict = CFDictionaryGetValue(result, kSecAssessmentAssessmentVerdict)) { + // verdict rendered from a nested component - signature not acceptable to Gatekeeper + if (CFEqual(verdict, kCFBooleanFalse)) // nested code rejected by rule book; result was filled out there + return; + if (CFEqual(verdict, kCFBooleanTrue) && !(flags & kSecAssessmentFlagIgnoreWhitelist)) + if (mOpaqueWhitelist.contains(code, feedback, rc)) + allow = true; + } + if (allow) { + label = "allowed cdhash"; + } else { + CFDictionaryReplaceValue(result, kSecAssessmentAssessmentVerdict, kCFBooleanFalse); + label = "obsolete resource envelope"; + } + cfadd(result, "{%O=%d}", kSecAssessmentAssessmentCodeSigningError, rc); + addAuthority(flags, result, label, 0, NULL, true); + return; + } + default: + MacOSError::throwMe(rc); + } +} + + +// +// Installer archive. +// Hybrid policy: If we detect an installer signature, use and validate that. +// If we don't, check for a code signature instead. 
+// +void PolicyEngine::evaluateInstall(CFURLRef path, SecAssessmentFlags flags, CFDictionaryRef context, CFMutableDictionaryRef result) +{ + const AuthorityType type = kAuthorityInstall; + + // check for recent explicit approval, using a bookmark's FileResourceIdentifierKey + if (CFRef bookmark = cfLoadFile(lastApprovedFile)) { + Boolean stale; + if (CFRef url = CFURLCreateByResolvingBookmarkData(NULL, bookmark, + kCFBookmarkResolutionWithoutUIMask | kCFBookmarkResolutionWithoutMountingMask, NULL, NULL, &stale, NULL)) + if (CFRef savedIdent = CFDataRef(CFURLCreateResourcePropertyForKeyFromBookmarkData(NULL, kCFURLFileResourceIdentifierKey, bookmark))) + if (CFRef savedMod = CFDateRef(CFURLCreateResourcePropertyForKeyFromBookmarkData(NULL, kCFURLContentModificationDateKey, bookmark))) { + CFRef currentIdent; + CFRef currentMod; + if (CFURLCopyResourcePropertyForKey(path, kCFURLFileResourceIdentifierKey, ¤tIdent.aref(), NULL)) + if (CFURLCopyResourcePropertyForKey(path, kCFURLContentModificationDateKey, ¤tMod.aref(), NULL)) + if (CFEqual(savedIdent, currentIdent) && CFEqual(savedMod, currentMod)) { + cfadd(result, "{%O=#T}", kSecAssessmentAssessmentVerdict); + addAuthority(flags, result, "explicit preference"); + return; + } + } + } + + Xar xar(cfString(path).c_str()); + if (!xar) { + // follow the code signing path + evaluateCode(path, type, flags, context, result, true); + return; + } + + SQLite3::int64 latentID = 0; // first (highest priority) disabled matching ID + std::string latentLabel; // ... 
and associated label, if any + if (!xar.isSigned()) { + // unsigned xar + if (SYSPOLICY_ASSESS_OUTCOME_UNSIGNED_ENABLED()) + SYSPOLICY_ASSESS_OUTCOME_UNSIGNED(cfString(path).c_str(), type); + cfadd(result, "{%O=#F}", kSecAssessmentAssessmentVerdict); + addAuthority(flags, result, "no usable signature"); + return; + } + if (CFRef certs = xar.copyCertChain()) { + CFRef policy = installerPolicy(); + CFRef trust; + MacOSError::check(SecTrustCreateWithCertificates(certs, policy, &trust.aref())); +// MacOSError::check(SecTrustSetAnchorCertificates(trust, cfEmptyArray())); // no anchors + MacOSError::check(SecTrustSetOptions(trust, kSecTrustOptionAllowExpired | kSecTrustOptionImplicitAnchors)); + + SecTrustResultType trustResult; + MacOSError::check(SecTrustEvaluate(trust, &trustResult)); + CFRef chain; + CSSM_TP_APPLE_EVIDENCE_INFO *info; + MacOSError::check(SecTrustGetResult(trust, &trustResult, &chain.aref(), &info)); + + if (flags & kSecAssessmentFlagRequestOrigin) + setOrigin(chain, result); + + switch (trustResult) { + case kSecTrustResultProceed: + case kSecTrustResultUnspecified: + break; + default: + { + OSStatus rc; + MacOSError::check(SecTrustGetCssmResultCode(trust, &rc)); + MacOSError::throwMe(rc); + } + } + + SQLite::Statement query(*this, + "SELECT allow, requirement, id, label, flags, disabled FROM scan_authority" + " WHERE type = :type" + " ORDER BY priority DESC;"); + query.bind(":type").integer(type); + while (query.nextRow()) { + bool allow = int(query[0]); + const char *reqString = query[1]; + SQLite3::int64 id = query[2]; + const char *label = query[3]; + //sqlite_uint64 ruleFlags = query[4]; + SQLite3::int64 disabled = query[5]; + + CFRef requirement; + MacOSError::check(SecRequirementCreateWithString(CFTempString(reqString), kSecCSDefaultFlags, &requirement.aref())); + switch (OSStatus rc = SecRequirementEvaluate(requirement, chain, NULL, kSecCSDefaultFlags)) { + case errSecSuccess: // success + break; + case errSecCSReqFailed: // requirement 
missed, but otherwise okay + continue; + default: // broken in some way; all tests will fail like this so bail out + MacOSError::throwMe(rc); + } + if (disabled) { + if (latentID == 0) { + latentID = id; + if (label) + latentLabel = label; + } + continue; // the loop + } + + if (SYSPOLICY_ASSESS_OUTCOME_ACCEPT_ENABLED() || SYSPOLICY_ASSESS_OUTCOME_DENY_ENABLED()) { + if (allow) + SYSPOLICY_ASSESS_OUTCOME_ACCEPT(cfString(path).c_str(), type, label, NULL); + else + SYSPOLICY_ASSESS_OUTCOME_DENY(cfString(path).c_str(), type, label, NULL); + } + + // not adding to the object cache - we could, but it's not likely to be worth it + cfadd(result, "{%O=%B}", kSecAssessmentAssessmentVerdict, allow); + addAuthority(flags, result, label, id); + return; + } + } + if (SYSPOLICY_ASSESS_OUTCOME_DEFAULT_ENABLED()) + SYSPOLICY_ASSESS_OUTCOME_DEFAULT(cfString(path).c_str(), type, latentLabel.c_str(), NULL); + + // no applicable authority. Deny by default + cfadd(result, "{%O=#F}", kSecAssessmentAssessmentVerdict); + addAuthority(flags, result, latentLabel.c_str(), latentID); +} + + +// +// Create a suitable policy array for verification of installer signatures. 
+//
+static SecPolicyRef makeCRLPolicy()
+{
+ CFRef policy;
+ MacOSError::check(SecPolicyCopy(CSSM_CERT_X_509v3, &CSSMOID_APPLE_TP_REVOCATION_CRL, &policy.aref()));
+ CSSM_APPLE_TP_CRL_OPTIONS options;
+ memset(&options, 0, sizeof(options));
+ options.Version = CSSM_APPLE_TP_CRL_OPTS_VERSION;
+ options.CrlFlags = CSSM_TP_ACTION_FETCH_CRL_FROM_NET | CSSM_TP_ACTION_CRL_SUFFICIENT;
+ CSSM_DATA optData = { sizeof(options), (uint8 *)&options };
+ MacOSError::check(SecPolicySetValue(policy, &optData));
+ return policy.yield();
+}
+
+static SecPolicyRef makeOCSPPolicy()
+{
+ CFRef policy;
+ MacOSError::check(SecPolicyCopy(CSSM_CERT_X_509v3, &CSSMOID_APPLE_TP_REVOCATION_OCSP, &policy.aref()));
+ CSSM_APPLE_TP_OCSP_OPTIONS options;
+ memset(&options, 0, sizeof(options));
+ options.Version = CSSM_APPLE_TP_OCSP_OPTS_VERSION;
+ options.Flags = CSSM_TP_ACTION_OCSP_SUFFICIENT;
+ CSSM_DATA optData = { sizeof(options), (uint8 *)&options };
+ MacOSError::check(SecPolicySetValue(policy, &optData));
+ return policy.yield();
+}
+
+static CFTypeRef installerPolicy()
+{
+ CFRef base = SecPolicyCreateBasicX509();
+ CFRef crl = makeCRLPolicy();
+ CFRef ocsp = makeOCSPPolicy();
+ return makeCFArray(3, base.get(), crl.get(), ocsp.get());
+}
+
+
+//
+// LaunchServices-layer document open.
+// We don't cache those at present. If we ever do, we need to authenticate CoreServicesUIAgent as the source of its risk assessment.
+//
+void PolicyEngine::evaluateDocOpen(CFURLRef path, SecAssessmentFlags flags, CFDictionaryRef context, CFMutableDictionaryRef result)
+{
+ if (context) {
+ if (CFStringRef riskCategory = CFStringRef(CFDictionaryGetValue(context, kLSDownloadRiskCategoryKey))) {
+ FileQuarantine qtn(cfString(path).c_str());
+
+ if (CFEqual(riskCategory, kLSRiskCategorySafe)
+ || CFEqual(riskCategory, kLSRiskCategoryNeutral)
+ || CFEqual(riskCategory, kLSRiskCategoryUnknown)
+ || CFEqual(riskCategory, kLSRiskCategoryMayContainUnsafeExecutable)) {
+ cfadd(result, "{%O=#T}", kSecAssessmentAssessmentVerdict);
+ addAuthority(flags, result, "_XProtect");
+ } else if (qtn.flag(QTN_FLAG_HARD)) {
+ MacOSError::throwMe(errSecCSFileHardQuarantined);
+ } else if (qtn.flag(QTN_FLAG_ASSESSMENT_OK)) {
+ cfadd(result, "{%O=#T}", kSecAssessmentAssessmentVerdict);
+ addAuthority(flags, result, "Prior Assessment");
+ } else if (!overrideAssessment(flags)) { // no need to do more work if we're off
+ try {
+ evaluateCode(path, kAuthorityExecute, flags, context, result, false);
+ } catch (...)
{
+ // some documents can't be code signed, so this may be quite benign
+ }
+ }
+ if (CFDictionaryGetValue(result, kSecAssessmentAssessmentVerdict) == NULL) { // no code signature to help us out
+ cfadd(result, "{%O=#F}", kSecAssessmentAssessmentVerdict);
+ addAuthority(flags, result, "_XProtect");
+ }
+ addToAuthority(result, kLSDownloadRiskCategoryKey, riskCategory);
+ return;
+ }
+ }
+ // insufficient information from LS - deny by default
+ cfadd(result, "{%O=#F}", kSecAssessmentAssessmentVerdict);
+ addAuthority(flags, result, "Insufficient Context");
+}
+
+
+//
+// Result-creation helpers
+//
+void PolicyEngine::addAuthority(SecAssessmentFlags flags, CFMutableDictionaryRef parent, const char *label, SQLite::int64 row, CFTypeRef cacheInfo, bool weak)
+{
+ CFRef auth = makeCFMutableDictionary();
+ if (label && label[0])
+ cfadd(auth, "{%O=%s}", kSecAssessmentAssessmentSource, label);
+ if (row)
+ CFDictionaryAddValue(auth, kSecAssessmentAssessmentAuthorityRow, CFTempNumber(row));
+ if (overrideAssessment(flags))
+ CFDictionaryAddValue(auth, kSecAssessmentAssessmentAuthorityOverride, kDisabledOverride);
+ if (cacheInfo)
+ CFDictionaryAddValue(auth, kSecAssessmentAssessmentFromCache, cacheInfo);
+ if (weak) {
+ CFDictionaryAddValue(auth, kSecAssessmentAssessmentWeakSignature, kCFBooleanTrue);
+ CFDictionaryReplaceValue(parent, kSecAssessmentAssessmentAuthority, auth);
+ } else {
+ CFDictionaryAddValue(parent, kSecAssessmentAssessmentAuthority, auth);
+ }
+}
+
+void PolicyEngine::addToAuthority(CFMutableDictionaryRef parent, CFStringRef key, CFTypeRef value)
+{
+ CFMutableDictionaryRef authority = CFMutableDictionaryRef(CFDictionaryGetValue(parent, kSecAssessmentAssessmentAuthority));
+ assert(authority);
+ CFDictionaryAddValue(authority, key, value);
+}
+
+
+//
+// Add a rule to the policy database
+//
+CFDictionaryRef PolicyEngine::add(CFTypeRef inTarget, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context)
+{
+ // default type to execution
+ if
(type == kAuthorityInvalid) + type = kAuthorityExecute; + + authorizeUpdate(flags, context); + CFDictionary ctx(context, errSecCSInvalidAttributeValues); + CFCopyRef target = inTarget; + CFRef bookmark = NULL; + std::string filter_unsigned; + + switch (type) { + case kAuthorityExecute: + normalizeTarget(target, type, ctx, &filter_unsigned); + // bookmarks are untrusted and just a hint to callers + bookmark = ctx.get(kSecAssessmentRuleKeyBookmark); + break; + case kAuthorityInstall: + if (inTarget && CFGetTypeID(inTarget) == CFURLGetTypeID()) { + // no good way to turn an installer file into a requirement. Pretend to succeeed so caller proceeds + CFRef properties = makeCFArray(2, kCFURLFileResourceIdentifierKey, kCFURLContentModificationDateKey); + CFRef error; + CFURLBookmarkCreationOptions options = kCFURLBookmarkCreationDoNotIncludeSandboxExtensionsMask | kCFURLBookmarkCreationMinimalBookmarkMask; + if (CFRef bookmark = CFURLCreateBookmarkData(NULL, CFURLRef(inTarget), options, properties, NULL, &error.aref())) { + UnixPlusPlus::AutoFileDesc fd(lastApprovedFile, O_WRONLY | O_CREAT | O_TRUNC); + fd.write(CFDataGetBytePtr(bookmark), CFDataGetLength(bookmark)); + return NULL; + } + } + break; + case kAuthorityOpenDoc: + // handle document-open differently: use quarantine flags for whitelisting + if (!target || CFGetTypeID(target) != CFURLGetTypeID()) // can only "add" file paths + MacOSError::throwMe(errSecCSInvalidObjectRef); + try { + std::string spath = cfString(target.as()); + FileQuarantine qtn(spath.c_str()); + qtn.setFlag(QTN_FLAG_ASSESSMENT_OK); + qtn.applyTo(spath.c_str()); + } catch (const CommonError &error) { + // could not set quarantine flag - report qualified success + return cfmake("{%O=%O,'assessment:error'=%d}", + kSecAssessmentAssessmentAuthorityOverride, CFSTR("error setting quarantine"), error.osStatus()); + } catch (...) 
{ + return cfmake("{%O=%O}", kSecAssessmentAssessmentAuthorityOverride, CFSTR("unable to set quarantine")); + } + return NULL; + } + + // if we now have anything else, we're busted + if (!target || CFGetTypeID(target) != SecRequirementGetTypeID()) + MacOSError::throwMe(errSecCSInvalidObjectRef); + + double priority = 0; + string label; + bool allow = true; + double expires = never; + string remarks; + SQLite::uint64 dbFlags = kAuthorityFlagWhitelistV2; + + if (CFNumberRef pri = ctx.get(kSecAssessmentUpdateKeyPriority)) + CFNumberGetValue(pri, kCFNumberDoubleType, &priority); + if (CFStringRef lab = ctx.get(kSecAssessmentUpdateKeyLabel)) + label = cfString(lab); + if (CFDateRef time = ctx.get(kSecAssessmentUpdateKeyExpires)) + // we're using Julian dates here; convert from CFDate + expires = dateToJulian(time); + if (CFBooleanRef allowing = ctx.get(kSecAssessmentUpdateKeyAllow)) + allow = allowing == kCFBooleanTrue; + if (CFStringRef rem = ctx.get(kSecAssessmentUpdateKeyRemarks)) + remarks = cfString(rem); + + CFRef requirementText; + MacOSError::check(SecRequirementCopyString(target.as(), kSecCSDefaultFlags, &requirementText.aref())); + SQLite::Transaction xact(*this, SQLite3::Transaction::deferred, "add_rule"); + SQLite::Statement insert(*this, + "INSERT INTO authority (type, allow, requirement, priority, label, expires, filter_unsigned, remarks, flags)" + " VALUES (:type, :allow, :requirement, :priority, :label, :expires, :filter_unsigned, :remarks, :flags);"); + insert.bind(":type").integer(type); + insert.bind(":allow").integer(allow); + insert.bind(":requirement") = requirementText.get(); + insert.bind(":priority") = priority; + if (!label.empty()) + insert.bind(":label") = label; + insert.bind(":expires") = expires; + insert.bind(":filter_unsigned") = filter_unsigned.empty() ? 
NULL : filter_unsigned.c_str(); + if (!remarks.empty()) + insert.bind(":remarks") = remarks; + insert.bind(":flags").integer(dbFlags); + insert.execute(); + SQLite::int64 newRow = this->lastInsert(); + if (bookmark) { + SQLite::Statement bi(*this, "INSERT INTO bookmarkhints (bookmark, authority) VALUES (:bookmark, :authority)"); + bi.bind(":bookmark") = CFDataRef(bookmark); + bi.bind(":authority").integer(newRow); + bi.execute(); + } + this->purgeObjects(priority); + xact.commit(); + notify_post(kNotifySecAssessmentUpdate); + return cfmake("{%O=%d}", kSecAssessmentUpdateKeyRow, newRow); +} + + +CFDictionaryRef PolicyEngine::remove(CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context) +{ + if (type == kAuthorityOpenDoc) { + // handle document-open differently: use quarantine flags for whitelisting + authorizeUpdate(flags, context); + if (!target || CFGetTypeID(target) != CFURLGetTypeID()) + MacOSError::throwMe(errSecCSInvalidObjectRef); + std::string spath = cfString(CFURLRef(target)).c_str(); + FileQuarantine qtn(spath.c_str()); + qtn.clearFlag(QTN_FLAG_ASSESSMENT_OK); + qtn.applyTo(spath.c_str()); + return NULL; + } + return manipulateRules("DELETE FROM authority", target, type, flags, context, true); +} + +CFDictionaryRef PolicyEngine::enable(CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, bool authorize) +{ + return manipulateRules("UPDATE authority SET disabled = 0", target, type, flags, context, authorize); +} + +CFDictionaryRef PolicyEngine::disable(CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, bool authorize) +{ + return manipulateRules("UPDATE authority SET disabled = 1", target, type, flags, context, authorize); +} + +CFDictionaryRef PolicyEngine::find(CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context) +{ + SQLite::Statement query(*this); + selectRules(query, "SELECT scan_authority.id, 
scan_authority.type, scan_authority.requirement, scan_authority.allow, scan_authority.label, scan_authority.priority, scan_authority.remarks, scan_authority.expires, scan_authority.disabled, bookmarkhints.bookmark FROM scan_authority LEFT OUTER JOIN bookmarkhints ON scan_authority.id = bookmarkhints.authority", + "scan_authority", target, type, flags, context, + " ORDER BY priority DESC"); + CFRef found = makeCFMutableArray(0); + while (query.nextRow()) { + SQLite::int64 id = query[0]; + int type = int(query[1]); + const char *requirement = query[2]; + int allow = int(query[3]); + const char *label = query[4]; + double priority = query[5]; + const char *remarks = query[6]; + double expires = query[7]; + int disabled = int(query[8]); + CFRef bookmark = query[9].data(); + CFRef rule = makeCFMutableDictionary(5, + kSecAssessmentRuleKeyID, CFTempNumber(id).get(), + kSecAssessmentRuleKeyType, CFRef(typeNameFor(type)).get(), + kSecAssessmentRuleKeyRequirement, CFTempString(requirement).get(), + kSecAssessmentRuleKeyAllow, allow ? 
kCFBooleanTrue : kCFBooleanFalse, + kSecAssessmentRuleKeyPriority, CFTempNumber(priority).get() + ); + if (label) + CFDictionaryAddValue(rule, kSecAssessmentRuleKeyLabel, CFTempString(label)); + if (remarks) + CFDictionaryAddValue(rule, kSecAssessmentRuleKeyRemarks, CFTempString(remarks)); + if (expires != never) + CFDictionaryAddValue(rule, kSecAssessmentRuleKeyExpires, CFRef(julianToDate(expires))); + if (disabled) + CFDictionaryAddValue(rule, kSecAssessmentRuleKeyDisabled, CFTempNumber(disabled)); + if (bookmark) + CFDictionaryAddValue(rule, kSecAssessmentRuleKeyBookmark, bookmark); + CFArrayAppendValue(found, rule); + } + if (CFArrayGetCount(found) == 0) + MacOSError::throwMe(errSecCSNoMatches); + return cfmake("{%O=%O}", kSecAssessmentUpdateKeyFound, found.get()); +} + + +CFDictionaryRef PolicyEngine::update(CFTypeRef target, SecAssessmentFlags flags, CFDictionaryRef context) +{ + // update GKE + installExplicitSet(gkeAuthFile, gkeSigsFile); + + AuthorityType type = typeFor(context, kAuthorityInvalid); + CFStringRef edit = CFStringRef(CFDictionaryGetValue(context, kSecAssessmentContextKeyUpdate)); + CFDictionaryRef result; + if (CFEqual(edit, kSecAssessmentUpdateOperationAdd)) + result = this->add(target, type, flags, context); + else if (CFEqual(edit, kSecAssessmentUpdateOperationRemove)) + result = this->remove(target, type, flags, context); + else if (CFEqual(edit, kSecAssessmentUpdateOperationEnable)) + result = this->enable(target, type, flags, context, true); + else if (CFEqual(edit, kSecAssessmentUpdateOperationDisable)) + result = this->disable(target, type, flags, context, true); + else if (CFEqual(edit, kSecAssessmentUpdateOperationFind)) + result = this->find(target, type, flags, context); + else + MacOSError::throwMe(errSecCSInvalidAttributeValues); + if (result == NULL) + result = makeCFDictionary(0); // success, no details + return result; +} + + +// +// Construct and prepare an SQL query on the authority table, operating on some set of existing 
authority records. +// In essence, this appends a suitable WHERE clause to the stanza passed and prepares it on the statement given. +// +void PolicyEngine::selectRules(SQLite::Statement &action, std::string phrase, std::string table, + CFTypeRef inTarget, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, std::string suffix /* = "" */) +{ + CFDictionary ctx(context, errSecCSInvalidAttributeValues); + CFCopyRef target = inTarget; + std::string filter_unsigned; // ignored; used just to trigger ad-hoc signing + normalizeTarget(target, type, ctx, &filter_unsigned); + + string label; + if (CFStringRef lab = ctx.get(kSecAssessmentUpdateKeyLabel)) + label = cfString(CFStringRef(lab)); + + if (!target) { + if (label.empty()) { + if (type == kAuthorityInvalid) { + action.query(phrase + suffix); + } else { + action.query(phrase + " WHERE " + table + ".type = :type" + suffix); + action.bind(":type").integer(type); + } + } else { // have label + if (type == kAuthorityInvalid) { + action.query(phrase + " WHERE " + table + ".label = :label" + suffix); + } else { + action.query(phrase + " WHERE " + table + ".type = :type AND " + table + ".label = :label" + suffix); + action.bind(":type").integer(type); + } + action.bind(":label") = label; + } + } else if (CFGetTypeID(target) == CFNumberGetTypeID()) { + action.query(phrase + " WHERE " + table + ".id = :id" + suffix); + action.bind(":id").integer(cfNumber(target.as())); + } else if (CFGetTypeID(target) == SecRequirementGetTypeID()) { + if (type == kAuthorityInvalid) + type = kAuthorityExecute; + CFRef requirementText; + MacOSError::check(SecRequirementCopyString(target.as(), kSecCSDefaultFlags, &requirementText.aref())); + action.query(phrase + " WHERE " + table + ".type = :type AND " + table + ".requirement = :requirement" + suffix); + action.bind(":type").integer(type); + action.bind(":requirement") = requirementText.get(); + } else + MacOSError::throwMe(errSecCSInvalidObjectRef); +} + + +// +// Execute an 
atomic change to existing records in the authority table.
+//
+CFDictionaryRef PolicyEngine::manipulateRules(const std::string &stanza,
+ CFTypeRef inTarget, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, bool authorize)
+{
+ SQLite::Transaction xact(*this, SQLite3::Transaction::deferred, "rule_change");
+ SQLite::Statement action(*this);
+ if (authorize)
+ authorizeUpdate(flags, context);
+ selectRules(action, stanza, "authority", inTarget, type, flags, context);
+ action.execute();
+ unsigned int changes = this->changes(); // latch change count
+ // We MUST purge objects with priority <= MAX(priority of any changed rules);
+ // but for now we just get lazy and purge them ALL.
+ if (changes) {
+ this->purgeObjects(1.0E100);
+ xact.commit();
+ notify_post(kNotifySecAssessmentUpdate);
+ return cfmake("{%O=%d}", kSecAssessmentUpdateKeyCount, changes);
+ }
+ // no change; return an error
+ MacOSError::throwMe(errSecCSNoMatches);
+}
+
+
+//
+// Fill in extra information about the originator of cryptographic credentials found - if any
+//
+void PolicyEngine::setOrigin(CFArrayRef chain, CFMutableDictionaryRef result)
+{
+ if (chain)
+ if (CFArrayGetCount(chain) > 0)
+ if (SecCertificateRef leaf = SecCertificateRef(CFArrayGetValueAtIndex(chain, 0)))
+ if (CFStringRef summary = SecCertificateCopyLongDescription(NULL, leaf, NULL)) {
+ CFDictionarySetValue(result, kSecAssessmentAssessmentOriginator, summary);
+ CFRelease(summary);
+ }
+}
+
+
+//
+// Take an assessment outcome and record it in the object cache
+//
+void PolicyEngine::recordOutcome(SecStaticCodeRef code, bool allow, AuthorityType type, double expires, SQLite::int64 authority)
+{
+ CFRef info;
+ MacOSError::check(SecCodeCopySigningInformation(code, kSecCSDefaultFlags, &info.aref()));
+ CFDataRef cdHash = CFDataRef(CFDictionaryGetValue(info, kSecCodeInfoUnique));
+ assert(cdHash); // was signed
+ CFRef path;
+ MacOSError::check(SecCodeCopyPath(code, kSecCSDefaultFlags, &path.aref()));
+
assert(expires);
+ SQLite::Transaction xact(*this, SQLite3::Transaction::deferred, "caching");
+ SQLite::Statement insert(*this,
+ "INSERT OR REPLACE INTO object (type, allow, hash, expires, path, authority)"
+ " VALUES (:type, :allow, :hash, :expires, :path,"
+ " CASE :authority WHEN 0 THEN (SELECT id FROM authority WHERE label = 'No Matching Rule') ELSE :authority END"
+ " );");
+ insert.bind(":type").integer(type);
+ insert.bind(":allow").integer(allow);
+ insert.bind(":hash") = cdHash;
+ insert.bind(":expires") = expires;
+ insert.bind(":path") = cfString(path);
+ insert.bind(":authority").integer(authority);
+ insert.execute();
+ xact.commit();
+}
+
+
+//
+// Record a UI failure record after proper validation of the caller
+//
+void PolicyEngine::recordFailure(CFDictionaryRef info)
+{
+ CFRef infoData = makeCFData(info);
+ UnixPlusPlus::AutoFileDesc fd(lastRejectFile, O_WRONLY | O_CREAT | O_TRUNC);
+ fd.write(CFDataGetBytePtr(infoData), CFDataGetLength(infoData));
+ notify_post(kNotifySecAssessmentRecordingChange);
+}
+
+
+//
+// Perform update authorization processing.
+// Throws an exception if authorization is denied.
+//
+static void authorizeUpdate(SecAssessmentFlags flags, CFDictionaryRef context)
+{
+ AuthorizationRef authorization = NULL;
+
+ if (context)
+ if (CFTypeRef authkey = CFDictionaryGetValue(context, kSecAssessmentUpdateKeyAuthorization))
+ if (CFGetTypeID(authkey) == CFDataGetTypeID()) {
+ CFDataRef authdata = CFDataRef(authkey);
+ if (CFDataGetLength(authdata) != sizeof(AuthorizationExternalForm))
+ MacOSError::throwMe(errSecCSInvalidObjectRef);
+ MacOSError::check(AuthorizationCreateFromExternalForm((AuthorizationExternalForm *)CFDataGetBytePtr(authdata), &authorization));
+ }
+ if (authorization == NULL)
+ MacOSError::throwMe(errSecCSDBDenied);
+
+ AuthorizationItem right[] = {
+ { "com.apple.security.assessment.update", 0, NULL, 0 }
+ };
+ AuthorizationRights rights = { sizeof(right) / sizeof(right[0]), right };
+ MacOSError::check(AuthorizationCopyRights(authorization, &rights, NULL,
+ kAuthorizationFlagExtendRights | kAuthorizationFlagInteractionAllowed, NULL));
+
+ MacOSError::check(AuthorizationFree(authorization, kAuthorizationFlagDefaults));
+}
+
+
+//
+// Perform common argument normalizations for update operations
+//
+void PolicyEngine::normalizeTarget(CFRef &target, AuthorityType type, CFDictionary &context, std::string *signUnsigned)
+{
+ // turn CFURLs into (designated) SecRequirements
+ if (target && CFGetTypeID(target) == CFURLGetTypeID()) {
+ CFRef code;
+ CFURLRef path = target.as();
+ MacOSError::check(SecStaticCodeCreateWithPath(path, kSecCSDefaultFlags, &code.aref()));
+ switch (OSStatus rc = SecCodeCopyDesignatedRequirement(code, kSecCSDefaultFlags, (SecRequirementRef *)&target.aref())) {
+ case errSecSuccess: {
+ // use the *default* DR to avoid unreasonably wide DRs opening up Gatekeeper to attack
+ CFRef info;
+ MacOSError::check(SecCodeCopySigningInformation(code, kSecCSRequirementInformation, &info.aref()));
+ target = CFDictionaryGetValue(info, kSecCodeInfoImplicitDesignatedRequirement);
+ }
+ break;
+ case errSecCSUnsigned:
+ if
(signUnsigned && temporarySigning(code, type, path, kAuthorityFlagWhitelistV2)) { // ad-hoc signed the code temporarily + MacOSError::check(SecCodeCopyDesignatedRequirement(code, kSecCSDefaultFlags, (SecRequirementRef *)&target.aref())); + CFRef info; + MacOSError::check(SecCodeCopySigningInformation(code, kSecCSInternalInformation, &info.aref())); + if (CFDataRef cdData = CFDataRef(CFDictionaryGetValue(info, kSecCodeInfoCodeDirectory))) + *signUnsigned = ((const CodeDirectory *)CFDataGetBytePtr(cdData))->screeningCode(); + break; + } + MacOSError::check(rc); + case errSecCSSignatureFailed: + // recover certain cases of broken signatures (well, try) + if (codeInvalidityExceptions(code, NULL)) { + // Ad-hoc sign the code in place (requiring a writable subject). This requires root privileges. + CFRef signer; + CFTemp arguments("{%O=#N}", kSecCodeSignerIdentity); + MacOSError::check(SecCodeSignerCreate(arguments, kSecCSSignOpaque, &signer.aref())); + MacOSError::check(SecCodeSignerAddSignature(signer, code, kSecCSDefaultFlags)); + MacOSError::check(SecCodeCopyDesignatedRequirement(code, kSecCSDefaultFlags, (SecRequirementRef *)&target.aref())); + break; + } + MacOSError::check(rc); + default: + MacOSError::check(rc); + } + if (context.get(kSecAssessmentUpdateKeyRemarks) == NULL) { + // no explicit remarks; add one with the path + CFRef path; + MacOSError::check(SecCodeCopyPath(code, kSecCSDefaultFlags, &path.aref())); + CFMutableDictionaryRef dict = makeCFMutableDictionary(context.get()); + CFDictionaryAddValue(dict, kSecAssessmentUpdateKeyRemarks, CFTempString(cfString(path))); + context.take(dict); + } + CFStringRef edit = CFStringRef(context.get(kSecAssessmentContextKeyUpdate)); + if (type == kAuthorityExecute && CFEqual(edit, kSecAssessmentUpdateOperationAdd)) { + // implicitly whitelist the code + mOpaqueWhitelist.add(code); + } + } +} + + +// +// Process special overrides for invalidly signed code. 
+// This is the (hopefully minimal) concessions we make to keep hurting our customers
+// for our own prior mistakes...
+//
+static bool codeInvalidityExceptions(SecStaticCodeRef code, CFMutableDictionaryRef result)
+{
+ if (OSAIsRecognizedExecutableURL) {
+ CFRef info;
+ MacOSError::check(SecCodeCopySigningInformation(code, kSecCSDefaultFlags, &info.aref()));
+ if (CFURLRef executable = CFURLRef(CFDictionaryGetValue(info, kSecCodeInfoMainExecutable))) {
+ SInt32 error;
+ if (OSAIsRecognizedExecutableURL(executable, &error)) {
+ if (result)
+ CFDictionaryAddValue(result,
+ kSecAssessmentAssessmentAuthorityOverride, CFSTR("ignoring known invalid applet signature"));
+ return true;
+ }
+ }
+ }
+ return false;
+}
+
+
+} // end namespace CodeSigning
+} // end namespace Security
diff --git a/OSX/include/security_codesigning/policyengine.h b/OSX/include/security_codesigning/policyengine.h
new file mode 100644
index 00000000..46083083
--- /dev/null
+++ b/OSX/include/security_codesigning/policyengine.h
@@ -0,0 +1,101 @@ +/* + * Copyright (c) 2011-2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ +#ifndef _H_POLICYENGINE +#define _H_POLICYENGINE + +#include "SecAssessment.h" +#include "opaquewhitelist.h" +#include "evaluationmanager.h" +#include "policydb.h" +#include +#include +#include +#include +#include +#include + +namespace Security { +namespace CodeSigning { + + +typedef uint EngineOperation; +enum { + opInvalid = 0, + opEvaluate, + opAddAuthority, + opRemoveAuthority, +}; + + +class PolicyEngine : public PolicyDatabase { +public: + PolicyEngine(); + virtual ~PolicyEngine(); + +public: + void evaluate(CFURLRef path, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, CFMutableDictionaryRef result); + + CFDictionaryRef update(CFTypeRef target, SecAssessmentFlags flags, CFDictionaryRef context); + CFDictionaryRef add(CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context); + CFDictionaryRef remove(CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context); + CFDictionaryRef 
enable(CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, bool authorize); + CFDictionaryRef disable(CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, bool authorize); + CFDictionaryRef find(CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context); + + void recordFailure(CFDictionaryRef info); + +public: + static void addAuthority(SecAssessmentFlags flags, CFMutableDictionaryRef parent, const char *label, SQLite::int64 row = 0, CFTypeRef cacheInfo = NULL, bool weak = false); + static void addToAuthority(CFMutableDictionaryRef parent, CFStringRef key, CFTypeRef value); + +private: + void evaluateCode(CFURLRef path, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, CFMutableDictionaryRef result, bool handleUnsigned); + void evaluateInstall(CFURLRef path, SecAssessmentFlags flags, CFDictionaryRef context, CFMutableDictionaryRef result); + void evaluateDocOpen(CFURLRef path, SecAssessmentFlags flags, CFDictionaryRef context, CFMutableDictionaryRef result); + + void evaluateCodeItem(SecStaticCodeRef code, CFURLRef path, AuthorityType type, SecAssessmentFlags flags, bool nested, CFMutableDictionaryRef result); + void adjustValidation(SecStaticCodeRef code); + bool temporarySigning(SecStaticCodeRef code, AuthorityType type, CFURLRef path, SecAssessmentFlags matchFlags); + void normalizeTarget(CFRef &target, AuthorityType type, CFDictionary &context, std::string *signUnsigned); + + void selectRules(SQLite::Statement &action, std::string stanza, std::string table, + CFTypeRef inTarget, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, std::string suffix = ""); + CFDictionaryRef manipulateRules(const std::string &stanza, + CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, bool authorize); + + void setOrigin(CFArrayRef chain, CFMutableDictionaryRef result); + + void 
recordOutcome(SecStaticCodeRef code, bool allow, AuthorityType type, double expires, SQLite::int64 authority);
+
+private:
+ OpaqueWhitelist mOpaqueWhitelist;
+
+ friend class EvaluationManager;
+ friend class EvaluationTask;
+};
+
+
+} // end namespace CodeSigning
+} // end namespace Security
+
+#endif //_H_POLICYENGINE
diff --git a/Security/libsecurity_codesigning/lib/quarantine++.cpp b/OSX/include/security_codesigning/quarantine++.cpp
similarity index 100%
rename from Security/libsecurity_codesigning/lib/quarantine++.cpp
rename to OSX/include/security_codesigning/quarantine++.cpp
diff --git a/Security/libsecurity_codesigning/lib/quarantine++.h b/OSX/include/security_codesigning/quarantine++.h
similarity index 100%
rename from Security/libsecurity_codesigning/lib/quarantine++.h
rename to OSX/include/security_codesigning/quarantine++.h
diff --git a/OSX/include/security_codesigning/reqdumper.cpp b/OSX/include/security_codesigning/reqdumper.cpp
new file mode 100644
index 00000000..c7e180f6
--- /dev/null
+++ b/OSX/include/security_codesigning/reqdumper.cpp
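Review bot: The public interface of `PolicyEngine` declared in this header (`evaluate`, `update`, `add`, `remove`, `enable`, `disable`, `find`, `addAuthority`) carries no documentation, and two parameters whose meaning cannot be recovered from the signatures deserve a comment here. The `authorize` flag of `enable`/`disable`: in the .cpp hunk `manipulateRules` calls `authorizeUpdate` only when it is true, so a `false` caller is presumably one that has already authorized the update itself; I would add above `enable`: `// authorize: run update authorization (authorizeUpdate) before changing rules; pass false only when the caller has already done so`. The `weak` flag of `addAuthority`: the implementation adds `kSecAssessmentAssessmentWeakSignature` to the record and stores it with `CFDictionaryReplaceValue` (overwriting an existing authority, doing nothing when none is present), whereas the default path uses `CFDictionaryAddValue` (setting it only when absent), so the two paths behave differently when `parent` already holds an authority and that is worth one line above the declaration.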
@@ -0,0 +1,367 @@ +/* + * Copyright (c) 2006-2007,2011-2013 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +// +// reqdumper - Requirement un-parsing (disassembly) +// +#include "reqdumper.h" +#include // OID encoder +#include + +namespace Security { +namespace CodeSigning { + +using namespace UnixPlusPlus; + + +// +// Table of reserved words (keywords), generated by ANTLR +// +static const char * const keywords[] = { +#include "RequirementKeywords.h" + "", + NULL +}; + + +// +// Printf to established output channel +// +void Dumper::print(const char *format, ...) +{ + char buffer[256]; + va_list args; + va_start(args, format); + vsnprintf(buffer, sizeof(buffer), format, args); + va_end(args); + mOutput += buffer; +} + + +// +// Dump the underlying Requirement program +// +void Dumper::dump() +{ + this->expr(); + + // remove any initial space + if (mOutput[0] == ' ') + mOutput = mOutput.substr(1); +} + + +// +// Dump an entire Requirements set, using temporary Dumper objects. 
+// +// This detects single Requirement inputs and dumps them successfully (using +// single-requirement syntax). No indication of error is returned in this case. +// +string Dumper::dump(const Requirements *reqs, bool debug /* = false */) +{ + if (!reqs) { + return "# no requirement(s)"; + } else if (reqs->magic() == Requirement::typeMagic) { // single requirement + return dump((const Requirement *)reqs) + "\n"; + } else { + string result; + for (unsigned n = 0; n < reqs->count(); n++) { + char prefix[200]; + if (reqs->type(n) < kSecRequirementTypeCount) + snprintf(prefix, sizeof(prefix), + "%s => ", Requirement::typeNames[reqs->type(n)]); + else + snprintf(prefix, sizeof(prefix), "/*unknown type*/ %d => ", reqs->type(n)); + Dumper dumper(reqs->blob(n), debug); + dumper.expr(); + result += prefix + dumper.value() + "\n"; + } + return result; + } +} + +string Dumper::dump(const Requirement *req, bool debug /* = false */) +{ + Dumper dumper(req, debug); + try { + dumper.dump(); + return dumper; + } catch (const CommonError &err) { + if (debug) { + char errstr[80]; + snprintf(errstr, sizeof(errstr), " !! error %ld !!", (unsigned long)err.osStatus()); + return dumper.value() + errstr; + } + throw; + } +} + +string Dumper::dump(const BlobCore *req, bool debug /* = false */) +{ + switch (req->magic()) { + case Requirement::typeMagic: + return dump(static_cast(req), debug); + break; + case Requirements::typeMagic: + return dump(static_cast(req), debug); + break; + default: + return "invalid data type"; + } +} + + +// +// Element dumpers. Output accumulates in internal buffer. 
+// +void Dumper::expr(SyntaxLevel level) +{ + if (mDebug) + print("/*@0x%x*/", pc()); + ExprOp op = ExprOp(get()); + switch (op & ~opFlagMask) { + case opFalse: + print("never"); + break; + case opTrue: + print("always"); + break; + case opIdent: + print("identifier "); + data(); + break; + case opAppleAnchor: + print("anchor apple"); + break; + case opAppleGenericAnchor: + print("anchor apple generic"); + break; + case opAnchorHash: + print("certificate"); certSlot(); print(" = "); hashData(); + break; + case opInfoKeyValue: + if (mDebug) + print("/*legacy*/"); + print("info["); dotString(); print("] = "); data(); + break; + case opAnd: + if (level < slAnd) + print("("); + expr(slAnd); + print(" and "); + expr(slAnd); + if (level < slAnd) + print(")"); + break; + case opOr: + if (level < slOr) + print("("); + expr(slOr); + print(" or "); + expr(slOr); + if (level < slOr) + print(")"); + break; + case opNot: + print("! "); + expr(slPrimary); + break; + case opCDHash: + print("cdhash "); + hashData(); + break; + case opInfoKeyField: + print("info["); dotString(); print("]"); match(); + break; + case opEntitlementField: + print("entitlement["); dotString(); print("]"); match(); + break; + case opCertField: + print("certificate"); certSlot(); print("["); dotString(); print("]"); match(); + break; + case opCertGeneric: + print("certificate"); certSlot(); print("["); + { + const unsigned char *data; size_t length; + getData(data, length); + print("field.%s", CssmOid((unsigned char *)data, length).toOid().c_str()); + } + print("]"); match(); + break; + case opCertPolicy: + print("certificate"); certSlot(); print("["); + { + const unsigned char *data; size_t length; + getData(data, length); + print("policy.%s", CssmOid((unsigned char *)data, length).toOid().c_str()); + } + print("]"); match(); + break; + case opTrustedCert: + print("certificate"); certSlot(); print("trusted"); + break; + case opTrustedCerts: + print("anchor trusted"); + break; + case opNamedAnchor: + 
print("anchor apple "); data(); + break; + case opNamedCode: + print("("); data(); print(")"); + break; + case opPlatform: + print("platform = %d", get()); + break; + default: + if (op & opGenericFalse) { + print(" false /* opcode %d */", op & ~opFlagMask); + break; + } else if (op & opGenericSkip) { + print(" /* opcode %d */", op & ~opFlagMask); + break; + } else { + print("OPCODE %d NOT UNDERSTOOD (ending print)", op); + return; + } + } +} + +void Dumper::certSlot() +{ + switch (int32_t slot = get()) { + case Requirement::anchorCert: + print(" root"); + break; + case Requirement::leafCert: + print(" leaf"); + break; + default: + print(" %d", slot); + break; + } +} + +void Dumper::match() +{ + switch (MatchOperation op = MatchOperation(get())) { + case matchExists: + print(" /* exists */"); + break; + case matchEqual: + print(" = "); data(); + break; + case matchContains: + print(" ~ "); data(); + break; + case matchBeginsWith: + print(" = "); data(); print("*"); + break; + case matchEndsWith: + print(" = *"); data(); + break; + case matchLessThan: + print(" < "); data(); + break; + case matchGreaterEqual: + print(" >= "); data(); + break; + case matchLessEqual: + print(" <= "); data(); + break; + case matchGreaterThan: + print(" > "); data(); + break; + default: + print("MATCH OPCODE %d NOT UNDERSTOOD", op); + break; + } +} + +void Dumper::hashData() +{ + print("H\""); + const unsigned char *data; size_t length; + getData(data, length); + printBytes(data, length); + print("\""); +} + +void Dumper::data(PrintMode bestMode /* = isSimple */, bool dotOkay /* = false */) +{ + const unsigned char *data; size_t length; + getData(data, length); + for (unsigned n = 0; n < length; n++) + if ((isalnum(data[n]) || (data[n] == '.' 
&& dotOkay))) { // simple + if (n == 0 && isdigit(data[n])) // unquoted idents can't start with a digit + bestMode = isPrintable; + } else if (isgraph(data[n]) || isspace(data[n])) { + if (bestMode == isSimple) + bestMode = isPrintable; + } else { + bestMode = isBinary; + break; // pessimal + } + + if (bestMode == isSimple) { + string s((const char *)data, length); + for (const char * const * k = keywords; *k; k++) + if (s == *k) { + bestMode = isPrintable; // reserved word; need quotes + break; + } + } + + switch (bestMode) { + case isSimple: + print("%.*s", length, data); + break; + case isPrintable: + print("\""); + for (unsigned n = 0; n < length; n++) + switch (data[n]) { + case '\\': + case '"': + print("\\%c", data[n]); + break; + default: + print("%c", data[n]); + break; + } + print("\""); + break; + default: + print("0x"); + printBytes(data, length); + break; + } +} + +void Dumper::printBytes(const Byte *data, size_t length) +{ + for (unsigned n = 0; n < length; n++) + print("%02.2x", data[n]); +} + + +} // CodeSigning +} // Security diff --git a/Security/libsecurity_codesigning/lib/reqdumper.h b/OSX/include/security_codesigning/reqdumper.h similarity index 100% rename from Security/libsecurity_codesigning/lib/reqdumper.h rename to OSX/include/security_codesigning/reqdumper.h diff --git a/OSX/include/security_codesigning/reqinterp.cpp b/OSX/include/security_codesigning/reqinterp.cpp new file mode 100644 index 00000000..effd233e --- /dev/null +++ b/OSX/include/security_codesigning/reqinterp.cpp 
@@ -0,0 +1,583 @@ +/* + * Copyright (c) 2006,2011-2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +// +// reqinterp - Requirement language (exprOp) interpreter +// +#include "reqinterp.h" +#include "codesigning_dtrace.h" +#include +#include +#include +#include +#include "csutilities.h" + +namespace Security { +namespace CodeSigning { + + +// +// Fragment fetching, caching, and evaluation. +// +// Several language elements allow "calling" of separate requirement programs +// stored on disk as (binary) requirement blobs. The Fragments class takes care +// of finding, loading, caching, and evaluating them. +// +// This is a singleton for (process global) caching. It works fine as multiple instances, +// at a loss of caching effectiveness. 
+// +class Fragments { +public: + Fragments(); + + bool named(const std::string &name, const Requirement::Context &ctx) + { return evalNamed("subreq", name, ctx); } + bool namedAnchor(const std::string &name, const Requirement::Context &ctx) + { return evalNamed("anchorreq", name, ctx); } + +private: + bool evalNamed(const char *type, const std::string &name, const Requirement::Context &ctx); + CFDataRef fragment(const char *type, const std::string &name); + + typedef std::map > FragMap; + +private: + CFBundleRef mMyBundle; // Security.framework bundle + Mutex mLock; // lock for all of the below... + FragMap mFragments; // cached fragments +}; + +static ModuleNexus fragments; + + +// +// Magic certificate features +// +static CFStringRef appleIntermediateCN = CFSTR("Apple Code Signing Certification Authority"); +static CFStringRef appleIntermediateO = CFSTR("Apple Inc."); + + +// +// Main interpreter function. +// +// ExprOp code is in Polish Notation (operator followed by operands), +// and this engine uses opportunistic evaluation. 
+// +bool Requirement::Interpreter::evaluate() +{ return eval(stackLimit); } + +bool Requirement::Interpreter::eval(int depth) +{ + if (--depth <= 0) // nested too deeply - protect the stack + MacOSError::throwMe(errSecCSReqInvalid); + + ExprOp op = ExprOp(get()); + CODESIGN_EVAL_REQINT_OP(op, this->pc() - sizeof(uint32_t)); + switch (op & ~opFlagMask) { + case opFalse: + return false; + case opTrue: + return true; + case opIdent: + return mContext->directory && getString() == mContext->directory->identifier(); + case opAppleAnchor: + return appleSigned(); + case opAppleGenericAnchor: + return appleAnchored(); + case opAnchorHash: + { + SecCertificateRef cert = mContext->cert(get()); + return verifyAnchor(cert, getSHA1()); + } + case opInfoKeyValue: // [legacy; use opInfoKeyField] + { + string key = getString(); + return infoKeyValue(key, Match(CFTempString(getString()), matchEqual)); + } + case opAnd: + return eval(depth) & eval(depth); + case opOr: + return eval(depth) | eval(depth); + case opCDHash: + if (mContext->directory) { + CFRef cdhash = mContext->directory->cdhash(); + CFRef required = getHash(); + return CFEqual(cdhash, required); + } else + return false; + case opNot: + return !eval(depth); + case opInfoKeyField: + { + string key = getString(); + Match match(*this); + return infoKeyValue(key, match); + } + case opEntitlementField: + { + string key = getString(); + Match match(*this); + return entitlementValue(key, match); + } + case opCertField: + { + SecCertificateRef cert = mContext->cert(get()); + string key = getString(); + Match match(*this); + return certFieldValue(key, match, cert); + } + case opCertGeneric: + { + SecCertificateRef cert = mContext->cert(get()); + string key = getString(); + Match match(*this); + return certFieldGeneric(key, match, cert); + } + case opCertPolicy: + { + SecCertificateRef cert = mContext->cert(get()); + string key = getString(); + Match match(*this); + return certFieldPolicy(key, match, cert); + } + case 
opTrustedCert: + return trustedCert(get()); + case opTrustedCerts: + return trustedCerts(); + case opNamedAnchor: + return fragments().namedAnchor(getString(), *mContext); + case opNamedCode: + return fragments().named(getString(), *mContext); + case opPlatform: + { + int32_t targetPlatform = get(); + return mContext->directory && mContext->directory->platform == targetPlatform; + } + default: + // opcode not recognized - handle generically if possible, fail otherwise + if (op & (opGenericFalse | opGenericSkip)) { + // unknown opcode, but it has a size field and can be safely bypassed + skip(get()); + if (op & opGenericFalse) { + CODESIGN_EVAL_REQINT_UNKNOWN_FALSE(op); + return false; + } else { + CODESIGN_EVAL_REQINT_UNKNOWN_SKIPPED(op); + return eval(depth); + } + } + // unrecognized opcode and no way to interpret it + secdebug("csinterp", "opcode 0x%x cannot be handled; aborting", op); + MacOSError::throwMe(errSecCSUnimplemented); + } +} + + +// +// Evaluate an Info.plist key condition +// +bool Requirement::Interpreter::infoKeyValue(const string &key, const Match &match) +{ + if (mContext->info) // we have an Info.plist + if (CFTypeRef value = CFDictionaryGetValue(mContext->info, CFTempString(key))) + return match(value); + return false; +} + + +// +// Evaluate an entitlement condition +// +bool Requirement::Interpreter::entitlementValue(const string &key, const Match &match) +{ + if (mContext->entitlements) // we have an Info.plist + if (CFTypeRef value = CFDictionaryGetValue(mContext->entitlements, CFTempString(key))) + return match(value); + return false; +} + + +bool Requirement::Interpreter::certFieldValue(const string &key, const Match &match, SecCertificateRef cert) +{ + // no cert, no chance + if (cert == NULL) + return false; + + // a table of recognized keys for the "certificate[foo]" syntax + static const struct CertField { + const char *name; + const CSSM_OID *oid; + } certFields[] = { + { "subject.C", &CSSMOID_CountryName }, + { "subject.CN", 
&CSSMOID_CommonName }, + { "subject.D", &CSSMOID_Description }, + { "subject.L", &CSSMOID_LocalityName }, +// { "subject.C-L", &CSSMOID_CollectiveLocalityName }, // missing from Security.framework headers + { "subject.O", &CSSMOID_OrganizationName }, + { "subject.C-O", &CSSMOID_CollectiveOrganizationName }, + { "subject.OU", &CSSMOID_OrganizationalUnitName }, + { "subject.C-OU", &CSSMOID_CollectiveOrganizationalUnitName }, + { "subject.ST", &CSSMOID_StateProvinceName }, + { "subject.C-ST", &CSSMOID_CollectiveStateProvinceName }, + { "subject.STREET", &CSSMOID_StreetAddress }, + { "subject.C-STREET", &CSSMOID_CollectiveStreetAddress }, + { "subject.UID", &CSSMOID_UserID }, + { NULL, NULL } + }; + + // DN-component single-value match + for (const CertField *cf = certFields; cf->name; cf++) + if (cf->name == key) { + CFRef value; + if (OSStatus rc = SecCertificateCopySubjectComponent(cert, cf->oid, &value.aref())) { + secdebug("csinterp", "cert %p lookup for DN.%s failed rc=%d", cert, key.c_str(), (int)rc); + return false; + } + return match(value); + } + + // email multi-valued match (any of...) + if (key == "email") { + CFRef value; + if (OSStatus rc = SecCertificateCopyEmailAddresses(cert, &value.aref())) { + secdebug("csinterp", "cert %p lookup for email failed rc=%d", cert, (int)rc); + return false; + } + return match(value); + } + + // unrecognized key. 
Fail but do not abort to promote backward compatibility down the road + secdebug("csinterp", "cert field notation \"%s\" not understood", key.c_str()); + return false; +} + + +bool Requirement::Interpreter::certFieldGeneric(const string &key, const Match &match, SecCertificateRef cert) +{ + // the key is actually a (binary) OID value + CssmOid oid((char *)key.data(), key.length()); + return certFieldGeneric(oid, match, cert); +} + +bool Requirement::Interpreter::certFieldGeneric(const CssmOid &oid, const Match &match, SecCertificateRef cert) +{ + return cert && certificateHasField(cert, oid) && match(kCFBooleanTrue); +} + +bool Requirement::Interpreter::certFieldPolicy(const string &key, const Match &match, SecCertificateRef cert) +{ + // the key is actually a (binary) OID value + CssmOid oid((char *)key.data(), key.length()); + return certFieldPolicy(oid, match, cert); +} + +bool Requirement::Interpreter::certFieldPolicy(const CssmOid &oid, const Match &match, SecCertificateRef cert) +{ + return cert && certificateHasPolicy(cert, oid) && match(kCFBooleanTrue); +} + + +// +// Check the Apple-signed condition +// +bool Requirement::Interpreter::appleAnchored() +{ + if (SecCertificateRef cert = mContext->cert(anchorCert)) + if (isAppleCA(cert) +#if defined(TEST_APPLE_ANCHOR) + || verifyAnchor(cert, testAppleAnchorHash()) +#endif + ) + return true; + return false; +} + +bool Requirement::Interpreter::appleSigned() +{ + if (appleAnchored()) + if (SecCertificateRef intermed = mContext->cert(-2)) // first intermediate + // first intermediate common name match (exact) + if (certFieldValue("subject.CN", Match(appleIntermediateCN, matchEqual), intermed) + && certFieldValue("subject.O", Match(appleIntermediateO, matchEqual), intermed)) + return true; + return false; +} + + +// +// Verify an anchor requirement against the context +// +bool Requirement::Interpreter::verifyAnchor(SecCertificateRef cert, const unsigned char *digest) +{ + // get certificate bytes + if (cert) { + 
CSSM_DATA certData; + MacOSError::check(SecCertificateGetData(cert, &certData)); + + // verify hash + SHA1 hasher; + hasher(certData.Data, certData.Length); + return hasher.verify(digest); + } + return false; +} + + +// +// Check one or all certificate(s) in the cert chain against the Trust Settings database. +// +bool Requirement::Interpreter::trustedCerts() +{ + int anchor = mContext->certCount() - 1; + for (int slot = 0; slot <= anchor; slot++) + if (SecCertificateRef cert = mContext->cert(slot)) + switch (trustSetting(cert, slot == anchor)) { + case kSecTrustSettingsResultTrustRoot: + case kSecTrustSettingsResultTrustAsRoot: + return true; + case kSecTrustSettingsResultDeny: + return false; + case kSecTrustSettingsResultUnspecified: + break; + default: + assert(false); + return false; + } + else + return false; + return false; +} + +bool Requirement::Interpreter::trustedCert(int slot) +{ + if (SecCertificateRef cert = mContext->cert(slot)) { + int anchorSlot = mContext->certCount() - 1; + switch (trustSetting(cert, slot == anchorCert || slot == anchorSlot)) { + case kSecTrustSettingsResultTrustRoot: + case kSecTrustSettingsResultTrustAsRoot: + return true; + case kSecTrustSettingsResultDeny: + case kSecTrustSettingsResultUnspecified: + return false; + default: + assert(false); + return false; + } + } else + return false; +} + + +// +// Explicitly check one certificate against the Trust Settings database and report +// the findings. This is a helper for the various Trust Settings evaluators. +// +SecTrustSettingsResult Requirement::Interpreter::trustSetting(SecCertificateRef cert, bool isAnchor) +{ + // the SPI input is the uppercase hex form of the SHA-1 of the certificate... 
+ assert(cert); + SHA1::Digest digest; + hashOfCertificate(cert, digest); + string Certhex = CssmData(digest, sizeof(digest)).toHex(); + for (string::iterator it = Certhex.begin(); it != Certhex.end(); ++it) + if (islower(*it)) + *it = toupper(*it); + + // call Trust Settings and see what it finds + SecTrustSettingsDomain domain; + SecTrustSettingsResult result; + CSSM_RETURN *errors = NULL; + uint32 errorCount = 0; + bool foundMatch, foundAny; + switch (OSStatus rc = SecTrustSettingsEvaluateCert( + CFTempString(Certhex), // settings index + &CSSMOID_APPLE_TP_CODE_SIGNING, // standard code signing policy + NULL, 0, // policy string (unused) + kSecTrustSettingsKeyUseAny, // no restriction on key usage @@@ + isAnchor, // consult system default anchor set + + &domain, // domain of found setting + &errors, &errorCount, // error set and maximum count + &result, // the actual setting + &foundMatch, &foundAny // optimization hints (not used) + )) { + case errSecSuccess: + ::free(errors); + if (foundMatch) + return result; + else + return kSecTrustSettingsResultUnspecified; + default: + ::free(errors); + MacOSError::throwMe(rc); + } +} + + +// +// Create a Match object from the interpreter stream +// +Requirement::Interpreter::Match::Match(Interpreter &interp) +{ + switch (mOp = interp.get()) { + case matchExists: + break; + case matchEqual: + case matchContains: + case matchBeginsWith: + case matchEndsWith: + case matchLessThan: + case matchGreaterThan: + case matchLessEqual: + case matchGreaterEqual: + mValue.take(makeCFString(interp.getString())); + break; + default: + // Assume this (unknown) match type has a single data argument. + // This gives us a chance to keep the instruction stream aligned. 
+ interp.getString(); // discard + break; + } +} + + +// +// Execute a match against a candidate value +// +bool Requirement::Interpreter::Match::operator () (CFTypeRef candidate) const +{ + // null candidates always fail + if (!candidate) + return false; + + // interpret an array as matching alternatives (any one succeeds) + if (CFGetTypeID(candidate) == CFArrayGetTypeID()) { + CFArrayRef array = CFArrayRef(candidate); + CFIndex count = CFArrayGetCount(array); + for (CFIndex n = 0; n < count; n++) + if ((*this)(CFArrayGetValueAtIndex(array, n))) // yes, it's recursive + return true; + } + + switch (mOp) { + case matchExists: // anything but NULL and boolean false "exists" + return !CFEqual(candidate, kCFBooleanFalse); + case matchEqual: // equality works for all CF types + return CFEqual(candidate, mValue); + case matchContains: + if (CFGetTypeID(candidate) == CFStringGetTypeID()) { + CFStringRef value = CFStringRef(candidate); + if (CFStringFindWithOptions(value, mValue, CFRangeMake(0, CFStringGetLength(value)), 0, NULL)) + return true; + } + return false; + case matchBeginsWith: + if (CFGetTypeID(candidate) == CFStringGetTypeID()) { + CFStringRef value = CFStringRef(candidate); + if (CFStringFindWithOptions(value, mValue, CFRangeMake(0, CFStringGetLength(mValue)), 0, NULL)) + return true; + } + return false; + case matchEndsWith: + if (CFGetTypeID(candidate) == CFStringGetTypeID()) { + CFStringRef value = CFStringRef(candidate); + CFIndex matchLength = CFStringGetLength(mValue); + CFIndex start = CFStringGetLength(value) - matchLength; + if (start >= 0) + if (CFStringFindWithOptions(value, mValue, CFRangeMake(start, matchLength), 0, NULL)) + return true; + } + return false; + case matchLessThan: + return inequality(candidate, kCFCompareNumerically, kCFCompareLessThan, true); + case matchGreaterThan: + return inequality(candidate, kCFCompareNumerically, kCFCompareGreaterThan, true); + case matchLessEqual: + return inequality(candidate, kCFCompareNumerically, 
kCFCompareGreaterThan, false); + case matchGreaterEqual: + return inequality(candidate, kCFCompareNumerically, kCFCompareLessThan, false); + default: + // unrecognized match types can never match + return false; + } +} + + +bool Requirement::Interpreter::Match::inequality(CFTypeRef candidate, CFStringCompareFlags flags, + CFComparisonResult outcome, bool negate) const +{ + if (CFGetTypeID(candidate) == CFStringGetTypeID()) { + CFStringRef value = CFStringRef(candidate); + if ((CFStringCompare(value, mValue, flags) == outcome) == negate) + return true; + } + return false; +} + + +// +// External fragments +// +Fragments::Fragments() +{ + mMyBundle = CFBundleGetBundleWithIdentifier(CFSTR("com.apple.security")); +} + + +bool Fragments::evalNamed(const char *type, const std::string &name, const Requirement::Context &ctx) +{ + if (CFDataRef fragData = fragment(type, name)) { + const Requirement *req = (const Requirement *)CFDataGetBytePtr(fragData); // was prevalidated as Requirement + return req->validates(ctx); + } + return false; +} + + +CFDataRef Fragments::fragment(const char *type, const std::string &name) +{ + string key = name + "!!" + type; // compound key + StLock _(mLock); // lock for cache access + FragMap::const_iterator it = mFragments.find(key); + if (it == mFragments.end()) { + CFRef fragData; // will always be set (NULL on any errors) + if (CFRef fragURL = CFBundleCopyResourceURL(mMyBundle, CFTempString(name), CFSTR("csreq"), CFTempString(type))) + if (CFRef data = cfLoadFile(fragURL)) { // got data + const Requirement *req = (const Requirement *)CFDataGetBytePtr(data); + if (req->validateBlob(CFDataGetLength(data))) // looks like a Requirement... + fragData = data; // ... so accept it + else + Syslog::warning("Invalid sub-requirement at %s", cfString(fragURL).c_str()); + } + if (CODESIGN_EVAL_REQINT_FRAGMENT_LOAD_ENABLED()) + CODESIGN_EVAL_REQINT_FRAGMENT_LOAD(type, name.c_str(), fragData ? 
CFDataGetBytePtr(fragData) : NULL); + mFragments[key] = fragData; // cache it, success or failure + return fragData; + } + CODESIGN_EVAL_REQINT_FRAGMENT_HIT(type, name.c_str()); + return it->second; +} + + +} // CodeSigning +} // Security diff --git a/OSX/include/security_codesigning/reqinterp.h b/OSX/include/security_codesigning/reqinterp.h new file mode 100644 index 00000000..a221f96d --- /dev/null +++ b/OSX/include/security_codesigning/reqinterp.h 
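Review bot: In eval(), the opIdent and opCDHash cases test `mContext->directory` before reading their operand (`return mContext->directory && getString() == ...`, and getHash() only inside the `if (mContext->directory)` branch), so when the context has no directory the operand bytes stay in the stream and the next eval() call, for instance the second operand of an opAnd/opOr, reads the data length as an opcode. The opPlatform case already handles this correctly by calling get() first; do the same here, e.g. `case opIdent: { string ident = getString(); return mContext->directory && ident == mContext->directory->identifier(); }` and in opCDHash move `CFRef<CFDataRef> required = getHash();` ahead of the directory test. For a policy evaluator that is the difference between a clean false and an unrelated result or errSecCSUnimplemented for the rest of the expression. A smaller point: entitlementValue() carries the copied comment `// we have an Info.plist`, which should read `// we have an entitlement dictionary`.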
@@ -0,0 +1,92 @@ +/* + * Copyright (c) 2006-2007,2011 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +// +// reqinterp - Requirement language (exprOp) interpreter +// +#ifndef _H_REQINTERP +#define _H_REQINTERP + +#include +#include +#include // CssmOid + +namespace Security { +namespace CodeSigning { + + +// +// An interpreter for exprForm-type requirements. +// This is a simple Polish Notation stack evaluator. 
+// +class Requirement::Interpreter : public Requirement::Reader { +public: + Interpreter(const Requirement *req, const Context *ctx) : Reader(req), mContext(ctx) { } + + static const unsigned stackLimit = 1000; + + bool evaluate(); + +protected: + class Match { + public: + Match(Interpreter &interp); // reads match postfix from interp + Match(CFStringRef value, MatchOperation op) : mValue(value), mOp(op) { } // explicit + Match() : mValue(NULL), mOp(matchExists) { } // explict test for presence + bool operator () (CFTypeRef candidate) const; // match to candidate + + protected: + bool inequality(CFTypeRef candidate, CFStringCompareFlags flags, CFComparisonResult outcome, bool negate) const; + + private: + CFCopyRef mValue; // match value + MatchOperation mOp; // type of match + }; + +protected: + bool eval(int depth); + + bool infoKeyValue(const std::string &key, const Match &match); + bool entitlementValue(const std::string &key, const Match &match); + bool certFieldValue(const string &key, const Match &match, SecCertificateRef cert); + bool certFieldGeneric(const string &key, const Match &match, SecCertificateRef cert); + bool certFieldGeneric(const CssmOid &oid, const Match &match, SecCertificateRef cert); + bool certFieldPolicy(const string &key, const Match &match, SecCertificateRef cert); + bool certFieldPolicy(const CssmOid &oid, const Match &match, SecCertificateRef cert); + bool verifyAnchor(SecCertificateRef cert, const unsigned char *digest); + bool appleSigned(); + bool appleAnchored(); + bool trustedCerts(); + bool trustedCert(int slot); + + static SecTrustSettingsResult trustSetting(SecCertificateRef cert, bool isAnchor); + +private: + const Context * const mContext; +}; + + +} // CodeSigning +} // Security + +#endif //_H_REQINTERP diff --git a/OSX/include/security_codesigning/reqmaker.cpp b/OSX/include/security_codesigning/reqmaker.cpp new file mode 100644 index 00000000..034c3cf1 --- /dev/null +++ b/OSX/include/security_codesigning/reqmaker.cpp 
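Review bot: The method declarations mix `std::string` (infoKeyValue, entitlementValue) with unqualified `string` (certFieldValue, certFieldGeneric, certFieldPolicy) in the same protected section; a header should use the qualified form throughout, e.g. `bool certFieldValue(const std::string &key, const Match &match, SecCertificateRef cert);`. The comment on the default Match constructor reads `// explict test for presence` and should be `// explicit test for presence`. The single-argument `Match(Interpreter &interp)` constructor consumes operands from the interpreter stream as a side effect, so marking it `explicit` would keep an accidental implicit conversion from an Interpreter from doing that silently.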
@@ -0,0 +1,180 @@ +/* + * Copyright (c) 2006,2011-2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +// +// reqmaker - Requirement assembler +// +#include "reqmaker.h" + +namespace Security { +namespace CodeSigning { + + +// +// Requirement::Makers +// +Requirement::Maker::Maker(Kind k) + : mSize(1024) +{ + mBuffer = (Requirement *)malloc(mSize); + mBuffer->initialize(); + mBuffer->kind(k); + mPC = sizeof(Requirement); +} + +// need at least (size) bytes in the creation buffer +void Requirement::Maker::require(size_t size) +{ + if (mPC + size > mSize) { + mSize *= 2; + if (mPC + size > mSize) + mSize = (Offset)(mPC + size); + if (!(mBuffer = (Requirement *)realloc(mBuffer, mSize))) + UnixError::throwMe(ENOMEM); + } +} + +// allocate (size) bytes at end of buffer and return pointer to that +void *Requirement::Maker::alloc(size_t size) +{ + // round size up to preserve alignment + size_t usedSize = LowLevelMemoryUtilities::alignUp(size, baseAlignment); + require(usedSize); + void *data = mBuffer->at(mPC); + mPC += usedSize; + + // clear any padding (avoid random 
bytes in code image) + const uint32_t zero = 0; + memcpy(mBuffer->at(mPC - usedSize + size), &zero, usedSize - size); + + // all done + return data; +} + +// put contiguous data blob +void Requirement::Maker::putData(const void *data, size_t length) +{ + put(uint32_t(length)); + memcpy(alloc(length), data, length); +} + +// Specialized Maker put operations +void Requirement::Maker::anchor() +{ + put(opAppleAnchor); +} + +void Requirement::Maker::anchorGeneric() +{ + put(opAppleGenericAnchor); +} + +void Requirement::Maker::anchor(int slot, SHA1::Digest digest) +{ + put(opAnchorHash); + put(slot); + putData(digest, SHA1::digestLength); +} + +void Requirement::Maker::anchor(int slot, const void *cert, size_t length) +{ + SHA1 hasher; + hasher(cert, length); + SHA1::Digest digest; + hasher.finish(digest); + anchor(slot, digest); +} + +void Requirement::Maker::trustedAnchor() +{ + put(opTrustedCerts); +} + +void Requirement::Maker::trustedAnchor(int slot) +{ + put(opTrustedCert); + put(slot); +} + +void Requirement::Maker::infoKey(const string &key, const string &value) +{ + put(opInfoKeyValue); + put(key); + put(value); +} + +void Requirement::Maker::ident(const string &identifier) +{ + put(opIdent); + put(identifier); +} + +void Requirement::Maker::cdhash(SHA1::Digest digest) +{ + put(opCDHash); + putData(digest, SHA1::digestLength); +} + +void Requirement::Maker::cdhash(CFDataRef digest) +{ + put(opCDHash); + putData(CFDataGetBytePtr(digest), CFDataGetLength(digest)); +} + +void Requirement::Maker::platform(int platformIdentifier) +{ + put(opPlatform); + put(platformIdentifier); +} + + +void Requirement::Maker::copy(const Requirement *req) +{ + assert(req); + if (req->kind() != exprForm) // don't know how to embed this + MacOSError::throwMe(errSecCSReqUnsupported); + this->copy(req->at(sizeof(Requirement)), req->length() - sizeof(Requirement)); +} + + +void *Requirement::Maker::insert(const Label &label, size_t length) +{ + require(length); + 
memmove(mBuffer->at(label.pos + length), + mBuffer->at(label.pos), mPC - label.pos); + mPC += length; + return mBuffer->at(label.pos); +} + + +Requirement *Requirement::Maker::make() +{ + mBuffer->length(mPC); + Requirement *result = mBuffer; + mBuffer = NULL; + return result; +} + + +} // CodeSigning +} // Security diff --git a/OSX/include/security_codesigning/reqmaker.h b/OSX/include/security_codesigning/reqmaker.h new file mode 100644 index 00000000..721fc1f3 --- /dev/null +++ b/OSX/include/security_codesigning/reqmaker.h 
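Review bot: Maker::Maker() dereferences the result of `malloc(mSize)` (`mBuffer->initialize()`) without checking it, while require() on the same buffer checks realloc and throws; make the constructor consistent with `if (!(mBuffer = (Requirement *)malloc(mSize))) UnixError::throwMe(ENOMEM);`. In require() itself, `mBuffer = (Requirement *)realloc(mBuffer, mSize)` overwrites the only pointer to the old buffer before the NULL test, so on failure `~Maker()` frees NULL and the original buffer leaks; assign to a temporary first, e.g. `void *grown = realloc(mBuffer, mSize); if (!grown) UnixError::throwMe(ENOMEM); mBuffer = (Requirement *)grown;`. The `mSize *= 2` and `(Offset)(mPC + size)` steps narrow silently; Offset is declared in reqmaker.h, not in this hunk, but if it is narrower than size_t a very large putData() length would leave the buffer smaller than the following memcpy expects. In alloc(), `memset(mBuffer->at(mPC - usedSize + size), 0, usedSize - size);` clears the padding without the current memcpy's dependence on `sizeof(zero)` covering baseAlignment.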
@@ -0,0 +1,135 @@ +/* + * Copyright (c) 2006,2011-2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +// +// reqmaker - Requirement assembler +// +#ifndef _H_REQMAKER +#define _H_REQMAKER + +#include + +namespace Security { +namespace CodeSigning { + + +// +// A Requirement::Maker is a tool for creating a Requirement blob. +// It's primarily an assember for the binary requirements (exprOp) language. +// Initialize it, call put() methods to generate the exprOp program, then +// call make() to get the assembled Requirement blob, malloc'ed for you. +// The Maker is not reusable. 
+// +class Requirement::Maker { +public: + Maker(Kind k = exprForm); + ~Maker() { free(mBuffer); } + + template + T *alloc(size_t size) { return reinterpret_cast(alloc(size)); } + + template + void put(const T &value) { *alloc >(sizeof(T)) = value; } + void put(ExprOp op) { put(uint32_t(op)); } + void put(MatchOperation op) { put(uint32_t(op)); } + void put(const std::string &s) { putData(s.data(), s.size()); } + void put(const char *s) { putData(s, strlen(s)); } + void putData(const void *data, size_t length); + void putData(CFStringRef s) { put(cfString(s)); } + + void anchor(int slot, SHA1::Digest digest); // given slot/digest + void anchor(int slot, const void *cert, size_t length); // given slot/cert + void anchor(); // made-by-Apple + void anchorGeneric(); // anything drawn from the Apple anchor + + void trustedAnchor(); + void trustedAnchor(int slot); + + void infoKey(const std::string &key, const std::string &value); + void ident(const std::string &identHash); + void cdhash(SHA1::Digest digest); + void cdhash(CFDataRef digest); + void platform(int platformIdentifier); + + void copy(const void *data, size_t length) + { memcpy(this->alloc(length), data, length); } + void copy(const Requirement *req); // inline expand + + // + // Keep labels into exprOp code, and allow for "shifting in" + // prefix code as needed (exprOp is a prefix-code language). + // + struct Label { + const Offset pos; + Label(const Maker &maker) : pos((const Offset)maker.length()) { } + }; + void *insert(const Label &label, size_t length = sizeof(uint32_t)); + + template + Endian &insert(const Label &label, size_t length = sizeof(T)) + { return *reinterpret_cast*>(insert(label, length)); } + + // + // Help with making operator chains (foo AND bar AND baz...). + // Note that the empty case (no elements at all) must be resolved by the caller. 
+ // + class Chain : public Label { + public: + Chain(Maker &myMaker, ExprOp op) + : Label(myMaker), maker(myMaker), mJoiner(op), mCount(0) { } + + void add() const + { if (mCount++) maker.insert(*this) = mJoiner; } + + Maker &maker; + bool empty() const { return mCount == 0; } + + private: + ExprOp mJoiner; + mutable unsigned mCount; + }; + + + // + // Over-all construction management + // + void kind(Kind k) { mBuffer->kind(k); } + size_t length() const { return mPC; } + Requirement *make(); + Requirement *operator () () { return make(); } + +protected: + void require(size_t size); + void *alloc(size_t size); + +private: + Requirement *mBuffer; + Offset mSize; + Offset mPC; +}; + + +} // CodeSigning +} // Security + +#endif //_H_REQMAKER diff --git a/Security/libsecurity_codesigning/lib/reqparser.cpp b/OSX/include/security_codesigning/reqparser.cpp similarity index 100% rename from Security/libsecurity_codesigning/lib/reqparser.cpp rename to OSX/include/security_codesigning/reqparser.cpp diff --git a/Security/libsecurity_codesigning/lib/reqparser.h b/OSX/include/security_codesigning/reqparser.h similarity index 100% rename from Security/libsecurity_codesigning/lib/reqparser.h rename to OSX/include/security_codesigning/reqparser.h diff --git a/OSX/include/security_codesigning/reqreader.cpp b/OSX/include/security_codesigning/reqreader.cpp new file mode 100644 index 00000000..63b1e352 --- /dev/null +++ b/OSX/include/security_codesigning/reqreader.cpp 
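Review bot: Maker owns a malloc'ed buffer and frees it in `~Maker() { free(mBuffer); }`, but declares no copy constructor or copy assignment, so an accidental copy (pass by value, container insertion) would end in a double free; declare them deleted (`Maker(const Maker &) = delete; Maker &operator=(const Maker &) = delete;`) or, if the project does not build as C++11, private and unimplemented. The class comment has a typo: `// It's primarily an assember for the binary requirements (exprOp) language.` should read `assembler`. Chain::add() mutates `mCount` from a const method through `mutable`; a one-line comment on the member stating why the join count must be updatable through a const Chain would save the next reader the guess.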
@@ -0,0 +1,91 @@ +/* + * Copyright (c) 2007,2011 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +// +// reqreader - Requirement language (exprOp) reader/scanner +// +#include "reqreader.h" +#include +#include +#include // for hex encoding +#include "csutilities.h" + +namespace Security { +namespace CodeSigning { + + +// +// Requirement::Reader +// +Requirement::Reader::Reader(const Requirement *req) + : mReq(req), mPC(sizeof(Requirement)) +{ + assert(req); + if (req->kind() != exprForm) + MacOSError::throwMe(errSecCSReqUnsupported); +} + + +// +// Access helpers to retrieve various data types from the data stream +// +void Requirement::Reader::getData(const void *&data, size_t &length) +{ + length = get(); + checkSize(length); + data = (mReq->at(mPC)); + mPC += LowLevelMemoryUtilities::alignUp(length, baseAlignment); +} + +string Requirement::Reader::getString() +{ + const char *s; size_t length; + getData(s, length); + return string(s, length); +} + +CFDataRef Requirement::Reader::getHash() +{ + const unsigned char *s; size_t length; + getData(s, length); + return 
makeCFData(s, length); +} + +const unsigned char *Requirement::Reader::getSHA1() +{ + const unsigned char *digest; size_t length; + getData(digest, length); + if (length != CC_SHA1_DIGEST_LENGTH) + MacOSError::throwMe(errSecCSReqInvalid); + return digest; +} + +void Requirement::Reader::skip(size_t length) +{ + checkSize(length); + mPC += length; +} + + +} // CodeSigning +} // Security diff --git a/OSX/include/security_codesigning/reqreader.h b/OSX/include/security_codesigning/reqreader.h new file mode 100644 index 00000000..b3f4a781 --- /dev/null +++ b/OSX/include/security_codesigning/reqreader.h 
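Review bot: In `Requirement::Reader::getData`, `checkSize(length)` bounds the unpadded item but `mPC` is then advanced by `LowLevelMemoryUtilities::alignUp(length, baseAlignment)`, so a trailing item whose padding is missing leaves `mPC` up to `baseAlignment - 1` bytes past `mReq->length()`. Nothing is read at that point and any further `get()` still fails in `checkSize`, so this is not an over-read, but the implicit invariant `pc() <= mReq->length()` that `atEnd()` leans on is lost. If the Maker always pads data items (it appears to, but that code is outside this hunk), checking the padded size as well is the stricter and self-documenting choice: `checkSize(length); size_t padded = LowLevelMemoryUtilities::alignUp(length, baseAlignment); checkSize(padded);` and then `mPC += padded;`. Separately, `getHash` returns a CFDataRef created by `makeCFData` and `getSHA1` returns a pointer into the blob; a one-line comment on each (`// caller owns the returned CFDataRef` / `// points into the blob; valid while *mReq lives`) would spell out the ownership difference.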
@@ -0,0 +1,86 @@ +/* + * Copyright (c) 2007,2011,2013 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +// +// reqreader - Requirement language (exprOp) reader/scanner +// +#ifndef _H_REQREADER +#define _H_REQREADER + +#include +#include + +namespace Security { +namespace CodeSigning { + + +// +// The Reader class provides structured access to a opExpr-type code requirement. 
+// +class Requirement::Reader { +public: + Reader(const Requirement *req); + + const Requirement *requirement() const { return mReq; } + + template T get(); + void getData(const void *&data, size_t &length); + + std::string getString(); + CFDataRef getHash(); + const unsigned char *getSHA1(); + + template void getData(T *&data, size_t &length) + { return getData(reinterpret_cast(data), length); } + +protected: + void checkSize(size_t length) + { + if (mPC + length < mPC || mPC + length > mReq->length()) + MacOSError::throwMe(errSecCSReqInvalid); + } + + void skip(size_t length); + + Offset pc() const { return mPC; } + bool atEnd() const { return mPC >= mReq->length(); } + +private: + const Requirement * const mReq; + Offset mPC; +}; + +template +T Requirement::Reader::get() +{ + checkSize(sizeof(T)); + const Endian *value = mReq->at >(mPC); + mPC += sizeof(T); + return *value; +} + + +} // CodeSigning +} // Security + +#endif //_H_REQREADER diff --git a/Security/libsecurity_codesigning/lib/requirement.cpp b/OSX/include/security_codesigning/requirement.cpp similarity index 100% rename from Security/libsecurity_codesigning/lib/requirement.cpp rename to OSX/include/security_codesigning/requirement.cpp diff --git a/OSX/include/security_codesigning/requirement.h b/OSX/include/security_codesigning/requirement.h new file mode 100644 index 00000000..eb089475 --- /dev/null +++ b/OSX/include/security_codesigning/requirement.h 
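Review bot: `checkSize` bounds every advance of `mPC` against `mReq->length()`, which is the blob's own self-declared size, so the Reader is only memory-safe if the caller has already validated that declared length against the memory actually backing the Requirement; the class comment should state that precondition, e.g. `// Precondition: *req has been validated against its backing storage; Reader bounds all reads against req->length() only.` The overflow guard `mPC + length < mPC` is correct provided `Offset` is no wider than `size_t`, since `mPC` is then promoted before the addition and the wrap is detected. `skip()` and `pc()` are protected with no documentation; a note that `pc()` is a blob-relative offset suitable for `Requirement::at()` would help the Interpreter subclass. The constructor (in reqreader.cpp, outside this hunk) relies on `assert(req)`, which is compiled out in release builds, before dereferencing `req->kind()`; since every other bad-input path throws `errSecCSReqInvalid` or `errSecCSReqUnsupported`, a null check that throws would be consistent with the rest of the class.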
@@ -0,0 +1,215 @@ +/* + * Copyright (c) 2006-2012 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +// +// requirement - Code Requirement Blob description +// +#ifndef _H_REQUIREMENT +#define _H_REQUIREMENT + +#include +#include +#include +#include +#include "codedirectory.h" +#include + +namespace Security { +namespace CodeSigning { + + +// +// Single requirement. +// This is a contiguous binary blob, starting with this header +// and followed by binary expr-code. All links within the blob +// are offset-relative to the start of the header. +// This is designed to be a binary stable format. Note that we restrict +// outselves to 4GB maximum size (4 byte size/offset), and we expect real +// Requirement blobs to be fairly small (a few kilobytes at most). +// +// The "kind" field allows for adding different kinds of Requirements altogether +// in the future. We expect to stay within the framework of "opExpr" requirements, +// but it never hurts to have a way out. 
+// +class Requirement: public Blob { +public: + class Maker; // makes Requirement blobs + class Context; // evaluation context + class Reader; // structured reader + class Interpreter; // evaluation engine + + // different forms of Requirements. Right now, we only support exprForm ("opExprs") + enum Kind { + exprForm = 1 // prefix expr form + }; + + void kind(Kind k) { mKind = k; } + Kind kind() const { return Kind(uint32_t(mKind)); } + + // validate this requirement against a code context + void validate(const Context &ctx, OSStatus failure = errSecCSReqFailed) const; // throws on all failures + bool validates(const Context &ctx, OSStatus failure = errSecCSReqFailed) const; // returns on clean miss + + // certificate positions (within a standard certificate chain) + static const int leafCert = 0; // index for leaf (first in chain) + static const int anchorCert = -1; // index for anchor (last in chain) + +#if defined(TEST_APPLE_ANCHOR) + static const char testAppleAnchorEnv[]; + static const SHA1::Digest &testAppleAnchorHash(); +#endif //TEST_APPLE_ANCHOR + + // common alignment rule for all requirement forms + static const size_t baseAlignment = sizeof(uint32_t); // (we might as well say "four") + + // canonical (source) names of Requirement types (matched to SecRequirementType in CSCommon.h) + static const char *const typeNames[]; + + IFDUMP(void dump() const); + +private: + Endian mKind; // expression kind +}; + + +// +// An interpretation context +// +class Requirement::Context { +protected: + Context() + : certs(NULL), info(NULL), entitlements(NULL), identifier(""), directory(NULL) { } + +public: + Context(CFArrayRef certChain, CFDictionaryRef infoDict, CFDictionaryRef entitlementDict, + const std::string &ident, const CodeDirectory *dir) + : certs(certChain), info(infoDict), entitlements(entitlementDict), identifier(ident), directory(dir) { } + + CFArrayRef certs; // certificate chain + CFDictionaryRef info; // Info.plist + CFDictionaryRef entitlements; // 
entitlement plist + std::string identifier; // signing identifier + const CodeDirectory *directory; // CodeDirectory + + SecCertificateRef cert(int ix) const; // get a cert from the cert chain (NULL if not found) + unsigned int certCount() const; // length of cert chain (including root) +}; + + +// +// exprForm opcodes. +// +// Opcodes are broken into flags in the (HBO) high byte, and an opcode value +// in the remaining 24 bits. Note that opcodes will remain fairly small +// (almost certainly <60000), so we have the third byte to play around with +// in the future, if needed. For now, small opcodes effective reserve this byte +// as zero. +// The flag byte allows for limited understanding of unknown opcodes. It allows +// the interpreter to use the known opcode parts of the program while semi-creatively +// disregarding the parts it doesn't know about. An unrecognized opcode with zero +// flag byte causes evaluation to categorically fail, since the semantics of such +// an opcode cannot safely be predicted. 
+// +enum { + // semantic bits or'ed into the opcode + opFlagMask = 0xFF000000, // high bit flags + opGenericFalse = 0x80000000, // has size field; okay to default to false + opGenericSkip = 0x40000000, // has size field; skip and continue +}; + +enum ExprOp { + opFalse, // unconditionally false + opTrue, // unconditionally true + opIdent, // match canonical code [string] + opAppleAnchor, // signed by Apple as Apple's product + opAnchorHash, // match anchor [cert hash] + opInfoKeyValue, // *legacy* - use opInfoKeyField [key; value] + opAnd, // binary prefix expr AND expr [expr; expr] + opOr, // binary prefix expr OR expr [expr; expr] + opCDHash, // match hash of CodeDirectory directly [cd hash] + opNot, // logical inverse [expr] + opInfoKeyField, // Info.plist key field [string; match suffix] + opCertField, // Certificate field [cert index; field name; match suffix] + opTrustedCert, // require trust settings to approve one particular cert [cert index] + opTrustedCerts, // require trust settings to approve the cert chain + opCertGeneric, // Certificate component by OID [cert index; oid; match suffix] + opAppleGenericAnchor, // signed by Apple in any capacity + opEntitlementField, // entitlement dictionary field [string; match suffix] + opCertPolicy, // Certificate policy by OID [cert index; oid; match suffix] + opNamedAnchor, // named anchor type + opNamedCode, // named subroutine + opPlatform, // platform constraint [integer] + exprOpCount // (total opcode count in use) +}; + +// match suffix opcodes +enum MatchOperation { + matchExists, // anything but explicit "false" - no value stored + matchEqual, // equal (CFEqual) + matchContains, // partial match (substring) + matchBeginsWith, // partial match (initial substring) + matchEndsWith, // partial match (terminal substring) + matchLessThan, // less than (string with numeric comparison) + matchGreaterThan, // greater than (string with numeric comparison) + matchLessEqual, // less or equal (string with numeric 
comparison) + matchGreaterEqual, // greater or equal (string with numeric comparison) +}; + + +// +// We keep Requirement groups in SuperBlobs, indexed by SecRequirementType +// +typedef SuperBlob<0xfade0c01> Requirements; + + +// +// Byte order flippers +// +inline CodeSigning::ExprOp h2n(CodeSigning::ExprOp op) +{ + uint32_t intOp = (uint32_t) op; + return (CodeSigning::ExprOp) ::h2n(intOp); +} + +inline CodeSigning::ExprOp n2h(CodeSigning::ExprOp op) +{ + uint32_t intOp = (uint32_t) op; + return (CodeSigning::ExprOp) ::n2h(intOp); +} + + +inline CodeSigning::MatchOperation h2n(CodeSigning::MatchOperation op) +{ + return CodeSigning::MatchOperation(::h2n((uint32_t) op)); +} + +inline CodeSigning::MatchOperation n2h(CodeSigning::MatchOperation op) +{ + return CodeSigning::MatchOperation(::n2h((uint32_t) op)); +} + + +} // CodeSigning +} // Security + +#endif //_H_REQUIREMENT diff --git a/OSX/include/security_codesigning/resources.cpp b/OSX/include/security_codesigning/resources.cpp new file mode 100644 index 00000000..5695800e --- /dev/null +++ b/OSX/include/security_codesigning/resources.cpp 
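Review bot: `Kind kind() const { return Kind(uint32_t(mKind)); }` converts a word read straight from the blob into an enum whose only enumerator is `exprForm = 1`; for an unscoped enum without a fixed underlying type a value outside the enumeration's range (here anything other than 0 or 1) is unspecified before C++17 and undefined from C++17 on, so the `req->kind() != exprForm` check in reqreader.cpp is comparing a possibly ill-formed value. Either give the enum a fixed underlying type where the file's C++ dialect allows it, `enum Kind : uint32_t { exprForm = 1 };`, or compare the raw word, e.g. add `bool isExprForm() const { return uint32_t(mKind) == exprForm; }` and use that in the Reader. The `ExprOp` and `MatchOperation` enums are a persisted wire format (the class comment itself says the blob is binary-stable) but carry no note to that effect; a comment such as `// Persisted in signed blobs: append new values before exprOpCount, never reorder or renumber` on each enum would prevent an accidental renumbering. Minor: `outselves` and `effective reserve` in the comments read as typos for `ourselves` and `effectively reserve`.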
@@ -0,0 +1,363 @@ +/* + * Copyright (c) 2006-2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +// +// resource directory construction and verification +// +#include "resources.h" +#include "csutilities.h" +#include +#include +#include +#include +#include + +// These are pretty nasty, but are a quick safe fix +// to pass information down to the gatekeeper collection tool +extern "C" { + int GKBIS_DS_Store_Present; + int GKBIS_Dot_underbar_Present; + int GKBIS_Num_localizations; + int GKBIS_Num_files; + int GKBIS_Num_dirs; + int GKBIS_Num_symlinks; +} + +namespace Security { +namespace CodeSigning { + + +static string removeTrailingSlash(string path) +{ + if (path.substr(path.length()-2, 2) == "/.") + return path.substr(0, path.length()-2); + else if (path.substr(path.length()-1, 1) == "/") + return path.substr(0, path.length()-1); + else + return path; +} + +// +// Construction and maintainance +// +ResourceBuilder::ResourceBuilder(const std::string &root, const std::string &relBase, + CFDictionaryRef rulesDict, CodeDirectory::HashAlgorithm hashType, bool strict, 
const MacOSErrorSet& toleratedErrors) + : mHashType(hashType), + mCheckUnreadable(strict && toleratedErrors.find(errSecCSSignatureNotVerifiable) == toleratedErrors.end()), + mCheckUnknownType(strict && toleratedErrors.find(errSecCSResourceNotSupported) == toleratedErrors.end()) +{ + assert(!root.empty()); + char realroot[PATH_MAX]; + if (realpath(root.c_str(), realroot) == NULL) + UnixError::throwMe(); + mRoot = realroot; + if (realpath(removeTrailingSlash(relBase).c_str(), realroot) == NULL) + UnixError::throwMe(); + mRelBase = realroot; + if (mRoot != mRelBase && mRelBase != mRoot + "/Contents") + MacOSError::throwMe(errSecCSInternalError); + const char * paths[2] = { mRoot.c_str(), NULL }; + mFTS = fts_open((char * const *)paths, FTS_PHYSICAL | FTS_COMFOLLOW | FTS_NOCHDIR, NULL); + if (!mFTS) + UnixError::throwMe(); + mRawRules = rulesDict; + CFDictionary rules(rulesDict, errSecCSResourceRulesInvalid); + rules.apply(this, &ResourceBuilder::addRule); +} + +ResourceBuilder::~ResourceBuilder() +{ + for (Rules::iterator it = mRules.begin(); it != mRules.end(); ++it) + delete *it; + fts_close(mFTS); // do not check error - it's not worth aborting over (double fault etc.) 
+} + + +// +// Parse and add one matching rule +// +void ResourceBuilder::addRule(CFTypeRef key, CFTypeRef value) +{ + string pattern = cfString(key, errSecCSResourceRulesInvalid); + unsigned weight = 1; + uint32_t flags = 0; + if (CFGetTypeID(value) == CFBooleanGetTypeID()) { + if (value == kCFBooleanFalse) + flags |= omitted; + } else { + CFDictionary rule(value, errSecCSResourceRulesInvalid); + if (CFNumberRef weightRef = rule.get("weight")) + weight = cfNumber(weightRef); + if (CFBooleanRef omitRef = rule.get("omit")) + if (omitRef == kCFBooleanTrue) + flags |= omitted; + if (CFBooleanRef optRef = rule.get("optional")) + if (optRef == kCFBooleanTrue) + flags |= optional; + if (CFBooleanRef nestRef = rule.get("nested")) + if (nestRef == kCFBooleanTrue) + flags |= nested; + } + addRule(new Rule(pattern, weight, flags)); +} + +static bool findStringEndingNoCase(const char *path, const char * end) +{ + size_t len_path = strlen(path); + size_t len_end = strlen(end); + + if (len_path >= len_end) { + return strcasecmp(path + (len_path - len_end), end) == 0; + } else + return false; +} + +// +// Locate the next non-ignored file, look up its rule, and return it. +// Returns NULL when we're out of files. 
+// +void ResourceBuilder::scan(Scanner next) +{ + bool first = true; + + while (FTSENT *ent = fts_read(mFTS)) { + static const char ds_store[] = ".DS_Store"; + const char *relpath = ent->fts_path + mRoot.size() + 1; // skip prefix + "/" + std::string rp; + if (mRelBase != mRoot) { + assert(mRelBase == mRoot + "/Contents"); + rp = "../" + string(relpath); + if (rp.substr(0, 12) == "../Contents/") + rp = rp.substr(12); + relpath = rp.c_str(); + } + switch (ent->fts_info) { + case FTS_F: + secdebug("rdirenum", "file %s", ent->fts_path); + GKBIS_Num_files++; + + // These are checks for the gatekeeper collection + static const char underbar[] = "._"; + if (strncasecmp(ent->fts_name, underbar, strlen(underbar)) == 0) + GKBIS_Dot_underbar_Present++; + + if (strcasecmp(ent->fts_name, ds_store) == 0) + GKBIS_DS_Store_Present++; + + if (Rule *rule = findRule(relpath)) + if (!(rule->flags & (omitted | exclusion))) + next(ent, rule->flags, string(relpath), rule); + break; + case FTS_SL: + // symlinks cannot ever be nested code, so quietly convert to resource file + secdebug("rdirenum", "symlink %s", ent->fts_path); + GKBIS_Num_symlinks++; + + if (strcasecmp(ent->fts_name, ds_store) == 0) + MacOSError::throwMe(errSecCSDSStoreSymlink); + + if (Rule *rule = findRule(relpath)) + if (!(rule->flags & (omitted | exclusion))) + next(ent, rule->flags & ~nested, string(relpath), rule); + break; + case FTS_D: + secdebug("rdirenum", "entering %s", ent->fts_path); + GKBIS_Num_dirs++; + + if (!first) { // skip root directory (relpath invalid) + if (Rule *rule = findRule(relpath)) { + if (rule->flags & nested) { + if (strchr(ent->fts_name, '.')) { // nested, has extension -> treat as nested bundle + next(ent, rule->flags, string(relpath), rule); + fts_set(mFTS, ent, FTS_SKIP); + } + } else if (rule->flags & exclusion) { // exclude the whole directory + fts_set(mFTS, ent, FTS_SKIP); + } + // else treat as normal directory and descend into it + } + } + // Report the number of localizations + 
if (findStringEndingNoCase(ent->fts_name, ".lproj")) + GKBIS_Num_localizations++; + first = false; + + break; + case FTS_DP: + secdebug("rdirenum", "leaving %s", ent->fts_path); + break; + case FTS_DNR: + secdebug("rdirenum", "cannot read directory %s", ent->fts_path); + if (mCheckUnreadable) + MacOSError::throwMe(errSecCSSignatureNotVerifiable); + break; + default: + secdebug("rdirenum", "type %d (errno %d): %s", + ent->fts_info, ent->fts_errno, ent->fts_path); + if (mCheckUnknownType) + MacOSError::throwMe(errSecCSResourceNotSupported); + break; + } + } +} + + +// +// Check a single for for inclusion in the resource envelope +// +bool ResourceBuilder::includes(string path) const +{ + // process first-directory exclusions + size_t firstslash = path.find('/'); + if (firstslash != string::npos) + if (Rule *rule = findRule(path.substr(0, firstslash))) + if (rule->flags & exclusion) + return rule->flags & softTarget; + + // process full match + if (Rule *rule = findRule(path)) + return !(rule->flags & (omitted | exclusion)) || (rule->flags & softTarget); + else + return false; +} + + +// +// Find the best-matching resource rule for an alleged resource file. +// Returns NULL if no rule matches, or an exclusion rule applies. +// +ResourceBuilder::Rule *ResourceBuilder::findRule(string path) const +{ + Rule *bestRule = NULL; + secdebug("rscan", "test %s", path.c_str()); + for (Rules::const_iterator it = mRules.begin(); it != mRules.end(); ++it) { + Rule *rule = *it; + secdebug("rscan", "try %s", rule->source.c_str()); + if (rule->match(path.c_str())) { + secdebug("rscan", "match"); + if (rule->flags & exclusion) { + secdebug("rscan", "excluded"); + return rule; + } + if (!bestRule || rule->weight > bestRule->weight) + bestRule = rule; + } + } + secdebug("rscan", "choosing %s (%d,0x%x)", + bestRule ? bestRule->source.c_str() : "NOTHING", + bestRule ? bestRule->weight : 0, + bestRule ? 
bestRule->flags : 0); + return bestRule; +} + + +// +// Hash a file and return a CFDataRef with the hash +// +CFDataRef ResourceBuilder::hashFile(const char *path) const +{ + UnixPlusPlus::AutoFileDesc fd(path); + fd.fcntl(F_NOCACHE, true); // turn off page caching (one-pass) + MakeHash hasher(this); + hashFileData(fd, hasher.get()); + Hashing::Byte digest[hasher->digestLength()]; + hasher->finish(digest); + return CFDataCreate(NULL, digest, sizeof(digest)); +} + + +// +// Regex matching objects +// +ResourceBuilder::Rule::Rule(const std::string &pattern, unsigned w, uint32_t f) + : weight(w), flags(f), source(pattern) +{ + if (::regcomp(this, pattern.c_str(), REG_EXTENDED | REG_NOSUB)) //@@@ REG_ICASE? + MacOSError::throwMe(errSecCSResourceRulesInvalid); + secdebug("csresource", "%p rule %s added (weight %d, flags 0x%x)", + this, pattern.c_str(), w, f); +} + +ResourceBuilder::Rule::~Rule() +{ + ::regfree(this); +} + +bool ResourceBuilder::Rule::match(const char *s) const +{ + switch (::regexec(this, s, 0, NULL, 0)) { + case 0: + return true; + case REG_NOMATCH: + return false; + default: + MacOSError::throwMe(errSecCSResourceRulesInvalid); + } +} + + +std::string ResourceBuilder::escapeRE(const std::string &s) +{ + string r; + for (string::const_iterator it = s.begin(); it != s.end(); ++it) { + char c = *it; + if (strchr("\\[]{}().+*?", c)) + r.push_back('\\'); + r.push_back(c); + } + return r; +} + + +// +// Resource Seals +// +ResourceSeal::ResourceSeal(CFTypeRef it) + : mDict(NULL), mHash(NULL), mRequirement(NULL), mLink(NULL), mFlags(0) +{ + if (it == NULL) + MacOSError::throwMe(errSecCSResourcesInvalid); + if (CFGetTypeID(it) == CFDataGetTypeID()) { + mHash = CFDataRef(it); + } else { + int optional = 0; + mDict = CFDictionaryRef(it); + bool err; + if (CFDictionaryGetValue(mDict, CFSTR("requirement"))) + err = !cfscan(mDict, "{requirement=%SO,?optional=%B}", &mRequirement, &optional); + else if (CFDictionaryGetValue(mDict, CFSTR("symlink"))) + err = 
!cfscan(mDict, "{symlink=%SO,?optional=%B}", &mLink, &optional); + else + err = !cfscan(mDict, "{hash=%XO,?optional=%B}", &mHash, &optional); + if (err) + MacOSError::throwMe(errSecCSResourcesInvalid); + if (optional) + mFlags |= ResourceBuilder::optional; + if (mRequirement) + mFlags |= ResourceBuilder::nested; + } +} + + +} // end namespace CodeSigning +} // end namespace Security diff --git a/OSX/include/security_codesigning/resources.h b/OSX/include/security_codesigning/resources.h new file mode 100644 index 00000000..4bdcc7e6 --- /dev/null +++ b/OSX/include/security_codesigning/resources.h 
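Review bot: `ResourceSeal::ResourceSeal` only type-checks the CFData branch; anything that is not a CFData is cast to `CFDictionaryRef` and handed to `CFDictionaryGetValue`, so a seal entry that is a string or number in a malformed CodeResources plist crashes instead of failing with `errSecCSResourcesInvalid`; add `else if (CFGetTypeID(it) != CFDictionaryGetTypeID()) MacOSError::throwMe(errSecCSResourcesInvalid);` ahead of the dictionary branch. `escapeRE` escapes the set `"\\[]{}().+*?"` but `Rule::Rule` compiles with `REG_EXTENDED`, where `|`, `^` and `$` are also metacharacters, so a path containing `|` becomes an alternation; the set should be `"\\[]{}().+*?|^$"`. `removeTrailingSlash` computes `path.length()-2` on a `size_t`, so a `relBase` shorter than two characters wraps and `substr` throws `std::out_of_range` rather than a MacOSError; guard the two conditions with `path.length() >= 2 &&` and `!path.empty() &&`. In the `ResourceBuilder` constructor `fts_open` succeeds before `rules.apply` can throw `errSecCSResourceRulesInvalid`, and because the destructor does not run for a throwing constructor the FTS handle and any `Rule` objects already pushed are leaked; parsing the rules before opening the FTS narrows the leak to the `fts_open` failure path, and a `try { ... } catch (...) { fts_close(mFTS); throw; }` around the rule parsing would close it.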
@@ -0,0 +1,140 @@ +/* + * Copyright (c) 2006-2012,2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +// +// resource directory construction and verification +// +#ifndef _H_RSIGN +#define _H_RSIGN + +#include "codedirectory.h" +#include +#include +#include +#include "regex.h" +#include +#include +#include + +namespace Security { +namespace CodeSigning { + + +// +// The builder of ResourceDirectories. +// +// Note that this *is* a ResourceEnumerator, which can enumerate +// its source directory once (only). 
+// +class ResourceBuilder { + NOCOPY(ResourceBuilder) +public: + ResourceBuilder(const std::string &root, const std::string &relBase, + CFDictionaryRef rulesDict, CodeDirectory::HashAlgorithm hashType, bool strict, const MacOSErrorSet& toleratedErrors); + ~ResourceBuilder(); + + std::string root() const { return mRoot; } + + enum { + optional = 0x01, // may be absent at runtime + omitted = 0x02, // do not seal even if present + nested = 0x04, // nested code (recursively signed) + exclusion = 0x10, // overriding exclusion (stop looking) + softTarget = 0x20, // valid symlink target even though omitted/excluded + }; + + typedef unsigned int Weight; + +public: + class Rule : private regex_t { + public: + Rule(const std::string &pattern, Weight weight, uint32_t flags); + ~Rule(); + + bool match(const char *s) const; + + const Weight weight; + const uint32_t flags; + std::string source; + }; + void addRule(Rule *rule) { mRules.push_back(rule); } + void addExclusion(const std::string &pattern, uint32_t flags = 0) { mRules.insert(mRules.begin(), new Rule(pattern, 0, exclusion | flags)); } + + static std::string escapeRE(const std::string &s); + + typedef void (^Scanner)(FTSENT *ent, uint32_t flags, const std::string relpath, Rule *rule); + void scan(Scanner next); + bool includes(string path) const; + Rule *findRule(string path) const; + + DynamicHash *getHash() const { return CodeDirectory::hashFor(this->mHashType); } + CFDataRef hashFile(const char *path) const; + + CFDictionaryRef rules() const { return mRawRules; } + +protected: + void addRule(CFTypeRef key, CFTypeRef value); + +private: + std::string mRoot, mRelBase; + FTS *mFTS; + CFCopyRef mRawRules; + typedef std::vector Rules; + Rules mRules; + CodeDirectory::HashAlgorithm mHashType; + bool mCheckUnreadable; + bool mCheckUnknownType; +}; + + +// +// The "seal" on a single resource. 
+// +class ResourceSeal { +public: + ResourceSeal(CFTypeRef ref); + +public: + operator bool () const { return mHash; } + bool operator ! () const { return mHash == NULL; } + + const Hashing::Byte *hash() const { return CFDataGetBytePtr(mHash); } + bool nested() const { return mFlags & ResourceBuilder::nested; } + bool optional() const { return mFlags & ResourceBuilder::optional; } + CFDictionaryRef dict() const { return mDict; } + CFStringRef requirement() const { return mRequirement; } + CFStringRef link() const { return mLink; } + +private: + CFDictionaryRef mDict; + CFDataRef mHash; + CFStringRef mRequirement; + CFStringRef mLink; + uint32_t mFlags; +}; + + +} // end namespace CodeSigning +} // end namespace Security + +#endif // !_H_RSIGN diff --git a/Security/libsecurity_codesigning/lib/security_codesigning.d b/OSX/include/security_codesigning/security_codesigning.d similarity index 100% rename from Security/libsecurity_codesigning/lib/security_codesigning.d rename to OSX/include/security_codesigning/security_codesigning.d diff --git a/Security/libsecurity_codesigning/lib/security_codesigning.exp b/OSX/include/security_codesigning/security_codesigning.exp similarity index 100% rename from Security/libsecurity_codesigning/lib/security_codesigning.exp rename to OSX/include/security_codesigning/security_codesigning.exp diff --git a/Security/libsecurity_codesigning/lib/sigblob.cpp b/OSX/include/security_codesigning/sigblob.cpp similarity index 100% rename from Security/libsecurity_codesigning/lib/sigblob.cpp rename to OSX/include/security_codesigning/sigblob.cpp diff --git a/Security/libsecurity_codesigning/lib/sigblob.h b/OSX/include/security_codesigning/sigblob.h similarity index 100% rename from Security/libsecurity_codesigning/lib/sigblob.h rename to OSX/include/security_codesigning/sigblob.h diff --git a/OSX/include/security_codesigning/signer.cpp b/OSX/include/security_codesigning/signer.cpp new file mode 100644 index 00000000..daa2dac7 --- /dev/null 
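Review bot: `ResourceSeal::hash()` returns `CFDataGetBytePtr(mHash)` with no length, and `mHash` stays NULL for the `requirement=` and `symlink=` seal forms (see the constructor in resources.cpp), so a caller that compares the result against a digest of its expected length either over-reads a short CFData or calls `CFDataGetBytePtr` on NULL; the seal should expose the length, `size_t hashLength() const { return mHash ? CFDataGetLength(mHash) : 0; }`, and `hash()` should be documented as valid only when `operator bool()` is true and as yielding `hashLength()` bytes. I cannot see the callers in this hunk, so whether they already check `CFDataGetLength` against the digest size is an assumption to verify. `addRule(Rule *rule)` and `addExclusion` take ownership of the heap-allocated `Rule` (the destructor deletes every element of `mRules`) but nothing says so; a comment `// takes ownership of rule; deleted in ~ResourceBuilder` on `addRule` would make the contract explicit. Style: `includes` and `findRule` are declared with unqualified `string` while the rest of the class writes `std::string`.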
+++ b/OSX/include/security_codesigning/signer.cpp 
@@ -0,0 +1,670 @@ +/* + * Copyright (c) 2006-2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +// +// signer - Signing operation supervisor and controller +// +#include "signer.h" +#include "resources.h" +#include "signerutils.h" +#include "SecCodeSigner.h" +#include +#include +#include +#include +#include +#include "resources.h" +#include "machorep.h" +#include "reqparser.h" +#include "reqdumper.h" +#include "csutilities.h" +#include +#include +#include +#include +#include + +namespace Security { +namespace CodeSigning { + + +// +// Sign some code. 
+// +void SecCodeSigner::Signer::sign(SecCSFlags flags) +{ + rep = code->diskRep()->base(); + this->prepare(flags); + + PreSigningContext context(*this); + + /* If an explicit teamID was passed in it must be + the same as what came from the cert */ + std::string teamIDFromCert = state.getTeamIDFromSigner(context.certs); + + if (state.mPreserveMetadata & kSecCodeSignerPreserveTeamIdentifier) { + /* If preserving the team identifier, teamID is set previously when the + code object is still available */ + if (!teamIDFromCert.empty() && teamID != teamIDFromCert) + MacOSError::throwMe(errSecCSInvalidFlags); + } else { + if (teamIDFromCert.empty()) { + /* state.mTeamID is an explicitly passed teamID */ + teamID = state.mTeamID; + } else if (state.mTeamID.empty() || (state.mTeamID == teamIDFromCert)) { + /* If there was no explicit team ID set, or the explicit team ID matches + what is in the cert, use the team ID from the certificate */ + teamID = teamIDFromCert; + } else { + /* The caller passed in an explicit team ID that does not match what is + in the signing cert, which is an invalid usage */ + MacOSError::throwMe(errSecCSInvalidFlags); + } + } + + if (Universal *fat = state.mNoMachO ? NULL : rep->mainExecutableImage()) { + signMachO(fat, context); + } else { + signArchitectureAgnostic(context); + } +} + + +// +// Remove any existing code signature from code +// +void SecCodeSigner::Signer::remove(SecCSFlags flags) +{ + // can't remove a detached signature + if (state.mDetached) + MacOSError::throwMe(errSecCSNotSupported); + + rep = code->diskRep(); + if (Universal *fat = state.mNoMachO ? 
NULL : rep->mainExecutableImage()) { + // architecture-sensitive removal + MachOEditor editor(rep->writer(), *fat, kSecCodeSignatureNoHash, rep->mainExecutablePath()); + editor.allocate(); // create copy + editor.commit(); // commit change + } else { + // architecture-agnostic removal + RefPointer writer = rep->writer(); + writer->remove(); + writer->flush(); + } +} + + +// +// Contemplate the object-to-be-signed and set up the Signer state accordingly. +// +void SecCodeSigner::Signer::prepare(SecCSFlags flags) +{ + // make sure the rep passes strict validation + if (strict) + rep->strictValidate(NULL, MacOSErrorSet()); + + // initialize progress/cancellation state + code->prepareProgress(0); // totally fake workload - we don't know how many files we'll encounter + + // get the Info.plist out of the rep for some creative defaulting + CFRef infoDict; + if (CFRef infoData = rep->component(cdInfoSlot)) + infoDict.take(makeCFDictionaryFrom(infoData)); + + uint32_t inherit = code->isSigned() ? 
state.mPreserveMetadata : 0; + + // work out the canonical identifier + identifier = state.mIdentifier; + if (identifier.empty() && (inherit & kSecCodeSignerPreserveIdentifier)) + identifier = code->identifier(); + if (identifier.empty()) { + identifier = rep->recommendedIdentifier(state); + if (identifier.find('.') == string::npos) + identifier = state.mIdentifierPrefix + identifier; + if (identifier.find('.') == string::npos && state.isAdhoc()) + identifier = identifier + "-" + uniqueName(); + secdebug("signer", "using default identifier=%s", identifier.c_str()); + } else + secdebug("signer", "using explicit identifier=%s", identifier.c_str()); + + teamID = state.mTeamID; + if (teamID.empty() && (inherit & kSecCodeSignerPreserveTeamIdentifier)) { + const char *c_id = code->teamID(); + if (c_id) + teamID = c_id; + } + + entitlements = state.mEntitlementData; + if (!entitlements && (inherit & kSecCodeSignerPreserveEntitlements)) + entitlements = code->component(cdEntitlementSlot); + + // work out the CodeDirectory flags word + bool haveCdFlags = false; + if (!haveCdFlags && state.mCdFlagsGiven) { + cdFlags = state.mCdFlags; + secdebug("signer", "using explicit cdFlags=0x%x", cdFlags); + haveCdFlags = true; + } + if (!haveCdFlags) { + cdFlags = 0; + if (infoDict) + if (CFTypeRef csflags = CFDictionaryGetValue(infoDict, CFSTR("CSFlags"))) { + if (CFGetTypeID(csflags) == CFNumberGetTypeID()) { + cdFlags = cfNumber(CFNumberRef(csflags)); + secdebug("signer", "using numeric cdFlags=0x%x from Info.plist", cdFlags); + } else if (CFGetTypeID(csflags) == CFStringGetTypeID()) { + cdFlags = cdTextFlags(cfString(CFStringRef(csflags))); + secdebug("signer", "using text cdFlags=0x%x from Info.plist", cdFlags); + } else + MacOSError::throwMe(errSecCSBadDictionaryFormat); + haveCdFlags = true; + } + } + if (!haveCdFlags && (inherit & kSecCodeSignerPreserveFlags)) { + cdFlags = code->codeDirectory(false)->flags & ~kSecCodeSignatureAdhoc; + secdebug("signer", "using inherited 
cdFlags=0x%x", cdFlags); + haveCdFlags = true; + } + if (!haveCdFlags) + cdFlags = 0; + if (state.mSigner == SecIdentityRef(kCFNull)) // ad-hoc signing requested... + cdFlags |= kSecCodeSignatureAdhoc; // ... so note that + + // prepare the internal requirements input + if (state.mRequirements) { + if (CFGetTypeID(state.mRequirements) == CFDataGetTypeID()) { // binary form + const Requirements *rp = (const Requirements *)CFDataGetBytePtr(state.mRequirements.as()); + if (!rp->validateBlob()) + MacOSError::throwMe(errSecCSReqInvalid); + requirements = rp->clone(); + } else if (CFGetTypeID(state.mRequirements) == CFStringGetTypeID()) { // text form + CFRef reqText = CFStringCreateMutableCopy(NULL, 0, state.mRequirements.as()); + // substitute $ variable tokens + CFRange range = { 0, CFStringGetLength(reqText) }; + CFStringFindAndReplace(reqText, CFSTR("$self.identifier"), CFTempString(identifier), range, 0); + requirements = parseRequirements(cfString(reqText)); + } else + MacOSError::throwMe(errSecCSInvalidObjectRef); + } else if (inherit & kSecCodeSignerPreserveRequirements) + if (const Requirements *rp = code->internalRequirements()) + requirements = rp->clone(); + + // prepare the resource directory, if any + string rpath = rep->resourcesRootPath(); + if (!rpath.empty()) { + // explicitly given resource rules always win + CFCopyRef resourceRules = state.mResourceRules; + + // inherited rules come next (overriding embedded ones!) 
+ if (!resourceRules && (inherit & kSecCodeSignerPreserveResourceRules)) + if (CFDictionaryRef oldRules = code->resourceDictionary(false)) + resourceRules = oldRules; + + // embedded resource rules come next + if (!resourceRules && infoDict) + if (CFTypeRef spec = CFDictionaryGetValue(infoDict, _kCFBundleResourceSpecificationKey)) { + if (CFGetTypeID(spec) == CFStringGetTypeID()) + if (CFRef data = cfLoadFile(rpath + "/" + cfString(CFStringRef(spec)))) + if (CFDictionaryRef dict = makeCFDictionaryFrom(data)) + resourceRules.take(dict); + if (!resourceRules) // embedded rules present but unacceptable + MacOSError::throwMe(errSecCSResourceRulesInvalid); + } + + // if we got one from anywhere (but the defaults), sanity-check it + if (resourceRules) { + CFTypeRef rules = CFDictionaryGetValue(resourceRules, CFSTR("rules")); + if (!rules || CFGetTypeID(rules) != CFDictionaryGetTypeID()) + MacOSError::throwMe(errSecCSResourceRulesInvalid); + } + + // finally, ask the DiskRep for its default + if (!resourceRules) + resourceRules.take(rep->defaultResourceRules(state)); + + // resource root can optionally be the canonical bundle path, + // but sealed resource paths are always relative to rpath + string root = rpath; + if (state.signingFlags() & kSecCSSignBundleRoot) + root = cfStringRelease(rep->copyCanonicalPath()); + + // build the resource directory + buildResources(root, rpath, resourceRules); + } + + // screen and set the signing time + CFAbsoluteTime now = CFAbsoluteTimeGetCurrent(); + if (state.mSigningTime == CFDateRef(kCFNull)) { + signingTime = 0; // no time at all + } else if (!state.mSigningTime) { + signingTime = now; // default + } else { + CFAbsoluteTime time = CFDateGetAbsoluteTime(state.mSigningTime); + if (time > now) // not allowed to post-date a signature + MacOSError::throwMe(errSecCSBadDictionaryFormat); + signingTime = time; + } + + pagesize = state.mPageSize ? 
cfNumber(state.mPageSize) : rep->pageSize(state); + + // Timestamping setup + CFRef mTSAuth; // identity for client-side authentication to the Timestamp server +} + + +// +// Collect the resource seal for a program. +// This includes both sealed resources and information about nested code. +// +void SecCodeSigner::Signer::buildResources(std::string root, std::string relBase, CFDictionaryRef rulesDict) +{ + typedef ResourceBuilder::Rule Rule; + + secdebug("codesign", "start building resource directory"); + __block CFRef result = makeCFMutableDictionary(); + + CFDictionaryRef rules = cfget(rulesDict, "rules"); + assert(rules); + + if (this->state.mLimitedAsync == NULL) { + this->state.mLimitedAsync = + /* rdar://problem/20299541: Async workers (i.e. parallelization) are currently + * turned off, because the paths for signing code are not ready for it yet. */ + // new LimitedAsync(rep->fd().mediumType() == kIOPropertyMediumTypeSolidStateKey); + new LimitedAsync(false); + } + + CFDictionaryRef files2 = NULL; + if (!(state.signingFlags() & kSecCSSignV1)) { + CFCopyRef rules2 = cfget(rulesDict, "rules2"); + if (!rules2) { + // Clone V1 rules and add default nesting rules at weight 0 (overridden by anything in rules). + // V1 rules typically do not cover these places so we'll prevail, but if they do, we defer to them. 
+ rules2 = cfmake("{+%O" + "'^(Frameworks|SharedFrameworks|PlugIns|Plug-ins|XPCServices|Helpers|MacOS|Library/(Automator|Spotlight|LoginItems))/' = {nested=#T, weight=0}" // exclude dynamic repositories + "}", rules); + } + + Dispatch::Group group; + Dispatch::Group &groupRef = group; // (into block) + + // build the modern (V2) resource seal + __block CFRef files = makeCFMutableDictionary(); + CFMutableDictionaryRef filesRef = files.get(); // (into block) + ResourceBuilder resourceBuilder(root, relBase, rules2, digestAlgorithm(), strict, MacOSErrorSet()); + ResourceBuilder &resources = resourceBuilder; // (into block) + rep->adjustResources(resources); + + resources.scan(^(FTSENT *ent, uint32_t ruleFlags, const std::string relpath, Rule *rule) { + bool isSymlink = (ent->fts_info == FTS_SL); + const std::string path(ent->fts_path); + const std::string accpath(ent->fts_accpath); + this->state.mLimitedAsync->perform(groupRef, ^{ + CFRef seal; + if (ruleFlags & ResourceBuilder::nested) { + seal.take(signNested(path, relpath)); + } else if (isSymlink) { + char target[PATH_MAX]; + ssize_t len = ::readlink(accpath.c_str(), target, sizeof(target)-1); + if (len < 0) + UnixError::check(-1); + target[len] = '\0'; + seal.take(cfmake("{symlink=%s}", target)); + } else { + seal.take(cfmake("{hash=%O}", + CFRef(resources.hashFile(accpath.c_str())).get())); + } + if (ruleFlags & ResourceBuilder::optional) + CFDictionaryAddValue(seal, CFSTR("optional"), kCFBooleanTrue); + CFTypeRef hash; + StLock _(resourceLock); + if ((hash = CFDictionaryGetValue(seal, CFSTR("hash"))) && CFDictionaryGetCount(seal) == 1) // simple form + CFDictionaryAddValue(filesRef, CFTempString(relpath).get(), hash); + else + CFDictionaryAddValue(filesRef, CFTempString(relpath).get(), seal.get()); + code->reportProgress(); + }); + }); + group.wait(); + CFDictionaryAddValue(result, CFSTR("rules2"), resourceBuilder.rules()); + files2 = files; + CFDictionaryAddValue(result, CFSTR("files2"), files2); + } + + 
CFDictionaryAddValue(result, CFSTR("rules"), rules); // preserve V1 rules in any case + if (!(state.signingFlags() & kSecCSSignNoV1)) { + // build the legacy (V1) resource seal + __block CFRef files = makeCFMutableDictionary(); + ResourceBuilder resourceBuilder(root, relBase, rules, digestAlgorithm(), strict, MacOSErrorSet()); + ResourceBuilder &resources = resourceBuilder; + rep->adjustResources(resources); // DiskRep-specific adjustments + resources.scan(^(FTSENT *ent, uint32_t ruleFlags, std::string relpath, Rule *rule) { + if (ent->fts_info == FTS_F) { + CFRef hash; + if (files2) // try to get the hash from a previously-made version + if (CFTypeRef seal = CFDictionaryGetValue(files2, CFTempString(relpath))) { + if (CFGetTypeID(seal) == CFDataGetTypeID()) + hash = CFDataRef(seal); + else + hash = CFDataRef(CFDictionaryGetValue(CFDictionaryRef(seal), CFSTR("hash"))); + } + if (!hash) + hash.take(resources.hashFile(ent->fts_accpath)); + if (ruleFlags == 0) { // default case - plain hash + cfadd(files, "{%s=%O}", relpath.c_str(), hash.get()); + secdebug("csresource", "%s added simple (rule %p)", relpath.c_str(), rule); + } else { // more complicated - use a sub-dictionary + cfadd(files, "{%s={hash=%O,optional=%B}}", + relpath.c_str(), hash.get(), ruleFlags & ResourceBuilder::optional); + secdebug("csresource", "%s added complex (rule %p)", relpath.c_str(), rule); + } + } + }); + CFDictionaryAddValue(result, CFSTR("files"), files.get()); + } + + resourceDirectory = result.get(); + resourceDictData.take(makeCFData(resourceDirectory.get())); +} + + +// +// Deal with one piece of nested code +// +CFMutableDictionaryRef SecCodeSigner::Signer::signNested(const std::string &path, const std::string &relpath) +{ + // sign nested code and collect nesting information + try { + SecPointer code = new SecStaticCode(DiskRep::bestGuess(path)); + if (state.signingFlags() & kSecCSSignNestedCode) + this->state.sign(code, state.signingFlags()); + std::string dr = 
Dumper::dump(code->designatedRequirement()); + return cfmake("{requirement=%s,cdhash=%O}", + Dumper::dump(code->designatedRequirement()).c_str(), + code->cdHash()); + } catch (const CommonError &err) { + CSError::throwMe(err.osStatus(), kSecCFErrorPath, CFTempURL(relpath, false, this->code->resourceBase())); + } +} + + +// +// Sign a Mach-O binary, using liberal dollops of that special Mach-O magic sauce. +// Note that this will deal just fine with non-fat Mach-O binaries, but it will +// treat them as architectural binaries containing (only) one architecture - that +// interpretation is courtesy of the Universal/MachO support classes. +// +void SecCodeSigner::Signer::signMachO(Universal *fat, const Requirement::Context &context) +{ + // Mach-O executable at the core - perform multi-architecture signing + auto_ptr editor(state.mDetached + ? static_cast(new BlobEditor(*fat, *this)) + : new MachOEditor(rep->writer(), *fat, this->digestAlgorithm(), rep->mainExecutablePath())); + assert(editor->count() > 0); + if (!editor->attribute(writerNoGlobal)) // can store architecture-common components + populate(*editor); + + // pass 1: prepare signature blobs and calculate sizes + for (MachOEditor::Iterator it = editor->begin(); it != editor->end(); ++it) { + MachOEditor::Arch &arch = *it->second; + arch.source.reset(fat->architecture(it->first)); + + // library validation is not compatible with i386 + if (arch.architecture.cpuType() == CPU_TYPE_I386) { + if (cdFlags & kSecCodeSignatureLibraryValidation) { + MacOSError::throwMe(errSecCSBadLVArch); + } + } + + arch.ireqs(requirements, rep->defaultRequirements(&arch.architecture, state), context); + if (editor->attribute(writerNoGlobal)) // can't store globally, add per-arch + populate(arch); + populate(arch.cdbuilder, arch, arch.ireqs, + arch.source->offset(), arch.source->signingExtent()); + + // add identification blob (made from this architecture) only if we're making a detached signature + if (state.mDetached) { + CFRef 
identification = MachORep::identificationFor(arch.source.get()); + arch.add(cdIdentificationSlot, BlobWrapper::alloc( + CFDataGetBytePtr(identification), CFDataGetLength(identification))); + } + + // prepare SuperBlob size estimate + size_t cdSize = arch.cdbuilder.size(CodeDirectory::currentVersion); + arch.blobSize = arch.size(cdSize, state.mCMSSize, 0); + } + + editor->allocate(); + + // pass 2: Finish and generate signatures, and write them + for (MachOEditor::Iterator it = editor->begin(); it != editor->end(); ++it) { + MachOEditor::Arch &arch = *it->second; + editor->reset(arch); + + // finish CodeDirectory (off new binary) and sign it + CodeDirectory *cd = arch.cdbuilder.build(); + CFRef signature = signCodeDirectory(cd); + + // complete the SuperBlob + arch.add(cdCodeDirectorySlot, cd); // takes ownership + arch.add(cdSignatureSlot, BlobWrapper::alloc( + CFDataGetBytePtr(signature), CFDataGetLength(signature))); + if (!state.mDryRun) { + EmbeddedSignatureBlob *blob = arch.make(); + editor->write(arch, blob); // takes ownership of blob + } + } + + // done: write edit copy back over the original + if (!state.mDryRun) + editor->commit(); +} + + +// +// Sign a binary that has no notion of architecture. +// That currently means anything that isn't Mach-O format. +// +void SecCodeSigner::Signer::signArchitectureAgnostic(const Requirement::Context &context) +{ + // non-Mach-O executable - single-instance signing + RefPointer writer = state.mDetached ? 
+ (new DetachedBlobWriter(*this)) : rep->writer(); + CodeDirectory::Builder builder(state.mDigestAlgorithm); + InternalRequirements ireqs; + ireqs(requirements, rep->defaultRequirements(NULL, state), context); + populate(*writer); + populate(builder, *writer, ireqs, rep->signingBase(), rep->signingLimit()); + + // add identification blob (made from this architecture) only if we're making a detached signature + if (state.mDetached) { + CFRef identification = rep->identification(); + writer->component(cdIdentificationSlot, identification); + } + + CodeDirectory *cd = builder.build(); + CFRef signature = signCodeDirectory(cd); + if (!state.mDryRun) { + writer->codeDirectory(cd); + writer->signature(signature); + writer->flush(); + } + ::free(cd); +} + + +// +// Global populate - send components to destination buffers ONCE +// +void SecCodeSigner::Signer::populate(DiskRep::Writer &writer) +{ + if (resourceDirectory && !state.mDryRun) + writer.component(cdResourceDirSlot, resourceDictData); +} + + +// +// Per-architecture populate - send components to per-architecture buffers +// and populate the CodeDirectory for an architecture. In architecture-agnostic +// signing operations, the non-architectural binary is considered one (arbitrary) architecture +// for the purposes of this call. 
+// +void SecCodeSigner::Signer::populate(CodeDirectory::Builder &builder, DiskRep::Writer &writer, + InternalRequirements &ireqs, size_t offset /* = 0 */, size_t length /* = 0 */) +{ + // fill the CodeDirectory + builder.executable(rep->mainExecutablePath(), pagesize, offset, length); + builder.flags(cdFlags); + builder.identifier(identifier); + builder.teamID(teamID); + builder.platform(state.mPlatform); + + if (CFRef data = rep->component(cdInfoSlot)) + builder.specialSlot(cdInfoSlot, data); + if (ireqs) { + CFRef data = makeCFData(*ireqs); + writer.component(cdRequirementsSlot, data); + builder.specialSlot(cdRequirementsSlot, data); + } + if (resourceDirectory) + builder.specialSlot(cdResourceDirSlot, resourceDictData); +#if NOT_YET + if (state.mApplicationData) + builder.specialSlot(cdApplicationSlot, state.mApplicationData); +#endif + if (entitlements) { + writer.component(cdEntitlementSlot, entitlements); + builder.specialSlot(cdEntitlementSlot, entitlements); + } + + writer.addDiscretionary(builder); +} + +#include + +// +// Generate the CMS signature for a (finished) CodeDirectory. 
+// +CFDataRef SecCodeSigner::Signer::signCodeDirectory(const CodeDirectory *cd) +{ + assert(state.mSigner); + CFRef defaultTSContext = NULL; + + // a null signer generates a null signature blob + if (state.mSigner == SecIdentityRef(kCFNull)) + return CFDataCreate(NULL, NULL, 0); + + // generate CMS signature + CFRef cms; + MacOSError::check(CMSEncoderCreate(&cms.aref())); + MacOSError::check(CMSEncoderSetCertificateChainMode(cms, kCMSCertificateChainWithRoot)); + CMSEncoderAddSigners(cms, state.mSigner); + CMSEncoderSetSignerAlgorithm(cms, kCMSEncoderDigestAlgorithmSHA256); + MacOSError::check(CMSEncoderSetHasDetachedContent(cms, true)); + + if (signingTime) { + MacOSError::check(CMSEncoderAddSignedAttributes(cms, kCMSAttrSigningTime)); + MacOSError::check(CMSEncoderSetSigningTime(cms, signingTime)); + } + + MacOSError::check(CMSEncoderUpdateContent(cms, cd, cd->length())); + + // Set up to call Timestamp server if requested + + if (state.mWantTimeStamp) + { + CFRef error = NULL; + defaultTSContext = SecCmsTSAGetDefaultContext(&error.aref()); + if (error) + MacOSError::throwMe(errSecDataNotAvailable); + + if (state.mNoTimeStampCerts || state.mTimestampService) { + if (state.mTimestampService) + CFDictionarySetValue(defaultTSContext, kTSAContextKeyURL, state.mTimestampService); + if (state.mNoTimeStampCerts) + CFDictionarySetValue(defaultTSContext, kTSAContextKeyNoCerts, kCFBooleanTrue); + } + + CmsMessageSetTSAContext(cms, defaultTSContext); + } + + CFDataRef signature; + MacOSError::check(CMSEncoderCopyEncodedContent(cms, &signature)); + + return signature; +} + + +// +// Parse a text of the form +// flag,...,flag +// where each flag is the canonical name of a signable CodeDirectory flag. +// No abbreviations are allowed, and internally set flags are not accepted. 
+// +uint32_t SecCodeSigner::Signer::cdTextFlags(std::string text) +{ + uint32_t flags = 0; + for (string::size_type comma = text.find(','); ; text = text.substr(comma+1), comma = text.find(',')) { + string word = (comma == string::npos) ? text : text.substr(0, comma); + const SecCodeDirectoryFlagTable *item; + for (item = kSecCodeDirectoryFlagTable; item->name; item++) + if (item->signable && word == item->name) { + flags |= item->value; + break; + } + if (!item->name) // not found + MacOSError::throwMe(errSecCSInvalidFlags); + if (comma == string::npos) // last word + break; + } + return flags; +} + + +// +// Generate a unique string from our underlying DiskRep. +// We could get 90%+ of the uniquing benefit by just generating +// a random string here. Instead, we pick the (hex string encoding of) +// the source rep's unique identifier blob. For universal binaries, +// this is the canonical local architecture, which is a bit arbitrary. +// This provides us with a consistent unique string for all architectures +// of a fat binary, *and* (unlike a random string) is reproducible +// for identical inputs, even upon resigning. +// +std::string SecCodeSigner::Signer::uniqueName() const +{ + CFRef identification = rep->identification(); + const UInt8 *ident = CFDataGetBytePtr(identification); + const CFIndex length = CFDataGetLength(identification); + string result; + for (CFIndex n = 0; n < length; n++) { + char hex[3]; + snprintf(hex, sizeof(hex), "%02x", ident[n]); + result += hex; + } + return result; +} + + +} // end namespace CodeSigning +} // end namespace Security diff --git a/OSX/include/security_codesigning/signer.h b/OSX/include/security_codesigning/signer.h new file mode 100644 index 00000000..3902d5bb --- /dev/null +++ b/OSX/include/security_codesigning/signer.h 
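Review bot: In `signCodeDirectory`, the return values of `CMSEncoderAddSigners` and `CMSEncoderSetSignerAlgorithm` are discarded while every neighbouring CMSEncoder call is wrapped in `MacOSError::check`; if either fails the encoder carries on and the resulting CMS blob may lack the intended signer or digest algorithm, so they should read `MacOSError::check(CMSEncoderAddSigners(cms, state.mSigner));` and `MacOSError::check(CMSEncoderSetSignerAlgorithm(cms, kCMSEncoderDigestAlgorithmSHA256));`. Two dead locals are also worth removing: `dr` in `signNested` is computed from `Dumper::dump(...)` and then the same expression is re-evaluated inside the `cfmake` call instead of using `dr.c_str()`, and `CFRef mTSAuth;` at the end of `prepare` is declared under the "Timestamping setup" comment but never referenced. In `buildResources`, `files2` is a raw pointer taken from the V2 `files` CFRef, which goes out of scope before the V1 pass dereferences `files2`; it stays valid only because `result` retains the dictionary, and a comment such as `// files2 remains valid: result retains the dictionary` at the `files2 = files;` line would spare the next maintainer that lifetime question.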
@@ -0,0 +1,103 @@ +/* + * Copyright (c) 2006-2012,2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +// +// signer - Signing operation supervisor and controller +// +#ifndef _H_SIGNER +#define _H_SIGNER + +#include "CodeSigner.h" +#include "cdbuilder.h" +#include "signerutils.h" +#include "StaticCode.h" +#include + +namespace Security { +namespace CodeSigning { + + +// +// The signer driver class. +// This is a workflow object, containing all the data needed for the various +// signing stages to cooperate. It is not meant to be API visible; that is +// SecCodeSigner's job. 
+// +class SecCodeSigner::Signer { +public: + Signer(SecCodeSigner &s, SecStaticCode *c) : state(s), code(c), requirements(NULL) + { strict = state.signingFlags() & kSecCSSignStrictPreflight; } + ~Signer() { ::free((Requirements *)requirements); } + + void sign(SecCSFlags flags); + void remove(SecCSFlags flags); + + SecCodeSigner &state; + SecStaticCode * const code; + + CodeDirectory::HashAlgorithm digestAlgorithm() const { return state.mDigestAlgorithm; } + + std::string path() const { return cfStringRelease(rep->copyCanonicalPath()); } + SecIdentityRef signingIdentity() const { return state.mSigner; } + std::string signingIdentifier() const { return identifier; } + +protected: + void prepare(SecCSFlags flags); // set up signing parameters + void signMachO(Universal *fat, const Requirement::Context &context); // sign a Mach-O binary + void signArchitectureAgnostic(const Requirement::Context &context); // sign anything else + + void populate(DiskRep::Writer &writer); // global + void populate(CodeDirectory::Builder &builder, DiskRep::Writer &writer, + InternalRequirements &ireqs, size_t offset = 0, size_t length = 0); // per-architecture + CFDataRef signCodeDirectory(const CodeDirectory *cd); + + uint32_t cdTextFlags(std::string text); // convert text CodeDirectory flags + std::string uniqueName() const; // derive unique string from rep + +protected: + void buildResources(std::string root, std::string relBase, CFDictionaryRef rules); + CFMutableDictionaryRef signNested(const std::string &path, const std::string &relpath); + CFDataRef hashFile(const char *path); + +private: + RefPointer rep; // DiskRep of Code being signed + CFRef resourceDirectory; // resource directory + CFRef resourceDictData; // XML form of resourceDirectory + std::string identifier; // signing identifier + std::string teamID; // team identifier + CFRef entitlements; // entitlements + uint32_t cdFlags; // CodeDirectory flags + const Requirements *requirements; // internal requirements 
ready-to-use + size_t pagesize; // size of main executable pages + CFAbsoluteTime signingTime; // signing time for CMS signature (0 => none) + bool strict; // strict validation + +private: + Mutex resourceLock; +}; + + +} // end namespace CodeSigning +} // end namespace Security + +#endif // !_H_CODESIGNER diff --git a/OSX/include/security_codesigning/signerutils.cpp b/OSX/include/security_codesigning/signerutils.cpp new file mode 100644 index 00000000..eb19d2d3 --- /dev/null +++ b/OSX/include/security_codesigning/signerutils.cpp 
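Review bot: `Signer`'s constructor leaves `cdFlags`, `pagesize` and `signingTime` uninitialized; they are only assigned in `prepare()`, which `remove()` never calls, so those fields hold indeterminate values on the removal path and on any future code path that does not run `prepare()` first. Initializing them in the initializer list, e.g. `: state(s), code(c), requirements(NULL), cdFlags(0), pagesize(0), signingTime(0)`, makes the object well-defined from construction at no cost. Separately, the closing `#endif // !_H_CODESIGNER` does not match the `_H_SIGNER` guard opened at the top of this header and should read `#endif // !_H_SIGNER`.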
@@ -0,0 +1,361 @@ +/* + * Copyright (c) 2006-2013 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +// +// signerutils - utilities for signature generation +// +#include "signerutils.h" +#include "signer.h" +#include "SecCodeSigner.h" +#include +#include +#include "resources.h" +#include "csutilities.h" +#include "drmaker.h" +#include +#include +#include + +// for helper validation +#include "Code.h" +#include +#include + + +namespace Security { +namespace CodeSigning { + + +// +// About the Mach-O allocation helper +// +static const char helperName[] = "codesign_allocate"; +static const char helperPath[] = "/usr/bin/codesign_allocate"; +static const char helperOverride[] = "CODESIGN_ALLOCATE"; +static const size_t csAlign = 16; + + +// +// BlobWriters +// +void BlobWriter::component(CodeDirectory::SpecialSlot slot, CFDataRef data) +{ + return EmbeddedSignatureBlob::Maker::component(slot, data); +} + + +void DetachedBlobWriter::flush() +{ + EmbeddedSignatureBlob *blob = this->make(); + signer.code->detachedSignature(CFTempData(*blob)); + 
signer.state.returnDetachedSignature(blob, signer); + ::free(blob); +} + + +// +// ArchEditor +// +ArchEditor::ArchEditor(Universal &code, CodeDirectory::HashAlgorithm hashType, uint32_t attrs) + : DiskRep::Writer(attrs) +{ + Universal::Architectures archList; + code.architectures(archList); + for (Universal::Architectures::const_iterator it = archList.begin(); + it != archList.end(); ++it) + architecture[*it] = new Arch(*it, hashType); +} + + +ArchEditor::~ArchEditor() +{ + for (ArchMap::iterator it = begin(); it != end(); ++it) + delete it->second; +} + + +// +// BlobEditor +// +BlobEditor::BlobEditor(Universal &fat, SecCodeSigner::Signer &s) + : ArchEditor(fat, s.digestAlgorithm(), 0), signer(s) +{ } + + +void BlobEditor::component(CodeDirectory::SpecialSlot slot, CFDataRef data) +{ + mGlobal.component(slot, data); +} + +void BlobEditor::write(Arch &arch, EmbeddedSignatureBlob *blob) +{ + mMaker.add(arch.architecture.cpuType(), blob); +} + + +void BlobEditor::commit() +{ + // create the architecture-global blob and store it into the superblob + mMaker.add(0, mGlobal.make()); // takes ownership of blob + + // finish up the superblob and deliver it + DetachedSignatureBlob *blob = mMaker.make(); + signer.state.returnDetachedSignature(blob, signer); + ::free(blob); +} + + +// +// MachOEditor's allocate() method spawns the codesign_allocate helper tool to +// "drill up" the Mach-O binary for insertion of Code Signing signature data. +// After the tool succeeds, we open the new file and are ready to write it. 
+// +MachOEditor::MachOEditor(DiskRep::Writer *w, Universal &code, CodeDirectory::HashAlgorithm hashType, std::string srcPath) + : ArchEditor(code, hashType, w->attributes()), + writer(w), + sourcePath(srcPath), + tempPath(srcPath + ".cstemp"), + mNewCode(NULL), + mTempMayExist(false) +{ + if (const char *path = getenv(helperOverride)) { + mHelperPath = path; + mHelperOverridden = true; + } else { + mHelperPath = helperPath; + mHelperOverridden = false; + } +} + +MachOEditor::~MachOEditor() +{ + delete mNewCode; + if (mTempMayExist) + ::remove(tempPath.c_str()); // ignore error (can't do anything about it) + this->kill(); +} + + +void MachOEditor::component(CodeDirectory::SpecialSlot slot, CFDataRef data) +{ + writer->component(slot, data); +} + + +void MachOEditor::allocate() +{ + // note that we may have a temporary file from now on (for cleanup in the error case) + mTempMayExist = true; + + // run codesign_allocate to make room in the executable file + fork(); + wait(); + if (!Child::succeeded()) + MacOSError::throwMe(errSecCSHelperFailed); + + // open the new (temporary) Universal file + { + UidGuard guard(0); + mFd.open(tempPath, O_RDWR); + } + mNewCode = new Universal(mFd); +} + +static const unsigned char appleReq[] = { + // anchor apple and info["Application-Group"] = "com.apple.tool.codesign_allocate" + 0xfa, 0xde, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x58, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x06, + 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x11, 0x41, 0x70, 0x70, 0x6c, + 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2d, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x20, 0x63, 0x6f, 0x6d, 0x2e, 0x61, 0x70, 0x70, 0x6c, + 0x65, 0x2e, 0x74, 0x6f, 0x6f, 0x6c, 0x2e, 0x63, 0x6f, 0x64, 0x65, 0x73, 0x69, 0x67, 0x6e, 0x5f, + 0x61, 0x6c, 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x65, +}; + +void MachOEditor::parentAction() +{ + if (mHelperOverridden) { + CODESIGN_ALLOCATE_VALIDATE((char*)mHelperPath, 
this->pid()); + // check code identity of an overridden allocation helper + SecPointer code = new SecStaticCode(DiskRep::bestGuess(mHelperPath)); + code->staticValidate(kSecCSDefaultFlags, NULL); + code->validateRequirement((const Requirement *)appleReq, errSecCSReqFailed); + } +} + +void MachOEditor::childAction() +{ + vector arguments; + arguments.push_back(helperName); + arguments.push_back("-i"); + arguments.push_back(sourcePath.c_str()); + arguments.push_back("-o"); + arguments.push_back(tempPath.c_str()); + + for (Iterator it = architecture.begin(); it != architecture.end(); ++it) { + size_t size = LowLevelMemoryUtilities::alignUp(it->second->blobSize, csAlign); + char *ssize; // we'll leak this (execv is coming soon) + asprintf(&ssize, "%zd", size); + + if (const char *arch = it->first.name()) { + CODESIGN_ALLOCATE_ARCH((char*)arch, (unsigned int)size); + arguments.push_back("-a"); + arguments.push_back(arch); + } else { + CODESIGN_ALLOCATE_ARCHN(it->first.cpuType(), it->first.cpuSubtype(), (unsigned int)size); + arguments.push_back("-A"); + char *anum; + asprintf(&anum, "%d", it->first.cpuType()); + arguments.push_back(anum); + asprintf(&anum, "%d", it->first.cpuSubtype()); + arguments.push_back(anum); + } + arguments.push_back(ssize); + } + arguments.push_back(NULL); + + if (mHelperOverridden) + ::csops(0, CS_OPS_MARKKILL, NULL, 0); // force code integrity + ::seteuid(0); // activate privilege if caller has it; ignore error if not + execv(mHelperPath, (char * const *)&arguments[0]); +} + +void MachOEditor::reset(Arch &arch) +{ + arch.source.reset(mNewCode->architecture(arch.architecture)); + arch.cdbuilder.reopen(tempPath, + arch.source->offset(), arch.source->signingOffset()); +} + + +// +// MachOEditor's write() method actually writes the blob into the CODESIGNING section +// of the executable image file. 
+// +void MachOEditor::write(Arch &arch, EmbeddedSignatureBlob *blob) +{ + if (size_t offset = arch.source->signingOffset()) { + size_t signingLength = arch.source->signingLength(); + CODESIGN_ALLOCATE_WRITE((char*)arch.architecture.name(), offset, (unsigned)blob->length(), (unsigned)signingLength); + if (signingLength < blob->length()) + MacOSError::throwMe(errSecCSCMSTooLarge); + arch.source->seek(offset); + arch.source->writeAll(*blob); + ::free(blob); // done with it + } else { + secdebug("signer", "%p cannot find CODESIGNING section", this); + MacOSError::throwMe(errSecCSInternalError); + } +} + + +// +// Commit the edit. +// This moves the temporary editor copy over the source image file. +// Note that the Universal object returned by allocate() is still open +// and valid; the caller owns it. +// +void MachOEditor::commit() +{ + // if the file's owned by someone else *and* we can become root... + struct stat st; + UnixError::check(::stat(sourcePath.c_str(), &st)); + + // copy over all the *other* stuff + Copyfile copy; + int fd = mFd; + copy.set(COPYFILE_STATE_DST_FD, &fd); + { + // perform copy under root or file-owner privileges if available + UidGuard guard; + if (!guard.seteuid(0)) + guard.seteuid(st.st_uid); + + // copy metadata from original file... + copy(sourcePath.c_str(), NULL, COPYFILE_SECURITY | COPYFILE_METADATA); + + // ... 
but explicitly update the timestamps since we did change the file + char buf; + mFd.read(&buf, sizeof(buf), 0); + mFd.write(&buf, sizeof(buf), 0); + + // move the new file into place + UnixError::check(::rename(tempPath.c_str(), sourcePath.c_str())); + mTempMayExist = false; // we renamed it away + } +} + + +// +// InternalRequirements +// +void InternalRequirements::operator () (const Requirements *given, const Requirements *defaulted, const Requirement::Context &context) +{ + // first add the default internal requirements + if (defaulted) { + this->add(defaulted); + ::free((void *)defaulted); // was malloc(3)ed by DiskRep + } + + // now override them with any requirements explicitly given by the signer + if (given) + this->add(given); + + // now add the Designated Requirement, if we can make it and it's not been provided + if (!this->contains(kSecDesignatedRequirementType)) { + DRMaker maker(context); + if (Requirement *dr = maker.make()) { + this->add(kSecDesignatedRequirementType, dr); // takes ownership of dr + } + } + + // return the result + mReqs = this->make(); +} + + +// +// Pre-Signing contexts +// +PreSigningContext::PreSigningContext(const SecCodeSigner::Signer &signer) +{ + // construct a cert chain + if (signer.signingIdentity() != SecIdentityRef(kCFNull)) { + CFRef signingCert; + MacOSError::check(SecIdentityCopyCertificate(signer.signingIdentity(), &signingCert.aref())); + CFRef policy = SecPolicyCreateWithOID(kSecPolicyAppleCodeSigning); + CFRef trust; + MacOSError::check(SecTrustCreateWithCertificates(CFArrayRef(signingCert.get()), policy, &trust.aref())); + SecTrustResultType result; + MacOSError::check(SecTrustEvaluate(trust, &result)); + CSSM_TP_APPLE_EVIDENCE_INFO *info; + MacOSError::check(SecTrustGetResult(trust, &result, &mCerts.aref(), &info)); + this->certs = mCerts; + } + + // other stuff + this->identifier = signer.signingIdentifier(); +} + + +} // end namespace CodeSigning +} // end namespace Security 
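Review bot: In MachOEditor::childAction() the three asprintf() calls are unchecked, so on allocation failure `ssize`/`anum` hold an indeterminate (or NULL) pointer that is then pushed into the argv handed to execv(); the `%zd` conversion also mismatches the unsigned `size_t` argument. Since this code runs in the forked child, the cheapest guard is to abort rather than throw, e.g. `if (asprintf(&ssize, "%zu", size) < 0) _exit(1);` and the same check on both `anum` lines. The execv() return is likewise unchecked, and what happens when childAction() falls through after a failed exec depends on the Child base class, which is outside this hunk. parentAction() validates an overridden helper by path while the child exec()s that same path, so the identity check is not atomic with the exec; the CS_OPS_MARKKILL in the child appears to narrow but not close that window, which is worth a comment next to the `SecPointer code = ...` line.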
diff --git a/Security/libsecurity_codesigning/lib/signerutils.h b/OSX/include/security_codesigning/signerutils.h similarity index 100% rename from Security/libsecurity_codesigning/lib/signerutils.h rename to OSX/include/security_codesigning/signerutils.h diff --git a/OSX/include/security_codesigning/singlediskrep.cpp b/OSX/include/security_codesigning/singlediskrep.cpp new file mode 100644 index 00000000..5b01b138 --- /dev/null +++ b/OSX/include/security_codesigning/singlediskrep.cpp 
@@ -0,0 +1,139 @@ +/* + * Copyright (c) 2006-2011,2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +// +// singlediskrep - semi-abstract diskrep for a single file of some kind +// +#include "singlediskrep.h" +#include "csutilities.h" +#include +#include + +namespace Security { +namespace CodeSigning { + +using namespace UnixPlusPlus; + + +// +// Construct a SingleDiskRep +// +SingleDiskRep::SingleDiskRep(const std::string &path) + : mPath(path) +{ +} + + +// +// The default binary identification of a SingleDiskRep is the (SHA-1) hash +// of the entire file itself. +// +CFDataRef SingleDiskRep::identification() +{ + SHA1 hash; + this->fd().seek(0); + hashFileData(this->fd(), &hash); + SHA1::Digest digest; + hash.finish(digest); + return makeCFData(digest, sizeof(digest)); +} + + +// +// Both the canonical and main executable path of a SingleDiskRep is, well, its path. 
+// +CFURLRef SingleDiskRep::copyCanonicalPath() +{ + return makeCFURL(mPath); +} + +string SingleDiskRep::mainExecutablePath() +{ + return mPath; +} + + +// +// The default signing limit is the size of the file. +// This will do unless the signing data gets creatively stuck in there somewhere. +// +size_t SingleDiskRep::signingLimit() +{ + return fd().fileSize(); +} + +// +// A lazily opened read-only file descriptor for the path. +// +FileDesc &SingleDiskRep::fd() +{ + if (!mFd) + mFd.open(mPath, O_RDONLY); + + return mFd; +} + +// +// Flush cached state +// +void SingleDiskRep::flush() +{ + mFd.close(); +} + + +// +// The recommended identifier of a SingleDiskRep is, absent any better clue, +// the basename of its path. +// +string SingleDiskRep::recommendedIdentifier(const SigningContext &) +{ + return canonicalIdentifier(mPath); +} + + +// +// Paranoid validation +// +void SingleDiskRep::strictValidate(const CodeDirectory* cd, const ToleratedErrors& tolerated) +{ + // code limit must cover (exactly) the entire file + if (cd && cd->codeLimit != signingLimit()) + MacOSError::throwMe(errSecCSSignatureInvalid); +} + + + +// +// Prototype Writers +// +FileDesc &SingleDiskRep::Writer::fd() +{ + if (!mFd) + mFd.open(rep->path(), O_RDWR); + return mFd; +} + + +} // end namespace CodeSigning +} // end namespace Security diff --git a/Security/libsecurity_codesigning/lib/singlediskrep.h b/OSX/include/security_codesigning/singlediskrep.h similarity index 100% rename from Security/libsecurity_codesigning/lib/singlediskrep.h rename to OSX/include/security_codesigning/singlediskrep.h diff --git a/Security/libsecurity_codesigning/lib/slcrep.cpp b/OSX/include/security_codesigning/slcrep.cpp similarity index 100% rename from Security/libsecurity_codesigning/lib/slcrep.cpp rename to OSX/include/security_codesigning/slcrep.cpp 
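Review bot: SingleDiskRep::identification() hard-codes SHA-1 over the whole file, whereas the signing paths elsewhere in this commit are parameterized on CodeDirectory::HashAlgorithm, and nothing here documents whether callers treat the value as a collision-resistant fingerprint or only as a lookup key. Suggest stating the contract in the header comment, e.g. `// Identification is a SHA-1 digest of the file, presumably kept for format compatibility (confirm); do not rely on it as a collision-resistant identity`. Separately, strictValidate() accepts a ToleratedErrors argument it never reads, which a reader may take to mean errSecCSSignatureInvalid can be tolerated here; a one-line comment such as `// tolerated is intentionally unused: a code-limit mismatch is never tolerated for a single-file rep` would make the intent explicit.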
diff --git a/Security/libsecurity_codesigning/lib/slcrep.h b/OSX/include/security_codesigning/slcrep.h similarity index 100% rename from Security/libsecurity_codesigning/lib/slcrep.h rename to OSX/include/security_codesigning/slcrep.h diff --git a/Security/libsecurity_codesigning/lib/syspolicy.sql b/OSX/include/security_codesigning/syspolicy.sql similarity index 100% rename from Security/libsecurity_codesigning/lib/syspolicy.sql rename to OSX/include/security_codesigning/syspolicy.sql diff --git a/Security/libsecurity_codesigning/lib/xar++.cpp b/OSX/include/security_codesigning/xar++.cpp similarity index 100% rename from Security/libsecurity_codesigning/lib/xar++.cpp rename to OSX/include/security_codesigning/xar++.cpp diff --git a/Security/libsecurity_codesigning/lib/xar++.h b/OSX/include/security_codesigning/xar++.h similarity index 100% rename from Security/libsecurity_codesigning/lib/xar++.h rename to OSX/include/security_codesigning/xar++.h diff --git a/Security/libsecurity_codesigning/lib/xpcengine.cpp b/OSX/include/security_codesigning/xpcengine.cpp similarity index 100% rename from Security/libsecurity_codesigning/lib/xpcengine.cpp rename to OSX/include/security_codesigning/xpcengine.cpp diff --git a/Security/libsecurity_codesigning/lib/xpcengine.h b/OSX/include/security_codesigning/xpcengine.h similarity index 100% rename from Security/libsecurity_codesigning/lib/xpcengine.h rename to OSX/include/security_codesigning/xpcengine.h diff --git a/Security/libsecurity_comcryption/lib/comDebug.h b/OSX/include/security_comcryption/comDebug.h similarity index 100% rename from Security/libsecurity_comcryption/lib/comDebug.h rename to OSX/include/security_comcryption/comDebug.h diff --git a/Security/libsecurity_comcryption/lib/comcryptPriv.c b/OSX/include/security_comcryption/comcryptPriv.c similarity index 100% rename from Security/libsecurity_comcryption/lib/comcryptPriv.c rename to OSX/include/security_comcryption/comcryptPriv.c 
diff --git a/Security/libsecurity_comcryption/lib/comcryptPriv.h b/OSX/include/security_comcryption/comcryptPriv.h similarity index 100% rename from Security/libsecurity_comcryption/lib/comcryptPriv.h rename to OSX/include/security_comcryption/comcryptPriv.h diff --git a/Security/libsecurity_comcryption/lib/comcryption.c b/OSX/include/security_comcryption/comcryption.c similarity index 100% rename from Security/libsecurity_comcryption/lib/comcryption.c rename to OSX/include/security_comcryption/comcryption.c diff --git a/Security/libsecurity_comcryption/lib/comcryption.h b/OSX/include/security_comcryption/comcryption.h similarity index 100% rename from Security/libsecurity_comcryption/lib/comcryption.h rename to OSX/include/security_comcryption/comcryption.h diff --git a/Security/libsecurity_cryptkit/lib/ByteRep.txt b/OSX/include/security_cryptkit/ByteRep.txt similarity index 100% rename from Security/libsecurity_cryptkit/lib/ByteRep.txt rename to OSX/include/security_cryptkit/ByteRep.txt diff --git a/Security/libsecurity_cryptkit/lib/CipherFileDES.c b/OSX/include/security_cryptkit/CipherFileDES.c similarity index 100% rename from Security/libsecurity_cryptkit/lib/CipherFileDES.c rename to OSX/include/security_cryptkit/CipherFileDES.c diff --git a/Security/libsecurity_cryptkit/lib/CipherFileDES.h b/OSX/include/security_cryptkit/CipherFileDES.h similarity index 100% rename from Security/libsecurity_cryptkit/lib/CipherFileDES.h rename to OSX/include/security_cryptkit/CipherFileDES.h diff --git a/Security/libsecurity_cryptkit/lib/CipherFileFEED.c b/OSX/include/security_cryptkit/CipherFileFEED.c similarity index 100% rename from Security/libsecurity_cryptkit/lib/CipherFileFEED.c rename to OSX/include/security_cryptkit/CipherFileFEED.c 
diff --git a/Security/libsecurity_cryptkit/lib/CipherFileFEED.h b/OSX/include/security_cryptkit/CipherFileFEED.h similarity index 100% rename from Security/libsecurity_cryptkit/lib/CipherFileFEED.h rename to OSX/include/security_cryptkit/CipherFileFEED.h diff --git a/Security/libsecurity_cryptkit/lib/CipherFileTypes.h b/OSX/include/security_cryptkit/CipherFileTypes.h similarity index 100% rename from Security/libsecurity_cryptkit/lib/CipherFileTypes.h rename to OSX/include/security_cryptkit/CipherFileTypes.h diff --git a/Security/libsecurity_cryptkit/lib/Crypt.h b/OSX/include/security_cryptkit/Crypt.h similarity index 100% rename from Security/libsecurity_cryptkit/lib/Crypt.h rename to OSX/include/security_cryptkit/Crypt.h diff --git a/Security/libsecurity_cryptkit/lib/CryptKit.def b/OSX/include/security_cryptkit/CryptKit.def similarity index 100% rename from Security/libsecurity_cryptkit/lib/CryptKit.def rename to OSX/include/security_cryptkit/CryptKit.def diff --git a/Security/libsecurity_cryptkit/lib/CryptKit.h b/OSX/include/security_cryptkit/CryptKit.h similarity index 100% rename from Security/libsecurity_cryptkit/lib/CryptKit.h rename to OSX/include/security_cryptkit/CryptKit.h diff --git a/Security/libsecurity_cryptkit/lib/CryptKitAsn1.cpp b/OSX/include/security_cryptkit/CryptKitAsn1.cpp similarity index 100% rename from Security/libsecurity_cryptkit/lib/CryptKitAsn1.cpp rename to OSX/include/security_cryptkit/CryptKitAsn1.cpp diff --git a/Security/libsecurity_cryptkit/lib/CryptKitAsn1.h b/OSX/include/security_cryptkit/CryptKitAsn1.h similarity index 100% rename from Security/libsecurity_cryptkit/lib/CryptKitAsn1.h rename to OSX/include/security_cryptkit/CryptKitAsn1.h diff --git a/OSX/include/security_cryptkit/CryptKitDER.cpp b/OSX/include/security_cryptkit/CryptKitDER.cpp new file mode 100644 index 00000000..f8cabe31 --- /dev/null +++ b/OSX/include/security_cryptkit/CryptKitDER.cpp 
@@ -0,0 +1,1244 @@ +/* + * Copyright (c) 2000-2001,2011-2012,2014 Apple Inc. All Rights Reserved. + * + * The contents of this file constitute Original Code as defined in and are + * subject to the Apple Public Source License Version 1.2 (the 'License'). + * You may not use this file except in compliance with the License. Please obtain + * a copy of the License at http://www.apple.com/publicsource and read it before + * using this file. + * + * This Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS + * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT + * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR + * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the + * specific language governing rights and limitations under the License. + */ + + +/* + * CryptKitDER.h - snacc-based routines to create and parse DER-encoded FEE + * keys and signatures + * + */ + +#include "ckconfig.h" + +#if CRYPTKIT_DER_ENABLE + +#include +#include +#include +#include +#include +#include "CryptKitAsn1.h" +#include +#include +#include +#include +#include + +#define PRINT_SIG_GIANTS 0 +#define PRINT_CURVE_PARAMS 0 +#define PRINT_SIZES 0 +#if PRINT_SIZES +#define szprint(s) printf s +#else +#define szprint(s) +#endif + +/* + * Trivial exception class associated with a feeReturn. 
+ */ +class feeException +{ +protected: + feeException(feeReturn frtn, const char *op); +public: + ~feeException() throw() {} + feeReturn frtn() const throw() { return mFrtn; } + static void throwMe(feeReturn frtn, const char *op = NULL) __attribute__((noreturn)); +private: + feeReturn mFrtn; +}; + +feeException::feeException( + feeReturn frtn, + const char *op) + : mFrtn(frtn) +{ + if(op) { + dbgLog(("%s: %s\n", op, feeReturnString(frtn))); + } +} + +void feeException::throwMe(feeReturn frtn, const char *op /*= NULL*/) { throw feeException(frtn, op); } + +/* + * ASN1 encoding rules specify that an integer's sign is indicated by the MSB + * of the first (MS) content byte. For a non-negative number, if the MSB of + * the MS byte (of the unencoded number) is one, then the encoding starts with + * a byte of zeroes to indicate positive sign. For a negative number, the first + * nine bits can not be all 1 - if they are (in the undecoded number), leading + * bytes of 0xff are trimmed off until the first nine bits are something other + * than one. Also, the first nine bits of the encoded number can not all be + * zero. + * + * CryptKit giants express their sign as part of the giantstruct.sign field. + * The giantDigit array (giantstruct.n[]) is stored l.s. digit first. + * + * These routines are independent of platform, endianness, and giatn digit size. + */ + +/* routines to guess maximum size of DER-encoded objects */ +static unsigned feeSizeOfSnaccGiant( + giant g) +{ + unsigned rtn = abs(g->sign) * GIANT_BYTES_PER_DIGIT; + szprint(("feeSizeOfSnaccGiant: sign %d size %d\n", g->sign, rtn + 4)); + return rtn + 4; +} + +/* PUBLIC... 
*/ +unsigned feeSizeOfDERSig( + giant g1, + giant g2) +{ + unsigned rtn = feeSizeOfSnaccGiant(g1); + rtn += feeSizeOfSnaccGiant(g2); + szprint(("feeSizeOfDERSig: size %d\n", rtn + 4)); + return rtn + 4; +} + +/* perform 2's complement of byte array, expressed MS byte first */ +static void twosComplement( + unsigned char *bytePtr, // points to MS byte + unsigned numBytes) +{ + unsigned char *outp = bytePtr + numBytes - 1; + unsigned char carry = 1; // first time thru, carry = 1 to add one to 1's comp + for(unsigned byteDex=0; byteDex unsigned int + */ +static unsigned cssmDataToInt( + const CSSM_DATA &cdata) +{ + if((cdata.Length == 0) || (cdata.Data == NULL)) { + return 0; + } + unsigned len = (unsigned)cdata.Length; + if(len > sizeof(int)) { + feeException::throwMe(FR_BadKeyBlob, "cssmDataToInt"); + } + + unsigned rtn = 0; + uint8 *cp = cdata.Data; + for(unsigned i=0; i CSSM_DATA, mallocing from an SecNssCoder + */ +static void intToCssmData( + unsigned num, + CSSM_DATA &cdata, + SecNssCoder &coder) +{ + unsigned len = 0; + + if(num < 0x100) { + len = 1; + } + else if(num < 0x10000) { + len = 2; + } + else if(num < 0x1000000) { + len = 3; + } + else { + len = 4; + } + cdata.Data = (uint8 *)coder.malloc(len); + cdata.Length = len; + uint8 *cp = &cdata.Data[len - 1]; + for(unsigned i=0; i>= 8; + } +} + +/* + * Convert a decoded ASN integer, as a CSSM_DATA, to a (mallocd) giant. + * Only known exception is a feeException. 
+ */ +static giant cssmDataToGiant( + const CSSM_DATA &cdata) +{ + char *rawOcts = (char *)cdata.Data; + unsigned numBytes = (unsigned)cdata.Length; + unsigned numGiantDigits; + int sign = 1; + giant grtn; + feeReturn frtn = FR_Success; + unsigned char *inp = NULL; + unsigned digitDex; // index into g->giantDigit[] + + /* handle degenerate case (value of zero) */ + if((numBytes == 0) || ((numBytes == 1) && rawOcts[0] == 0)) { + grtn = newGiant(1); + if(grtn == NULL) { + feeException::throwMe(FR_Memory, "newGiant(1)"); + } + int_to_giant(0, grtn); + return grtn; + } + + /* make a copy of raw octets if we have to do two's complement */ + unsigned char *byteArray = NULL; + bool didMalloc = false; + if(rawOcts[0] & 0x80) { + sign = -1; + numBytes++; + byteArray = (unsigned char *)fmalloc(numBytes); + didMalloc = true; + byteArray[0] = 0xff; + memmove(byteArray + 1, rawOcts, numBytes-1); + twosComplement(byteArray, numBytes); + } + else { + /* no copy */ + char *foo = rawOcts; + byteArray = (unsigned char *)foo; + } + + /* cook up a new giant */ + numGiantDigits = (numBytes + GIANT_BYTES_PER_DIGIT - 1) / + GIANT_BYTES_PER_DIGIT; + grtn = newGiant(numGiantDigits); + if(grtn == NULL) { + frtn = FR_Memory; + goto abort; + } + + /* + * Convert byteArray to array of giantDigits + * inp - raw input bytes, LSB last + * grtn->n[] - output array of giantDigits, LSD first + * Start at LS byte and LD digit + */ + digitDex = 0; // index into g->giantDigit[] + giantDigit thisDigit; + inp = byteArray + numBytes - 1; + unsigned dex; // total byte counter + unsigned byteDex; // index into one giantDigit + unsigned shiftCount; + for(dex=0; dexn[digitDex++] = thisDigit; + } + grtn->sign = (int)numGiantDigits * sign; + + /* trim leading (MS) zeroes */ + gtrimSign(grtn); +abort: + if(didMalloc) { + ffree(byteArray); + } + if(frtn) { + feeException::throwMe(frtn, "bigIntStrToGiant"); + } + return grtn; +} + +/* + * Convert a giant to an CSSM_DATA, mallocing using specified coder. 
+ * Only known exception is a feeException. + */ + static void giantToCssmData( + giant g, + CSSM_DATA &cdata, + SecNssCoder &coder) +{ + unsigned char doPrepend = 0; + unsigned numGiantDigits = abs(g->sign); + unsigned numBytes = numGiantDigits * GIANT_BYTES_PER_DIGIT; + giantDigit msGiantBit = 0; + if(isZero(g)) { + /* special degenerate case */ + intToCssmData(0, cdata, coder); + return; + } + else { + msGiantBit = g->n[numGiantDigits - 1] >> (GIANT_BITS_PER_DIGIT - 1); + } + + /* prepend a byte of zero if necessary */ + if((g->sign < 0) || // negative - to handle 2's complement + ((g->sign > 0) && msGiantBit)) { // ensure MS byte is zero + doPrepend = 1; + numBytes++; + } + + unsigned char *rawBytes = (unsigned char *)fmalloc(numBytes); + if(rawBytes == NULL) { + feeException::throwMe(FR_Memory, "giantToCssmData fmalloc(rawBytes)"); + } + unsigned char *outp = rawBytes; + if(doPrepend) { + *outp++ = 0; + } + + /* + * Convert array of giantDigits to bytes. + * outp point to MS output byte. + */ + int digitDex; // index into g->giantDigit[] + unsigned byteDex; // byte index into a giantDigit + for(digitDex=numGiantDigits-1; digitDex>=0; digitDex--) { + /* one loop per giantDigit, starting at MS end */ + giantDigit thisDigit = g->n[digitDex]; + unsigned char *bp = outp + GIANT_BYTES_PER_DIGIT - 1; + for(byteDex=0; byteDex>= 8; + } + outp += GIANT_BYTES_PER_DIGIT; + } + + /* do two's complement for negative giants */ + if(g->sign < 0) { + twosComplement(rawBytes, numBytes); + } + + /* strip off redundant leading bits (nine zeroes or nine ones) */ + outp = rawBytes; + unsigned char *endp = outp + numBytes - 1; + while((*outp == 0) && // m.s. byte zero + (outp < endp) && // more bytes exist + (!(outp[1] & 0x80))) { // 9th bit is 0 + outp++; + numBytes--; + } + while((*outp == 0xff) && // m.s. 
byte all ones + (outp < endp) && // more bytes exist + (outp[1] & 0x80)) { // 9th bit is 1 + outp++; + numBytes--; + } + cdata.Data = (uint8 *)coder.malloc(numBytes); + memmove(cdata.Data, outp, numBytes); + cdata.Length = numBytes; + ffree(rawBytes); + return; +} + +/* curveParams : CryptKit <--> FEECurveParametersASN1 */ +/* Only known exception is a feeException */ +static void feeCurveParamsToASN1( + const curveParams *cp, + FEECurveParametersASN1 &asnCp, + SecNssCoder &coder) +{ + #if PRINT_CURVE_PARAMS + printf("===encoding curveParams; cp:\n"); printCurveParams(cp); + #endif + memset(&asnCp, 0, sizeof(asnCp)); + try { + intToCssmData(cp->primeType, asnCp.primeType, coder); + intToCssmData(cp->curveType, asnCp.curveType, coder); + intToCssmData(cp->q, asnCp.q, coder); + intToCssmData(cp->k, asnCp.k, coder); + intToCssmData(cp->m, asnCp.m, coder); + giantToCssmData(cp->a, asnCp.a, coder); + giantToCssmData(cp->b, asnCp.b_, coder); + giantToCssmData(cp->c, asnCp.c, coder); + giantToCssmData(cp->x1Plus, asnCp.x1Plus, coder); + giantToCssmData(cp->x1Minus, asnCp.x1Minus, coder); + giantToCssmData(cp->cOrderPlus, asnCp.cOrderPlus, coder); + giantToCssmData(cp->cOrderMinus, asnCp.cOrderMinus, coder); + giantToCssmData(cp->x1OrderPlus, asnCp.x1OrderPlus, coder); + giantToCssmData(cp->x1OrderMinus, asnCp.x1OrderMinus, coder); + if(cp->primeType == FPT_General) { + giantToCssmData(cp->basePrime, asnCp.basePrime, coder); + } + } + catch(const feeException &ferr) { + throw; + } + catch(...) { + feeException::throwMe(FR_Memory, "feeCurveParamsToSnacc catchall"); // ??? 
+ } +} + +static curveParams *feeCurveParamsFromAsn1( + const FEECurveParametersASN1 &asnCp) +{ + curveParams *cp = newCurveParams(); + if(cp == NULL) { + feeException::throwMe(FR_Memory, "feeCurveParamsFromSnacc alloc cp"); + } + cp->primeType = (feePrimeType)cssmDataToInt(asnCp.primeType); + cp->curveType = (feeCurveType)cssmDataToInt(asnCp.curveType); + cp->q = cssmDataToInt(asnCp.q); + cp->k = cssmDataToInt(asnCp.k); + cp->m = cssmDataToInt(asnCp.m); + cp->a = cssmDataToGiant(asnCp.a); + cp->b = cssmDataToGiant(asnCp.b_); + cp->c = cssmDataToGiant(asnCp.c); + cp->x1Plus = cssmDataToGiant(asnCp.x1Plus); + cp->x1Minus = cssmDataToGiant(asnCp.x1Minus); + cp->cOrderPlus = cssmDataToGiant(asnCp.cOrderPlus); + cp->cOrderMinus = cssmDataToGiant(asnCp.cOrderMinus); + cp->x1OrderPlus = cssmDataToGiant(asnCp.x1OrderPlus); + cp->x1OrderMinus = cssmDataToGiant(asnCp.x1OrderMinus); + if(asnCp.basePrime.Data != NULL) { + cp->basePrime = cssmDataToGiant(asnCp.basePrime); + } + + /* remaining fields inferred */ + curveParamsInferFields(cp); + allocRecipGiants(cp); + #if PRINT_CURVE_PARAMS + printf("===decoding curveParams; cp:\n"); printCurveParams(cp); + #endif + return cp; +} + +/*** + *** Public routines. These are usable from C code; they never throw. + ***/ + +/* + * Encode/decode the two FEE signature types. We malloc returned data via + * fmalloc(); caller must free via ffree(). 
+ */
+feeReturn feeDEREncodeElGamalSignature(
+ giant u,
+ giant PmX,
+ unsigned char **encodedSig, // fmallocd and RETURNED
+ unsigned *encodedSigLen) // RETURNED
+{
+ /* convert to FEEElGamalSignatureASN1 */
+ FEEElGamalSignatureASN1 asnSig;
+ SecNssCoder coder;
+
+ try {
+ giantToCssmData(u, asnSig.u, coder);
+ giantToCssmData(PmX, asnSig.pmX, coder);
+ }
+ catch(const feeException &ferr) {
+ return ferr.frtn();
+ }
+
+ /* DER encode */
+ PRErrorCode perr;
+ CSSM_DATA encBlob; // mallocd by coder
+ perr = coder.encodeItem(&asnSig, FEEElGamalSignatureASN1Template, encBlob);
+ if(perr) {
+ return FR_Memory;
+ }
+
+ /* copy out to caller */
+ *encodedSig = (unsigned char *)fmalloc((unsigned)encBlob.Length);
+ *encodedSigLen = (unsigned)encBlob.Length;
+ memmove(*encodedSig, encBlob.Data, encBlob.Length);
+
+ #if PRINT_SIG_GIANTS
+ printf("feeEncodeElGamalSignature:\n");
+ printf(" u : "); printGiantHex(u);
+ printf(" PmX : "); printGiantHex(PmX);
+ #endif
+
+ return FR_Success;
+}
+
+/*
+ * Encode a DER formatted ECDSA signature
+ */
+feeReturn feeDEREncodeECDSASignature(
+ giant c,
+ giant d,
+ unsigned char **encodedSig, // fmallocd and RETURNED
+ unsigned *encodedSigLen) // RETURNED
+{
+ /* convert to FEEECDSASignatureASN1 */
+ FEEECDSASignatureASN1 asnSig;
+ SecNssCoder coder;
+
+ try {
+ giantToCssmData(c, asnSig.c, coder);
+ giantToCssmData(d, asnSig.d, coder);
+ }
+ catch(const feeException &ferr) {
+ return ferr.frtn();
+ }
+
+ /* DER encode */
+ PRErrorCode perr;
+ CSSM_DATA encBlob; // mallocd by coder
+ perr = coder.encodeItem(&asnSig, FEEECDSASignatureASN1Template, encBlob);
+ if(perr) {
+ return FR_Memory;
+ }
+
+ /* copy out to caller */
+ *encodedSig = (unsigned char *)fmalloc((unsigned)encBlob.Length);
+ *encodedSigLen = (unsigned)encBlob.Length;
+ memmove(*encodedSig, encBlob.Data, encBlob.Length);
+
+ #if PRINT_SIG_GIANTS
+ printf("feeDEREncodeECDSASignature:\n");
+ printf(" c : "); printGiantHex(c);
+ printf(" d : "); printGiantHex(d);
+ #endif
+ return FR_Success;
+
+}
+
+#if PRINT_SIG_GIANTS
+static void printHex(
+ const unsigned char *buf,
+ unsigned len,
+ unsigned maxLen)
+{
+ bool doEllipsis = false;
+ unsigned dex;
+ if(len > maxLen) {
+ len = maxLen;
+ doEllipsis = true;
+ }
+ for(dex=0; dex>1))) {
+ return FR_BadSignatureFormat;
+ }
+
+ try {
+ *c = giant_with_data((uint8_t*)encodedSig,(int)groupBytesLen);
+ *d = giant_with_data((uint8_t*)encodedSig+groupBytesLen, (int)groupBytesLen);
+ }
+ catch(const feeException &ferr) {
+ return ferr.frtn();
+ }
+ catch(...) {
+ /* FIXME - bad sig? memory? */
+ return FR_Memory;
+ }
+#if PRINT_SIG_GIANTS
+ printf("feeRAWDecodeECDSASignature:\n");
+ printf(" c : "); printGiantHex(*c);
+ printf(" d : "); printGiantHex(*d);
+#endif
+ return FR_Success;
+}
+
+/*
+ * Encode/decode the FEE private and public keys. We malloc returned data via
+ * falloc(); caller must free via ffree(). Public C functions which never throw.
+ */
+feeReturn feeDEREncodePublicKey(
+ int version,
+ const curveParams *cp,
+ giant plusX,
+ giant minusX,
+ giant plusY, // may be NULL
+ unsigned char **keyBlob, // fmallocd and RETURNED
+ unsigned *keyBlobLen) // RETURNED
+{
+ FEEPublicKeyASN1 asnKey;
+ SecNssCoder coder;
+
+ memset(&asnKey, 0, sizeof(asnKey));
+ intToCssmData(version, asnKey.version, coder);
+
+ try {
+ feeCurveParamsToASN1(cp, asnKey.curveParams, coder);
+ giantToCssmData(plusX, asnKey.plusX, coder);
+ giantToCssmData(minusX, asnKey.minusX, coder);
+ if(plusY != NULL) {
+ giantToCssmData(plusY, asnKey.plusY, coder);
+ }
+ }
+ catch(const feeException &ferr) {
+ return ferr.frtn();
+ }
+
+ /* DER encode */
+ PRErrorCode perr;
+ CSSM_DATA encBlob; // mallocd by coder
+ perr = coder.encodeItem(&asnKey, FEEPublicKeyASN1Template, encBlob);
+ if(perr) {
+ return FR_Memory;
+ }
+
+ /* copy out */
+ *keyBlob = (unsigned char *)fmalloc((unsigned)encBlob.Length);
+ *keyBlobLen = (unsigned)encBlob.Length;
+ memmove(*keyBlob, encBlob.Data, encBlob.Length);
+ return FR_Success;
+}
+
+feeReturn feeDEREncodePrivateKey(
+ int version,
+ const curveParams *cp,
+ const giant privData,
+ unsigned char **keyBlob, // fmallocd and RETURNED
+ unsigned *keyBlobLen) // RETURNED
+{
+ FEEPrivateKeyASN1 asnKey;
+ SecNssCoder coder;
+
+ memset(&asnKey, 0, sizeof(asnKey));
+ intToCssmData(version, asnKey.version, coder);
+
+ try {
+ feeCurveParamsToASN1(cp, asnKey.curveParams, coder);
+ giantToCssmData(privData, asnKey.privData, coder);
+ }
+ catch(const feeException &ferr) {
+ return ferr.frtn();
+ }
+
+ /* DER encode */
+ PRErrorCode perr;
+ CSSM_DATA encBlob; // mallocd by coder
+ perr = coder.encodeItem(&asnKey, FEEPrivateKeyASN1Template, encBlob);
+ if(perr) {
+ return FR_Memory;
+ }
+
+ /* copy out */
+ *keyBlob = (unsigned char *)fmalloc((unsigned)encBlob.Length);
+ *keyBlobLen = (unsigned)encBlob.Length;
+ memmove(*keyBlob, encBlob.Data, encBlob.Length);
+ return FR_Success;
+}
+
+feeReturn feeDERDecodePublicKey(
+ const unsigned char *keyBlob,
+ unsigned keyBlobLen,
+ int *version, // this and remainder RETURNED
+ curveParams **cp,
+ giant *plusX,
+ giant *minusX,
+ giant *plusY) // may be NULL
+{
+ FEEPublicKeyASN1 asnKey;
+ SecNssCoder coder;
+
+ memset(&asnKey, 0, sizeof(asnKey));
+ PRErrorCode perr = coder.decode(keyBlob, keyBlobLen,
+ FEEPublicKeyASN1Template, &asnKey);
+ if(perr) {
+ return FR_BadKeyBlob;
+ }
+
+ try {
+ *version = cssmDataToInt(asnKey.version);
+ *cp = feeCurveParamsFromAsn1(asnKey.curveParams);
+ *plusX = cssmDataToGiant(asnKey.plusX);
+ *minusX = cssmDataToGiant(asnKey.minusX);
+ if(asnKey.plusY.Data != NULL) {
+ /* optional */
+ *plusY = cssmDataToGiant(asnKey.plusY);
+ }
+ else {
+ *plusY = newGiant(1);
+ int_to_giant(0, *plusY);
+ }
+ }
+ catch(const feeException &ferr) {
+ return ferr.frtn();
+ }
+ catch(...) {
+ /* FIXME - bad sig? memory? */
+ return FR_Memory;
+ }
+ return FR_Success;
+}
+
+feeReturn feeDERDecodePrivateKey(
+ const unsigned char *keyBlob,
+ unsigned keyBlobLen,
+ int *version, // this and remainder RETURNED
+ curveParams **cp,
+ giant *privData) // RETURNED
+{
+ FEEPrivateKeyASN1 asnKey;
+ SecNssCoder coder;
+
+ memset(&asnKey, 0, sizeof(asnKey));
+ PRErrorCode perr = coder.decode(keyBlob, keyBlobLen,
+ FEEPrivateKeyASN1Template, &asnKey);
+ if(perr) {
+ return FR_BadKeyBlob;
+ }
+
+ try {
+ *version = cssmDataToInt(asnKey.version);
+ *cp = feeCurveParamsFromAsn1(asnKey.curveParams);
+ *privData = cssmDataToGiant(asnKey.privData);
+ }
+ catch(const feeException &ferr) {
+ return ferr.frtn();
+ }
+ catch(...) {
+ /* FIXME - bad sig? memory? */
+ return FR_Memory;
+ }
+ return FR_Success;
+}
+
+#pragma mark --- ECDSA support ---
+
+/* convert between feeDepth and curve OIDs */
+static const CSSM_OID *depthToOid(
+ feeDepth depth)
+{
+ switch(depth) {
+ case FEE_DEPTH_secp192r1:
+ return &CSSMOID_secp192r1;
+ case FEE_DEPTH_secp256r1:
+ return &CSSMOID_secp256r1;
+ case FEE_DEPTH_secp384r1:
+ return &CSSMOID_secp384r1;
+ case FEE_DEPTH_secp521r1:
+ return &CSSMOID_secp521r1;
+ default:
+ dbgLog(("depthToOid needs work\n"));
+ return NULL;
+ }
+}
+
+static feeReturn curveOidToFeeDepth(
+ const CSSM_OID *curveOid,
+ feeDepth *depth) /* RETURNED */
+{
+ if(nssCompareCssmData(curveOid, &CSSMOID_secp192r1)) {
+ *depth = FEE_DEPTH_secp192r1;
+ }
+ else if(nssCompareCssmData(curveOid, &CSSMOID_secp256r1)) {
+ *depth = FEE_DEPTH_secp256r1;
+ }
+ else if(nssCompareCssmData(curveOid, &CSSMOID_secp384r1)) {
+ *depth = FEE_DEPTH_secp384r1;
+ }
+ else if(nssCompareCssmData(curveOid, &CSSMOID_secp521r1)) {
+ *depth = FEE_DEPTH_secp521r1;
+ }
+ else {
+ dbgLog(("curveOidToFeeDepth: unknown curve OID\n"));
+ return FR_BadKeyBlob;
+ }
+ return FR_Success;
+}
+
+
+/*
+ * Validate a decoded CSSM_X509_ALGORITHM_IDENTIFIER and infer
+ * depth from its algorith.parameter
+ */
+static feeReturn feeAlgIdToDepth(
+ const CSSM_X509_ALGORITHM_IDENTIFIER *algId,
+ feeDepth *depth)
+{
+ const CSSM_OID *oid = &algId->algorithm;
+ /* FIXME what's the value here for a private key!? */
+ if(!nssCompareCssmData(oid, &CSSMOID_ecPublicKey)) {
+ dbgLog(("feeAlgIdToDepth: bad OID"));
+ return FR_BadKeyBlob;
+ }
+
+ /*
+ * AlgId.params is curve OID, still encoded since it's an ASN_ANY.
+ * First two bytes of encoded OID are (06, length)
+ */
+ const CSSM_DATA *param = &algId->parameters;
+ if((param->Length <= 2) || (param->Data[0] != BER_TAG_OID)) {
+ dbgLog(("feeAlgIdToDepth: no curve params\n"));
+ return FR_BadKeyBlob;
+ }
+
+ CSSM_OID decOid = {param->Length-2, algId->parameters.Data+2};
+ return curveOidToFeeDepth(&decOid, depth);
+}
+
+/*
+ * Prepare an CSSM_X509_ALGORITHM_IDENTIFIER for encoding.
+ */
+static feeReturn feeSetupAlgId(
+ feeDepth depth,
+ SecNssCoder &coder,
+ CSSM_X509_ALGORITHM_IDENTIFIER &algId)
+{
+ algId.algorithm = CSSMOID_ecPublicKey;
+ const CSSM_OID *curveOid = depthToOid(depth);
+ if(curveOid == NULL) {
+ return FR_IllegalDepth;
+ }
+
+ /* quick & dirty encode of the parameter OID; it's an ASN_ANY in the template */
+ coder.allocItem(algId.parameters, curveOid->Length + 2);
+ algId.parameters.Data[0] = BER_TAG_OID;
+ algId.parameters.Data[1] = curveOid->Length;
+ memmove(algId.parameters.Data+2, curveOid->Data, curveOid->Length);
+ return FR_Success;
+}
+
+#pragma mark --- ECDSA public key, X.509 format ---
+
+/*
+ * Encode/decode public key in X.509 format.
+ */
+feeReturn feeDEREncodeX509PublicKey(
+ const unsigned char *pubBlob, /* x and y octet string */
+ unsigned pubBlobLen,
+ curveParams *cp,
+ unsigned char **x509Blob, /* fmallocd and RETURNED */
+ unsigned *x509BlobLen) /* RETURNED */
+{
+ SecNssCoder coder;
+ CSSM_X509_SUBJECT_PUBLIC_KEY_INFO nssPubKeyInfo;
+
+ memset(&nssPubKeyInfo, 0, sizeof(nssPubKeyInfo));
+
+ /* The x/y string, to be encoded in a bit string */
+ nssPubKeyInfo.subjectPublicKey.Data = (uint8 *)pubBlob;
+ nssPubKeyInfo.subjectPublicKey.Length = pubBlobLen * 8;
+
+ feeDepth depth;
+ feeReturn frtn = curveParamsDepth(cp, &depth);
+ if(frtn) {
+ dbgLog(("feeDEREncodePKCS8PrivateKey: curveParamsDepth error\n"));
+ return frtn;
+ }
+
+ CSSM_X509_ALGORITHM_IDENTIFIER &algId = nssPubKeyInfo.algorithm;
+ frtn = feeSetupAlgId(depth, coder, algId);
+ if(frtn) {
+ return frtn;
+ }
+
+ /* DER encode */
+ CSSM_DATA encBlob; // mallocd by coder
+ PRErrorCode perr = coder.encodeItem(&nssPubKeyInfo, kSecAsn1SubjectPublicKeyInfoTemplate, encBlob);
+ if(perr) {
+ return FR_Memory;
+ }
+
+ /* copy out */
+ *x509Blob = (unsigned char *)fmalloc((unsigned)encBlob.Length);
+ *x509BlobLen = (unsigned)encBlob.Length;
+ memmove(*x509Blob, encBlob.Data, encBlob.Length);
+ return FR_Success;
+}
+
+feeReturn feeDERDecodeX509PublicKey(
+ const unsigned char *x509Blob,
+ unsigned x509BlobLen,
+ feeDepth *depth, /* RETURNED */
+ unsigned char **pubBlob, /* x and y octet string RETURNED */
+ unsigned *pubBlobLen) /* RETURNED */
+{
+ SecNssCoder coder;
+ CSSM_X509_SUBJECT_PUBLIC_KEY_INFO nssPubKeyInfo;
+ PRErrorCode perr;
+
+ memset(&nssPubKeyInfo, 0, sizeof(nssPubKeyInfo));
+ perr = coder.decode(x509Blob, x509BlobLen, kSecAsn1SubjectPublicKeyInfoTemplate,
+ &nssPubKeyInfo);
+ if(perr) {
+ dbgLog(("decode(SubjectPublicKeyInfo) error"));
+ return FR_BadKeyBlob;
+ }
+
+ /* verify alg identifier & depth */
+ feeReturn frtn = feeAlgIdToDepth(&nssPubKeyInfo.algorithm, depth);
+ if(frtn) {
+ return frtn;
+ }
+
+ /* copy public key string - it's in bits here */
+ CSSM_DATA *pubKey = &nssPubKeyInfo.subjectPublicKey;
+ unsigned keyLen =(unsigned) (pubKey->Length + 7) / 8;
+ *pubBlob = (unsigned char *)fmalloc(keyLen);
+ if(*pubBlob == NULL) {
+ return FR_Memory;
+ }
+ memmove(*pubBlob, pubKey->Data, keyLen);
+ *pubBlobLen = keyLen;
+ return FR_Success;
+}
+
+#pragma mark --- ECDSA keys, OpenSSL format ---
+
+/*
+ * Encode private, and decode private or public key, in unencrypted OpenSSL format.
+ */
+feeReturn feeDEREncodeOpenSSLPrivateKey(
+ const unsigned char *privBlob, /* private data octet string */
+ unsigned privBlobLen,
+ const unsigned char *pubBlob, /* public key, optional */
+ unsigned pubBlobLen,
+ curveParams *cp,
+ unsigned char **openBlob, /* fmallocd and RETURNED */
+ unsigned *openBlobLen) /* RETURNED */
+{
+ feeDepth depth;
+ const CSSM_OID *curveOid;
+ SecNssCoder coder;
+
+ NSS_ECDSA_PrivateKey ecdsaPrivKey;
+ memset(&ecdsaPrivKey, 0, sizeof(ecdsaPrivKey));
+ uint8 vers = 1;
+ ecdsaPrivKey.version.Data = &vers;
+ ecdsaPrivKey.version.Length = 1;
+ ecdsaPrivKey.privateKey.Data = (uint8 *)privBlob;
+ ecdsaPrivKey.privateKey.Length = privBlobLen;
+
+ /* Params - ASN_ANY - actually the curve OID */
+ if(curveParamsDepth(cp, &depth)) {
+ dbgLog(("feeDEREncodeOpenSSLPrivateKey: bad depth"));
+ return FR_BadKeyBlob;
+ }
+ curveOid = depthToOid(depth);
+ if(curveOid == NULL) {
+ return FR_BadKeyBlob;
+ }
+
+ /* quickie DER-encode of the curve OID */
+ try {
+ coder.allocItem(ecdsaPrivKey.params, curveOid->Length + 2);
+ }
+ catch(...) {
+ return FR_Memory;
+ }
+ ecdsaPrivKey.params.Data[0] = BER_TAG_OID;
+ ecdsaPrivKey.params.Data[1] = curveOid->Length;
+ memmove(ecdsaPrivKey.params.Data+2, curveOid->Data, curveOid->Length);
+
+ /* public key - optional - bit string, length in bits */
+ if(pubBlob) {
+ ecdsaPrivKey.pubKey.Data = (uint8 *)pubBlob;
+ ecdsaPrivKey.pubKey.Length = pubBlobLen * 8;
+ }
+
+ CSSM_DATA encPriv = {0, NULL};
+ PRErrorCode perr = coder.encodeItem(&ecdsaPrivKey, kSecAsn1ECDSAPrivateKeyInfoTemplate, encPriv);
+ if(perr) {
+ return FR_Memory;
+ }
+
+ /* copy out */
+ *openBlob = (unsigned char *)fmalloc((unsigned)encPriv.Length);
+ *openBlobLen = (unsigned)encPriv.Length;
+ memmove(*openBlob, encPriv.Data, encPriv.Length);
+ return FR_Success;
+}
+
+feeReturn feeDERDecodeOpenSSLKey(
+ const unsigned char *osBlob,
+ unsigned osBlobLen,
+ feeDepth *depth, /* RETURNED */
+ unsigned char **privBlob, /* private data octet string RETURNED */
+ unsigned *privBlobLen, /* RETURNED */
+ unsigned char **pubBlob, /* public data octet string optionally RETURNED */
+ unsigned *pubBlobLen)
+{
+ SecNssCoder coder;
+ NSS_ECDSA_PrivateKey ecdsaPrivKey;
+ memset(&ecdsaPrivKey, 0, sizeof(ecdsaPrivKey));
+ if(coder.decode(osBlob, osBlobLen,
+ kSecAsn1ECDSAPrivateKeyInfoTemplate, &ecdsaPrivKey)) {
+ dbgLog(("Error decoding openssl priv key\n"));
+ return FR_BadKeyBlob;
+ }
+
+ unsigned keyLen = (unsigned)ecdsaPrivKey.privateKey.Length;
+ if(keyLen == 0) {
+ dbgLog(("NULL priv key data in PKCS8\n"));
+ }
+ *privBlob = (unsigned char *)fmalloc(keyLen);
+ if(*privBlob == NULL) {
+ return FR_Memory;
+ }
+ *privBlobLen = keyLen;
+ memmove(*privBlob, ecdsaPrivKey.privateKey.Data, keyLen);
+
+ /* curve OID --> depth */
+ if(ecdsaPrivKey.params.Data != NULL) {
+ /* quickie decode */
+ const CSSM_DATA *param = &ecdsaPrivKey.params;
+ if((param->Data[0] != BER_TAG_OID) || (param->Length <= 2)) {
+ dbgLog(("feeDERDecodeOpenSSLKey: bad curve params\n"));
+ return FR_BadKeyBlob;
+ }
+ CSSM_OID decOid = {param->Length-2, param->Data+2};
+ if(curveOidToFeeDepth(&decOid, depth)) {
+ return FR_BadKeyBlob;
+ }
+ }
+
+ /* Public key, if it's there and caller wants it */
+ if((ecdsaPrivKey.pubKey.Length != 0) && (pubBlob != NULL)) {
+ *pubBlobLen = (unsigned)(ecdsaPrivKey.pubKey.Length + 7) / 8;
+ *pubBlob = (unsigned char *)fmalloc(*pubBlobLen);
+ memmove(*pubBlob, ecdsaPrivKey.pubKey.Data, *pubBlobLen);
+ }
+ return FR_Success;
+}
+
+#pragma mark --- ECDSA public key, PKCS8 format ---
+
+/*
+ * Encode/decode private key in unencrypted PKCS8 format.
+ */
+feeReturn feeDEREncodePKCS8PrivateKey(
+ const unsigned char *privBlob, /* private data octet string */
+ unsigned privBlobLen,
+ const unsigned char *pubBlob, /* public blob, optional */
+ unsigned pubBlobLen,
+ curveParams *cp,
+ unsigned char **pkcs8Blob, /* fmallocd and RETURNED */
+ unsigned *pkcs8BlobLen) /* RETURNED */
+{
+ /* First encode a NSS_ECDSA_PrivateKey */
+ unsigned char *encPriv = NULL;
+ unsigned encPrivLen = 0;
+ feeReturn frtn = feeDEREncodeOpenSSLPrivateKey(privBlob, privBlobLen,
+ pubBlob, pubBlobLen, cp, &encPriv, &encPrivLen);
+ if(frtn) {
+ return frtn;
+ }
+
+ /* That encoding goes into NSS_PrivateKeyInfo.private key */
+ SecNssCoder coder;
+ NSS_PrivateKeyInfo nssPrivKeyInfo;
+ CSSM_X509_ALGORITHM_IDENTIFIER &algId = nssPrivKeyInfo.algorithm;
+ memset(&nssPrivKeyInfo, 0, sizeof(nssPrivKeyInfo));
+ nssPrivKeyInfo.privateKey.Data = (uint8 *)encPriv;
+ nssPrivKeyInfo.privateKey.Length = encPrivLen;
+ uint8 vers = 0;
+
+ feeDepth depth;
+ frtn = curveParamsDepth(cp, &depth);
+ if(frtn) {
+ dbgLog(("feeDEREncodePKCS8PrivateKey: curveParamsDepth error\n"));
+ goto errOut;
+ }
+ frtn = feeSetupAlgId(depth, coder, algId);
+ if(frtn) {
+ goto errOut;
+ }
+
+ nssPrivKeyInfo.version.Data = &vers;
+ nssPrivKeyInfo.version.Length = 1;
+
+ /* DER encode */
+ CSSM_DATA encPrivInfo; // mallocd by coder
+ if(coder.encodeItem(&nssPrivKeyInfo, kSecAsn1PrivateKeyInfoTemplate, encPrivInfo)) {
+ frtn = FR_Memory;
+ goto errOut;
+ }
+
+ /* copy out */
+ *pkcs8Blob = (unsigned char *)fmalloc((unsigned)encPrivInfo.Length);
+ *pkcs8BlobLen = (unsigned)encPrivInfo.Length;
+ memmove(*pkcs8Blob, encPrivInfo.Data, encPrivInfo.Length);
+errOut:
+ if(encPriv) {
+ ffree(encPriv);
+ }
+ return frtn;
+}
+
+feeReturn feeDERDecodePKCS8PrivateKey(
+ const unsigned char *pkcs8Blob,
+ unsigned pkcs8BlobLen,
+ feeDepth *depth, /* RETURNED */
+ unsigned char **privBlob, /* private data octet string RETURNED */
+ unsigned *privBlobLen, /* RETURNED */
+ unsigned char **pubBlob, /* optionally returned, if it's there */
+ unsigned *pubBlobLen)
+{
+ NSS_PrivateKeyInfo nssPrivKeyInfo;
+ PRErrorCode perr;
+ SecNssCoder coder;
+
+ memset(&nssPrivKeyInfo, 0, sizeof(nssPrivKeyInfo));
+ perr = coder.decode(pkcs8Blob, pkcs8BlobLen, kSecAsn1PrivateKeyInfoTemplate, &nssPrivKeyInfo);
+ if(perr) {
+ dbgLog(("Error decoding top level PKCS8\n"));
+ return FR_BadKeyBlob;
+ }
+
+ /* verify alg identifier & depth */
+ feeReturn frtn = feeAlgIdToDepth(&nssPrivKeyInfo.algorithm, depth);
+ if(frtn) {
+ return frtn;
+ }
+
+ /*
+ * nssPrivKeyInfo.privateKey is an octet string containing an encoded
+ * NSS_ECDSA_PrivateKey.
+ */
+ frtn = feeDERDecodeOpenSSLKey((const unsigned char *)nssPrivKeyInfo.privateKey.Data,
+ (unsigned)nssPrivKeyInfo.privateKey.Length, depth,
+ privBlob, privBlobLen,
+ pubBlob, pubBlobLen);
+
+ return frtn;
+}
+
+#endif /* CRYPTKIT_DER_ENABLE */
diff --git a/OSX/include/security_cryptkit/CryptKitDER.h b/OSX/include/security_cryptkit/CryptKitDER.h
new file mode 100644
index 00000000..28b6ed03
--- /dev/null
+++ b/OSX/include/security_cryptkit/CryptKitDER.h
@@ -0,0 +1,198 @@
+/*
+ * Copyright (c) 2001,2011,2014 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+
+#ifndef _CRYPTKIT_DER_H_
+#define _CRYPTKIT_DER_H_
+
+#include
+
+#if CRYPTKIT_DER_ENABLE
+
+#include
+#include
+#include
+#include
+#include
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * Encode/decode the two FEE signature types. We malloc returned data via
+ * falloc(); caller must free via ffree().
+ */
+feeReturn feeDEREncodeElGamalSignature(
+ giant u,
+ giant PmX,
+ unsigned char **encodedSig, // fallocd and RETURNED
+ unsigned *encodedSigLen); // RETURNED
+
+feeReturn feeDEREncodeECDSASignature(
+ giant c,
+ giant d,
+ unsigned char **encodedSig, // fallocd and RETURNED
+ unsigned *encodedSigLen); // RETURNED
+
+feeReturn feeDERDecodeElGamalSignature(
+ const unsigned char *encodedSig,
+ size_t encodedSigLen,
+ giant *u, // newGiant'd and RETURNED
+ giant *PmX); // newGiant'd and RETURNED
+
+feeReturn feeDERDecodeECDSASignature(
+ const unsigned char *encodedSig,
+ size_t encodedSigLen,
+ giant *c, // newGiant'd and RETURNED
+ giant *d); // newGiant'd and RETURNED
+
+/*
+ * RAW format for ECDSA signatures
+ */
+feeReturn feeRAWEncodeECDSASignature(
+ unsigned groupBytesLen,
+ giant c,
+ giant d,
+ unsigned char **encodedSig, // fallocd and RETURNED
+ unsigned *encodedSigLen); // RETURNED
+
+feeReturn feeRAWDecodeECDSASignature(
+ unsigned groupBytesLen,
+ const unsigned char *encodedSig,
+ size_t encodedSigLen,
+ giant *c, // newGiant'd and RETURNED
+ giant *d); // newGiant'd and RETURNED
+
+
+
+/*
+ * Encode/decode the FEE private and public keys. We malloc returned data via
+ * falloc(); caller must free via ffree().
+ * These use a DER format which is custom to this module.
+ */
+feeReturn feeDEREncodePublicKey(
+ int version,
+ const curveParams *cp,
+ giant plusX,
+ giant minusX,
+ giant plusY, // may be NULL
+ unsigned char **keyBlob, // fmallocd and RETURNED
+ unsigned *keyBlobLen); // RETURNED
+
+feeReturn feeDEREncodePrivateKey(
+ int version,
+ const curveParams *cp,
+ const giant privData,
+ unsigned char **keyBlob, // fmallocd and RETURNED
+ unsigned *keyBlobLen); // RETURNED
+
+feeReturn feeDERDecodePublicKey(
+ const unsigned char *keyBlob,
+ unsigned keyBlobLen,
+ int *version, // this and remainder RETURNED
+ curveParams **cp,
+ giant *plusX,
+ giant *minusX,
+ giant *plusY); // always valid, may be (giant)0
+
+feeReturn feeDERDecodePrivateKey(
+ const unsigned char *keyBlob,
+ unsigned keyBlobLen,
+ int *version, // this and remainder RETURNED
+ curveParams **cp,
+ giant *privData); // RETURNED
+
+/* obtain the max size of a DER-encoded signature (either ElGamal or ECDSA) */
+unsigned feeSizeOfDERSig(
+ giant g1,
+ giant g2);
+
+/*
+ * Encode/decode public key in X.509 format.
+ */
+feeReturn feeDEREncodeX509PublicKey(
+ const unsigned char *pubBlob, /* x and y octet string */
+ unsigned pubBlobLen,
+ curveParams *cp,
+ unsigned char **x509Blob, /* fmallocd and RETURNED */
+ unsigned *x509BlobLen); /* RETURNED */
+
+feeReturn feeDERDecodeX509PublicKey(
+ const unsigned char *x509Blob,
+ unsigned x509BlobLen,
+ feeDepth *depth, /* RETURNED */
+ unsigned char **pubBlob, /* x and y octet string RETURNED */
+ unsigned *pubBlobLen); /* RETURNED */
+
+/*
+ * Encode private, and decode private or public key, in unencrypted OpenSSL format.
+ */
+feeReturn feeDEREncodeOpenSSLPrivateKey(
+ const unsigned char *privBlob, /* private data octet string */
+ unsigned privBlobLen,
+ const unsigned char *pubBlob, /* public key, optional */
+ unsigned pubBlobLen,
+ curveParams *cp,
+ unsigned char **openBlob, /* fmallocd and RETURNED */
+ unsigned *openBlobLen); /* RETURNED */
+
+feeReturn feeDERDecodeOpenSSLKey(
+ const unsigned char *osBlob,
+ unsigned osBlobLen,
+ feeDepth *depth, /* RETURNED */
+ unsigned char **privBlob, /* private data octet string RETURNED */
+ unsigned *privBlobLen, /* RETURNED */
+ unsigned char **pubBlob, /* public data octet string optionally RETURNED */
+ unsigned *pubBlobLen);
+
+/*
+ * Encode/decode private key in unencrypted PKCS8 format.
+ */
+feeReturn feeDEREncodePKCS8PrivateKey(
+ const unsigned char *privBlob, /* private data octet string */
+ unsigned privBlobLen,
+ const unsigned char *pubBlob, /* public blob, optional */
+ unsigned pubBlobLen,
+ curveParams *cp,
+ unsigned char **pkcs8Blob, /* fmallocd and RETURNED */
+ unsigned *pkcs8BlobLen); /* RETURNED */
+
+feeReturn feeDERDecodePKCS8PrivateKey(
+ const unsigned char *pkcs8Blob,
+ unsigned pkcs8BlobLen,
+ feeDepth *depth, /* RETURNED */
+ unsigned char **privBlob, /* private data octet string RETURNED */
+ unsigned *privBlobLen, /* RETURNED */
+ unsigned char **pubBlob, /* optionally returned, if it's there */
+ unsigned *pubBlobLen);
+
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* CRYPTKIT_DER_ENABLE */
+#endif /* _CRYPTKIT_DER_H_ */
+
+
diff --git a/Security/libsecurity_cryptkit/lib/CryptKitSA.h b/OSX/include/security_cryptkit/CryptKitSA.h
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/CryptKitSA.h
rename to OSX/include/security_cryptkit/CryptKitSA.h
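Review bot: The declarations of feeDERDecodeX509PublicKey and feeDERDecodeOpenSSLKey describe `pubBlob` as an "x and y octet string" but say nothing about whether its length or point format is checked against the returned `depth`; in the implementation hunk both decoders copy `(Length + 7) / 8` bytes of whatever BIT STRING was present without comparing it to the curve size, so a caller who trusts the comment can hand a truncated or oversized point to the curve arithmetic. I would add to each of those declarations, and to the `privBlob` of the OpenSSL/PKCS8 private-key decoders, `/* NOTE: length and format of *pubBlob are NOT validated against *depth; caller must check */`. The header is also inconsistent about the allocator — the signature encoders say `fallocd` and the block comment names `falloc()`, while the key functions say `fmallocd` and the implementation calls fmalloc()/ffree() — so one spelling should be used throughout to make clear which free routine callers must use. Finally, none of the decode prototypes state what the RETURNED pointers hold on a non-FR_Success return; feeDERDecodePublicKey in the implementation hunk assigns `*cp` and `*plusX` before it can fail on `*minusX` and returns without releasing them, so the contract should say those outputs are undefined on error (and the implementation should free partial results).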
diff --git a/Security/libsecurity_cryptkit/lib/CurveParamDocs/FEEDaffine.nb b/OSX/include/security_cryptkit/CurveParamDocs/FEEDaffine.nb
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/CurveParamDocs/FEEDaffine.nb
rename to OSX/include/security_cryptkit/CurveParamDocs/FEEDaffine.nb
diff --git a/Security/libsecurity_cryptkit/lib/CurveParamDocs/FEEDsansY.nb b/OSX/include/security_cryptkit/CurveParamDocs/FEEDsansY.nb
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/CurveParamDocs/FEEDsansY.nb
rename to OSX/include/security_cryptkit/CurveParamDocs/FEEDsansY.nb
diff --git a/Security/libsecurity_cryptkit/lib/CurveParamDocs/README b/OSX/include/security_cryptkit/CurveParamDocs/README
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/CurveParamDocs/README
rename to OSX/include/security_cryptkit/CurveParamDocs/README
diff --git a/Security/libsecurity_cryptkit/lib/CurveParamDocs/curvegen.c b/OSX/include/security_cryptkit/CurveParamDocs/curvegen.c
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/CurveParamDocs/curvegen.c
rename to OSX/include/security_cryptkit/CurveParamDocs/curvegen.c
diff --git a/Security/libsecurity_cryptkit/lib/CurveParamDocs/curverecords.nb b/OSX/include/security_cryptkit/CurveParamDocs/curverecords.nb
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/CurveParamDocs/curverecords.nb
rename to OSX/include/security_cryptkit/CurveParamDocs/curverecords.nb
diff --git a/Security/libsecurity_cryptkit/lib/CurveParamDocs/disc.h b/OSX/include/security_cryptkit/CurveParamDocs/disc.h
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/CurveParamDocs/disc.h
rename to OSX/include/security_cryptkit/CurveParamDocs/disc.h
diff --git a/Security/libsecurity_cryptkit/lib/CurveParamDocs/ellproj.c b/OSX/include/security_cryptkit/CurveParamDocs/ellproj.c
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/CurveParamDocs/ellproj.c
rename to OSX/include/security_cryptkit/CurveParamDocs/ellproj.c
diff --git a/Security/libsecurity_cryptkit/lib/CurveParamDocs/ellproj.h b/OSX/include/security_cryptkit/CurveParamDocs/ellproj.h
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/CurveParamDocs/ellproj.h
rename to OSX/include/security_cryptkit/CurveParamDocs/ellproj.h
diff --git a/Security/libsecurity_cryptkit/lib/CurveParamDocs/factor.c b/OSX/include/security_cryptkit/CurveParamDocs/factor.c
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/CurveParamDocs/factor.c
rename to OSX/include/security_cryptkit/CurveParamDocs/factor.c
diff --git a/Security/libsecurity_cryptkit/lib/CurveParamDocs/fmodule.c b/OSX/include/security_cryptkit/CurveParamDocs/fmodule.c
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/CurveParamDocs/fmodule.c
rename to OSX/include/security_cryptkit/CurveParamDocs/fmodule.c
diff --git a/Security/libsecurity_cryptkit/lib/CurveParamDocs/fmodule.h b/OSX/include/security_cryptkit/CurveParamDocs/fmodule.h
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/CurveParamDocs/fmodule.h
rename to OSX/include/security_cryptkit/CurveParamDocs/fmodule.h
diff --git a/Security/libsecurity_cryptkit/lib/CurveParamDocs/giants.c b/OSX/include/security_cryptkit/CurveParamDocs/giants.c
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/CurveParamDocs/giants.c
rename to OSX/include/security_cryptkit/CurveParamDocs/giants.c
diff --git a/Security/libsecurity_cryptkit/lib/CurveParamDocs/giants.h b/OSX/include/security_cryptkit/CurveParamDocs/giants.h
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/CurveParamDocs/giants.h
rename to OSX/include/security_cryptkit/CurveParamDocs/giants.h
diff --git a/Security/libsecurity_cryptkit/lib/CurveParamDocs/schoof.c b/OSX/include/security_cryptkit/CurveParamDocs/schoof.c
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/CurveParamDocs/schoof.c
rename to OSX/include/security_cryptkit/CurveParamDocs/schoof.c
diff --git a/Security/libsecurity_cryptkit/lib/CurveParamDocs/schoofs.c b/OSX/include/security_cryptkit/CurveParamDocs/schoofs.c
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/CurveParamDocs/schoofs.c
rename to OSX/include/security_cryptkit/CurveParamDocs/schoofs.c
diff --git a/Security/libsecurity_cryptkit/lib/CurveParamDocs/tools.c b/OSX/include/security_cryptkit/CurveParamDocs/tools.c
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/CurveParamDocs/tools.c
rename to OSX/include/security_cryptkit/CurveParamDocs/tools.c
diff --git a/Security/libsecurity_cryptkit/lib/CurveParamDocs/tools.h b/OSX/include/security_cryptkit/CurveParamDocs/tools.h
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/CurveParamDocs/tools.h
rename to OSX/include/security_cryptkit/CurveParamDocs/tools.h
diff --git a/Security/libsecurity_cryptkit/lib/ECDSA_Profile.h b/OSX/include/security_cryptkit/ECDSA_Profile.h
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/ECDSA_Profile.h
rename to OSX/include/security_cryptkit/ECDSA_Profile.h
diff --git a/Security/libsecurity_cryptkit/lib/ECDSA_Verify_Prefix.h b/OSX/include/security_cryptkit/ECDSA_Verify_Prefix.h
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/ECDSA_Verify_Prefix.h
rename to OSX/include/security_cryptkit/ECDSA_Verify_Prefix.h
diff --git a/Security/libsecurity_cryptkit/lib/HmacSha1Legacy.c b/OSX/include/security_cryptkit/HmacSha1Legacy.c
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/HmacSha1Legacy.c
rename to OSX/include/security_cryptkit/HmacSha1Legacy.c
diff --git a/Security/libsecurity_cryptkit/lib/HmacSha1Legacy.h b/OSX/include/security_cryptkit/HmacSha1Legacy.h
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/HmacSha1Legacy.h
rename to OSX/include/security_cryptkit/HmacSha1Legacy.h
diff --git a/Security/libsecurity_cryptkit/lib/Mathematica.FEE b/OSX/include/security_cryptkit/Mathematica.FEE
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/Mathematica.FEE
rename to OSX/include/security_cryptkit/Mathematica.FEE
diff --git a/Security/libsecurity_cryptkit/lib/NSCipherFile.h b/OSX/include/security_cryptkit/NSCipherFile.h
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/NSCipherFile.h
rename to OSX/include/security_cryptkit/NSCipherFile.h
diff --git a/Security/libsecurity_cryptkit/lib/NSCipherFile.m b/OSX/include/security_cryptkit/NSCipherFile.m
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/NSCipherFile.m
rename to OSX/include/security_cryptkit/NSCipherFile.m
diff --git a/Security/libsecurity_cryptkit/lib/NSCryptors.h b/OSX/include/security_cryptkit/NSCryptors.h
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/NSCryptors.h
rename to OSX/include/security_cryptkit/NSCryptors.h
diff --git a/Security/libsecurity_cryptkit/lib/NSDESCryptor.h b/OSX/include/security_cryptkit/NSDESCryptor.h
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/NSDESCryptor.h
rename to OSX/include/security_cryptkit/NSDESCryptor.h
diff --git a/Security/libsecurity_cryptkit/lib/NSDESCryptor.m b/OSX/include/security_cryptkit/NSDESCryptor.m
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/NSDESCryptor.m
rename to OSX/include/security_cryptkit/NSDESCryptor.m
diff --git a/Security/libsecurity_cryptkit/lib/NSFEEPublicKey.h b/OSX/include/security_cryptkit/NSFEEPublicKey.h
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/NSFEEPublicKey.h
rename to OSX/include/security_cryptkit/NSFEEPublicKey.h
diff --git a/Security/libsecurity_cryptkit/lib/NSFEEPublicKey.m b/OSX/include/security_cryptkit/NSFEEPublicKey.m
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/NSFEEPublicKey.m
rename to OSX/include/security_cryptkit/NSFEEPublicKey.m
diff --git a/Security/libsecurity_cryptkit/lib/NSFEEPublicKeyPrivate.h b/OSX/include/security_cryptkit/NSFEEPublicKeyPrivate.h
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/NSFEEPublicKeyPrivate.h
rename to OSX/include/security_cryptkit/NSFEEPublicKeyPrivate.h
diff --git a/Security/libsecurity_cryptkit/lib/NSMD5Hash.h b/OSX/include/security_cryptkit/NSMD5Hash.h
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/NSMD5Hash.h
rename to OSX/include/security_cryptkit/NSMD5Hash.h
diff --git a/Security/libsecurity_cryptkit/lib/NSMD5Hash.m b/OSX/include/security_cryptkit/NSMD5Hash.m
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/NSMD5Hash.m
rename to OSX/include/security_cryptkit/NSMD5Hash.m
diff --git a/Security/libsecurity_cryptkit/lib/NSRandomNumberGenerator.h b/OSX/include/security_cryptkit/NSRandomNumberGenerator.h
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/NSRandomNumberGenerator.h
rename to OSX/include/security_cryptkit/NSRandomNumberGenerator.h
diff --git a/Security/libsecurity_cryptkit/lib/NSRandomNumberGenerator.m b/OSX/include/security_cryptkit/NSRandomNumberGenerator.m
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/NSRandomNumberGenerator.m
rename to OSX/include/security_cryptkit/NSRandomNumberGenerator.m
diff --git a/Security/libsecurity_cryptkit/lib/README b/OSX/include/security_cryptkit/README
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/README
rename to OSX/include/security_cryptkit/README
diff --git a/Security/libsecurity_cryptkit/lib/TOP_README b/OSX/include/security_cryptkit/TOP_README
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/TOP_README
rename to OSX/include/security_cryptkit/TOP_README
diff --git a/Security/libsecurity_cryptkit/lib/buildSrcTree b/OSX/include/security_cryptkit/buildSrcTree
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/buildSrcTree
rename to OSX/include/security_cryptkit/buildSrcTree
diff --git a/Security/libsecurity_cryptkit/lib/byteRep.c b/OSX/include/security_cryptkit/byteRep.c
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/byteRep.c
rename to OSX/include/security_cryptkit/byteRep.c
diff --git a/Security/libsecurity_cryptkit/lib/byteRep.h b/OSX/include/security_cryptkit/byteRep.h
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/byteRep.h
rename to OSX/include/security_cryptkit/byteRep.h
diff --git a/Security/libsecurity_cryptkit/lib/changes b/OSX/include/security_cryptkit/changes
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/changes
rename to OSX/include/security_cryptkit/changes
diff --git a/Security/libsecurity_cryptkit/lib/ckDES.c b/OSX/include/security_cryptkit/ckDES.c
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/ckDES.c
rename to OSX/include/security_cryptkit/ckDES.c
diff --git a/Security/libsecurity_cryptkit/lib/ckDES.h b/OSX/include/security_cryptkit/ckDES.h
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/ckDES.h
rename to OSX/include/security_cryptkit/ckDES.h
diff --git a/Security/libsecurity_cryptkit/lib/ckMD5.c b/OSX/include/security_cryptkit/ckMD5.c
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/ckMD5.c
rename to OSX/include/security_cryptkit/ckMD5.c
diff --git a/Security/libsecurity_cryptkit/lib/ckMD5.h b/OSX/include/security_cryptkit/ckMD5.h
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/ckMD5.h
rename to OSX/include/security_cryptkit/ckMD5.h
diff --git a/Security/libsecurity_cryptkit/lib/ckSHA1.c b/OSX/include/security_cryptkit/ckSHA1.c
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/ckSHA1.c
rename to OSX/include/security_cryptkit/ckSHA1.c
diff --git a/Security/libsecurity_cryptkit/lib/ckSHA1.h b/OSX/include/security_cryptkit/ckSHA1.h
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/ckSHA1.h
rename to OSX/include/security_cryptkit/ckSHA1.h
diff --git a/Security/libsecurity_cryptkit/lib/ckSHA1_priv.c b/OSX/include/security_cryptkit/ckSHA1_priv.c
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/ckSHA1_priv.c
rename to OSX/include/security_cryptkit/ckSHA1_priv.c
diff --git a/Security/libsecurity_cryptkit/lib/ckSHA1_priv.h b/OSX/include/security_cryptkit/ckSHA1_priv.h
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/ckSHA1_priv.h
rename to OSX/include/security_cryptkit/ckSHA1_priv.h
diff --git a/Security/libsecurity_cryptkit/lib/ckconfig.h b/OSX/include/security_cryptkit/ckconfig.h
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/ckconfig.h
rename to OSX/include/security_cryptkit/ckconfig.h
diff --git a/Security/libsecurity_cryptkit/lib/ckutilities.c b/OSX/include/security_cryptkit/ckutilities.c
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/ckutilities.c
rename to OSX/include/security_cryptkit/ckutilities.c
diff --git a/Security/libsecurity_cryptkit/lib/ckutilities.h b/OSX/include/security_cryptkit/ckutilities.h
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/ckutilities.h
rename to OSX/include/security_cryptkit/ckutilities.h
diff --git a/Security/libsecurity_cryptkit/lib/curveParamData.h b/OSX/include/security_cryptkit/curveParamData.h
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/curveParamData.h
rename to OSX/include/security_cryptkit/curveParamData.h
diff --git a/Security/libsecurity_cryptkit/lib/curveParamDataOld.h b/OSX/include/security_cryptkit/curveParamDataOld.h
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/curveParamDataOld.h
rename to OSX/include/security_cryptkit/curveParamDataOld.h
diff --git a/Security/libsecurity_cryptkit/lib/curveParams.c b/OSX/include/security_cryptkit/curveParams.c
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/curveParams.c
rename to OSX/include/security_cryptkit/curveParams.c
diff --git a/Security/libsecurity_cryptkit/lib/curveParams.h b/OSX/include/security_cryptkit/curveParams.h
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/curveParams.h
rename to OSX/include/security_cryptkit/curveParams.h
diff --git a/Security/libsecurity_cryptkit/lib/elliptic.c b/OSX/include/security_cryptkit/elliptic.c
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/elliptic.c
rename to OSX/include/security_cryptkit/elliptic.c
diff --git a/Security/libsecurity_cryptkit/lib/elliptic.h b/OSX/include/security_cryptkit/elliptic.h
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/elliptic.h
rename to OSX/include/security_cryptkit/elliptic.h
diff --git a/Security/libsecurity_cryptkit/lib/ellipticMeasure.h b/OSX/include/security_cryptkit/ellipticMeasure.h
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/ellipticMeasure.h
rename to OSX/include/security_cryptkit/ellipticMeasure.h
diff --git a/Security/libsecurity_cryptkit/lib/ellipticProj.c b/OSX/include/security_cryptkit/ellipticProj.c
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/ellipticProj.c
rename to OSX/include/security_cryptkit/ellipticProj.c
diff --git a/Security/libsecurity_cryptkit/lib/ellipticProj.h b/OSX/include/security_cryptkit/ellipticProj.h similarity index 100% rename from Security/libsecurity_cryptkit/lib/ellipticProj.h rename to OSX/include/security_cryptkit/ellipticProj.h diff --git a/Security/libsecurity_cryptkit/lib/enc64.c b/OSX/include/security_cryptkit/enc64.c similarity index 100% rename from Security/libsecurity_cryptkit/lib/enc64.c rename to OSX/include/security_cryptkit/enc64.c diff --git a/Security/libsecurity_cryptkit/lib/enc64.h b/OSX/include/security_cryptkit/enc64.h similarity index 100% rename from Security/libsecurity_cryptkit/lib/enc64.h rename to OSX/include/security_cryptkit/enc64.h diff --git a/Security/libsecurity_cryptkit/lib/engineNSA127.c b/OSX/include/security_cryptkit/engineNSA127.c similarity index 100% rename from Security/libsecurity_cryptkit/lib/engineNSA127.c rename to OSX/include/security_cryptkit/engineNSA127.c diff --git a/Security/libsecurity_cryptkit/lib/falloc.c b/OSX/include/security_cryptkit/falloc.c similarity index 100% rename from Security/libsecurity_cryptkit/lib/falloc.c rename to OSX/include/security_cryptkit/falloc.c diff --git a/Security/libsecurity_cryptkit/lib/falloc.h b/OSX/include/security_cryptkit/falloc.h similarity index 100% rename from Security/libsecurity_cryptkit/lib/falloc.h rename to OSX/include/security_cryptkit/falloc.h diff --git a/Security/libsecurity_cryptkit/lib/feeCipherFile.c b/OSX/include/security_cryptkit/feeCipherFile.c similarity index 100% rename from Security/libsecurity_cryptkit/lib/feeCipherFile.c rename to OSX/include/security_cryptkit/feeCipherFile.c diff --git a/Security/libsecurity_cryptkit/lib/feeCipherFile.h b/OSX/include/security_cryptkit/feeCipherFile.h similarity index 100% rename from Security/libsecurity_cryptkit/lib/feeCipherFile.h rename to OSX/include/security_cryptkit/feeCipherFile.h 
diff --git a/Security/libsecurity_cryptkit/lib/feeCipherFileAtom.c b/OSX/include/security_cryptkit/feeCipherFileAtom.c similarity index 100% rename from Security/libsecurity_cryptkit/lib/feeCipherFileAtom.c rename to OSX/include/security_cryptkit/feeCipherFileAtom.c diff --git a/Security/libsecurity_cryptkit/lib/feeDES.c b/OSX/include/security_cryptkit/feeDES.c similarity index 100% rename from Security/libsecurity_cryptkit/lib/feeDES.c rename to OSX/include/security_cryptkit/feeDES.c diff --git a/Security/libsecurity_cryptkit/lib/feeDES.h b/OSX/include/security_cryptkit/feeDES.h similarity index 100% rename from Security/libsecurity_cryptkit/lib/feeDES.h rename to OSX/include/security_cryptkit/feeDES.h diff --git a/Security/libsecurity_cryptkit/lib/feeDebug.h b/OSX/include/security_cryptkit/feeDebug.h similarity index 100% rename from Security/libsecurity_cryptkit/lib/feeDebug.h rename to OSX/include/security_cryptkit/feeDebug.h diff --git a/OSX/include/security_cryptkit/feeDigitalSignature.c b/OSX/include/security_cryptkit/feeDigitalSignature.c new file mode 100644 index 00000000..77851ade --- /dev/null +++ b/OSX/include/security_cryptkit/feeDigitalSignature.c 
@@ -0,0 +1,674 @@ +/* Copyright (c) 1998,2011,2014 Apple Inc. All Rights Reserved. + * + * NOTICE: USE OF THE MATERIALS ACCOMPANYING THIS NOTICE IS SUBJECT + * TO THE TERMS OF THE SIGNED "FAST ELLIPTIC ENCRYPTION (FEE) REFERENCE + * SOURCE CODE EVALUATION AGREEMENT" BETWEEN APPLE, INC. AND THE + * ORIGINAL LICENSEE THAT OBTAINED THESE MATERIALS FROM APPLE, + * INC. ANY USE OF THESE MATERIALS NOT PERMITTED BY SUCH AGREEMENT WILL + * EXPOSE YOU TO LIABILITY. + *************************************************************************** + * + * feeDigitalSignature.c + * + * Revision History + * ---------------- + * 10/06/98 ap + * Changed to compile with C++. + * 9 Sep 98 at NeXT + * Major changes to use projective elliptic algebra for + * Weierstrass curves. + * 15 Jan 97 at NeXT + * FEE_SIG_VERSION = 3 (removed code for compatibilty with all older + * versions). + * Was modg(), is curveOrderJustify() + * Use plus curve for ellipic algebra per IEEE standards + * 22 Aug 96 at NeXT + * Ported guts of Blaine Garst's NSFEEDigitalSignature.m to C. + */ + +#include "ckconfig.h" +#include "feeTypes.h" +#include "feePublicKey.h" +#include "feePublicKeyPrivate.h" +#include "feeDigitalSignature.h" +#include "giantIntegers.h" +#include "elliptic.h" +#include "feeRandom.h" +#include "curveParams.h" +#include "falloc.h" +#include "ckutilities.h" +#include "feeDebug.h" +#include "platform.h" +#include "byteRep.h" +#include "feeECDSA.h" +#if CRYPTKIT_DER_ENABLE +#include "CryptKitDER.h" +#endif + +#include +#include "ellipticProj.h" + +#define SIG_DEBUG 0 +#if SIG_DEBUG +int sigDebug=1; // tweakable at runtime via debugger +#endif // SIG_DEBUG + +#define SIG_CURVE DEFAULT_CURVE + +/* + * true : justify randGiant to [2, x1OrderPlus-2] + * false : no truncate or mod of randGiant + */ +#define RAND_JUST_X1_ORDER_PLUS 1 + +#define FEE_SIG_VERSION 4 +#define FEE_SIG_VERSION_MIN 4 + +#ifndef max +#define max(a,b) ((a)>(b)? 
(a) : (b)) +#endif // max + +typedef struct { + giant PmX; // m 'o' P1; m = random + #if CRYPTKIT_ELL_PROJ_ENABLE + giant PmY; // y-coord of m 'o' P1 if we're + // using projective coords + #endif /* CRYPTKIT_ELL_PROJ_ENABLE */ + + giant u; + giant randGiant; // random m as giant - only known + // when signing +} sigInst; + +static sigInst *sinstAlloc() +{ + sigInst *sinst = (sigInst*) fmalloc(sizeof(sigInst)); + + bzero(sinst, sizeof(sigInst)); + return sinst; +} + +/* + * Create new feeSig object, including a random large integer 'randGiant' for + * possible use in salting a feeHash object, and 'PmX', equal to + * randGiant 'o' P1. Note that this is not called when *verifying* a + * signature, only when signing. + */ +feeSig feeSigNewWithKey( + feePubKey pubKey, + feeRandFcn randFcn, /* optional */ + void *randRef) +{ + sigInst *sinst = sinstAlloc(); + feeRand frand; + unsigned char *randBytes; + unsigned randBytesLen; + curveParams *cp; + + if(pubKey == NULL) { + return NULL; + } + cp = feePubKeyCurveParams(pubKey); + if(cp == NULL) { + return NULL; + } + + /* + * Generate random m, a little larger than key size, save as randGiant + */ + randBytesLen = (feePubKeyBitsize(pubKey) / 8) + 1 + 8; // +8bytes (64bits) to reduce the biais when with reduction mod prime. 
Per FIPS186-4 - "Using Extra Random Bits" + randBytes = (unsigned char*) fmalloc(randBytesLen); + if(randFcn) { + randFcn(randRef, randBytes, randBytesLen); + } + else { + frand = feeRandAlloc(); + feeRandBytes(frand, randBytes, randBytesLen); + feeRandFree(frand); + } + sinst->randGiant = giant_with_data(randBytes, randBytesLen); + memset(randBytes, 0, randBytesLen); + ffree(randBytes); + + #if FEE_DEBUG + if(isZero(sinst->randGiant)) { + printf("feeSigNewWithKey: randGiant = 0!\n"); + } + #endif // FEE_DEBUG + + /* + * Justify randGiant to be in [2, x1OrderPlus] + */ + x1OrderPlusJustify(sinst->randGiant, cp); + + /* PmX := randGiant 'o' P1 */ + sinst->PmX = newGiant(cp->maxDigits); + + #if CRYPTKIT_ELL_PROJ_ENABLE + + if(cp->curveType == FCT_Weierstrass) { + + pointProjStruct pt0; + + sinst->PmY = newGiant(cp->maxDigits); + + /* cook up pt0 as P1 */ + pt0.x = sinst->PmX; + pt0.y = sinst->PmY; + pt0.z = borrowGiant(cp->maxDigits); + gtog(cp->x1Plus, pt0.x); + gtog(cp->y1Plus, pt0.y); + int_to_giant(1, pt0.z); + + /* pt0 := P1 'o' randGiant */ + ellMulProjSimple(&pt0, sinst->randGiant, cp); + + returnGiant(pt0.z); + } + else { + if(SIG_CURVE == CURVE_PLUS) { + gtog(cp->x1Plus, sinst->PmX); + } + else { + gtog(cp->x1Minus, sinst->PmX); + } + elliptic_simple(sinst->PmX, sinst->randGiant, cp); + } + #else /* CRYPTKIT_ELL_PROJ_ENABLE */ + + if(SIG_CURVE == CURVE_PLUS) { + gtog(cp->x1Plus, sinst->PmX); + } + else { + gtog(cp->x1Minus, sinst->PmX); + } + elliptic_simple(sinst->PmX, sinst->randGiant, cp); + + #endif /* CRYPTKIT_ELL_PROJ_ENABLE */ + + return sinst; +} + +void feeSigFree(feeSig sig) +{ + sigInst *sinst = (sigInst*) sig; + + if(sinst->PmX) { + clearGiant(sinst->PmX); + freeGiant(sinst->PmX); + } + #if CRYPTKIT_ELL_PROJ_ENABLE + if(sinst->PmY) { + clearGiant(sinst->PmY); + freeGiant(sinst->PmY); + } + #endif /* CRYPTKIT_ELL_PROJ_ENABLE */ + if(sinst->u) { + clearGiant(sinst->u); + freeGiant(sinst->u); + } + if(sinst->randGiant) { + 
clearGiant(sinst->randGiant); + freeGiant(sinst->randGiant); + } + ffree(sinst); +} + +/* + * Obtain Pm after feeSigNewWithKey() or feeSigParse() + */ +unsigned char *feeSigPm(feeSig sig, + unsigned *PmLen) +{ + sigInst *sinst = (sigInst*) sig; + unsigned char *Pm; + + if(sinst->PmX == NULL) { + dbgLog(("feeSigPm: no PmX!\n")); + return NULL; + } + else { + Pm = mem_from_giant(sinst->PmX, PmLen); + #if SIG_DEBUG + if(sigDebug) + { + int i; + + printf("Pm : "); printGiant(sinst->PmX); + printf("PmData: "); + for(i=0; i<*PmLen; i++) { + printf("%x:", Pm[i]); + } + printf("\n"); + } + #endif // SIG_DEBUG + } + return Pm; +} + +/* + * Sign specified block of data (most likely a hash result) using + * specified feePubKey. + */ +feeReturn feeSigSign(feeSig sig, + const unsigned char *data, // data to be signed + unsigned dataLen, // in bytes + feePubKey pubKey) +{ + sigInst *sinst = (sigInst*) sig; + giant messageGiant = NULL; + unsigned maxlen; + giant privGiant; + unsigned privGiantBytes; + feeReturn frtn = FR_Success; + unsigned randBytesLen; + unsigned uDigits; // alloc'd digits in sinst->u + curveParams *cp; + + if(pubKey == NULL) { + return FR_BadPubKey; + } + cp = feePubKeyCurveParams(pubKey); + if(cp == NULL) { + return FR_BadPubKey; + } + + privGiant = feePubKeyPrivData(pubKey); + if(privGiant == NULL) { + dbgLog(("Attempt to Sign without private data\n")); + frtn = FR_IllegalArg; + goto abort; + } + privGiantBytes = abs(privGiant->sign) * GIANT_BYTES_PER_DIGIT; + + /* + * Note PmX = m 'o' P1. + * Get message/digest as giant. May be significantly different + * in size from pubKey's basePrime. + */ + messageGiant = giant_with_data(data, dataLen); // M(text) + randBytesLen = feePubKeyBitsize(pubKey) / 8; + maxlen = max(randBytesLen, dataLen); + + /* leave plenty of room.... 
*/ + uDigits = (3 * (privGiantBytes + maxlen)) / GIANT_BYTES_PER_DIGIT; + sinst->u = newGiant(uDigits); + gtog(privGiant, sinst->u); // u := ourPri + mulg(messageGiant, sinst->u); // u *= M(text) + addg(sinst->randGiant, sinst->u); // u += m + + /* + * Paranoia: we're using the curveParams from the caller's pubKey; + * this cp will have a valid x1OrderPlusRecip if pubKey is the same + * as the one passed to feeSigNewWithKey() (since feeSigNewWithKey + * called x1OrderPlusJustify()). But the caller could conceivably be + * using a different instance of their pubKey, in which case + * the key's cp->x1OrderPlusRecip may not be valid. + */ + calcX1OrderPlusRecip(cp); + + /* u := u mod x1OrderPlus */ + #if SIG_DEBUG + if(sigDebug) { + printf("sigSign:\n"); + printf("u pre-modg : "); + printGiant(sinst->u); + } + #endif + modg_via_recip(cp->x1OrderPlus, cp->x1OrderPlusRecip, sinst->u); + + #if SIG_DEBUG + if(sigDebug) { + printf("privGiant : "); + printGiant(privGiant); + printf("u : "); + printGiant(sinst->u); + printf("messageGiant: "); + printGiant(messageGiant); + printf("curveParams :\n"); + printCurveParams(cp); + } + #endif // SIG_DEBUG +abort: + if(messageGiant) { + freeGiant(messageGiant); + } + return frtn; +} + +/* + * Given a feeSig processed by feeSigSign, obtain a malloc'd byte + * array representing the signature. + * See ByteRep.doc for info on the format of the signature string; + * PLEASE UPDATE THIS DOCUMENT WHEN YOU MAKE CHANGES TO THE STRING FORMAT. 
+ */ +feeReturn feeSigData(feeSig sig, + unsigned char **sigData, // IGNORED....malloc'd and RETURNED + unsigned *sigDataLen) // RETURNED +{ + sigInst *sinst = (sigInst*) sig; + + #if CRYPTKIT_DER_ENABLE + return feeDEREncodeElGamalSignature(sinst->u, sinst->PmX, sigData, sigDataLen); + #else + *sigDataLen = lengthOfByteRepSig(sinst->u, sinst->PmX); + *sigData = (unsigned char*) fmalloc(*sigDataLen); + sigToByteRep(FEE_SIG_MAGIC, + FEE_SIG_VERSION, + FEE_SIG_VERSION_MIN, + sinst->u, + sinst->PmX, + *sigData); + return FR_Success; + #endif +} + +/* + * Obtain a feeSig object by parsing an existing signature block. + * Note that if Pm is used to salt a hash of the signed data, this must + * function must be called prior to hashing. + */ +feeReturn feeSigParse(const unsigned char *sigData, + size_t sigDataLen, + feeSig *sig) // RETURNED +{ + sigInst *sinst = NULL; + feeReturn frtn; + #if !CRYPTKIT_DER_ENABLE + int version; + int magic; + int minVersion; + int rtn; + #endif + + sinst = sinstAlloc(); + #if CRYPTKIT_DER_ENABLE + frtn = feeDERDecodeElGamalSignature(sigData, sigDataLen, &sinst->u, &sinst->PmX); + if(frtn) { + goto abort; + } + #else + rtn = byteRepToSig(sigData, + sigDataLen, + FEE_SIG_VERSION, + &magic, + &version, + &minVersion, + &sinst->u, + &sinst->PmX); + if(rtn == 0) { + frtn = FR_BadSignatureFormat; + goto abort; + } + switch(magic) { + case FEE_ECDSA_MAGIC: + frtn = FR_WrongSignatureType; // ECDSA! + goto abort; + case FEE_SIG_MAGIC: + break; // proceed + default: + frtn = FR_BadSignatureFormat; + goto abort; + } + #endif /* CRYPTKIT_DER_ENABLE */ + + #if SIG_DEBUG + if(sigDebug) { + printf("sigParse: \n"); + printf("u: "); + printGiant(sinst->u); + } + #endif // SIG_DEBUG + + *sig = sinst; + return FR_Success; + +abort: + if(sinst) { + feeSigFree(sinst); + } + return frtn; +} + +/* + * Verify signature, obtained via feeSigParse, for specified + * data (most likely a hash result) and feePubKey. Returns non-zero if + * signature valid. 
+ */ + +#define LOG_BAD_SIG 0 + +#if CRYPTKIT_ELL_PROJ_ENABLE + +feeReturn feeSigVerifyNoProj(feeSig sig, + const unsigned char *data, + unsigned dataLen, + feePubKey pubKey); + +static void borrowPointProj(pointProj pt, unsigned maxDigits) +{ + pt->x = borrowGiant(maxDigits); + pt->y = borrowGiant(maxDigits); + pt->z = borrowGiant(maxDigits); +} + +static void returnPointProj(pointProj pt) +{ + returnGiant(pt->x); + returnGiant(pt->y); + returnGiant(pt->z); +} + +feeReturn feeSigVerify(feeSig sig, + const unsigned char *data, + unsigned dataLen, + feePubKey pubKey) +{ + pointProjStruct Q; + giant messageGiant = NULL; + pointProjStruct scratch; + sigInst *sinst = (sigInst*) sig; + feeReturn frtn; + curveParams *cp; + key origKey; // may be plus or minus key + + if(sinst->PmX == NULL) { + dbgLog(("sigVerify without parse!\n")); + return FR_IllegalArg; + } + + cp = feePubKeyCurveParams(pubKey); + if(cp->curveType != FCT_Weierstrass) { + return feeSigVerifyNoProj(sig, data, dataLen, pubKey); + } + + borrowPointProj(&Q, cp->maxDigits); + borrowPointProj(&scratch, cp->maxDigits); + + /* + * Q := P1 + */ + gtog(cp->x1Plus, Q.x); + gtog(cp->y1Plus, Q.y); + int_to_giant(1, Q.z); + + messageGiant = giant_with_data(data, dataLen); // M(ciphertext) + + /* Q := u 'o' P1 */ + ellMulProjSimple(&Q, sinst->u, cp); + + /* scratch := theirPub */ + origKey = feePubKeyPlusCurve(pubKey); + gtog(origKey->x, scratch.x); + gtog(origKey->y, scratch.y); + int_to_giant(1, scratch.z); + + #if SIG_DEBUG + if(sigDebug) { + printf("verify origKey:\n"); + printKey(origKey); + printf("messageGiant: "); + printGiant(messageGiant); + printf("curveParams:\n"); + printCurveParams(cp); + } + #endif // SIG_DEBUG + + /* scratch := M 'o' theirPub */ + ellMulProjSimple(&scratch, messageGiant, cp); + + #if SIG_DEBUG + if(sigDebug) { + printf("signature_compare, with\n"); + printf("p0 = Q:\n"); + printGiant(Q.x); + printf("p1 = Pm:\n"); + printGiant(sinst->PmX); + printf("p2 = scratch = R:\n"); + 
printGiant(scratch.x); + } + #endif // SIG_DEBUG + + if(signature_compare(Q.x, sinst->PmX, scratch.x, cp)) { + + frtn = FR_InvalidSignature; + #if LOG_BAD_SIG + printf("***yup, bad sig***\n"); + #endif // LOG_BAD_SIG + } + else { + frtn = FR_Success; + } + freeGiant(messageGiant); + + returnPointProj(&Q); + returnPointProj(&scratch); + return frtn; +} + +#else /* CRYPTKIT_ELL_PROJ_ENABLE */ + +#define feeSigVerifyNoProj(s, d, l, k) feeSigVerify(s, d, l, k) + +#endif /* CRYPTKIT_ELL_PROJ_ENABLE */ + +/* + * FEE_SIG_USING_PROJ true : this is the "no Weierstrass" case + * feeSigVerifyNoProj false : this is redefined to feeSigVerify + */ +feeReturn feeSigVerifyNoProj(feeSig sig, + const unsigned char *data, + unsigned dataLen, + feePubKey pubKey) +{ + giant Q = NULL; + giant messageGiant = NULL; + giant scratch = NULL; + sigInst *sinst = (sigInst*) sig; + feeReturn frtn; + curveParams *cp; + key origKey; // may be plus or minus key + + if(sinst->PmX == NULL) { + dbgLog(("sigVerify without parse!\n")); + frtn = FR_IllegalArg; + goto out; + } + + cp = feePubKeyCurveParams(pubKey); + Q = newGiant(cp->maxDigits); + + /* + * pick a key (+/-) + * Q := P1 + */ + if(SIG_CURVE == CURVE_PLUS) { + origKey = feePubKeyPlusCurve(pubKey); + gtog(cp->x1Plus, Q); + } + else { + origKey = feePubKeyMinusCurve(pubKey); + gtog(cp->x1Minus, Q); + } + + messageGiant = giant_with_data(data, dataLen); // M(ciphertext) + + /* Q := u 'o' P1 */ + elliptic_simple(Q, sinst->u, cp); + + /* scratch := theirPub */ + scratch = newGiant(cp->maxDigits); + gtog(origKey->x, scratch); + + #if SIG_DEBUG + if(sigDebug) { + printf("verify origKey:\n"); + printKey(origKey); + printf("messageGiant: "); + printGiant(messageGiant); + printf("curveParams:\n"); + printCurveParams(cp); + } + #endif // SIG_DEBUG + + /* scratch := M 'o' theirPub */ + elliptic_simple(scratch, messageGiant, cp); + + #if SIG_DEBUG + if(sigDebug) { + printf("signature_compare, with\n"); + printf("p0 = Q:\n"); + printGiant(Q); + printf("p1 
= Pm:\n"); + printGiant(sinst->PmX); + printf("p2 = scratch = R:\n"); + printGiant(scratch); + } + #endif // SIG_DEBUG + + if(signature_compare(Q, sinst->PmX, scratch, cp)) { + + frtn = FR_InvalidSignature; + #if LOG_BAD_SIG + printf("***yup, bad sig***\n"); + #endif // LOG_BAD_SIG + } + else { + frtn = FR_Success; + } +out: + if(messageGiant != NULL) { + freeGiant(messageGiant); + } + if(Q != NULL) { + freeGiant(Q); + } + if(scratch != NULL) { + freeGiant(scratch); + } + return frtn; +} + +/* + * For given key, calculate maximum signature size. + */ +feeReturn feeSigSize( + feePubKey pubKey, + unsigned *maxSigLen) +{ + /* For now, assume that u and Pm.x in the signature are + * same size as the key's associated curveParams->basePrime. + * We might have to pad this a bit.... + */ + curveParams *cp = feePubKeyCurveParams(pubKey); + + if(cp == NULL) { + return FR_BadPubKey; + } + #if CRYPTKIT_DER_ENABLE + *maxSigLen = feeSizeOfDERSig(cp->basePrime, cp->basePrime); + #else + *maxSigLen = (unsigned)lengthOfByteRepSig(cp->basePrime, cp->basePrime); + #endif + return FR_Success; +} diff --git a/Security/libsecurity_cryptkit/lib/feeDigitalSignature.h b/OSX/include/security_cryptkit/feeDigitalSignature.h similarity index 100% rename from Security/libsecurity_cryptkit/lib/feeDigitalSignature.h rename to OSX/include/security_cryptkit/feeDigitalSignature.h diff --git a/OSX/include/security_cryptkit/feeECDSA.c b/OSX/include/security_cryptkit/feeECDSA.c new file mode 100644 index 00000000..601bc6a4 --- /dev/null +++ b/OSX/include/security_cryptkit/feeECDSA.c 
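Review bot: `feeSigNewWithKey` calls `sinstAlloc()` before validating its inputs, so both `return NULL` paths (`pubKey == NULL` and `cp == NULL`) leak the allocation; declare `sigInst *sinst = NULL;` at the top and call `sinst = sinstAlloc();` only after the `cp == NULL` check. `feeSigVerify` and `feeSigVerifyNoProj` dereference the result of `feePubKeyCurveParams(pubKey)` and `origKey` without the NULL checks that `feeSigNewWithKey`, `feeSigSign` and `feeSigSize` perform, so they should return `FR_BadPubKey` on a NULL `cp` rather than crash on a malformed key. The nonce buffer in `feeSigNewWithKey` is wiped with a plain `memset(randBytes, 0, randBytesLen)` immediately before `ffree`, a dead store the compiler may elide; since `randGiant` is the per-signature secret that `feeSigSign` folds into `u = priv*M + m`, use a zeroization call the compiler cannot remove (e.g. `memset_s`), matching the `clearGiant` discipline already used in `feeSigFree`. The block comment above `feeSigVerify` still says "Returns non-zero if signature valid" while the function returns a `feeReturn` (`FR_Success` / `FR_InvalidSignature`), so the comment should name those codes instead.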
@@ -0,0 +1,697 @@ +/* Copyright (c) 1998,2011,2014 Apple Inc. All Rights Reserved. + * + * NOTICE: USE OF THE MATERIALS ACCOMPANYING THIS NOTICE IS SUBJECT + * TO THE TERMS OF THE SIGNED "FAST ELLIPTIC ENCRYPTION (FEE) REFERENCE + * SOURCE CODE EVALUATION AGREEMENT" BETWEEN APPLE, INC. AND THE + * ORIGINAL LICENSEE THAT OBTAINED THESE MATERIALS FROM APPLE, + * INC. ANY USE OF THESE MATERIALS NOT PERMITTED BY SUCH AGREEMENT WILL + * EXPOSE YOU TO LIABILITY. + *************************************************************************** + * + * feeECDSA.c - Elliptic Curve Digital Signature Algorithm (per IEEE 1363) + * + * Revision History + * ---------------- + * 11/27/98 dmitch + * Added ECDSA_VERIFY_ONLY dependencies. + * 10/06/98 ap + * Changed to compile with C++. + * 3 Sep 98 at Apple + * Rewrote using projective elliptic algebra, per IEEE P1363. + * 17 Dec 97 at Apple + * Fixed c==0 bug in feeECDSAVerify() + * Created. + */ + +/**** + Nomenclature, per IEEE P1363 D1, Dec. 1997 + + G = initial public point = (x1Plus, y1Plus) as usual + x1OrderPlus = IEEE r = (always prime) order of x1Plus + f = message to be signed, generally a SHA1 message digest + s = signer's private key + W = signer's public key + * : integer multiplication, as in (x * y) + 'o' : elliptic multiply, as in (u 'o' G) + + Signing algorithm: + + 1) Obtain random u in [2, x1OrderPlus-2]; + 2) Compute x coordinate, call it c, of u 'o' G (elliptic mul); + 3) Reduce: c := c mod x1OrderPlus; + 4) If c = 0, goto (1); + 5) Compute u^(-1) (mod x1OrderPlus); + 6) Compute signature s as: + + d = [u^(-1) (f + (s*c))] (mod x1OrderPlus) + + 7) If d = 0, goto (1); + 8) Signature is the integer pair (c, d). Each integer + in the pair must be in [1, x1OrderPlus-1]. + + Note: therefore a component of the signature could be slightly + larger than base prime. 
+ + Verification algorithm, given signature (c, d): + + 1) Compute h = d^(-1) (mod x1OrderPlus); + 2) Compute h1 = digest as giant integer (skips assigning to 'f' as in + IEEE spec) + 3) Compute h1 = h1 * h (mod x1OrderPlus) (i.e., = f * h) + 4) Compute h2 = c * h (mod x1OrderPlus); + 5) Compute h2W = h2 'o' W + 6) Compute h1G = h1 'o' G + 7) Compute elliptic sum of h1G + h2W + 8) If elliptic sum is point at infinity, signature is bad; stop. + 9) cPrime = x coordinate of elliptic sum, mod x1OrderPlus + 10) Signature is good iff cPrime == c. + +***********/ + +#include "ckconfig.h" + +#if CRYPTKIT_ECDSA_ENABLE + +#include "feeTypes.h" +#include "feePublicKey.h" +#include "feePublicKeyPrivate.h" +#include "giantIntegers.h" +#include "elliptic.h" +#include "feeRandom.h" +#include "curveParams.h" +#include "falloc.h" +#include "ckutilities.h" +#include "feeDebug.h" +#include "platform.h" +#include "byteRep.h" +#include +#include "feeECDSA.h" +#include "byteRep.h" +#include "feeDigitalSignature.h" +#include "ECDSA_Profile.h" +#include "ellipticProj.h" +#if CRYPTKIT_DER_ENABLE +#include "CryptKitDER.h" +#endif + +#ifndef ECDSA_VERIFY_ONLY +static void ECDSA_encode( + feeSigFormat format, // Signature format DER 9.62 / RAW + unsigned groupBytesLen, + giant c, + giant d, + unsigned char **sigData, // malloc'd and RETURNED + unsigned *sigDataLen); // RETURNED +#endif /* ECDSA_VERIFY_ONLY */ + +static feeReturn ECDSA_decode( + feeSigFormat format, // Signature format DER 9.62 / RAW + unsigned groupBytesLen, + const unsigned char *sigData, + size_t sigDataLen, + giant *gs, // alloc'd & RETURNED + giant *x0, // alloc'd & RETURNED + unsigned *sigVersion); // RETURNED + + +#define ECDSA_DEBUG 0 +#if ECDSA_DEBUG +int ecdsaDebug=1; /* tweakable at runtime via debugger */ +#define sigDbg(x) \ + if(ecdsaDebug) { \ + printf x; \ + } +#define sigLogGiant(s, g) \ + if(ecdsaDebug) { \ + printf(s); \ + printGiant(g) /*printGiantExp(g)*/; \ + } +#else // ECDSA_DEBUG +#define sigDbg(x) 
+#define sigLogGiant(s, g) +#endif // ECDSA_DEBUG + +#if ECDSA_PROFILE +/* + * Profiling accumulators. + */ +unsigned signStep1; +unsigned signStep2; +unsigned signStep34; +unsigned signStep5; +unsigned signStep67; +unsigned signStep8; +unsigned vfyStep1; +unsigned vfyStep3; +unsigned vfyStep4; +unsigned vfyStep5; +unsigned vfyStep6; +unsigned vfyStep7; +unsigned vfyStep8; +#endif // ECDSA_PROFILE + +/* + * Totally incompatible with feeDigitalSignature.c. Caller must be aware of + * signature format. We will detect an ElGamal signature, however, and + * return FR_WrongSignatureType from feeECDSAVerify(). + */ +#define FEE_ECDSA_VERSION 2 +#define FEE_ECDSA_VERSION_MIN 2 + +/* + * When true, use ellMulProjSimple rather than elliptic_simple in + * sign operation. Using ellMulProjSimple is a *big* win. + */ +#define ECDSA_SIGN_USE_PROJ 1 + +/* + * Sign specified block of data (most likely a hash result) using + * specified private key. Result, an enc64-encoded signature block, + * is returned in *sigData. 
+ */ + +#ifndef ECDSA_VERIFY_ONLY + +feeReturn feeECDSASign( + feePubKey pubKey, + feeSigFormat format, // Signature format DER 9.62 / RAW + const unsigned char *data, // data to be signed + unsigned dataLen, // in bytes + feeRandFcn randFcn, // optional + void *randRef, // optional + unsigned char **sigData, // malloc'd and RETURNED + unsigned *sigDataLen) // RETURNED +{ + curveParams *cp; + + /* giant integers per IEEE P1363 notation */ + + giant c; // both 1363 'c' and 'i' + // i.e., x-coord of u's pub key + giant d; + giant u; // random private key + giant s; // private key as giant + giant f; // data (message) as giant + + feeReturn frtn = FR_Success; + feeRand frand; + unsigned char *randBytes; + unsigned randBytesLen; + unsigned groupBytesLen; + giant privGiant; + #if ECDSA_SIGN_USE_PROJ + pointProjStruct pt; // pt->x = c + giant pty; // pt->y + giant ptz; // pt->z + #endif // ECDSA_SIGN_USE_PROJ + + if(pubKey == NULL) { + return FR_BadPubKey; + } + cp = feePubKeyCurveParams(pubKey); + if(cp == NULL) { + return FR_BadPubKey; + } + if(cp->curveType != FCT_Weierstrass) { + return FR_IllegalCurve; + } + + CKASSERT(!isZero(cp->x1OrderPlus)); + + /* + * Private key and message to be signed as giants + */ + privGiant = feePubKeyPrivData(pubKey); + if(privGiant == NULL) { + dbgLog(("Attempt to Sign without private data\n")); + return FR_IllegalArg; + } + s = borrowGiant(cp->maxDigits); + gtog(privGiant, s); + if(dataLen > (cp->maxDigits * GIANT_BYTES_PER_DIGIT)) { + f = borrowGiant(BYTES_TO_GIANT_DIGITS(dataLen)); + } + else { + f = borrowGiant(cp->maxDigits); + } + deserializeGiant(data, f, dataLen); + + /* + * Certicom SEC1 states that if the digest is larger than the modulus, + * use the left q bits of the digest. 
+ */
+ unsigned hashBits = dataLen * 8;
+ if(hashBits > cp->q) {
+ gshiftright(hashBits - cp->q, f);
+ }
+
+ sigDbg(("ECDSA sign:\n"));
+ sigLogGiant(" s : ", s);
+ sigLogGiant(" f : ", f);
+
+ c = borrowGiant(cp->maxDigits);
+ d = borrowGiant(cp->maxDigits);
+ u = borrowGiant(cp->maxDigits);
+ if(randFcn == NULL) {
+ frand = feeRandAlloc();
+ }
+ else {
+ frand = NULL;
+ }
+
+ /*
+ * Random size is just larger than base prime
+ */
+ groupBytesLen = ((feePubKeyBitsize(pubKey)+7) / 8);
+ randBytesLen = groupBytesLen+8; // +8bytes (64bits) to reduce the biais when with reduction mod prime. Per FIPS186-4 - "Using Extra Random Bits"
+ randBytes = (unsigned char*) fmalloc(randBytesLen);
+
+ #if ECDSA_SIGN_USE_PROJ
+ /* quick temp pointProj */
+ pty = borrowGiant(cp->maxDigits);
+ ptz = borrowGiant(cp->maxDigits);
+ pt.x = c;
+ pt.y = pty;
+ pt.z = ptz;
+ #endif // ECDSA_SIGN_USE_PROJ
+
+ while(1) {
+ /* Repeat this loop until we have a non-zero c and d */
+
+ /*
+ * 1) Obtain random u in [2, x1OrderPlus-2]
+ */
+ SIGPROF_START;
+ if(randFcn) {
+ randFcn(randRef, randBytes, randBytesLen);
+ }
+ else {
+ feeRandBytes(frand, randBytes, randBytesLen);
+ }
+ deserializeGiant(randBytes, u, randBytesLen);
+ sigLogGiant(" raw u : ", u);
+ sigLogGiant(" order : ", cp->x1OrderPlus);
+ x1OrderPlusJustify(u, cp);
+ SIGPROF_END(signStep1);
+ sigLogGiant(" in range u : ", u);
+
+ /*
+ * note 'o' indicates elliptic multiply, * is integer mult.
+ *
+ * 2) Compute x coordinate, call it c, of u 'o' G
+ * 3) Reduce: c := c mod x1OrderPlus;
+ * 4) If c == 0, goto (1);
+ */
+ SIGPROF_START;
+ gtog(cp->x1Plus, c);
+
+ #if ECDSA_SIGN_USE_PROJ
+
+ /* projective coordinates */
+ gtog(cp->y1Plus, pty);
+ int_to_giant(1, ptz);
+ ellMulProjSimple(&pt, u, cp);
+
+ #else /* ECDSA_SIGN_USE_PROJ */
+
+ /* the FEE way */
+ elliptic_simple(c, u, cp);
+
+ #endif /* ECDSA_SIGN_USE_PROJ */
+
+ SIGPROF_END(signStep2);
+ SIGPROF_START;
+ x1OrderPlusMod(c, cp);
+ SIGPROF_END(signStep34);
+ if(isZero(c)) {
+ dbgLog(("feeECDSASign: zero modulo (1)\n"));
+ continue;
+ }
+
+ /*
+ * 5) Compute u^(-1) mod x1OrderPlus;
+ */
+ SIGPROF_START;
+ gtog(u, d);
+ binvg_x1OrderPlus(cp, d);
+ SIGPROF_END(signStep5);
+ sigLogGiant(" u^(-1) : ", d);
+
+ /*
+ * 6) Compute signature d as:
+ * d = [u^(-1) (f + s*c)] (mod x1OrderPlus)
+ */
+ SIGPROF_START;
+ mulg(c, s); // s *= c
+ x1OrderPlusMod(s, cp);
+ addg(f, s); // s := f + (s * c)
+ x1OrderPlusMod(s, cp);
+ mulg(s, d); // d := u^(-1) (f + (s * c))
+ x1OrderPlusMod(d, cp);
+ SIGPROF_END(signStep67);
+
+ /*
+ * 7) If d = 0, goto (1);
+ */
+ if(isZero(d)) {
+ dbgLog(("feeECDSASign: zero modulo (2)\n"));
+ continue;
+ }
+ sigLogGiant(" c : ", c);
+ sigLogGiant(" d : ", d);
+ break; // normal successful exit
+ }
+
+ /*
+ * 8) signature is now the integer pair (c, d).
+ */
+
+ /*
+ * Cook up raw data representing the signature.
+ */
+ SIGPROF_START;
+ ECDSA_encode(format,groupBytesLen, c, d, sigData, sigDataLen);
+ SIGPROF_END(signStep8);
+
+ if(frand != NULL) {
+ feeRandFree(frand);
+ }
+ ffree(randBytes);
+ returnGiant(u);
+ returnGiant(d);
+ returnGiant(c);
+ returnGiant(f);
+ returnGiant(s);
+ #if ECDSA_SIGN_USE_PROJ
+ returnGiant(pty);
+ returnGiant(ptz);
+ #endif /* ECDSA_SIGN_USE_PROJ */
+ return frtn;
+}
+
+#endif /* ECDSA_VERIFY_ONLY */
+
+/*
+ * Verify signature for specified data (most likely a hash result) and
+ * feePubKey. Returns FR_Success or FR_InvalidSignature.
+ */
+
+#define LOG_BAD_SIG 0
+
+feeReturn feeECDSAVerify(const unsigned char *sigData,
+ size_t sigDataLen,
+ const unsigned char *data,
+ unsigned dataLen,
+ feePubKey pubKey,
+ feeSigFormat format)
+{
+ /* giant integers per IEEE P1363 notation */
+ giant h; // s^(-1)
+ giant h1; // f h
+ giant h2; // c times h
+ giant littleC; // newGiant from ECDSA_decode
+ giant littleD; // ditto
+ giant c; // borrowed, full size
+ giant d; // ditto
+ giant cPrime = NULL; // i mod r
+ pointProj h1G = NULL; // h1 'o' G
+ pointProj h2W = NULL; // h2 'o' W
+ key W; // i.e., their public key
+
+ unsigned version;
+ feeReturn frtn;
+ curveParams *cp = feePubKeyCurveParams(pubKey);
+ unsigned groupBytesLen = ((feePubKeyBitsize(pubKey)+7) / 8);
+ int result;
+
+ if(cp == NULL) {
+ return FR_BadPubKey;
+ }
+
+ /*
+ * First decode the byteRep string.
+ */
+ frtn = ECDSA_decode(
+ format,
+ groupBytesLen,
+ sigData,
+ sigDataLen,
+ &littleC,
+ &littleD,
+ &version);
+ if(frtn) {
+ return frtn;
+ }
+
+ /*
+ * littleC and littleD have capacity = abs(sign), probably
+ * not big enough....
+ */
+ c = borrowGiant(cp->maxDigits);
+ d = borrowGiant(cp->maxDigits);
+ gtog(littleC, c);
+ gtog(littleD, d);
+ freeGiant(littleC);
+ freeGiant(littleD);
+
+ sigDbg(("ECDSA verify:\n"));
+
+ /*
+ * W = signer's public key
+ */
+ W = feePubKeyPlusCurve(pubKey);
+
+ /*
+ * 1) Compute h = d^(-1) (mod x1OrderPlus);
+ */
+ SIGPROF_START;
+ h = borrowGiant(cp->maxDigits);
+ gtog(d, h);
+ binvg_x1OrderPlus(cp, h);
+ SIGPROF_END(vfyStep1);
+
+ /*
+ * 2) h1 = digest as giant (skips assigning to 'f' in P1363)
+ */
+ if(dataLen > (cp->maxDigits * GIANT_BYTES_PER_DIGIT)) {
+ h1 = borrowGiant(BYTES_TO_GIANT_DIGITS(dataLen));
+ }
+ else {
+ h1 = borrowGiant(cp->maxDigits);
+ }
+ deserializeGiant(data, h1, dataLen);
+
+ /*
+ * Certicom SEC1 states that if the digest is larger than the modulus,
+ * use the left q bits of the digest.
+ */
+ unsigned hashBits = dataLen * 8;
+ if(hashBits > cp->q) {
+ gshiftright(hashBits - cp->q, h1);
+ }
+
+ sigLogGiant(" Wx : ", W->x);
+ sigLogGiant(" f : ", h1);
+ sigLogGiant(" c : ", c);
+ sigLogGiant(" d : ", d);
+ sigLogGiant(" s^(-1) : ", h);
+
+ /*
+ * 3) Compute h1 = f * h mod x1OrderPlus;
+ */
+ SIGPROF_START;
+ mulg(h, h1); // h1 := f * h
+ x1OrderPlusMod(h1, cp);
+ SIGPROF_END(vfyStep3);
+
+ /*
+ * 4) Compute h2 = c * h (mod x1OrderPlus);
+ */
+ SIGPROF_START;
+ h2 = borrowGiant(cp->maxDigits);
+ gtog(c, h2);
+ mulg(h, h2); // h2 := c * h
+ x1OrderPlusMod(h2, cp);
+ SIGPROF_END(vfyStep4);
+
+ /*
+ * 5) Compute h2W = h2 'o' W (W = theirPub)
+ */
+ CKASSERT((W->y != NULL) && !isZero(W->y));
+ h2W = newPointProj(cp->maxDigits);
+ gtog(W->x, h2W->x);
+ gtog(W->y, h2W->y);
+ int_to_giant(1, h2W->z);
+ ellMulProjSimple(h2W, h2, cp);
+
+ /*
+ * 6) Compute h1G = h1 'o' G (G = {x1Plus, y1Plus, 1} )
+ */
+ CKASSERT((cp->y1Plus != NULL) && !isZero(cp->y1Plus));
+ h1G = newPointProj(cp->maxDigits);
+ gtog(cp->x1Plus, h1G->x);
+ gtog(cp->y1Plus, h1G->y);
+ int_to_giant(1, h1G->z);
+ ellMulProjSimple(h1G, h1, cp);
+
+ /*
+ * 7) h1G := (h1 'o' G) + (h2 'o' W)
+ */
+ ellAddProj(h1G, h2W, cp);
+
+ /*
+ * 8) If elliptic sum is point at infinity, signature is bad; stop.
+ */
+ if(isZero(h1G->z)) {
+ dbgLog(("feeECDSAVerify: h1 * G = point at infinity\n"));
+ result = 1;
+ goto vfyDone;
+ }
+ normalizeProj(h1G, cp);
+
+ /*
+ * 9) cPrime = x coordinate of elliptic sum, mod x1OrderPlus
+ */
+ cPrime = borrowGiant(cp->maxDigits);
+ gtog(h1G->x, cPrime);
+ x1OrderPlusMod(cPrime, cp);
+
+ /*
+ * 10) Good sig iff cPrime == c
+ */
+ result = gcompg(c, cPrime);
+
+vfyDone:
+ if(result) {
+ frtn = FR_InvalidSignature;
+ #if LOG_BAD_SIG
+ printf("***yup, bad sig***\n");
+ #endif // LOG_BAD_SIG
+ }
+ else {
+ frtn = FR_Success;
+ }
+
+ returnGiant(c);
+ returnGiant(d);
+ returnGiant(h);
+ returnGiant(h1);
+ returnGiant(h2);
+ if(h1G != NULL) {
+ freePointProj(h1G);
+ }
+ if(h2W != NULL) {
+ freePointProj(h2W);
+ }
+ if(cPrime != NULL) {
+ returnGiant(cPrime);
+ }
+ return frtn;
+}
+
+#ifndef ECDSA_VERIFY_ONLY
+
+/*
+ * Encode to/from byteRep.
+ */
+static void ECDSA_encode(
+ feeSigFormat format, // Signature format DER 9.62 / RAW
+ unsigned groupBytesLen,
+ giant c,
+ giant d,
+ unsigned char **sigData, // malloc'd and RETURNED
+ unsigned *sigDataLen) // RETURNED
+{
+ #if CRYPTKIT_DER_ENABLE
+ if (format==FSF_RAW) {
+ feeRAWEncodeECDSASignature(groupBytesLen,c, d, sigData, sigDataLen);
+ } else {
+ feeDEREncodeECDSASignature(c, d, sigData, sigDataLen);
+ }
+ #else
+ *sigDataLen = lengthOfByteRepSig(c, d);
+ *sigData = (unsigned char*) fmalloc(*sigDataLen);
+ sigToByteRep(FEE_ECDSA_MAGIC,
+ FEE_ECDSA_VERSION,
+ FEE_ECDSA_VERSION_MIN,
+ c,
+ d,
+ *sigData);
+ #endif
+}
+
+#endif /* ECDSA_VERIFY_ONLY */
+
+static feeReturn ECDSA_decode(
+ feeSigFormat format, // Signature format DER 9.62 / RAW
+ unsigned groupBytesLen,
+ const unsigned char *sigData,
+ size_t sigDataLen,
+ giant *c, // alloc'd & RETURNED
+ giant *d, // alloc'd & RETURNED
+ unsigned *sigVersion) // RETURNED
+{
+ #if CRYPTKIT_DER_ENABLE
+ feeReturn frtn;
+ if (format==FSF_RAW) {
+ frtn = feeRAWDecodeECDSASignature(groupBytesLen, sigData, sigDataLen, c, d);
+ } else {
+ frtn = feeDERDecodeECDSASignature(sigData, sigDataLen, c, d);
+ }
+ if(frtn == FR_Success) {
+ *sigVersion = FEE_ECDSA_VERSION;
+ }
+ return frtn;
+ #else
+ int magic;
+ int minVersion;
+ int rtn;
+
+ rtn = byteRepToSig(sigData,
+ sigDataLen,
+ FEE_ECDSA_VERSION,
+ &magic,
+ (int *)sigVersion,
+ &minVersion,
+ c,
+ d);
+ if(rtn == 0) {
+ return FR_BadSignatureFormat;
+ }
+ switch(magic) {
+ case FEE_ECDSA_MAGIC:
+ return FR_Success;
+ case FEE_SIG_MAGIC: // ElGamal sig!
+ return FR_WrongSignatureType;
+ default:
+ return FR_BadSignatureFormat;
+ }
+ #endif
+}
+
+/*
+ * For given key, calculate maximum signature size.
+ */
+feeReturn feeECDSASigSize(
+ feePubKey pubKey,
+ unsigned *maxSigLen)
+{
+ /* For now, assume that c and d in the signature are
+ * same size as the key's associated curveParams->basePrime.
+ * We might have to pad this a bit....
+ */
+ curveParams *cp = feePubKeyCurveParams(pubKey);
+
+ if(cp == NULL) {
+ return FR_BadPubKey;
+ }
+ #if CRYPTKIT_DER_ENABLE
+ *maxSigLen = feeSizeOfDERSig(cp->basePrime, cp->basePrime);
+ #else
+ *maxSigLen = (unsigned)lengthOfByteRepSig(cp->basePrime, cp->basePrime);
+ #endif
+ return FR_Success;
+}
+
+#endif /* CRYPTKIT_ECDSA_ENABLE */
+
diff --git a/OSX/include/security_cryptkit/feeECDSA.h b/OSX/include/security_cryptkit/feeECDSA.h
new file mode 100644
index 00000000..fc0cb28b
--- /dev/null
+++ b/OSX/include/security_cryptkit/feeECDSA.h
@@ -0,0 +1,84 @@
+/* Copyright (c) 1998,2011,2014 Apple Inc. All Rights Reserved.
+ *
+ * NOTICE: USE OF THE MATERIALS ACCOMPANYING THIS NOTICE IS SUBJECT
+ * TO THE TERMS OF THE SIGNED "FAST ELLIPTIC ENCRYPTION (FEE) REFERENCE
+ * SOURCE CODE EVALUATION AGREEMENT" BETWEEN APPLE, INC. AND THE
+ * ORIGINAL LICENSEE THAT OBTAINED THESE MATERIALS FROM APPLE,
+ * INC. ANY USE OF THESE MATERIALS NOT PERMITTED BY SUCH AGREEMENT WILL
+ * EXPOSE YOU TO LIABILITY.
+ ***************************************************************************
+ *
+ * feeECDSA.h - Elliptic Curve Digital Signature Algorithm (per IEEE 1363)
+ *
+ * Revision History
+ * ----------------
+ * 16 Jul 97 at Apple
+ * Created.
+ */
+
+#ifndef _CK_FEEECDSA_H_
+#define _CK_FEEECDSA_H_
+
+#if !defined(__MACH__)
+#include
+#include
+#include
+#else
+#include
+#include
+#include
+#endif
+
+/*
+ * Keep this one defined and visible even if we can't actually do ECDSA - feeSigParse()
+ * uses it to detect "wriong signature type".
+ */
+#define FEE_ECDSA_MAGIC 0xfee00517
+
+#if CRYPTKIT_ECDSA_ENABLE
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+/*
+ * Sign specified block of data (most likely a hash result) using
+ * specified private key. Result, an enc64-encoded signature block,
+ * is returned in *sigData.
+ */
+feeReturn feeECDSASign(feePubKey pubKey,
+ feeSigFormat format, // Format of the signature DER/RAW
+ const unsigned char *data, // data to be signed
+ unsigned dataLen, // in bytes
+ feeRandFcn randFcn, // optional
+ void *randRef, // optional
+ unsigned char **sigData, // malloc'd and RETURNED
+ unsigned *sigDataLen); // RETURNED
+
+/*
+ * Verify signature, obtained via feeECDSASign, for specified
+ * data (most likely a hash result) and feePubKey. Returns FR_Success or
+ * FR_InvalidSignature.
+ */
+feeReturn feeECDSAVerify(const unsigned char *sigData,
+ size_t sigDataLen,
+ const unsigned char *data,
+ unsigned dataLen,
+ feePubKey pubKey,
+ feeSigFormat format); // Format of the signature DER/RAW
+
+/*
+ * For given key, calculate maximum signature size.
+ */
+feeReturn feeECDSASigSize(
+ feePubKey pubKey,
+ unsigned *maxSigLen);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* CRYPTKIT_ECDSA_ENABLE */
+
+#endif /*_CK_FEEECDSA_H_*/
diff --git a/Security/libsecurity_cryptkit/lib/feeFEED.c b/OSX/include/security_cryptkit/feeFEED.c
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/feeFEED.c
rename to OSX/include/security_cryptkit/feeFEED.c
diff --git a/Security/libsecurity_cryptkit/lib/feeFEED.h b/OSX/include/security_cryptkit/feeFEED.h
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/feeFEED.h
rename to OSX/include/security_cryptkit/feeFEED.h
diff --git a/OSX/include/security_cryptkit/feeFEEDExp.c b/OSX/include/security_cryptkit/feeFEEDExp.c
new file mode 100644
index 00000000..673289bb
--- /dev/null
+++ b/OSX/include/security_cryptkit/feeFEEDExp.c
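Review bot: The header comment on feeECDSASign says the result is "an enc64-encoded signature block", but ECDSA_encode in this patch's feeECDSA.c produces a DER (X9.62) or raw r||s encoding chosen by `format` (or the legacy byteRep when CRYPTKIT_DER_ENABLE is off), so the comment misdescribes what *sigData holds; suggest `Result, a DER (X9.62) or raw r||s signature per 'format', is malloc'd and returned in *sigData.` The comment should also name the deallocator, since the byteRep path allocates with fmalloc and the rest of this patch pairs fmalloc with ffree — `Caller frees *sigData with ffree().` would fit, if that holds for the DER path too. `sigDataLen` is `unsigned *` on the sign side but `size_t` on the verify side; harmonizing the types, or a comment saying why they differ, would avoid a silent narrowing at the call site. Minor: "wriong" in the FEE_ECDSA_MAGIC comment.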
@@ -0,0 +1,735 @@
+/* Copyright (c) 1998,2011,2014 Apple Inc. All Rights Reserved.
+ *
+ * NOTICE: USE OF THE MATERIALS ACCOMPANYING THIS NOTICE IS SUBJECT
+ * TO THE TERMS OF THE SIGNED "FAST ELLIPTIC ENCRYPTION (FEE) REFERENCE
+ * SOURCE CODE EVALUATION AGREEMENT" BETWEEN APPLE, INC. AND THE
+ * ORIGINAL LICENSEE THAT OBTAINED THESE MATERIALS FROM APPLE,
+ * INC. ANY USE OF THESE MATERIALS NOT PERMITTED BY SUCH AGREEMENT WILL
+ * EXPOSE YOU TO LIABILITY.
+ ***************************************************************************
+ *
+ * FeeFEEDExp.c - generic FEED encryption object, 2:1 expansion
+ *
+ * Revision History
+ * ----------------
+ * 10/06/98 ap
+ * Changed to compile with C++.
+ * 20 Jan 1998 at Apple
+ * Mods for primeType == PT_GENERAL case.
+ * 12 Jun 1997 at Apple
+ * Was curveOrderJustify(), is lesserX1OrderJustify()
+ * 03 Mar 1997 at Apple
+ * Trimmed plainBlockSize by one byte if q mod 8 = 0
+ * 03 Feb 97 at NeXT
+ * Renamed to feeFEEDExp.c
+ * Justified random xaux to [2, minimumX1Order]
+ * Added feeFEEDExpCipherTextSize()
+ * 15 Jan 97 at NeXT
+ * Cleaned up which_curve/index code to use CURVE_MINUS/CURVE_PLUS
+ * 28 Aug 96 at NeXT
+ * Created from Blaine Garst's NSFEECryptor.m.
+ */
+
+#include "ckconfig.h"
+
+#if CRYPTKIT_ASYMMETRIC_ENABLE
+
+#include "feeTypes.h"
+#include "feeFEEDExp.h"
+#include "feePublicKey.h"
+#include "feePublicKeyPrivate.h"
+#include "elliptic.h"
+#include "falloc.h"
+#include "feeRandom.h"
+#include "ckutilities.h"
+#include "feeFunctions.h"
+#include "platform.h"
+#include "feeDebug.h"
+#include
+
+#define FEED_DEBUG 0
+
+#define PRINT_GIANT(g) printGiant(g)
+
+/*
+ * Format of clue byte. Currently just one bit.
+ */
+#define CLUE_ELL_ADD_SIGN 0x01
+#define CLUE_ELL_ADD_SIGN_PLUS 0x01
+#define CLUE_ELL_ADD_SIGN_MINUS 0x00
+
+/*
+ * Private data.
+ */
+typedef struct {
+ key plus;
+ key minus;
+ unsigned plainBlockSize; /* plaintext block size */
+ unsigned cipherBlockSize;/* ciphertext block size */
+ curveParams *cp;
+ giant gPriv; /* private data, only for decrypt */
+ /* one of the follow two is valid for encrypt */
+ feeRand rand; /* only created for encrypt */
+ feeRandFcn randFcn;
+ void *randRef;
+
+ /*
+ * temporary variables used for encrypt/decrypt. The values in these
+ * is not needed to be kept from block to block; we just
+ * alloc them once per lifetime of a feeFEED object as an optimization.
+ */
+ giant xp; /* plaintext */
+ giant xc; /* clue = r(P1?) */
+ giant xq; /* r(pubB?) or priB?(xc) */
+ giant xm; /* ciphertext */
+ giant xaux; /* scratch */
+ unsigned char *randData; /* only created for encrypt */
+} feedInst;
+
+/*
+ * "zero residue" indicator.
+ */
+#define RESID_ZERO 0xff
+
+/*
+ * Alloc and init a feeFEEDExp object associated with specified feePubKey.
+ */
+feeFEEDExp feeFEEDExpNewWithPubKey(
+ feePubKey pubKey,
+ feeRandFcn randFcn, // optional
+ void *randRef)
+{
+ feedInst *finst = (feedInst *) fmalloc(sizeof(feedInst));
+ giant privGiant;
+
+ finst->cp = curveParamsCopy(feePubKeyCurveParams(pubKey));
+ finst->plus = new_public_with_key(feePubKeyPlusCurve(pubKey),
+ finst->cp);
+ finst->minus = new_public_with_key(feePubKeyMinusCurve(pubKey),
+ finst->cp);
+
+ /*
+ * These might yield NULL data; we can only encrypt in that case.
+ */
+ privGiant = feePubKeyPrivData(pubKey);
+ if(privGiant) {
+ finst->gPriv = newGiant(finst->cp->maxDigits);
+ gtog(privGiant, finst->gPriv);
+ }
+ else {
+ finst->gPriv = NULL;
+ }
+
+ /*
+ * Conservative, rounding down, on plaintext blocks since we don't
+ * want to split bytes.
+ */
+ if(finst->cp->primeType == FPT_General) {
+ unsigned blen = bitlen(finst->cp->basePrime);
+
+ finst->plainBlockSize = blen / 8;
+ if((blen % 8) == 0) {
+ /*
+ * round down some more...
+ */
+ finst->plainBlockSize--;
+ }
+ }
+ else {
+ finst->plainBlockSize = finst->cp->q / 8;
+ if(((finst->cp->q & 0x7) == 0) && (finst->cp->k > 0)) {
+ /*
+ * Special case, with q mod 8 == 0. Here we have to trim back
+ * the plainBlockSize by one byte.
+ */
+ finst->plainBlockSize--;
+ }
+ }
+
+ /*
+ * One block of ciphertext - two giants (with implied sign) and a
+ * parity byte
+ */
+ finst->cipherBlockSize = (2 * finst->cp->minBytes) + 1;
+
+ finst->xp = newGiant(finst->cp->maxDigits);
+ finst->xc = newGiant(finst->cp->maxDigits);
+ finst->xq = newGiant(finst->cp->maxDigits);
+ finst->xm = newGiant(finst->cp->maxDigits);
+ finst->xaux = newGiant(finst->cp->maxDigits);
+ finst->rand = NULL;
+ finst->randData = NULL;
+ finst->randFcn = randFcn;
+ finst->randRef = randRef;
+ return finst;
+}
+
+void feeFEEDExpFree(feeFEEDExp feed)
+{
+ feedInst *finst = (feedInst *) feed;
+
+ free_key(finst->plus);
+ free_key(finst->minus);
+ freeGiant(finst->xc);
+ clearGiant(finst->xp); freeGiant(finst->xp);
+ clearGiant(finst->xq); freeGiant(finst->xq);
+ freeGiant(finst->xm);
+ clearGiant(finst->xaux); freeGiant(finst->xaux);
+ if(finst->gPriv) {
+ clearGiant(finst->gPriv);
+ freeGiant(finst->gPriv);
+ }
+ if(finst->rand) {
+ feeRandFree(finst->rand);
+ }
+ if(finst->randData) {
+ ffree(finst->randData);
+ }
+ if(finst->cp) {
+ freeCurveParams(finst->cp);
+ }
+ ffree(finst);
+}
+
+unsigned feeFEEDExpPlainBlockSize(feeFEEDExp feed)
+{
+ feedInst *finst = (feedInst *) feed;
+
+ return finst->plainBlockSize;
+}
+
+unsigned feeFEEDExpCipherBlockSize(feeFEEDExp feed)
+{
+ feedInst *finst = (feedInst *) feed;
+
+ return finst->cipherBlockSize;
+}
+
+unsigned feeFEEDExpCipherBufSize(feeFEEDExp feed)
+{
+ feedInst *finst = (feedInst *) feed;
+
+ return 2 * finst->cipherBlockSize;
+}
+
+/*
+ * Return the size of ciphertext to hold specified size of plaintext.
+ */
+unsigned feeFEEDExpCipherTextSize(feeFEEDExp feed, unsigned plainTextSize)
+{
+ /*
+ * Normal case is one block of ciphertext for each block of
+ * plaintext. Add one cipherBlock if
+ * plainTextSize % plainBlockSize == 0.
+ */
+ feedInst *finst = (feedInst *) feed;
+ unsigned blocks = (plainTextSize + finst->plainBlockSize - 1) /
+ finst->plainBlockSize;
+
+ if((plainTextSize % finst->plainBlockSize) == 0) {
+ blocks++;
+ }
+ return blocks * finst->cipherBlockSize;
+}
+
+/*
+ * Return the size of plaintext to hold specified size of decrypted ciphertext.
+ */
+unsigned feeFEEDExpPlainTextSize(feeFEEDExp feed, unsigned cipherTextSize)
+{
+ feedInst *finst = (feedInst *) feed;
+ unsigned blocks = (cipherTextSize + finst->cipherBlockSize - 1) /
+ finst->cipherBlockSize;
+
+ return blocks * finst->plainBlockSize;
+}
+
+/*
+ * Encrypt a block or less of data. Caller malloc's cipherText.
+ */
+feeReturn feeFEEDExpEncryptBlock(feeFEEDExp feed,
+ const unsigned char *plainText,
+ unsigned plainTextLen,
+ unsigned char *cipherText,
+ unsigned *cipherTextLen, // RETURNED
+ int finalBlock)
+{
+ feedInst *finst = (feedInst *) feed;
+ int index; /* which curve (+/- 1) */
+ char g = 0; /* parity, which_curve bits in ciphertext */
+ key B;
+ unsigned char *ptext; /* for final block */
+ unsigned ctextLen;
+ feeReturn frtn = FR_Success;
+ giant x1;
+ unsigned randLen;
+ curveParams *cp = finst->cp;
+ randLen = cp->minBytes+8; // +8bytes (64bits) to reduce the biais when with reduction mod prime. Per FIPS186-4 - "Using Extra Random Bits"
+
+ if(plainTextLen > finst->plainBlockSize) {
+ return FR_IllegalArg;
+ }
+ else if ((plainTextLen < finst->plainBlockSize) && !finalBlock) {
+ return FR_IllegalArg;
+ }
+
+ /*
+ * Init only on first encrypt
+ */
+ if((finst->randFcn == NULL) && (finst->rand == NULL)) {
+ finst->rand = feeRandAlloc();
+ }
+ if(finst->randData == NULL) {
+ finst->randData = (unsigned char*) fmalloc(randLen);
+ }
+
+ /*
+ * plaintext as giant xp
+ */
+ if(finalBlock) {
+ ptext = (unsigned char*) fmalloc(finst->plainBlockSize);
+ bzero(ptext, finst->plainBlockSize);
+ if(plainTextLen) {
+ /*
+ * 0 for empty block with resid length 0
+ */
+ bcopy(plainText, ptext, plainTextLen);
+ }
+ if(plainTextLen < finst->plainBlockSize) {
+ if(plainTextLen == 0) {
+ /*
+ * Special case - can't actually write zero here;
+ * it screws up deserializing the giant during
+ * decrypt
+ */
+ ptext[finst->plainBlockSize - 1] = RESID_ZERO;
+ }
+ else {
+ ptext[finst->plainBlockSize - 1] = plainTextLen;
+ }
+ #if FEED_DEBUG
+ printf("encrypt: resid 0x%x\n", ptext[finst->plainBlockSize - 1]);
+ #endif
+ }
+ /*
+ * else handle evenly aligned case below...
+ */
+ deserializeGiant(ptext, finst->xp, finst->plainBlockSize);
+ ffree(ptext);
+ }
+ else {
+ deserializeGiant(plainText, finst->xp, plainTextLen);
+ }
+ #if FEED_DEBUG
+ printf("encrypt:\n");
+ printf(" xp : "); PRINT_GIANT(finst->xp);
+ #endif // FEED_DEBUG
+
+ /*
+ * pick curve B? that data lies upon
+ */
+ index = which_curve(finst->xp, finst->cp);
+ if(index == CURVE_PLUS) {
+ B = finst->plus;
+ x1 = finst->cp->x1Plus;
+ }
+ else {
+ B = finst->minus;
+ x1 = finst->cp->x1Minus;
+ }
+ #if FEED_DEBUG
+ printf(" which_curve: %s\n",
+ (index == CURVE_PLUS) ? "CURVE_PLUS" : "CURVE_MINUS");
+ #endif
+
+ /*
+ * random number as giant xaux
+ */
+ if(finst->randFcn != NULL) {
+ finst->randFcn(finst->randRef, finst->randData, randLen);
+ }
+ else {
+ feeRandBytes(finst->rand, finst->randData, randLen);
+ }
+ deserializeGiant(finst->randData, finst->xaux, randLen);
+
+ #if FEE_DEBUG
+ if(isZero(finst->xaux)) {
+ printf("feeFEEDExpEncryptBlock: random xaux = 0!\n");
+ }
+ #endif // FEE_DEBUG
+ /*
+ * Justify random # to be in [2, minimumX1Order].
+ */
+ lesserX1OrderJustify(finst->xaux, cp);
+ #if FEED_DEBUG
+ printf(" xaux: "); PRINT_GIANT(finst->xaux);
+ #endif // FEED_DEBUG
+
+ gtog(B->x, finst->xq); // xq = pubB?
+ elliptic_simple(finst->xq, finst->xaux, cp);
+ // xq = r(pubB?)
+ #if FEED_DEBUG
+ printf(" r(pubB?): "); PRINT_GIANT(finst->xq);
+ #endif
+ elliptic_add(finst->xp, finst->xq, finst->xm, cp, SIGN_PLUS);
+ // xm = data + r(pubB?)
+ gtog(x1, finst->xc);
+ elliptic_simple(finst->xc, finst->xaux, cp);
+ // xc = r(P1?)
+ elliptic_add(finst->xm, finst->xq, finst->xaux, cp, SIGN_PLUS);
+ // xaux = xm + xq (for curve +1)
+ // = (data + r(pubB?)) + r(pubB?)
+ if(gcompg(finst->xaux, finst->xp) == 0) {
+ g |= CLUE_ELL_ADD_SIGN_PLUS;
+ }
+ else {
+ g |= CLUE_ELL_ADD_SIGN_MINUS;
+ #if FEED_DEBUG
+ /* this better be true.... */
+ elliptic_add(finst->xm, finst->xq, finst->xaux, cp, SIGN_MINUS);
+ if(gcompg(finst->xaux, finst->xp)) {
+ printf("*******elliptic_add(xm, xq, -1) != xp! *************\n");
+ printf(" xq : "); PRINT_GIANT(finst->xq);
+ printf(" ell_add(xm, xq, -1) : "); PRINT_GIANT(finst->xaux);
+ }
+ #endif
+ } // g = (xaux == data) ? add : subtract
+
+ /*
+ * Ciphertext = (xm, xc, g)
+ */
+ serializeGiant(finst->xm, cipherText, cp->minBytes);
+ cipherText += cp->minBytes;
+ serializeGiant(finst->xc, cipherText, cp->minBytes);
+ cipherText += cp->minBytes;
+ *cipherText++ = g;
+ ctextLen = finst->cipherBlockSize;
+ #if FEED_DEBUG
+ printf(" xm : "); PRINT_GIANT(finst->xm);
+ printf(" xc : "); PRINT_GIANT(finst->xc);
+ printf(" g : %d\n", g);
+ #endif // FEED_DEBUG
+ if(finalBlock && (plainTextLen == finst->plainBlockSize)) {
+ /*
+ * Special case: finalBlock true, plainTextLen == blockSize.
+ * In this case we generate one more block of ciphertext,
+ * with a resid length of zero.
+ */
+ unsigned moreCipher; // additional cipherLen
+
+ #if FEED_DEBUG
+ printf("encrypt: one more empty block\n");
+ #endif
+ frtn = feeFEEDExpEncryptBlock(feed,
+ NULL, // plainText not used
+ 0, // resid
+ cipherText, // append...
+ &moreCipher,
+ 1);
+ if(frtn == FR_Success) {
+ ctextLen += moreCipher;
+ }
+ }
+
+ *cipherTextLen = ctextLen;
+ return frtn;
+}
+
+/*
+ * Decrypt (exactly) a block of data. Caller malloc's plainText. Always
+ * generates feeFEEDExpPlainBlockSize of plaintext, unless finalBlock is
+ * non-zero (in which case feeFEEDExpPlainBlockSize or less bytes of
+ * plainText are generated).
+ */
+feeReturn feeFEEDExpDecryptBlock(feeFEEDExp feed,
+ const unsigned char *cipherText,
+ unsigned cipherTextLen,
+ unsigned char *plainText,
+ unsigned *plainTextLen, // RETURNED
+ int finalBlock)
+{
+ feedInst *finst = (feedInst *) feed;
+ char g;
+ int s;
+ feeReturn frtn = FR_Success;
+ curveParams *cp = finst->cp;
+
+ if(finst->gPriv == NULL) {
+ /*
+ * Can't decrypt without private data
+ */
+ return FR_BadPubKey;
+ }
+
+ /*
+ * grab xm, xc, and g from cipherText
+ */
+ deserializeGiant(cipherText, finst->xm, finst->cp->minBytes);
+ cipherText += finst->cp->minBytes;
+ deserializeGiant(cipherText, finst->xc, finst->cp->minBytes);
+ cipherText += finst->cp->minBytes;
+ g = *cipherText;
+ #if FEED_DEBUG
+ printf("decrypt g=%d\n", g);
+ printf(" privKey : "); PRINT_GIANT(finst->gPriv);
+ printf(" xm : "); PRINT_GIANT(finst->xm);
+ printf(" xc : "); PRINT_GIANT(finst->xc);
+ #endif // FEED_DEBUG
+
+ if((g & CLUE_ELL_ADD_SIGN) == CLUE_ELL_ADD_SIGN_PLUS) {
+ s = SIGN_PLUS;
+ }
+ else {
+ s = SIGN_MINUS;
+ }
+
+ /*
+ * xc = r(P1?)
+ * xc := r(P1?)(pri) = xq
+ * xp = data + r(priB+) +/- pri(rB?)
+ */
+ elliptic_simple(finst->xc, finst->gPriv, cp);
+ #if FEED_DEBUG
+ printf(" xc1 : "); PRINT_GIANT(finst->xc);
+ #endif
+ elliptic_add(finst->xm, finst->xc, finst->xp, cp, s);
+
+ /*
+ * plaintext in xp
+ */
+ #if FEED_DEBUG
+ printf(" xp : "); PRINT_GIANT(finst->xp);
+ #endif // FEED_DEBUG
+
+ if(finalBlock) {
+ /*
+ * Snag data from xp in order to find out how much to move to
+ * *plainText
+ */
+ unsigned char *ptext = (unsigned char*) fmalloc(finst->plainBlockSize);
+
+ serializeGiant(finst->xp, ptext, finst->plainBlockSize);
+ *plainTextLen = ptext[finst->plainBlockSize - 1];
+ #if FEED_DEBUG
+ printf("decrypt: resid 0x%x\n", *plainTextLen);
+ #endif
+ if(*plainTextLen == RESID_ZERO) {
+ *plainTextLen = 0;
+ }
+ else if(*plainTextLen > (finst->plainBlockSize - 1)) {
+ dbgLog(("feeFEEDExpDecryptBlock: ptext overflow!\n"));
+ frtn = FR_BadCipherText;
+ }
+ else {
+ bcopy(ptext, plainText, *plainTextLen);
+ }
+ ffree(ptext);
+ }
+ else {
+ *plainTextLen = finst->plainBlockSize;
+ serializeGiant(finst->xp, plainText, *plainTextLen);
+ }
+ return frtn;
+}
+
+/*
+ * Convenience routines to encrypt & decrypt multi-block data.
+ */
+feeReturn feeFEEDExpEncrypt(feeFEEDExp feed,
+ const unsigned char *plainText,
+ unsigned plainTextLen,
+ unsigned char **cipherText, // malloc'd and RETURNED
+ unsigned *cipherTextLen) // RETURNED
+{
+ const unsigned char *ptext; // per block
+ unsigned ptextLen; // total to go
+ unsigned thisPtextLen; // per block
+ unsigned char *ctext; // per block
+ unsigned ctextLen; // per block
+ unsigned char *ctextResult; // to return
+ unsigned ctextResultLen;
+ unsigned char *ctextPtr;
+ unsigned ctextLenTotal; // running total
+ feeReturn frtn;
+ int finalBlock;
+ unsigned numBlocks;
+ unsigned plainBlockSize;
+
+ if(plainTextLen == 0) {
+ dbgLog(("feeFEEDExpDecrypt: NULL plainText\n"));
+ return FR_IllegalArg;
+ }
+
+ ptext = plainText;
+ ptextLen = plainTextLen;
+ ctext = (unsigned char*) fmalloc(feeFEEDExpCipherBufSize(feed));
+ plainBlockSize = feeFEEDExpPlainBlockSize(feed);
+ numBlocks = (plainTextLen + plainBlockSize - 1)/plainBlockSize;
+ ctextResultLen = (numBlocks + 1) * feeFEEDExpCipherBlockSize(feed);
+ ctextResult = (unsigned char*) fmalloc(ctextResultLen);
+ ctextPtr = ctextResult;
+ ctextLenTotal = 0;
+
+ while(1) {
+ if(ptextLen <= plainBlockSize) {
+ finalBlock = 1;
+ thisPtextLen = ptextLen;
+ }
+ else {
+ finalBlock = 0;
+ thisPtextLen = plainBlockSize;
+ }
+ frtn = feeFEEDExpEncryptBlock(feed,
+ ptext,
+ thisPtextLen,
+ ctext,
+ &ctextLen,
+ finalBlock);
+ if(frtn) {
+ dbgLog(("feeFEEDExpEncrypt: encrypt error: %s\n",
+ feeReturnString(frtn)));
+ break;
+ }
+ if(ctextLen == 0) {
+ dbgLog(("feeFEEDExpEncrypt: null ciphertext\n"));
+ frtn = FR_Internal;
+ break;
+ }
+ bcopy(ctext, ctextPtr, ctextLen);
+ ctextLenTotal += ctextLen;
+ if(ctextLenTotal > ctextResultLen) {
+ dbgLog(("feeFEEDExpEncrypt: ciphertext overflow\n"));
+ frtn = FR_Internal;
+ break;
+ }
+ if(finalBlock) {
+ break;
+ }
+ ctextPtr += ctextLen;
+ ptext += thisPtextLen;
+ ptextLen -= thisPtextLen;
+ }
+
+ ffree(ctext);
+ if(frtn) {
+ ffree(ctextResult);
+ *cipherText = NULL;
+ *cipherTextLen = 0;
+ }
+ else {
+ *cipherText = ctextResult;
+ *cipherTextLen = ctextLenTotal;
+ #if FEE_DEBUG
+ if(feeFEEDExpCipherTextSize(feed, plainTextLen) !=
+ ctextLenTotal) {
+ printf("feeFEEDExpEncrypt: feeFEEDCipherTextSize "
+ "error!\n");
+ printf("ptext %d exp ctext %d actual ctext %d\n",
+ plainTextLen,
+ feeFEEDExpCipherTextSize(feed, plainTextLen),
+ ctextLenTotal);
+ }
+ #endif // FEE_DEBUG
+ }
+ return frtn;
+
+}
+
+feeReturn feeFEEDExpDecrypt(feeFEEDExp feed,
+ const unsigned char *cipherText,
+ unsigned cipherTextLen,
+ unsigned char **plainText, // malloc'd and RETURNED
+ unsigned *plainTextLen) // RETURNED
+{
+ const unsigned char *ctext;
+ unsigned ctextLen; // total to go
+ unsigned char *ptext; // per block
+ unsigned ptextLen; // per block
+ unsigned char *ptextResult; // to return
+ unsigned char *ptextPtr;
+ unsigned ptextLenTotal; // running total
+ feeReturn frtn = FR_Success;
+ int finalBlock;
+ unsigned numBlocks;
+ unsigned plainBlockSize =
+ feeFEEDExpPlainBlockSize(feed);
+ unsigned cipherBlockSize =
+ feeFEEDExpCipherBlockSize(feed);
+
+ if(cipherTextLen % cipherBlockSize) {
+ dbgLog(("feeFEEDExpDecrypt: unaligned cipherText\n"));
+ return FR_BadCipherText;
+ }
+ if(cipherTextLen == 0) {
+ dbgLog(("feeFEEDExpDecrypt: NULL cipherText\n"));
+ return FR_BadCipherText;
+ }
+
+ ptext = (unsigned char*) fmalloc(plainBlockSize);
+ ctext = cipherText;
+ ctextLen = cipherTextLen;
+ numBlocks = cipherTextLen / cipherBlockSize;
+ ptextResult = (unsigned char*) fmalloc(plainBlockSize * numBlocks);
+ ptextPtr = ptextResult;
+ ptextLenTotal = 0;
+
+ while(ctextLen) {
+ if(ctextLen == cipherBlockSize) {
+ finalBlock = 1;
+ }
+ else {
+ finalBlock = 0;
+ }
+ frtn = feeFEEDExpDecryptBlock(feed,
+ ctext,
+ cipherBlockSize,
+ ptext,
+ &ptextLen,
+ finalBlock);
+ if(frtn) {
+ dbgLog(("feeFEEDExpDecryptBlock: %s\n",
+ feeReturnString(frtn)));
+ break;
+ }
+ if(ptextLen == 0) {
+ /*
+ * Normal termination case for
+ * plainTextLen % plainBlockSize == 0
+ */
+ if(!finalBlock) {
+ dbgLog(("feeFEEDExpDecrypt: decrypt sync"
+ " error!\n"));
+ frtn = FR_BadCipherText;
+ }
+ break;
+ }
+ else if(ptextLen > plainBlockSize) {
+ dbgLog(("feeFEEDExpDecrypt: ptext overflow!\n"));
+ frtn = FR_Internal;
+ break;
+ }
+ else {
+ bcopy(ptext, ptextPtr, ptextLen);
+ ptextPtr += ptextLen;
+ ptextLenTotal += ptextLen;
+ }
+ ctext += cipherBlockSize;
+ ctextLen -= cipherBlockSize;
+ }
+
+ ffree(ptext);
+ if(frtn) {
+ ffree(ptextResult);
+ *plainText = NULL;
+ *plainTextLen = 0;
+ }
+ else {
+ *plainText = ptextResult;
+ *plainTextLen = ptextLenTotal;
+ }
+ return frtn;
+
+}
+
+#endif /* CRYPTKIT_ASYMMETRIC_ENABLE */
diff --git a/Security/libsecurity_cryptkit/lib/feeFEEDExp.h b/OSX/include/security_cryptkit/feeFEEDExp.h
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/feeFEEDExp.h
rename to OSX/include/security_cryptkit/feeFEEDExp.h
diff --git a/Security/libsecurity_cryptkit/lib/feeFunctions.h b/OSX/include/security_cryptkit/feeFunctions.h
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/feeFunctions.h
rename to OSX/include/security_cryptkit/feeFunctions.h
diff --git a/Security/libsecurity_cryptkit/lib/feeHash.c b/OSX/include/security_cryptkit/feeHash.c
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/feeHash.c
rename to OSX/include/security_cryptkit/feeHash.c
diff --git a/Security/libsecurity_cryptkit/lib/feeHash.h b/OSX/include/security_cryptkit/feeHash.h
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/feeHash.h
rename to OSX/include/security_cryptkit/feeHash.h
diff --git a/Security/libsecurity_cryptkit/lib/feePublicKey.c b/OSX/include/security_cryptkit/feePublicKey.c
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/feePublicKey.c
rename to OSX/include/security_cryptkit/feePublicKey.c
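Review bot: feeFEEDExpDecryptBlock never consults its cipherTextLen argument: it deserializes two `minBytes` giants and then reads the clue byte from cipherText unconditionally, so a direct caller handing this public entry point a short (attacker-controlled) buffer gets an out-of-bounds read. A guard right after the gPriv check closes it: `if(cipherTextLen < finst->cipherBlockSize) { return FR_BadCipherText; }` (the feeFEEDExpDecrypt wrapper always passes exactly cipherBlockSize, so only external callers are exposed). Separately, in feeFEEDExpEncrypt the `ctextLenTotal > ctextResultLen` overflow check runs only after `bcopy(ctext, ctextPtr, ctextLen)` has already written into ctextResult; comparing `ctextLenTotal + ctextLen` against ctextResultLen before the copy makes it a real guard rather than a post-mortem. That function's zero-length log line also names the wrong routine: `dbgLog(("feeFEEDExpDecrypt: NULL plainText\n"))` should read `feeFEEDExpEncrypt`.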
diff --git a/Security/libsecurity_cryptkit/lib/feePublicKey.h b/OSX/include/security_cryptkit/feePublicKey.h
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/feePublicKey.h
rename to OSX/include/security_cryptkit/feePublicKey.h
diff --git a/Security/libsecurity_cryptkit/lib/feePublicKeyPrivate.h b/OSX/include/security_cryptkit/feePublicKeyPrivate.h
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/feePublicKeyPrivate.h
rename to OSX/include/security_cryptkit/feePublicKeyPrivate.h
diff --git a/Security/libsecurity_cryptkit/lib/feeRandom.c b/OSX/include/security_cryptkit/feeRandom.c
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/feeRandom.c
rename to OSX/include/security_cryptkit/feeRandom.c
diff --git a/Security/libsecurity_cryptkit/lib/feeRandom.h b/OSX/include/security_cryptkit/feeRandom.h
similarity index 100%
rename from Security/libsecurity_cryptkit/lib/feeRandom.h
rename to OSX/include/security_cryptkit/feeRandom.h
diff --git a/OSX/include/security_cryptkit/feeTypes.h b/OSX/include/security_cryptkit/feeTypes.h
new file mode 100644
index 00000000..87db4052
--- /dev/null
+++ b/OSX/include/security_cryptkit/feeTypes.h
@@ -0,0 +1,174 @@
+/* Copyright (c) 1998,2011,2014 Apple Inc. All Rights Reserved.
+ *
+ * NOTICE: USE OF THE MATERIALS ACCOMPANYING THIS NOTICE IS SUBJECT
+ * TO THE TERMS OF THE SIGNED "FAST ELLIPTIC ENCRYPTION (FEE) REFERENCE
+ * SOURCE CODE EVALUATION AGREEMENT" BETWEEN APPLE, INC. AND THE
+ * ORIGINAL LICENSEE THAT OBTAINED THESE MATERIALS FROM APPLE,
+ * INC. ANY USE OF THESE MATERIALS NOT PERMITTED BY SUCH AGREEMENT WILL
+ * EXPOSE YOU TO LIABILITY.
+ ***************************************************************************
+ *
+ * feeTypes.h - general purpose FEE typedefs and constants
+ *
+ * Revision History
+ * ----------------
+ * 23 Mar 98 at Apple
+ * Added FR_BadKeyBlob.
+ * 20 Jan 98 at Apple
+ * New PT_GENERAL depth values.
+ * 09 Jan 98 at Apple
+ * Removed obsolete FEE_DEPTH_* values.
+ * 20 Aug 96 at NeXT
+ * Created.
+ */
+
+#ifndef _CK_FEETYPES_H_
+#define _CK_FEETYPES_H_
+
+/*
+ * Opaque public key object.
+ */
+typedef void *feePubKey;
+
+/*
+ * Standard return codes.
+ * Remember to update frtnStrings[] in utilities.c when adding new items.
+ */
+typedef enum {
+ FR_Success = 0,
+ FR_BadPubKey,
+ FR_BadPubKeyString,
+ FR_IncompatibleKey, /* incompatible key */
+ FR_IllegalDepth,
+ FR_BadUsageName, /* bad usageName */
+ FR_BadSignatureFormat, /* signature corrupted */
+ FR_InvalidSignature, /* signature intact, but not valid */
+ FR_IllegalArg, /* illegal argument */
+ FR_BadCipherText, /* malformed ciphertext */
+ FR_Unimplemented, /* unimplemented function */
+ FR_BadCipherFile,
+ FR_BadEnc64, /* bad enc64() format */
+ FR_WrongSignatureType, /* ElGamal vs. ECDSA */
+ FR_BadKeyBlob,
+ FR_IllegalCurve, /* e.g., ECDSA with Montgomery curve */
+ FR_Internal, /* internal library error */
+ FR_Memory, /* out of memory */
+ FR_ShortPrivData /* insufficient privData for creating
+ * private key */
+ /* etc. */
+} feeReturn;
+
+typedef enum {
+ FSF_Default, /* default */
+ FSF_DER, /* DER */
+ FSF_RAW, /* RAW (for ECDSA, first half is r, second half is s */
+} feeSigFormat;
+
+/*
+ * The feeDepth parameter defines one of 'n' known curves. From a user's
+ * perspective, the most interesting parameter indicated by feeDepth is
+ * the size (in bits) of the key.
+ */
+typedef unsigned feeDepth;
+
+/*
+ * Prime and curve description parameters.
+ */
+typedef enum {
+ FPT_Default, /* default per key size */
+ FPT_Mersenne, /* (2 ** q) - 1 */
+ FPT_FEE, /* (2 ** q) - k */
+ FPT_General /* random prime */
+} feePrimeType;
+
+typedef enum {
+ FCT_Default, /* default per key size */
+ FCT_Montgomery, /* a==1, b==0 */
+ FCT_Weierstrass, /* c==0. IEEE P1363 compliant. */
+ FCT_ANSI, /* ANSI X9.62/Certicom, also FCT_Weierstrass */
+ FCT_General /* Other */
+} feeCurveType;
+
+/*
+ * Some commonly used feeDepth values. In these definitions, q and k are
+ * from the expression (2^q - k), the base modulus of the curve. The case
+ * k=1 implies a Mersenne prime as the modulus.
+ */
+#define FEE_PROTOTYPE_CURVES 0
+
+#if FEE_PROTOTYPE_CURVES
+
+ /* q k a b c */
+ /* ---- ---- ---- ---- ---- */
+#define FEE_DEPTH_31_1_W 0 /* 31 1 7 1 0 */
+#define FEE_DEPTH_31_1_M 1 /* 31 1 1 0 666 */
+#define FEE_DEPTH_31_1_P 2 /* 31 1 5824692 2067311435 0 */
+#define FEE_DEPTH_40_213 3 /* 40 213 1627500953 523907505 0 */
+#define FEE_DEPTH_127_1 4 /* 127 1 1 0 666 */
+#define FEE_DEPTH_127_1W 5 /* 127 1 666 1 0 */
+#define FEE_DEPTH_160_57 6 /* 160 57 0 3 0 */
+#define FEE_DEPTH_192_1425 7 /* 192 1425 0 -11 0 */
+#define FEE_DEPTH_192_M529891 8 /* 192 -529891 -152 722 0 */
+
+/*
+ * The remaining curves are implemented as PT_GENERAL curves; modulo
+ * arithmetic does not utilize any FEE or Mersenne optimizations. These
+ * are here for performance measurements and DVT.
+ */ +#define FEE_DEPTH_127_GEN 9 /* 127 1 1 0 666 */ +#define FEE_DEPTH_160_GEN 10 /* 160 57 0 3 0 */ +#define FEE_DEPTH_161_GEN 11 /* 161 .. -152 722 0 */ + +/* + * The default depth. + */ +#define FEE_DEPTH_DEFAULT FEE_DEPTH_160_57 + +/* + * Last enumerated depth. + */ +#define FEE_DEPTH_MAX FEE_DEPTH_161_GEN + +#else /* FEE_PROTOTYPE_CURVES */ + +/* + * The real curves as of 4/9/2001. + * Note that ECDSA signatures can only be performed with curve of + * curveType FCT_Weierstrass. + * + * Default curveType for curves with same prime size is FCT_Weierstrass. + */ +#define FEE_DEPTH_31M 0 /* size=31 FPT_Mersenne FCT_Montgomery */ +#define FEE_DEPTH_31W 1 /* size=31 FPT_Mersenne FCT_Weierstrass */ +#define FEE_DEPTH_127M 2 /* size=127 FPT_Mersenne FCT_Montgomery */ +#define FEE_DEPTH_128W 3 /* size=128 FPT_FEE FCT_Weierstrass */ +#define FEE_DEPTH_161W 4 /* size=161 FPT_FEE FCT_Weierstrass */ +#define FEE_DEPTH_161G 5 /* size=161 FPT_General FCT_Weierstrass */ +#define FEE_DEPTH_192G 6 /* size=192 FPT_General FCT_Weierstrass */ + +/* ANSI X9.62/Certicom curves */ +#define FEE_DEPTH_secp192r1 7 /* size=192 FPT_General FCT_ANSI */ +#define FEE_DEPTH_secp256r1 8 /* size=256 FPT_General FCT_ANSI */ +#define FEE_DEPTH_secp384r1 9 /* size=384 FPT_General FCT_ANSI */ +#define FEE_DEPTH_secp521r1 10 /* size=521 FPT_General FCT_ANSI */ +/* + * The default depth. + */ +#define FEE_DEPTH_DEFAULT FEE_DEPTH_161W + +/* + * Last enumerated depth. + */ +#define FEE_DEPTH_MAX FEE_DEPTH_secp521r1 + +#endif /* FEE_PROTOTYPE_CURVES */ + +/* + * Random number generator callback function. + */ +typedef feeReturn (*feeRandFcn)( + void *ref, + unsigned char *bytes, /* must be alloc'd by caller */ + unsigned numBytes); + +#endif /* _CK_FEETYPES_H_ */ diff --git a/Security/libsecurity_cryptkit/lib/giantFFT.c b/OSX/include/security_cryptkit/giantFFT.c similarity index 100% rename from Security/libsecurity_cryptkit/lib/giantFFT.c rename to OSX/include/security_cryptkit/giantFFT.c 
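Review bot: The `feeReturn` enum relies on a comment (`Remember to update frtnStrings[] in utilities.c`) to keep the error-string table in step with the codes, and nothing in the header enforces that. Appending a final enumerator such as `FR_NumReturnCodes /* must remain last */` would let utilities.c check the table size at compile time and give callers a bound when mapping a code to its string, without changing any existing value. The `feeSigFormat` enum also ends with a trailing comma after `FSF_RAW`, which is legal C99 but inconsistent with the other enums in this file.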
diff --git a/Security/libsecurity_cryptkit/lib/giantIntegers.c b/OSX/include/security_cryptkit/giantIntegers.c similarity index 100% rename from Security/libsecurity_cryptkit/lib/giantIntegers.c rename to OSX/include/security_cryptkit/giantIntegers.c diff --git a/Security/libsecurity_cryptkit/lib/giantIntegers.h b/OSX/include/security_cryptkit/giantIntegers.h similarity index 100% rename from Security/libsecurity_cryptkit/lib/giantIntegers.h rename to OSX/include/security_cryptkit/giantIntegers.h diff --git a/Security/libsecurity_cryptkit/lib/giantPortCommon.h b/OSX/include/security_cryptkit/giantPortCommon.h similarity index 100% rename from Security/libsecurity_cryptkit/lib/giantPortCommon.h rename to OSX/include/security_cryptkit/giantPortCommon.h diff --git a/Security/libsecurity_cryptkit/lib/giantPort_Generic.h b/OSX/include/security_cryptkit/giantPort_Generic.h similarity index 100% rename from Security/libsecurity_cryptkit/lib/giantPort_Generic.h rename to OSX/include/security_cryptkit/giantPort_Generic.h diff --git a/Security/libsecurity_cryptkit/lib/giantPort_PPC.c b/OSX/include/security_cryptkit/giantPort_PPC.c similarity index 100% rename from Security/libsecurity_cryptkit/lib/giantPort_PPC.c rename to OSX/include/security_cryptkit/giantPort_PPC.c diff --git a/Security/libsecurity_cryptkit/lib/giantPort_PPC.h b/OSX/include/security_cryptkit/giantPort_PPC.h similarity index 100% rename from Security/libsecurity_cryptkit/lib/giantPort_PPC.h rename to OSX/include/security_cryptkit/giantPort_PPC.h diff --git a/Security/libsecurity_cryptkit/lib/giantPort_PPC_Gnu.h b/OSX/include/security_cryptkit/giantPort_PPC_Gnu.h similarity index 100% rename from Security/libsecurity_cryptkit/lib/giantPort_PPC_Gnu.h rename to OSX/include/security_cryptkit/giantPort_PPC_Gnu.h 
diff --git a/Security/libsecurity_cryptkit/lib/giantPort_PPC_Gnu.s b/OSX/include/security_cryptkit/giantPort_PPC_Gnu.s similarity index 100% rename from Security/libsecurity_cryptkit/lib/giantPort_PPC_Gnu.s rename to OSX/include/security_cryptkit/giantPort_PPC_Gnu.s diff --git a/Security/libsecurity_cryptkit/lib/giantPort_i486.h b/OSX/include/security_cryptkit/giantPort_i486.h similarity index 100% rename from Security/libsecurity_cryptkit/lib/giantPort_i486.h rename to OSX/include/security_cryptkit/giantPort_i486.h diff --git a/Security/libsecurity_cryptkit/lib/giantPort_i486.s b/OSX/include/security_cryptkit/giantPort_i486.s similarity index 100% rename from Security/libsecurity_cryptkit/lib/giantPort_i486.s rename to OSX/include/security_cryptkit/giantPort_i486.s diff --git a/Security/libsecurity_cryptkit/lib/mutils.h b/OSX/include/security_cryptkit/mutils.h similarity index 100% rename from Security/libsecurity_cryptkit/lib/mutils.h rename to OSX/include/security_cryptkit/mutils.h diff --git a/Security/libsecurity_cryptkit/lib/mutils.m b/OSX/include/security_cryptkit/mutils.m similarity index 100% rename from Security/libsecurity_cryptkit/lib/mutils.m rename to OSX/include/security_cryptkit/mutils.m diff --git a/Security/libsecurity_cryptkit/lib/platform.c b/OSX/include/security_cryptkit/platform.c similarity index 100% rename from Security/libsecurity_cryptkit/lib/platform.c rename to OSX/include/security_cryptkit/platform.c diff --git a/Security/libsecurity_cryptkit/lib/platform.h b/OSX/include/security_cryptkit/platform.h similarity index 100% rename from Security/libsecurity_cryptkit/lib/platform.h rename to OSX/include/security_cryptkit/platform.h diff --git a/Security/libsecurity_cryptkit/lib/unixMakefile b/OSX/include/security_cryptkit/unixMakefile similarity index 100% rename from Security/libsecurity_cryptkit/lib/unixMakefile rename to OSX/include/security_cryptkit/unixMakefile 
diff --git a/Security/libsecurity_filedb/lib/AppleDatabase.cpp b/OSX/include/security_filedb/AppleDatabase.cpp similarity index 100% rename from Security/libsecurity_filedb/lib/AppleDatabase.cpp rename to OSX/include/security_filedb/AppleDatabase.cpp diff --git a/Security/libsecurity_filedb/lib/AppleDatabase.h b/OSX/include/security_filedb/AppleDatabase.h similarity index 100% rename from Security/libsecurity_filedb/lib/AppleDatabase.h rename to OSX/include/security_filedb/AppleDatabase.h diff --git a/Security/libsecurity_filedb/lib/AtomicFile.cpp b/OSX/include/security_filedb/AtomicFile.cpp similarity index 100% rename from Security/libsecurity_filedb/lib/AtomicFile.cpp rename to OSX/include/security_filedb/AtomicFile.cpp diff --git a/Security/libsecurity_filedb/lib/AtomicFile.h b/OSX/include/security_filedb/AtomicFile.h similarity index 100% rename from Security/libsecurity_filedb/lib/AtomicFile.h rename to OSX/include/security_filedb/AtomicFile.h diff --git a/Security/libsecurity_filedb/lib/DbIndex.cpp b/OSX/include/security_filedb/DbIndex.cpp similarity index 100% rename from Security/libsecurity_filedb/lib/DbIndex.cpp rename to OSX/include/security_filedb/DbIndex.cpp diff --git a/Security/libsecurity_filedb/lib/DbIndex.h b/OSX/include/security_filedb/DbIndex.h similarity index 100% rename from Security/libsecurity_filedb/lib/DbIndex.h rename to OSX/include/security_filedb/DbIndex.h diff --git a/Security/libsecurity_filedb/lib/DbQuery.cpp b/OSX/include/security_filedb/DbQuery.cpp similarity index 100% rename from Security/libsecurity_filedb/lib/DbQuery.cpp rename to OSX/include/security_filedb/DbQuery.cpp diff --git a/Security/libsecurity_filedb/lib/DbQuery.h b/OSX/include/security_filedb/DbQuery.h similarity index 100% rename from Security/libsecurity_filedb/lib/DbQuery.h rename to OSX/include/security_filedb/DbQuery.h 
diff --git a/Security/libsecurity_filedb/lib/DbValue.cpp b/OSX/include/security_filedb/DbValue.cpp similarity index 100% rename from Security/libsecurity_filedb/lib/DbValue.cpp rename to OSX/include/security_filedb/DbValue.cpp diff --git a/Security/libsecurity_filedb/lib/DbValue.h b/OSX/include/security_filedb/DbValue.h similarity index 100% rename from Security/libsecurity_filedb/lib/DbValue.h rename to OSX/include/security_filedb/DbValue.h diff --git a/Security/libsecurity_filedb/lib/MetaAttribute.cpp b/OSX/include/security_filedb/MetaAttribute.cpp similarity index 100% rename from Security/libsecurity_filedb/lib/MetaAttribute.cpp rename to OSX/include/security_filedb/MetaAttribute.cpp diff --git a/Security/libsecurity_filedb/lib/MetaAttribute.h b/OSX/include/security_filedb/MetaAttribute.h similarity index 100% rename from Security/libsecurity_filedb/lib/MetaAttribute.h rename to OSX/include/security_filedb/MetaAttribute.h diff --git a/Security/libsecurity_filedb/lib/MetaRecord.cpp b/OSX/include/security_filedb/MetaRecord.cpp similarity index 100% rename from Security/libsecurity_filedb/lib/MetaRecord.cpp rename to OSX/include/security_filedb/MetaRecord.cpp diff --git a/Security/libsecurity_filedb/lib/MetaRecord.h b/OSX/include/security_filedb/MetaRecord.h similarity index 100% rename from Security/libsecurity_filedb/lib/MetaRecord.h rename to OSX/include/security_filedb/MetaRecord.h diff --git a/Security/libsecurity_filedb/lib/OverUnderflowCheck.h b/OSX/include/security_filedb/OverUnderflowCheck.h similarity index 100% rename from Security/libsecurity_filedb/lib/OverUnderflowCheck.h rename to OSX/include/security_filedb/OverUnderflowCheck.h diff --git a/OSX/include/security_filedb/ReadWriteSection.cpp b/OSX/include/security_filedb/ReadWriteSection.cpp new file mode 100644 index 00000000..9fe1b489 --- /dev/null +++ b/OSX/include/security_filedb/ReadWriteSection.cpp 
@@ -0,0 +1,57 @@
+#include "ReadWriteSection.h"
+
+uint32 WriteSection::put(uint32 inOffset, uint32 inValue)
+{
+ uint32 aLength = CheckUInt32Add(inOffset, sizeof(inValue));
+ if (aLength > mCapacity)
+ grow(aLength);
+
+ if (mAddress == NULL)
+ CssmError::throwMe(CSSMERR_DL_DATABASE_CORRUPT);
+
+ *reinterpret_cast(mAddress + inOffset) = htonl(inValue);
+ return aLength;
+}
+
+
+
+uint32 WriteSection::put(uint32 inOffset, uint32 inLength, const uint8 *inData)
+{
+ // if we are being asked to put 0 bytes, just return
+ if (inLength == 0 || inData == NULL)
+ {
+ return inOffset;
+ }
+
+ uint32 aLength = CheckUInt32Add(inOffset, inLength);
+
+ // Round up to nearest multiple of 4 bytes, to pad with zeros
+ uint32 aNewOffset = align(aLength);
+ if (aNewOffset > mCapacity)
+ grow(aNewOffset);
+
+ if (mAddress == NULL)
+ CssmError::throwMe(CSSMERR_DL_DATABASE_CORRUPT);
+
+ memcpy(mAddress + inOffset, inData, inLength);
+
+ for (uint32 anOffset = aLength; anOffset < aNewOffset; anOffset++)
+ mAddress[anOffset] = 0;
+
+ return aNewOffset;
+}
+
+
+
+void WriteSection::grow(size_t inNewCapacity)
+{
+ size_t n = CheckUInt32Multiply((uint32)mCapacity, 2);
+ size_t aNewCapacity = max(n, inNewCapacity);
+ mAddress = reinterpret_cast(mAllocator.realloc(mAddress, aNewCapacity));
+
+ if (mAddress == NULL)
+ CssmError::throwMe(CSSMERR_DL_DATABASE_CORRUPT);
+
+ memset(mAddress + mCapacity, 0, aNewCapacity - mCapacity);
+ mCapacity = aNewCapacity;
+}
diff --git a/Security/libsecurity_filedb/lib/ReadWriteSection.h b/OSX/include/security_filedb/ReadWriteSection.h
similarity index 100%
rename from Security/libsecurity_filedb/lib/ReadWriteSection.h
rename to OSX/include/security_filedb/ReadWriteSection.h
diff --git a/Security/libsecurity_filedb/lib/SelectionPredicate.cpp b/OSX/include/security_filedb/SelectionPredicate.cpp
similarity index 100%
rename from Security/libsecurity_filedb/lib/SelectionPredicate.cpp
rename to OSX/include/security_filedb/SelectionPredicate.cpp
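Review bot: In `WriteSection::grow` the result of `mAllocator.realloc` is written straight into `mAddress`, so if the call returns NULL (the case the following check guards against) the previous buffer becomes unreachable and the object is left with `mAddress == NULL` while `mCapacity` still holds the old size, after which the throw leaves the section in an inconsistent state. Keep the result in a local, throw if it is NULL, and assign to `mAddress` only on success; `CSSMERR_DL_MEMORY_ERROR` would also describe that failure better than `CSSMERR_DL_DATABASE_CORRUPT`, which suggests on-disk damage rather than an allocation failure. Whether this allocator can actually return NULL instead of throwing is not visible in the hunk, but the code already treats it as possible. Separately, `put(uint32, uint32)` stores through a `uint32` pointer at `mAddress + inOffset`, which is only safe when callers pass 4-byte-aligned offsets; a `memcpy` of the `htonl` value would make the write alignment-independent.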
diff --git a/Security/libsecurity_filedb/lib/SelectionPredicate.h b/OSX/include/security_filedb/SelectionPredicate.h similarity index 100% rename from Security/libsecurity_filedb/lib/SelectionPredicate.h rename to OSX/include/security_filedb/SelectionPredicate.h diff --git a/Security/libsecurity_keychain/lib/ACL.cpp b/OSX/include/security_keychain/ACL.cpp similarity index 100% rename from Security/libsecurity_keychain/lib/ACL.cpp rename to OSX/include/security_keychain/ACL.cpp diff --git a/Security/libsecurity_keychain/lib/ACL.h b/OSX/include/security_keychain/ACL.h similarity index 100% rename from Security/libsecurity_keychain/lib/ACL.h rename to OSX/include/security_keychain/ACL.h diff --git a/Security/libsecurity_keychain/lib/Access.cpp b/OSX/include/security_keychain/Access.cpp similarity index 100% rename from Security/libsecurity_keychain/lib/Access.cpp rename to OSX/include/security_keychain/Access.cpp diff --git a/Security/libsecurity_keychain/lib/Access.h b/OSX/include/security_keychain/Access.h similarity index 100% rename from Security/libsecurity_keychain/lib/Access.h rename to OSX/include/security_keychain/Access.h diff --git a/Security/libsecurity_keychain/lib/AppleBaselineEscrowCertificates.h b/OSX/include/security_keychain/AppleBaselineEscrowCertificates.h similarity index 100% rename from Security/libsecurity_keychain/lib/AppleBaselineEscrowCertificates.h rename to OSX/include/security_keychain/AppleBaselineEscrowCertificates.h diff --git a/Security/libsecurity_keychain/lib/CCallbackMgr.cp b/OSX/include/security_keychain/CCallbackMgr.cp similarity index 100% rename from Security/libsecurity_keychain/lib/CCallbackMgr.cp rename to OSX/include/security_keychain/CCallbackMgr.cp diff --git a/Security/libsecurity_keychain/lib/CCallbackMgr.h b/OSX/include/security_keychain/CCallbackMgr.h similarity index 100% rename from Security/libsecurity_keychain/lib/CCallbackMgr.h rename to OSX/include/security_keychain/CCallbackMgr.h 
diff --git a/OSX/include/security_keychain/Certificate.cpp b/OSX/include/security_keychain/Certificate.cpp
new file mode 100644
index 00000000..1b625a49
--- /dev/null
+++ b/OSX/include/security_keychain/Certificate.cpp
@@ -0,0 +1,1471 @@ +/* + * Copyright (c) 2002-2007,2011-2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +// +// Certificate.cpp +// +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +using namespace KeychainCore; + +CL +Certificate::clForType(CSSM_CERT_TYPE type) +{ + return CL(gGuidAppleX509CL); +} + +Certificate::Certificate(const CSSM_DATA &data, CSSM_CERT_TYPE type, CSSM_CERT_ENCODING encoding) : + ItemImpl(CSSM_DL_DB_RECORD_X509_CERTIFICATE, reinterpret_cast(NULL), UInt32(data.Length), reinterpret_cast(data.Data)), + mHaveTypeAndEncoding(true), + mPopulated(false), + mType(type), + mEncoding(encoding), + mCL(clForType(type)), + mCertHandle(0), + mV1SubjectPublicKeyCStructValue(NULL), + mV1SubjectNameCStructValue(NULL), + mV1IssuerNameCStructValue(NULL), + mSha1Hash(NULL), + mEncodingVerified(false) +{ + if (data.Length == 0 || data.Data == NULL) + MacOSError::throwMe(errSecParam); +} + +// db item constructor +Certificate::Certificate(const Keychain &keychain, const 
PrimaryKey &primaryKey, const CssmClient::DbUniqueRecord &uniqueId) : + ItemImpl(keychain, primaryKey, uniqueId), + mHaveTypeAndEncoding(false), + mPopulated(false), + mCL(NULL), + mCertHandle(0), + mV1SubjectPublicKeyCStructValue(NULL), + mV1SubjectNameCStructValue(NULL), + mV1IssuerNameCStructValue(NULL), + mSha1Hash(NULL), + mEncodingVerified(false) +{ +} + + + +Certificate* Certificate::make(const Keychain &keychain, const PrimaryKey &primaryKey, const CssmClient::DbUniqueRecord &uniqueId) +{ + Certificate* c = new Certificate(keychain, primaryKey, uniqueId); + keychain->addItem(primaryKey, c); + return c; +} + + + +Certificate* Certificate::make(const Keychain &keychain, const PrimaryKey &primaryKey) +{ + Certificate* c = new Certificate(keychain, primaryKey); + keychain->addItem(primaryKey, c); + return c; +} + + + + +// PrimaryKey item constructor +Certificate::Certificate(const Keychain &keychain, const PrimaryKey &primaryKey) : + ItemImpl(keychain, primaryKey), + mHaveTypeAndEncoding(false), + mPopulated(false), + mCL(NULL), + mCertHandle(0), + mV1SubjectPublicKeyCStructValue(NULL), + mV1SubjectNameCStructValue(NULL), + mV1IssuerNameCStructValue(NULL), + mSha1Hash(NULL), + mEncodingVerified(false) +{ + // @@@ In this case we don't know the type... 
+} + +Certificate::Certificate(Certificate &certificate) : + ItemImpl(certificate), + mHaveTypeAndEncoding(certificate.mHaveTypeAndEncoding), + mPopulated(false /* certificate.mPopulated */), + mType(certificate.mType), + mEncoding(certificate.mEncoding), + mCL(certificate.mCL), + mCertHandle(0), + mV1SubjectPublicKeyCStructValue(NULL), + mV1SubjectNameCStructValue(NULL), + mV1IssuerNameCStructValue(NULL), + mSha1Hash(NULL), + mEncodingVerified(false) +{ +} + +Certificate::~Certificate() +try +{ + if (mV1SubjectPublicKeyCStructValue) + releaseFieldValue(CSSMOID_X509V1SubjectPublicKeyCStruct, mV1SubjectPublicKeyCStructValue); + + if (mCertHandle && mCL) + CSSM_CL_CertAbortCache(mCL->handle(), mCertHandle); + + if (mV1SubjectNameCStructValue) + releaseFieldValue(CSSMOID_X509V1SubjectNameCStruct, mV1SubjectNameCStructValue); + + if (mV1IssuerNameCStructValue) + releaseFieldValue(CSSMOID_X509V1IssuerNameCStruct, mV1IssuerNameCStructValue); + + if (mSha1Hash) + CFRelease(mSha1Hash); +} +catch (...) +{ +} + +CSSM_HANDLE +Certificate::certHandle() +{ + StLock_(mMutex); + const CSSM_DATA *cert = &data(); + if (!mCertHandle) + { + if (CSSM_RETURN retval = CSSM_CL_CertCache(clHandle(), cert, &mCertHandle)) + CssmError::throwMe(retval); + } + + return mCertHandle; +} + +/* Return a zero terminated list of CSSM_DATA_PTR's with the values of the field specified by field. Caller must call releaseFieldValues to free the storage allocated by this call. 
*/ +CSSM_DATA_PTR * +Certificate::copyFieldValues(const CSSM_OID &field) +{ + StLock_(mMutex); + CSSM_CL_HANDLE clh = clHandle(); + CSSM_DATA_PTR fieldValue, *fieldValues; + CSSM_HANDLE resultsHandle = 0; + uint32 numberOfFields = 0; + CSSM_RETURN result; + + result = CSSM_CL_CertGetFirstCachedFieldValue(clh, certHandle(), &field, &resultsHandle, &numberOfFields, &fieldValue); + if (result) + { + if (result == CSSMERR_CL_NO_FIELD_VALUES) + return NULL; + + CssmError::throwMe(result); + } + + fieldValues = new CSSM_DATA_PTR[numberOfFields + 1]; + fieldValues[0] = fieldValue; + fieldValues[numberOfFields] = NULL; + + for (uint32 value = 1; value < numberOfFields; ++value) + { + CSSM_RETURN cresult = CSSM_CL_CertGetNextCachedFieldValue(clh, resultsHandle, &fieldValues[value]); + if (cresult) + { + fieldValues[value] = NULL; + result = cresult; + break; // No point in continuing really. + } + } + + CSSM_CL_CertAbortQuery(clh, resultsHandle); + + if (result) + { + releaseFieldValues(field, fieldValues); + CssmError::throwMe(result); + } + + return fieldValues; +} + +void +Certificate::releaseFieldValues(const CSSM_OID &field, CSSM_DATA_PTR *fieldValues) +{ + StLock_(mMutex); + if (fieldValues) + { + CSSM_CL_HANDLE clh = clHandle(); + + for (int ix = 0; fieldValues[ix]; ++ix) + CSSM_CL_FreeFieldValue(clh, &field, fieldValues[ix]); + + delete[] fieldValues; + } +} + +void +Certificate::addParsedAttribute(const CSSM_DB_ATTRIBUTE_INFO &info, const CSSM_OID &field) +{ + StLock_(mMutex); + CSSM_DATA_PTR *fieldValues = copyFieldValues(field); + if (fieldValues) + { + CssmDbAttributeData &anAttr = mDbAttributes->add(info); + for (int ix = 0; fieldValues[ix]; ++ix) + anAttr.add(*fieldValues[ix], *mDbAttributes); + + releaseFieldValues(field, fieldValues); + } +} + +void +Certificate::addSubjectKeyIdentifier() +{ + StLock_(mMutex); + const CSSM_DB_ATTRIBUTE_INFO &info = Schema::attributeInfo(kSecSubjectKeyIdentifierItemAttr); + const CSSM_OID &field = 
CSSMOID_SubjectKeyIdentifier; + + CSSM_DATA_PTR *fieldValues = copyFieldValues(field); + if (fieldValues) + { + CssmDbAttributeData &anAttr = mDbAttributes->add(info); + for (int ix = 0; fieldValues[ix]; ++ix) + { + const CSSM_X509_EXTENSION *extension = reinterpret_cast(fieldValues[ix]->Data); + if (extension == NULL || fieldValues[ix]->Length != sizeof(CSSM_X509_EXTENSION)) + { + assert(extension != NULL && fieldValues[ix]->Length == sizeof(CSSM_X509_EXTENSION)); + continue; + } + const CE_SubjectKeyID *skid = reinterpret_cast(extension->value.parsedValue); + if (skid == NULL) + { + assert(skid != NULL); + continue; + } + anAttr.add(*skid, *mDbAttributes); + } + + releaseFieldValues(field, fieldValues); + } +} + +/* Return a CSSM_DATA_PTR with the value of the first field specified by field. Caller must call releaseFieldValue to free the storage allocated by this call. */ +CSSM_DATA_PTR +Certificate::copyFirstFieldValue(const CSSM_OID &field) +{ + StLock_(mMutex); + CSSM_CL_HANDLE clh = clHandle(); + CSSM_DATA_PTR fieldValue; + CSSM_HANDLE resultsHandle = 0; + uint32 numberOfFields = 0; + CSSM_RETURN result; + + result = CSSM_CL_CertGetFirstCachedFieldValue(clh, certHandle(), &field, &resultsHandle, &numberOfFields, &fieldValue); + if (result) + { + if (result == CSSMERR_CL_NO_FIELD_VALUES) + return NULL; + + CssmError::throwMe(result); + } + + result = CSSM_CL_CertAbortQuery(clh, resultsHandle); + + if (result) + { + releaseFieldValue(field, fieldValue); + CssmError::throwMe(result); + } + + return fieldValue; +} + +void +Certificate::releaseFieldValue(const CSSM_OID &field, CSSM_DATA_PTR fieldValue) +{ + StLock_(mMutex); + if (fieldValue) + { + CSSM_CL_HANDLE clh = clHandle(); + CSSM_CL_FreeFieldValue(clh, &field, fieldValue); + } +} + + + +/* + This method computes the keyIdentifier for the public key in the cert as + described below: + + The keyIdentifier is composed of the 160-bit SHA-1 hash of the + value of the BIT STRING subjectPublicKey (excluding the 
tag, + length, and number of unused bits). +*/ +const CssmData & +Certificate::publicKeyHash() +{ + StLock_(mMutex); + if (mPublicKeyHash.Length) + return mPublicKeyHash; + + CSSM_DATA_PTR keyPtr = copyFirstFieldValue(CSSMOID_CSSMKeyStruct); + if (keyPtr && keyPtr->Data) + { + CssmClient::CSP csp(gGuidAppleCSP); + CssmClient::PassThrough passThrough(csp); + CSSM_KEY *key = reinterpret_cast(keyPtr->Data); + void *outData; + CssmData *cssmData; + + /* Given a CSSM_KEY_PTR in any format, obtain the SHA-1 hash of the + * associated key blob. + * Key is specified in CSSM_CSP_CreatePassThroughContext. + * Hash is allocated by the CSP, in the App's memory, and returned + * in *outData. */ + passThrough.key(key); + passThrough(CSSM_APPLECSP_KEYDIGEST, NULL, &outData); + cssmData = reinterpret_cast(outData); + + assert(cssmData->Length <= sizeof(mPublicKeyHashBytes)); + mPublicKeyHash.Data = mPublicKeyHashBytes; + mPublicKeyHash.Length = cssmData->Length; + memcpy(mPublicKeyHash.Data, cssmData->Data, cssmData->Length); + csp.allocator().free(cssmData->Data); + csp.allocator().free(cssmData); + } + + releaseFieldValue(CSSMOID_CSSMKeyStruct, keyPtr); + + return mPublicKeyHash; +} + +const CssmData & +Certificate::subjectKeyIdentifier() +{ + StLock_(mMutex); + if (mSubjectKeyID.Length) + return mSubjectKeyID; + + CSSM_DATA_PTR fieldValue = copyFirstFieldValue(CSSMOID_SubjectKeyIdentifier); + if (fieldValue && fieldValue->Data && fieldValue->Length == sizeof(CSSM_X509_EXTENSION)) + { + const CSSM_X509_EXTENSION *extension = reinterpret_cast(fieldValue->Data); + const CE_SubjectKeyID *skid = reinterpret_cast(extension->value.parsedValue); // CSSM_DATA + + if (skid->Length <= sizeof(mSubjectKeyIDBytes)) + { + mSubjectKeyID.Data = mSubjectKeyIDBytes; + mSubjectKeyID.Length = skid->Length; + memcpy(mSubjectKeyID.Data, skid->Data, skid->Length); + } + else + mSubjectKeyID.Length = 0; + } + + releaseFieldValue(CSSMOID_SubjectKeyIdentifier, fieldValue); + + return mSubjectKeyID; +} + 
+ +/* + * Given an CSSM_X509_NAME, Find the first (or last) name/value pair with + * a printable value which matches the specified OID (e.g., CSSMOID_CommonName). + * Returns the CFString-style encoding associated with name component's BER tag. + * Returns NULL if none found. + */ +static const CSSM_DATA * +findPrintableField( + const CSSM_X509_NAME &x509Name, + const CSSM_OID *tvpType, // NULL means "any printable field" + bool lastInstance, // false means return first instance + CFStringBuiltInEncodings *encoding) // RETURNED +{ + const CSSM_DATA *result = NULL; + for(uint32 rdnDex=0; rdnDexnumberOfPairs; tvpDex++) { + const CSSM_X509_TYPE_VALUE_PAIR *tvpPtr = + &rdnPtr->AttributeTypeAndValue[tvpDex]; + + /* type/value pair: match caller's specified type? */ + if(tvpType != NULL && tvpType->Data != NULL) { + if(tvpPtr->type.Length != tvpType->Length) { + continue; + } + if(memcmp(tvpPtr->type.Data, tvpType->Data, tvpType->Length)) { + /* If we don't have a match but the requested OID is CSSMOID_UserID, + * look for a matching X.500 UserID OID: (0.9.2342.19200300.100.1.1) */ + const char cssm_userid_oid[] = { 0x09,0x49,0x86,0x49,0x1f,0x12,0x8c,0xe4,0x81,0x81 }; + const char x500_userid_oid[] = { 0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x01 }; + if(!(tvpType->Length == sizeof(cssm_userid_oid) && + !memcmp(tvpPtr->type.Data, x500_userid_oid, sizeof(x500_userid_oid)) && + !memcmp(tvpType->Data, cssm_userid_oid, sizeof(cssm_userid_oid)))) { + continue; + } + } + } + + /* printable? 
*/ + switch(tvpPtr->valueType) { + case BER_TAG_PRINTABLE_STRING: + case BER_TAG_IA5_STRING: + *encoding = kCFStringEncodingASCII; + result = &tvpPtr->value; + break; + case BER_TAG_PKIX_UTF8_STRING: + case BER_TAG_GENERAL_STRING: + case BER_TAG_PKIX_UNIVERSAL_STRING: + *encoding = kCFStringEncodingUTF8; + result = &tvpPtr->value; + break; + case BER_TAG_T61_STRING: + case BER_TAG_VIDEOTEX_STRING: + case BER_TAG_ISO646_STRING: + *encoding = kCFStringEncodingISOLatin1; + result = &tvpPtr->value; + break; + case BER_TAG_PKIX_BMP_STRING: + *encoding = kCFStringEncodingUnicode; + result = &tvpPtr->value; + break; + default: + /* not printable */ + break; + } + /* if we found a result and we want the first instance, return it now. */ + if(result && !lastInstance) { + return result; + } + + } /* for each pair */ + } /* for each RDN */ + + /* result is NULL if no printable component was found */ + return result; +} + +/* + * Infer printable label for a given CSSM_X509_NAME. Returns NULL + * if no appropriate printable name found. Returns the CFString-style + * encoding associated with name component's BER tag. Also optionally + * returns Description component and its encoding if present and the + * returned name component was one we explicitly requested. 
+ */ +static const CSSM_DATA *inferLabelFromX509Name( + const CSSM_X509_NAME *x509Name, + CFStringBuiltInEncodings *encoding, // RETURNED + const CSSM_DATA **description, // optionally RETURNED + CFStringBuiltInEncodings *descrEncoding) // RETURNED if description != NULL +{ + const CSSM_DATA *printValue; + if(description != NULL) { + *description = findPrintableField(*x509Name, &CSSMOID_Description, false, descrEncoding); + } + /* + * Search order (take the first one found with a printable + * value): + * -- common name + * -- Organizational Unit + * -- Organization + * -- email address + * -- field of any kind + */ + printValue = findPrintableField(*x509Name, &CSSMOID_CommonName, true, encoding); + if(printValue != NULL) { + return printValue; + } + printValue = findPrintableField(*x509Name, &CSSMOID_OrganizationalUnitName, false, encoding); + if(printValue != NULL) { + return printValue; + } + printValue = findPrintableField(*x509Name, &CSSMOID_OrganizationName, false, encoding); + if(printValue != NULL) { + return printValue; + } + printValue = findPrintableField(*x509Name, &CSSMOID_EmailAddress, false, encoding); + if(printValue != NULL) { + return printValue; + } + /* if we didn't get one of the above names, don't append description */ + if(description != NULL) { + *description = NULL; + } + /* take anything */ + return findPrintableField(*x509Name, NULL, false, encoding); +} + +/* + * Infer printable label for a given an CSSM_X509_NAME. Returns NULL + * if no appropriate printable name found. 
+ */ +const CSSM_DATA *SecInferLabelFromX509Name( + const CSSM_X509_NAME *x509Name) +{ + /* callees of this routine don't care about the encoding */ + CFStringBuiltInEncodings encoding = kCFStringEncodingASCII; + return inferLabelFromX509Name(x509Name, &encoding, NULL, &encoding); +} + + +void +Certificate::inferLabel(bool addLabel, CFStringRef *rtnString) +{ + StLock_(mMutex); + // Set PrintName and optionally the Alias attribute for this certificate, based on the + // X509 SubjectAltName and SubjectName. + const CSSM_DATA *printName = NULL; + const CSSM_DATA *description = NULL; + std::vector emailAddresses; + CSSM_DATA puntData; + CssmAutoData printPlusDescr(Allocator::standard()); + CssmData printPlusDescData; + CFStringBuiltInEncodings printEncoding = kCFStringEncodingUTF8; + CFStringBuiltInEncodings descrEncoding = kCFStringEncodingUTF8; + + // Find the SubjectAltName fields, if any, and extract all the GNT_RFC822Name entries from all of them + const CSSM_OID &sanOid = CSSMOID_SubjectAltName; + CSSM_DATA_PTR *sanValues = copyFieldValues(sanOid); + const CSSM_OID &snOid = CSSMOID_X509V1SubjectNameCStruct; + CSSM_DATA_PTR snValue = copyFirstFieldValue(snOid); + + getNames(sanValues, snValue, GNT_RFC822Name, emailAddresses); + + if (snValue && snValue->Data) + { + const CSSM_X509_NAME &x509Name = *(const CSSM_X509_NAME *)snValue->Data; + printName = inferLabelFromX509Name(&x509Name, &printEncoding, + &description, &descrEncoding); + if (printName) + { + /* Don't ever use "Thawte Freemail Member" as the label for a cert. Instead force + a fall back on the email address. */ + const char tfm[] = "Thawte Freemail Member"; + if ( (printName->Length == sizeof(tfm) - 1) && + !memcmp(printName->Data, tfm, sizeof(tfm) - 1)) { + printName = NULL; + } + } + } + + /* Do a check to see if a '\0' was at the end of printName and strip it. 
*/ + CssmData cleanedUpPrintName; + if((printName != NULL) && + (printName->Length != 0) && + (printEncoding != kCFStringEncodingISOLatin1) && + (printEncoding != kCFStringEncodingUnicode) && + (printName->Data[printName->Length - 1] == '\0')) { + cleanedUpPrintName.Data = printName->Data; + cleanedUpPrintName.Length = printName->Length - 1; + printName = &cleanedUpPrintName; + } + + if((printName != NULL) && (description != NULL) && (description->Length != 0)) + { + /* + * Munge Print Name (which in this case is the CommonName) and Description + * together with the Description in parentheses. We convert from whatever + * format Print Name and Description are in to UTF8 here. + */ + CFRef combo(CFStringCreateMutable(NULL, 0)); + CFRef cfPrint(CFStringCreateWithBytes(NULL, printName->Data, + (CFIndex)printName->Length, printEncoding, true)); + CssmData cleanedUpDescr(description->Data, description->Length); + if ((cleanedUpDescr.Data[cleanedUpDescr.Length - 1] == '\0') && + (descrEncoding != kCFStringEncodingISOLatin1) && + (descrEncoding != kCFStringEncodingUnicode)) { + cleanedUpDescr.Length--; + } + CFRef cfDesc(CFStringCreateWithBytes(NULL, cleanedUpDescr.Data, + (CFIndex)cleanedUpDescr.Length, descrEncoding, true)); + CFStringAppend(combo, cfPrint); + CFStringAppendCString(combo, " (", kCFStringEncodingASCII); + CFStringAppend(combo, cfDesc); + CFStringAppendCString(combo, ")", kCFStringEncodingASCII); + CFRef comboData(CFStringCreateExternalRepresentation(NULL, combo, + kCFStringEncodingUTF8, 0)); + printPlusDescr.copy(CFDataGetBytePtr(comboData), CFDataGetLength(comboData)); + printPlusDescData = printPlusDescr; + printName = &printPlusDescData; + printEncoding = kCFStringEncodingUTF8; + } + + if (printName == NULL) + { + /* If the we couldn't find a label use the emailAddress instead. */ + if (!emailAddresses.empty()) + printName = &emailAddresses[0]; + else + { + /* punt! 
*/ + puntData.Data = (uint8 *)"X509 Certificate"; + puntData.Length = 16; + printName = &puntData; + } + printEncoding = kCFStringEncodingUTF8; + } + + /* If we couldn't find an email address just use the printName which might be the url or something else useful. */ + if (emailAddresses.empty()) + emailAddresses.push_back(CssmData::overlay(*printName)); + + /* What do we do with the inferred label - return it or add it mDbAttributes? */ + if (addLabel) + { + mDbAttributes->add(Schema::kX509CertificatePrintName, *printName); + CssmDbAttributeData &attrData = mDbAttributes->add(Schema::kX509CertificateAlias); + + /* Add the email addresses to attrData and normalize them. */ + uint32 ix = 0; + for (std::vector::const_iterator it = emailAddresses.begin(); it != emailAddresses.end(); ++it, ++ix) + { + /* Add the email address using the allocator from mDbAttributes. */ + attrData.add(*it, *mDbAttributes); + /* Normalize the emailAddresses in place since attrData already copied it. */ + normalizeEmailAddress(attrData.Value[ix]); + } + } + + if (rtnString) + { + CFStringBuiltInEncodings testEncoding = printEncoding; + if(testEncoding == kCFStringEncodingISOLatin1) { + // try UTF-8 first + testEncoding = kCFStringEncodingUTF8; + } + *rtnString = CFStringCreateWithBytes(NULL, printName->Data, + (CFIndex)printName->Length, testEncoding, true); + if(*rtnString == NULL && printEncoding == kCFStringEncodingISOLatin1) { + // string cannot be represented in UTF-8, fall back to ISO Latin 1 + *rtnString = CFStringCreateWithBytes(NULL, printName->Data, + (CFIndex)printName->Length, printEncoding, true); + } + } + + // Clean up + if (snValue) + releaseFieldValue(snOid, snValue); + if (sanValues) + releaseFieldValues(sanOid, sanValues); +} + +void +Certificate::populateAttributes() +{ + StLock_(mMutex); + if (mPopulated) + return; + + addParsedAttribute(Schema::attributeInfo(kSecSubjectItemAttr), CSSMOID_X509V1SubjectName); + 
addParsedAttribute(Schema::attributeInfo(kSecIssuerItemAttr), CSSMOID_X509V1IssuerName); + addParsedAttribute(Schema::attributeInfo(kSecSerialNumberItemAttr), CSSMOID_X509V1SerialNumber); + + addSubjectKeyIdentifier(); + + if(!mHaveTypeAndEncoding) + MacOSError::throwMe(errSecDataNotAvailable); // @@@ Or some other error. + + // Adjust mType based on the actual version of the cert. + CSSM_DATA_PTR versionPtr = copyFirstFieldValue(CSSMOID_X509V1Version); + if (versionPtr && versionPtr->Data && versionPtr->Length == sizeof(uint32)) + { + mType = CSSM_CERT_X_509v1 + (*reinterpret_cast(versionPtr->Data)); + } + else + mType = CSSM_CERT_X_509v1; + + releaseFieldValue(CSSMOID_X509V1Version, versionPtr); + + mDbAttributes->add(Schema::attributeInfo(kSecCertTypeItemAttr), mType); + mDbAttributes->add(Schema::attributeInfo(kSecCertEncodingItemAttr), mEncoding); + mDbAttributes->add(Schema::attributeInfo(kSecPublicKeyHashItemAttr), publicKeyHash()); + inferLabel(true); + + mPopulated = true; +} + +bool +Certificate::verifyEncoding(CSSM_DATA_PTR data) +{ + bool verified = false; + CSSM_SIZE verifiedLength = 0; + { + StLock_(mMutex); + if (!data || !data->Data || !data->Length) { + mEncodingVerified = false; + return false; + } + verified = mEncodingVerified; + if (verified) { + return true; + } + + // Note: the Certificate class supports X509v1 through X509v3 certs, + // with CSSM_CERT_ENCODING_BER or CSSM_CERT_ENCODING_DER encoding. + // Any other types/encodings would need additional verification code here. 
+ + if (mHaveTypeAndEncoding) { + if (mType < CSSM_CERT_X_509v1 || mType > CSSM_CERT_X_509v3) { + secdebug("Certificate", "verifyEncoding: certificate has custom type (%d)", (int)mType); + } + if (mEncoding < CSSM_CERT_ENCODING_BER || mEncoding > CSSM_CERT_ENCODING_DER) { + secdebug("Certificate", "verifyEncoding: certificate has custom encoding (%d)", (int)mEncoding); + } + } + + // attempt to decode the top-level ASN.1 sequence + const DERItem der = { (DERByte *)data->Data, (DERSize)data->Length }; + DERDecodedInfo derInfo; + // sanity check the first byte to avoid decoding a non-DER blob + if ((DERByte)0x30 != *(der.data)) { + return false; + } + DERReturn drtn = DERDecodeItem(&der, &derInfo); + if (drtn == DR_Success) { + CSSM_SIZE tagLength = (CSSM_SIZE)((uintptr_t)derInfo.content.data - (uintptr_t)der.data); + CSSM_SIZE derLength = (CSSM_SIZE)derInfo.content.length + tagLength; + if (derLength != data->Length) { + secdebug("Certificate", "Certificate DER length is %d, but data length is %d", + (int)derLength, (int)data->Length); + // will adjust data size if DER length is positive, but smaller than actual length + if ((derLength > 0) && (derLength < data->Length)) { + verifiedLength = derLength; + secdebug("Certificate", "Will adjust certificate data length to %d", + (int)derLength); + } + else { + secdebug("Certificate", "Certificate encoding invalid (DER length is %d)", + (int)derLength); + return false; + } + } + verified = mEncodingVerified = true; + } + else { + // failure to decode provided data as DER sequence + secdebug("Certificate", "Certificate not in DER encoding (error %d)", + (int)drtn); + return false; + } + } + + if (verifiedLength > 0) { + // setData acquires the mMutex lock, so we call it while not holding the lock + setData((UInt32)verifiedLength, data->Data); + secdebug("Certificate", "Adjusted certificate data length to %d", + (int)verifiedLength); + } + + return verified; +} + +const CssmData & +Certificate::data() +{ + CssmDataContainer 
*data = NULL; + bool hasKeychain = false; + bool verified = false; + { + StLock_(mMutex); + data = mData.get(); + hasKeychain = (mKeychain != NULL); + verified = mEncodingVerified; + } + + // If data has been set but not yet verified, verify it now. + if (!verified && data) { + // verifyEncoding might modify mData, so refresh the data container + verified = verifyEncoding(data); + { + StLock_(mMutex); + data = mData.get(); + } + } + + // If data isn't set at this point, try to read it from the db record + if (!data && hasKeychain) + { + // Make sure mUniqueId is set. + dbUniqueRecord(); + CssmDataContainer _data; + { + StLock_(mMutex); + mData = NULL; + /* new data allocated by CSPDL, implicitly freed by CssmDataContainer */ + mUniqueId->get(NULL, &_data); + } + /* this saves a copy to be freed at destruction and to be passed to caller */ + setData((UInt32)_data.length(), _data.data()); + // verifyEncoding might modify mData, so refresh the data container + verified = verifyEncoding(&_data); + { + StLock_(mMutex); + data = mData.get(); + } + } + + // If the data hasn't been set we can't return it. 
+ if (!data) + MacOSError::throwMe(errSecDataNotAvailable); + + return *data; +} + +CFHashCode Certificate::hash() +{ + (void)data(); // ensure that mData is set up + return ItemImpl::hash(); +} + +CSSM_CERT_TYPE +Certificate::type() +{ + StLock_(mMutex); + if (!mHaveTypeAndEncoding) + { + SecKeychainAttribute attr; + attr.tag = kSecCertTypeItemAttr; + attr.data = &mType; + attr.length = sizeof(mType); + getAttribute(attr, NULL); + } + + return mType; +} + +CSSM_CERT_ENCODING +Certificate::encoding() +{ + StLock_(mMutex); + if (!mHaveTypeAndEncoding) + { + SecKeychainAttribute attr; + attr.tag = kSecCertEncodingItemAttr; + attr.data = &mEncoding; + attr.length = sizeof(mEncoding); + getAttribute(attr, NULL); + } + + return mEncoding; +} + +const CSSM_X509_ALGORITHM_IDENTIFIER_PTR +Certificate::algorithmID() +{ + StLock_(mMutex); + if (!mV1SubjectPublicKeyCStructValue) + mV1SubjectPublicKeyCStructValue = copyFirstFieldValue(CSSMOID_X509V1SubjectPublicKeyCStruct); + + CSSM_X509_SUBJECT_PUBLIC_KEY_INFO *info = (CSSM_X509_SUBJECT_PUBLIC_KEY_INFO *)mV1SubjectPublicKeyCStructValue->Data; + CSSM_X509_ALGORITHM_IDENTIFIER *algid = &info->algorithm; + return algid; +} + +CFDataRef +Certificate::sha1Hash() +{ + StLock_(mMutex); + if (!mSha1Hash) { + SecCertificateRef certRef = handle(false); + CFAllocatorRef allocRef = (certRef) ? 
CFGetAllocator(certRef) : NULL; + CSSM_DATA certData = data(); + if (certData.Length == 0 || !certData.Data) { + MacOSError::throwMe(errSecDataNotAvailable); + } + const UInt8 *dataPtr = (const UInt8 *)certData.Data; + CFIndex dataLen = (CFIndex)certData.Length; + CFMutableDataRef digest = CFDataCreateMutable(allocRef, CC_SHA1_DIGEST_LENGTH); + CFDataSetLength(digest, CC_SHA1_DIGEST_LENGTH); + CCDigest(kCCDigestSHA1, dataPtr, dataLen, CFDataGetMutableBytePtr(digest)); + mSha1Hash = digest; + } + return mSha1Hash; /* object is owned by our instance; caller should NOT release it */ +} + +CFStringRef +Certificate::commonName() +{ + StLock_(mMutex); + return distinguishedName(&CSSMOID_X509V1SubjectNameCStruct, &CSSMOID_CommonName); +} + +CFStringRef +Certificate::distinguishedName(const CSSM_OID *sourceOid, const CSSM_OID *componentOid) +{ + StLock_(mMutex); + CFStringRef rtnString = NULL; + CSSM_DATA_PTR fieldValue = copyFirstFieldValue(*sourceOid); + CSSM_X509_NAME_PTR x509Name = (CSSM_X509_NAME_PTR)fieldValue->Data; + const CSSM_DATA *printValue = NULL; + CFStringBuiltInEncodings encoding; + + if (fieldValue && fieldValue->Data) + printValue = findPrintableField(*x509Name, componentOid, true, &encoding); + + if (printValue) + rtnString = CFStringCreateWithBytes(NULL, printValue->Data, + CFIndex(printValue->Length), encoding, true); + + releaseFieldValue(*sourceOid, fieldValue); + + return rtnString; +} + + +/* + * Return a CFString containing the first email addresses for this certificate, based on the + * X509 SubjectAltName and SubjectName. 
+ */ +CFStringRef +Certificate::copyFirstEmailAddress() +{ + StLock_(mMutex); + CFStringRef rtnString; + + const CSSM_OID &sanOid = CSSMOID_SubjectAltName; + CSSM_DATA_PTR *sanValues = copyFieldValues(sanOid); + const CSSM_OID &snOid = CSSMOID_X509V1SubjectNameCStruct; + CSSM_DATA_PTR snValue = copyFirstFieldValue(snOid); + std::vector emailAddresses; + + getNames(sanValues, snValue, GNT_RFC822Name, emailAddresses); + if (emailAddresses.empty()) + rtnString = NULL; + else + { + /* Encoding is kCFStringEncodingUTF8 since the string is either + PRINTABLE_STRING, IA5_STRING, T61_STRING or PKIX_UTF8_STRING. */ + rtnString = CFStringCreateWithBytes(NULL, emailAddresses[0].Data, + (CFIndex)emailAddresses[0].Length, kCFStringEncodingUTF8, true); + } + + // Clean up + if (snValue) + releaseFieldValue(snOid, snValue); + if (sanValues) + releaseFieldValues(sanOid, sanValues); + + return rtnString; +} + +/* + * Return a CFArray containing the DNS hostnames for this certificate, based on the + * X509 SubjectAltName and SubjectName. + */ +CFArrayRef +Certificate::copyDNSNames() +{ + StLock_(mMutex); + CFMutableArrayRef array = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); + std::vector dnsNames; + + // Find the SubjectAltName fields, if any, and extract the GNT_DNSName entries from all of them + const CSSM_OID &sanOid = CSSMOID_SubjectAltName; + CSSM_DATA_PTR *sanValues = copyFieldValues(sanOid); + + const CSSM_OID &snOid = CSSMOID_X509V1SubjectNameCStruct; + CSSM_DATA_PTR snValue = copyFirstFieldValue(snOid); + + getNames(sanValues, snValue, GNT_DNSName, dnsNames); + + for (std::vector::const_iterator it = dnsNames.begin(); it != dnsNames.end(); ++it) + { + /* Encoding is kCFStringEncodingUTF8 since the string is either + PRINTABLE_STRING, IA5_STRING, T61_STRING or PKIX_UTF8_STRING. */ + CFStringRef string = CFStringCreateWithBytes(NULL, it->Data, static_cast(it->Length), kCFStringEncodingUTF8, true); + /* Be prepared for improperly formatted (non-UTF8) strings! 
*/ + if (!string) continue; + CFArrayAppendValue(array, string); + CFRelease(string); + } + + // Clean up + if (snValue) + releaseFieldValue(snOid, snValue); + if (sanValues) + releaseFieldValues(sanOid, sanValues); + + return array; +} + +/* + * Return a CFArray containing the email addresses for this certificate, based on the + * X509 SubjectAltName and SubjectName. + */ +CFArrayRef +Certificate::copyEmailAddresses() +{ + StLock_(mMutex); + CFMutableArrayRef array = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); + std::vector emailAddresses; + + // Find the SubjectAltName fields, if any, and extract all the GNT_RFC822Name entries from all of them + const CSSM_OID &sanOid = CSSMOID_SubjectAltName; + CSSM_DATA_PTR *sanValues = copyFieldValues(sanOid); + + const CSSM_OID &snOid = CSSMOID_X509V1SubjectNameCStruct; + CSSM_DATA_PTR snValue = copyFirstFieldValue(snOid); + + getNames(sanValues, snValue, GNT_RFC822Name, emailAddresses); + + for (std::vector::const_iterator it = emailAddresses.begin(); it != emailAddresses.end(); ++it) + { + /* Encoding is kCFStringEncodingUTF8 since the string is either + PRINTABLE_STRING, IA5_STRING, T61_STRING or PKIX_UTF8_STRING. */ + CFStringRef string = CFStringCreateWithBytes(NULL, it->Data, static_cast(it->Length), kCFStringEncodingUTF8, true); + /* Be prepared for improperly formatted (non-UTF8) strings! 
*/ + if (!string) continue; + CFArrayAppendValue(array, string); + CFRelease(string); + } + + // Clean up + if (snValue) + releaseFieldValue(snOid, snValue); + if (sanValues) + releaseFieldValues(sanOid, sanValues); + + return array; +} + +const CSSM_X509_NAME_PTR +Certificate::subjectName() +{ + StLock_(mMutex); + if (!mV1SubjectNameCStructValue) + if ((mV1SubjectNameCStructValue = copyFirstFieldValue(CSSMOID_X509V1SubjectNameCStruct)) == NULL) + return NULL; + + return (const CSSM_X509_NAME_PTR)mV1SubjectNameCStructValue->Data; +} + +const CSSM_X509_NAME_PTR +Certificate::issuerName() +{ + StLock_(mMutex); + if (!mV1IssuerNameCStructValue) + if ((mV1IssuerNameCStructValue = copyFirstFieldValue(CSSMOID_X509V1IssuerNameCStruct)) == NULL) + return NULL; + + return (const CSSM_X509_NAME_PTR)mV1IssuerNameCStructValue->Data; +} + +CSSM_CL_HANDLE +Certificate::clHandle() +{ + StLock_(mMutex); + if (!mCL) + mCL = clForType(type()); + + return mCL->handle(); +} + +bool +Certificate::operator < (Certificate &other) +{ + // Certificates in different keychains are considered equal if data is equal + // Note that the Identity '<' operator relies on this assumption. + return data() < other.data(); +} + +bool +Certificate::operator == (Certificate &other) +{ + // Certificates in different keychains are considered equal if data is equal + // Note that the Identity '==' operator relies on this assumption. + return data() == other.data(); +} + +void +Certificate::update() +{ + ItemImpl::update(); +} + +Item +Certificate::copyTo(const Keychain &keychain, Access *newAccess) +{ + StLock_(mMutex); + /* Certs can't have access controls. */ + if (newAccess) + MacOSError::throwMe(errSecNoAccessForItem); + + Item item(new Certificate(data(), type(), encoding())); + keychain->add(item); + return item; +} + +void +Certificate::didModify() +{ +} + +PrimaryKey +Certificate::add(Keychain &keychain) +{ + StLock_(mMutex); + // If we already have a Keychain we can't be added. 
+ if (mKeychain) + MacOSError::throwMe(errSecDuplicateItem); + + populateAttributes(); + + CSSM_DB_RECORDTYPE recordType = mDbAttributes->recordType(); + + Db db(keychain->database()); + // add the item to the (regular) db + try + { + mUniqueId = db->insert(recordType, mDbAttributes.get(), mData.get()); + } + catch (const CssmError &e) + { + if (e.osStatus() != CSSMERR_DL_INVALID_RECORDTYPE) + throw; + + // Create the cert relation and try again. + db->createRelation(CSSM_DL_DB_RECORD_X509_CERTIFICATE, + "CSSM_DL_DB_RECORD_X509_CERTIFICATE", + Schema::X509CertificateSchemaAttributeCount, + Schema::X509CertificateSchemaAttributeList, + Schema::X509CertificateSchemaIndexCount, + Schema::X509CertificateSchemaIndexList); + keychain->keychainSchema()->didCreateRelation( + CSSM_DL_DB_RECORD_X509_CERTIFICATE, + "CSSM_DL_DB_RECORD_X509_CERTIFICATE", + Schema::X509CertificateSchemaAttributeCount, + Schema::X509CertificateSchemaAttributeList, + Schema::X509CertificateSchemaIndexCount, + Schema::X509CertificateSchemaIndexList); + + mUniqueId = db->insert(recordType, mDbAttributes.get(), mData.get()); + } + + mPrimaryKey = keychain->makePrimaryKey(recordType, mUniqueId); + mKeychain = keychain; + + return mPrimaryKey; +} + +SecPointer +Certificate::publicKey() +{ + StLock_(mMutex); + SecPointer keyItem; + // Return a CSSM_DATA_PTR with the value of the first field specified by field. + // Caller must call releaseFieldValue to free the storage allocated by this call. + // call OSStatus SecKeyGetCSSMKey(SecKeyRef key, const CSSM_KEY **cssmKey); to retrieve + + CSSM_DATA_PTR keyPtr = copyFirstFieldValue(CSSMOID_CSSMKeyStruct); + if (keyPtr && keyPtr->Data) + { + CssmClient::CSP csp(gGuidAppleCSP); + CssmKey *cssmKey = reinterpret_cast(keyPtr->Data); + CssmClient::Key key(csp, *cssmKey); + keyItem = new KeyItem(key); + // Clear out KeyData since KeyItem() takes over ownership of the key, and we don't want it getting released. 
+ cssmKey->KeyData.Data = NULL; + cssmKey->KeyData.Length = 0; + } + + releaseFieldValue(CSSMOID_CSSMKeyStruct, keyPtr); + + return keyItem; +} + +// This function "borrowed" from the X509 CL, which is (currently) linked into +// the Security.framework as a built-in plugin. +extern "C" bool getField_normRDN_NSS ( + const CSSM_DATA &derName, + uint32 &numFields, // RETURNED (if successful, 0 or 1) + CssmOwnedData &fieldValue); // RETURNED + +KCCursor +Certificate::cursorForIssuerAndSN(const StorageManager::KeychainList &keychains, const CssmData &issuer, const CssmData &serialNumber) +{ + CssmAutoData fieldValue(Allocator::standard(Allocator::normal)); + uint32 numFields; + + // We need to decode issuer, normalize it, then re-encode it + if (!getField_normRDN_NSS(issuer, numFields, fieldValue)) + MacOSError::throwMe(errSecDataNotAvailable); + + // Code basically copied from SecKeychainSearchCreateFromAttributes and SecKeychainSearchCopyNext: + KCCursor cursor(keychains, kSecCertificateItemClass, NULL); + cursor->conjunctive(CSSM_DB_AND); + cursor->add(CSSM_DB_EQUAL, Schema::kX509CertificateIssuer, fieldValue.get()); + cursor->add(CSSM_DB_EQUAL, Schema::kX509CertificateSerialNumber, serialNumber); + + return cursor; +} + +KCCursor +Certificate::cursorForIssuerAndSN_CF(const StorageManager::KeychainList &keychains, CFDataRef issuer, CFDataRef serialNumber) +{ + // This assumes a normalized issuer + CSSM_DATA issuerCSSM, serialNumberCSSM; + + issuerCSSM.Length = CFDataGetLength(issuer); + issuerCSSM.Data = const_cast(CFDataGetBytePtr(issuer)); + + serialNumberCSSM.Length = CFDataGetLength(serialNumber); + serialNumberCSSM.Data = const_cast(CFDataGetBytePtr(serialNumber)); + + // Code basically copied from SecKeychainSearchCreateFromAttributes and SecKeychainSearchCopyNext: + KCCursor cursor(keychains, kSecCertificateItemClass, NULL); + cursor->conjunctive(CSSM_DB_AND); + cursor->add(CSSM_DB_EQUAL, Schema::kX509CertificateIssuer, issuerCSSM); + 
cursor->add(CSSM_DB_EQUAL, Schema::kX509CertificateSerialNumber, serialNumberCSSM); + + return cursor; +} + +KCCursor +Certificate::cursorForSubjectKeyID(const StorageManager::KeychainList &keychains, const CssmData &subjectKeyID) +{ + KCCursor cursor(keychains, kSecCertificateItemClass, NULL); + cursor->conjunctive(CSSM_DB_AND); + cursor->add(CSSM_DB_EQUAL, Schema::kX509CertificateSubjectKeyIdentifier, subjectKeyID); + + return cursor; +} + +KCCursor +Certificate::cursorForEmail(const StorageManager::KeychainList &keychains, const char *emailAddress) +{ + KCCursor cursor(keychains, kSecCertificateItemClass, NULL); + if (emailAddress) + { + cursor->conjunctive(CSSM_DB_AND); + CssmSelectionPredicate &pred = cursor->add(CSSM_DB_EQUAL, Schema::kX509CertificateAlias, emailAddress); + /* Normalize the emailAddresses in place since cursor already copied it. */ + normalizeEmailAddress(pred.Attribute.Value[0]); + } + + return cursor; +} + +SecPointer +Certificate::findInKeychain(const StorageManager::KeychainList &keychains) +{ + StLock_(mMutex); + const CSSM_OID &issuerOid = CSSMOID_X509V1IssuerName; + CSSM_DATA_PTR issuerPtr = copyFirstFieldValue(issuerOid); + CssmData issuer(issuerPtr->Data, issuerPtr->Length); + + const CSSM_OID &serialOid = CSSMOID_X509V1SerialNumber; + CSSM_DATA_PTR serialPtr = copyFirstFieldValue(serialOid); + CssmData serial(serialPtr->Data, serialPtr->Length); + + SecPointer foundCert = NULL; + try { + foundCert = findByIssuerAndSN(keychains, issuer, serial); + } catch (...) 
{ + foundCert = NULL; + } + + releaseFieldValue(issuerOid, issuerPtr); + releaseFieldValue(serialOid, serialPtr); + + return foundCert; +} + +SecPointer +Certificate::findByIssuerAndSN(const StorageManager::KeychainList &keychains, const CssmData &issuer, const CssmData &serialNumber) +{ + Item item; + if (!cursorForIssuerAndSN(keychains, issuer, serialNumber)->next(item)) + CssmError::throwMe(errSecItemNotFound); + + return static_cast(&*item); +} + +SecPointer +Certificate::findBySubjectKeyID(const StorageManager::KeychainList &keychains, const CssmData &subjectKeyID) +{ + Item item; + if (!cursorForSubjectKeyID(keychains, subjectKeyID)->next(item)) + CssmError::throwMe(errSecItemNotFound); + + return static_cast(&*item); +} + +SecPointer +Certificate::findByEmail(const StorageManager::KeychainList &keychains, const char *emailAddress) +{ + Item item; + if (!cursorForEmail(keychains, emailAddress)->next(item)) + CssmError::throwMe(errSecItemNotFound); + + return static_cast(&*item); +} + +/* Normalize emailAddresses in place. */ +void +Certificate::normalizeEmailAddress(CSSM_DATA &emailAddress) +{ + /* Do a check to see if a '\0' was at the end of emailAddress and strip it. */ + if (emailAddress.Length && emailAddress.Data[emailAddress.Length - 1] == '\0') + emailAddress.Length--; + bool foundAt = false; + for (uint32 ix = 0; ix < emailAddress.Length; ++ix) + { + uint8 ch = emailAddress.Data[ix]; + if (foundAt) + { + if ('A' <= ch && ch <= 'Z') + emailAddress.Data[ix] = ch + 'a' - 'A'; + } + else if (ch == '@') + foundAt = true; + } +} + +void +Certificate::getNames(CSSM_DATA_PTR *sanValues, CSSM_DATA_PTR snValue, CE_GeneralNameType generalNameType, std::vector &names) +{ + // Get the DNS host names or RFC822 email addresses for this certificate (depending on generalNameType), + // within the X509 SubjectAltName and SubjectName. 
+
+ // Find the SubjectAltName fields, if any, and extract the nameType entries from all of them
+ if (sanValues)
+ {
+ for (CSSM_DATA_PTR *sanIx = sanValues; *sanIx; ++sanIx)
+ {
+ CSSM_DATA_PTR sanValue = *sanIx;
+ if (sanValue && sanValue->Data)
+ {
+ CSSM_X509_EXTENSION *cssmExt = (CSSM_X509_EXTENSION *)sanValue->Data;
+ CE_GeneralNames *parsedValue = (CE_GeneralNames *)cssmExt->value.parsedValue;
+
+ /* Grab all the values that are of the specified name type. */
+ for (uint32 i = 0; i < parsedValue->numNames; ++i)
+ {
+ if (parsedValue->generalName[i].nameType == generalNameType)
+ {
+ if (parsedValue->generalName[i].berEncoded) // can't handle this
+ continue;
+
+ names.push_back(CssmData::overlay(parsedValue->generalName[i].name));
+ }
+ }
+ }
+ }
+ }
+
+ if (names.empty() && snValue && snValue->Data)
+ {
+ const CSSM_X509_NAME &x509Name = *(const CSSM_X509_NAME *)snValue->Data;
+ for (uint32 rdnDex = 0; rdnDex < x509Name.numberOfRDNs; rdnDex++)
+ {
+ const CSSM_X509_RDN *rdnPtr =
+ &x509Name.RelativeDistinguishedName[rdnDex];
+ for (uint32 tvpDex = 0; tvpDex < rdnPtr->numberOfPairs; tvpDex++)
+ {
+ const CSSM_X509_TYPE_VALUE_PAIR *tvpPtr =
+ &rdnPtr->AttributeTypeAndValue[tvpDex];
+
+ /* type/value pair: match caller's specified type */
+ if (GNT_RFC822Name == generalNameType) {
+ if (((tvpPtr->type.Length != CSSMOID_EmailAddress.Length) ||
+ memcmp(tvpPtr->type.Data, CSSMOID_EmailAddress.Data, CSSMOID_EmailAddress.Length))) {
+ continue;
+ }
+ }
+ if (GNT_DNSName == generalNameType) {
+ if (((tvpPtr->type.Length != CSSMOID_CommonName.Length) ||
+ memcmp(tvpPtr->type.Data, CSSMOID_CommonName.Data, CSSMOID_CommonName.Length))) {
+ continue;
+ }
+ }
+
+ /* printable?
*/
+ switch (tvpPtr->valueType)
+ {
+ case BER_TAG_PRINTABLE_STRING:
+ case BER_TAG_IA5_STRING:
+ case BER_TAG_T61_STRING:
+ case BER_TAG_PKIX_UTF8_STRING:
+ /* success */
+ names.push_back(CssmData::overlay(tvpPtr->value));
+ break;
+ default:
+ break;
+ }
+ } /* for each pair */
+ } /* for each RDN */
+ }
+}
+
+void Certificate::willRead()
+{
+ populateAttributes();
+}
+
+Boolean Certificate::isSelfSigned()
+{
+ StLock_(mMutex);
+ CSSM_DATA_PTR issuer = NULL;
+ CSSM_DATA_PTR subject = NULL;
+ OSStatus ortn = errSecSuccess;
+ Boolean brtn = false;
+
+ issuer = copyFirstFieldValue(CSSMOID_X509V1IssuerNameStd);
+ subject = copyFirstFieldValue(CSSMOID_X509V1SubjectNameStd);
+ if((issuer == NULL) || (subject == NULL)) {
+ ortn = errSecParam;
+ }
+ else if((issuer->Length == subject->Length) &&
+ !memcmp(issuer->Data, subject->Data, issuer->Length)) {
+ brtn = true;
+ }
+ if(brtn) {
+ /* names match: verify signature */
+ CSSM_RETURN crtn;
+ CSSM_DATA certData = data();
+ crtn = CSSM_CL_CertVerify(clHandle(), 0,
+ &certData, &certData, NULL, 0);
+ if(crtn) {
+ brtn = false;
+ }
+ }
+ if(issuer) {
+ releaseFieldValue(CSSMOID_X509V1IssuerNameStd, issuer);
+ }
+ if(subject) {
+ releaseFieldValue(CSSMOID_X509V1SubjectNameStd, subject);
+ }
+ if(ortn) {
+ MacOSError::throwMe(ortn);
+ }
+ return brtn;
+}
diff --git a/Security/libsecurity_keychain/lib/Certificate.h b/OSX/include/security_keychain/Certificate.h
similarity index 100%
rename from Security/libsecurity_keychain/lib/Certificate.h
rename to OSX/include/security_keychain/Certificate.h
diff --git a/Security/libsecurity_keychain/lib/CertificateRequest.cpp b/OSX/include/security_keychain/CertificateRequest.cpp
similarity index 100%
rename from Security/libsecurity_keychain/lib/CertificateRequest.cpp
rename to OSX/include/security_keychain/CertificateRequest.cpp
diff --git a/Security/libsecurity_keychain/lib/CertificateRequest.h b/OSX/include/security_keychain/CertificateRequest.h
similarity index 100%
rename from Security/libsecurity_keychain/lib/CertificateRequest.h
rename to OSX/include/security_keychain/CertificateRequest.h
diff --git a/OSX/include/security_keychain/CertificateValues.cpp b/OSX/include/security_keychain/CertificateValues.cpp
new file mode 100644
index 00000000..4025c9f6
--- /dev/null
+++ b/OSX/include/security_keychain/CertificateValues.cpp
@@ -0,0 +1,610 @@
+/*
+ * Copyright (c) 2002-2014 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+//
+// CertificateValues.cpp
+//
+#include
+#include
+#include
+#include
+#include
+#include "SecCertificateOIDs.h"
+#include "CertificateValues.h"
+#include "SecCertificateP.h"
+#include "SecCertificatePrivP.h"
+#include
+#include "SecCertificateP.h"
+
+/* FIXME including SecCertificateInternalP.h here produces errors; investigate */
+extern "C" CFDataRef SecCertificateCopyIssuerSequenceP(SecCertificateRefP certificate);
+extern "C" CFDataRef SecCertificateCopySubjectSequenceP(SecCertificateRefP certificate);
+
+extern "C" void appendPropertyP(CFMutableArrayRef properties, CFStringRef propertyType, CFStringRef label, CFTypeRef value);
+
+extern const CFStringRef __nonnull kSecPropertyKeyType;
+extern const CFStringRef __nonnull kSecPropertyKeyLabel;
+extern const CFStringRef __nonnull kSecPropertyKeyLocalizedLabel;
+extern const CFStringRef __nonnull kSecPropertyKeyValue;
+
+extern const CFStringRef __nonnull kSecPropertyTypeData;
+extern const CFStringRef __nonnull
kSecPropertyTypeString;
+extern const CFStringRef __nonnull kSecPropertyTypeURL;
+extern const CFStringRef __nonnull kSecPropertyTypeDate;
+
+CFStringRef kSecPropertyTypeArray = CFSTR("array");
+CFStringRef kSecPropertyTypeNumber = CFSTR("number");
+
+
+#pragma mark ---------- CertificateValues Implementation ----------
+
+using namespace KeychainCore;
+
+void addFieldValues(const void *key, const void *value, void *context);
+void addPropertyToFieldValues(const void *value, void *context);
+void filterFieldValues(const void *key, const void *value, void *context);
+void validateKeys(const void *value, void *context);
+
+CFDictionaryRef CertificateValues::mOIDRemap = NULL;
+
+typedef struct FieldValueFilterContext
+{
+ CFMutableDictionaryRef filteredValues;
+ CFArrayRef filterKeys;
+} FieldValueFilterContext;
+
+CertificateValues::CertificateValues(SecCertificateRef certificateRef) : mCertificateRef(certificateRef),
+ mCertificateData(NULL)
+{
+ if (mCertificateRef)
+ CFRetain(mCertificateRef);
+}
+
+CertificateValues::~CertificateValues() throw()
+{
+ if (mCertificateData)
+ CFRelease(mCertificateData);
+ if (mCertificateRef)
+ CFRelease(mCertificateRef);
+}
+
+CFDictionaryRef CertificateValues::copyFieldValues(CFArrayRef keys, CFErrorRef *error)
+{
+ if (keys)
+ {
+ if (CFGetTypeID(keys)!=CFArrayGetTypeID())
+ return NULL;
+ CFRange range = CFRangeMake(0, CFArrayGetCount((CFArrayRef)keys));
+ bool failed = false;
+ CFArrayApplyFunction(keys, range, validateKeys, &failed);
+ if (failed)
+ return NULL;
+ }
+
+ if (mCertificateData)
+ {
+ CFRelease(mCertificateData);
+ mCertificateData = NULL;
+ }
+ if (!mCertificateData)
+ {
+ mCertificateData = SecCertificateCopyData(mCertificateRef); // OK to call, no big lock
+ if (!mCertificateData)
+ {
+ if (error) {
+ *error = CFErrorCreate(NULL, kCFErrorDomainOSStatus, errSecInvalidCertificateRef, NULL);
+ }
+ return NULL;
+ }
+ }
+
+ SecCertificateRefP certificateP = SecCertificateCreateWithDataP(kCFAllocatorDefault,
mCertificateData); + if (!certificateP) + { + if (error) + *error = CFErrorCreate(NULL, kCFErrorDomainOSStatus, errSecInvalidCertificateGroup, NULL); + return NULL; + } + + CFMutableDictionaryRef fieldValues=CFDictionaryCreateMutable(kCFAllocatorDefault, 0, + &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + + // Return an array of CFStringRefs representing the common names in the certificates subject if any + CFArrayRef commonNames=SecCertificateCopyCommonNamesP(certificateP); + if (commonNames) + { + CFMutableArrayRef additionalValues = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks); + appendPropertyP(additionalValues, kSecPropertyTypeArray, CFSTR("CN"), commonNames); + CFDictionaryAddValue(fieldValues, kSecOIDCommonName, (CFTypeRef)CFArrayGetValueAtIndex(additionalValues, 0)); + CFRelease(commonNames); + CFRelease(additionalValues); + } + + // These can exist in the subject alt name or in the subject + CFArrayRef dnsNames=SecCertificateCopyDNSNamesP(certificateP); + if (dnsNames) + { + CFMutableArrayRef additionalValues = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks); + appendPropertyP(additionalValues, kSecPropertyTypeArray, CFSTR("DNS"), dnsNames); + CFDictionaryAddValue(fieldValues, CFSTR("DNSNAMES"), (CFTypeRef)CFArrayGetValueAtIndex(additionalValues, 0)); + CFRelease(dnsNames); + CFRelease(additionalValues); + } + + CFArrayRef ipAddresses=SecCertificateCopyIPAddressesP(certificateP); + if (ipAddresses) + { + CFMutableArrayRef additionalValues = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks); + appendPropertyP(additionalValues, kSecPropertyTypeArray, CFSTR("IP"), dnsNames); + CFDictionaryAddValue(fieldValues, CFSTR("IPADDRESSES"), (CFTypeRef)CFArrayGetValueAtIndex(additionalValues, 0)); + CFRelease(ipAddresses); + CFRelease(additionalValues); + } + + // These can exist in the subject alt name or in the subject + CFArrayRef 
emailAddrs=SecCertificateCopyRFC822NamesP(certificateP); + if (emailAddrs) + { + CFMutableArrayRef additionalValues = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks); + appendPropertyP(additionalValues, kSecPropertyTypeArray, CFSTR("DNS"), dnsNames); + CFDictionaryAddValue(fieldValues, kSecOIDEmailAddress, (CFTypeRef)CFArrayGetValueAtIndex(additionalValues, 0)); + CFRelease(emailAddrs); + CFRelease(additionalValues); + } + + CFAbsoluteTime notBefore = SecCertificateNotValidBeforeP(certificateP); + CFNumberRef notBeforeRef = CFNumberCreate(kCFAllocatorDefault, kCFNumberDoubleType, ¬Before); + if (notBeforeRef) + { + CFMutableArrayRef additionalValues = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks); + appendPropertyP(additionalValues, kSecPropertyTypeNumber, CFSTR("Not Valid Before"), notBeforeRef); + CFDictionaryAddValue(fieldValues, kSecOIDX509V1ValidityNotBefore, (CFTypeRef)CFArrayGetValueAtIndex(additionalValues, 0)); + CFRelease(notBeforeRef); + CFRelease(additionalValues); + } + + CFAbsoluteTime notAfter = SecCertificateNotValidAfterP(certificateP); + CFNumberRef notAfterRef = CFNumberCreate(kCFAllocatorDefault, kCFNumberDoubleType, ¬After); + if (notAfterRef) + { + CFMutableArrayRef additionalValues = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks); + appendPropertyP(additionalValues, kSecPropertyTypeNumber, CFSTR("Not Valid After"), notAfterRef); + CFDictionaryAddValue(fieldValues, kSecOIDX509V1ValidityNotAfter, (CFTypeRef)CFArrayGetValueAtIndex(additionalValues, 0)); + CFRelease(notAfterRef); + CFRelease(additionalValues); + } + + SecKeyUsage keyUsage=SecCertificateGetKeyUsageP(certificateP); + CFNumberRef ku = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &keyUsage); + if (ku) + { + CFMutableArrayRef additionalValues = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks); + appendPropertyP(additionalValues, kSecPropertyTypeNumber, CFSTR("Key Usage"), ku); + 
CFDictionaryAddValue(fieldValues, kSecOIDKeyUsage, (CFTypeRef)CFArrayGetValueAtIndex(additionalValues, 0)); + CFRelease(ku); + CFRelease(additionalValues); + } + + CFArrayRef ekus = SecCertificateCopyExtendedKeyUsageP(certificateP); + if (ekus) + { + CFMutableArrayRef additionalValues = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks); + appendPropertyP(additionalValues, kSecPropertyTypeArray, CFSTR("Extended Key Usage"), ekus); + CFDictionaryAddValue(fieldValues, kSecOIDExtendedKeyUsage, (CFTypeRef)CFArrayGetValueAtIndex(additionalValues, 0)); + CFRelease(ekus); + CFRelease(additionalValues); + } + + // Add all values from properties dictionary + CFArrayRef properties = SecCertificateCopyPropertiesP(certificateP); + if (properties) + { + CFRange range = CFRangeMake(0, CFArrayGetCount((CFArrayRef)properties)); + CFArrayApplyFunction(properties, range, addPropertyToFieldValues, fieldValues); + // CFDictionaryApplyFunction(properties, addFieldValues, fieldValues); + CFRelease(properties); + } + + CFAbsoluteTime verifyTime = CFAbsoluteTimeGetCurrent(); + CFMutableArrayRef summaryProperties = + SecCertificateCopySummaryPropertiesP(certificateP, verifyTime); + if (summaryProperties) + { + CFRange range = CFRangeMake(0, CFArrayGetCount((CFArrayRef)summaryProperties)); + CFArrayApplyFunction(summaryProperties, range, addPropertyToFieldValues, fieldValues); +// CFDictionaryApplyFunction(summaryProperties, addFieldValues, fieldValues); +// CFDictionaryAddValue(fieldValues, CFSTR("summaryProperties"), summaryProperties); + CFRelease(summaryProperties); + } + + if (certificateP) + CFRelease(certificateP); + + if (keys==NULL) + return (CFDictionaryRef)fieldValues; + + // Otherwise, we need to filter + CFMutableDictionaryRef filteredFieldValues=CFDictionaryCreateMutable(kCFAllocatorDefault, 0, + &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + + FieldValueFilterContext fvcontext; + fvcontext.filteredValues = filteredFieldValues; + 
fvcontext.filterKeys = keys; + + CFDictionaryApplyFunction(fieldValues, filterFieldValues, &fvcontext); + + CFRelease(fieldValues); + return (CFDictionaryRef)filteredFieldValues; +} + +void validateKeys(const void *value, void *context) +{ + if (value == NULL || (CFGetTypeID(value)!=CFStringGetTypeID())) + if (context) + *(bool *)context = true; +} + +void filterFieldValues(const void *key, const void *value, void *context) +{ + // each element of keys is a CFStringRef with an OID, e.g. + // const CFStringRef kSecOIDTitle = CFSTR("2.5.4.12"); + + CFTypeRef fieldKey = (CFTypeRef)key; + if (fieldKey == NULL || (CFGetTypeID(fieldKey)!=CFStringGetTypeID()) || context==NULL) + return; + + FieldValueFilterContext *fvcontext = (FieldValueFilterContext *)context; + + CFRange range = CFRangeMake(0, CFArrayGetCount(fvcontext->filterKeys)); + CFIndex idx = CFArrayGetFirstIndexOfValue(fvcontext->filterKeys, range, fieldKey); + if (idx != kCFNotFound) + CFDictionaryAddValue(fvcontext->filteredValues, fieldKey, value); +} + +void addFieldValues(const void *key, const void *value, void *context) +{ + CFMutableDictionaryRef fieldValues = (CFMutableDictionaryRef)context; + CFDictionaryAddValue(fieldValues, key, value); +} + +void addPropertyToFieldValues(const void *value, void *context) +{ + CFMutableDictionaryRef fieldValues = (CFMutableDictionaryRef)context; + if (CFGetTypeID(value)==CFDictionaryGetTypeID()) + { + CFStringRef label = (CFStringRef)CFDictionaryGetValue((CFDictionaryRef)value, kSecPropertyKeyLabel); +#if 0 + CFStringRef typeD = (CFStringRef)CFDictionaryGetValue((CFDictionaryRef)value, kSecPropertyKeyType); + CFTypeRef valueD = (CFStringRef)CFDictionaryGetValue((CFDictionaryRef)value, kSecPropertyKeyValue); +#endif + CFStringRef key = CertificateValues::remapLabelToKey(label); + if (key) + CFDictionaryAddValue(fieldValues, key, value); + } +} + +CFStringRef CertificateValues::remapLabelToKey(CFStringRef label) +{ + if (!label) + return NULL; + + if (!mOIDRemap) + { 
+ CFTypeRef keys[] = + { + CFSTR("Subject Name"), + CFSTR("Normalized Subject Name"), + CFSTR("Issuer Name"), + CFSTR("Normalized Subject Name"), + CFSTR("Version"), + CFSTR("Serial Number"), + CFSTR("Signature Algorithm"), + CFSTR("Subject Unique ID"), + CFSTR("Issuer Unique ID"), + CFSTR("Public Key Algorithm"), + CFSTR("Public Key Data"), + CFSTR("Signature"), + CFSTR("Not Valid Before"), + CFSTR("Not Valid After"), + CFSTR("Expires") + }; + + CFTypeRef values[] = + { + kSecOIDX509V1SubjectName, + kSecOIDX509V1SubjectNameStd, + kSecOIDX509V1IssuerName, + kSecOIDX509V1IssuerNameStd, + kSecOIDX509V1Version, + kSecOIDX509V1SerialNumber, + kSecOIDX509V1SignatureAlgorithm, // or CSSMOID_X509V1SignatureAlgorithmTBS? + kSecOIDX509V1CertificateSubjectUniqueId, + kSecOIDX509V1CertificateIssuerUniqueId, + kSecOIDX509V1SubjectPublicKeyAlgorithm, + kSecOIDX509V1SubjectPublicKey, + kSecOIDX509V1Signature, + kSecOIDX509V1ValidityNotBefore, + kSecOIDX509V1ValidityNotAfter, + kSecOIDInvalidityDate + }; + + mOIDRemap = CFDictionaryCreate(NULL, keys, values, + (sizeof(keys) / sizeof(*keys)), &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks); + } + + CFTypeRef result = (CFTypeRef)CFDictionaryGetValue(mOIDRemap, label); + + return result?(CFStringRef)result:label; +} + +CFDataRef CertificateValues::copySerialNumber(CFErrorRef *error) +{ + CFDataRef result = NULL; + SecCertificateRefP certificateP = getSecCertificateRefP(error); + + if (certificateP) + { + result = SecCertificateCopySerialNumberP(certificateP); + CFRelease(certificateP); + } + return result; +} + +CFDataRef CertificateValues::copyNormalizedIssuerContent(CFErrorRef *error) +{ + CFDataRef result = NULL; + SecCertificateRefP certificateP = getSecCertificateRefP(error); + if (certificateP) + { + result = SecCertificateCopyNormalizedIssuerSequenceP(certificateP); + CFRelease(certificateP); + } + return result; +} + +CFDataRef CertificateValues::copyNormalizedSubjectContent(CFErrorRef *error) +{ + 
CFDataRef result = NULL; + SecCertificateRefP certificateP = getSecCertificateRefP(error); + if (certificateP) + { + result = SecCertificateCopyNormalizedSubjectSequenceP(certificateP); + CFRelease(certificateP); + } + return result; +} + +CFDataRef CertificateValues::copyIssuerSequence(CFErrorRef *error) +{ + CFDataRef result = NULL; + SecCertificateRefP certificateP = getSecCertificateRefP(error); + if (certificateP) + { + result = SecCertificateCopyIssuerSequenceP(certificateP); + CFRelease(certificateP); + } + return result; +} + +CFDataRef CertificateValues::copySubjectSequence(CFErrorRef *error) +{ + CFDataRef result = NULL; + SecCertificateRefP certificateP = getSecCertificateRefP(error); + if (certificateP) + { + result = SecCertificateCopySubjectSequenceP(certificateP); + CFRelease(certificateP); + } + return result; +} + +bool CertificateValues::isValid(CFAbsoluteTime verifyTime, CFErrorRef *error) +{ + bool result = NULL; + SecCertificateRefP certificateP = getSecCertificateRefP(error); + if (certificateP) + { + result = SecCertificateIsValidP(certificateP, verifyTime); + CFRelease(certificateP); + } + return result; +} + +CFAbsoluteTime CertificateValues::notValidBefore(CFErrorRef *error) +{ + CFAbsoluteTime result = 0; + SecCertificateRefP certificateP = getSecCertificateRefP(error); + if (certificateP) + { + result = SecCertificateNotValidBeforeP(certificateP); + CFRelease(certificateP); + } + return result; +} + +CFAbsoluteTime CertificateValues::notValidAfter(CFErrorRef *error) +{ + CFAbsoluteTime result = 0; + SecCertificateRefP certificateP = getSecCertificateRefP(error); + if (certificateP) + { + result = SecCertificateNotValidAfterP(certificateP); + CFRelease(certificateP); + } + return result; +} + +SecCertificateRefP CertificateValues::getSecCertificateRefP(CFErrorRef *error) +{ + // SecCertificateCopyData returns an object created with CFDataCreate, so we + // own it and must release it + + if (mCertificateData) + { + 
CFRelease(mCertificateData); + mCertificateData = NULL; + } + + mCertificateData = SecCertificateCopyData(mCertificateRef); // OK to call, no big lock + if (!mCertificateData && error) + { + *error = CFErrorCreate(NULL, kCFErrorDomainOSStatus, errSecInvalidCertificateRef, NULL); + return NULL; + } + + SecCertificateRefP certificateP = SecCertificateCreateWithDataP(kCFAllocatorDefault, mCertificateData); + if (!certificateP && error) + { + *error = CFErrorCreate(NULL, kCFErrorDomainOSStatus, errSecInvalidCertificateGroup, NULL); + return NULL; + } + + return certificateP; +} + +#pragma mark ---------- OID Constants ---------- + +const CFStringRef kSecOIDADC_CERT_POLICY = CFSTR("1.2.840.113635.100.5.3"); +const CFStringRef kSecOIDAPPLE_CERT_POLICY = CFSTR("1.2.840.113635.100.5.1"); +const CFStringRef kSecOIDAPPLE_EKU_CODE_SIGNING = CFSTR("1.2.840.113635.100.4.1"); +const CFStringRef kSecOIDAPPLE_EKU_CODE_SIGNING_DEV = CFSTR("1.2.840.113635.100.4.1.1"); +const CFStringRef kSecOIDAPPLE_EKU_ICHAT_ENCRYPTION = CFSTR("1.2.840.113635.100.4.3"); +const CFStringRef kSecOIDAPPLE_EKU_ICHAT_SIGNING = CFSTR("1.2.840.113635.100.4.2"); +const CFStringRef kSecOIDAPPLE_EKU_RESOURCE_SIGNING = CFSTR("1.2.840.113635.100.4.1.4"); +const CFStringRef kSecOIDAPPLE_EKU_SYSTEM_IDENTITY = CFSTR("1.2.840.113635.100.4.4"); +const CFStringRef kSecOIDAPPLE_EXTENSION = CFSTR("1.2.840.113635.100.6"); +const CFStringRef kSecOIDAPPLE_EXTENSION_ADC_APPLE_SIGNING = CFSTR("1.2.840.113635.100.6.1.2.0.0"); +const CFStringRef kSecOIDAPPLE_EXTENSION_ADC_DEV_SIGNING = CFSTR("1.2.840.113635.100.6.1.2.0"); +const CFStringRef kSecOIDAPPLE_EXTENSION_APPLE_SIGNING = CFSTR("1.2.840.113635.100.6.1.1"); +const CFStringRef kSecOIDAPPLE_EXTENSION_CODE_SIGNING = CFSTR("1.2.840.113635.100.6.1"); +const CFStringRef kSecOIDAPPLE_EXTENSION_INTERMEDIATE_MARKER = CFSTR("1.2.840.113635.100.6.2"); +const CFStringRef kSecOIDAPPLE_EXTENSION_WWDR_INTERMEDIATE = CFSTR("1.2.840.113635.100.6.2.1"); +const CFStringRef 
kSecOIDAPPLE_EXTENSION_ITMS_INTERMEDIATE = CFSTR("1.2.840.113635.100.6.2.2"); +const CFStringRef kSecOIDAPPLE_EXTENSION_AAI_INTERMEDIATE = CFSTR("1.2.840.113635.100.6.2.3"); +const CFStringRef kSecOIDAPPLE_EXTENSION_APPLEID_INTERMEDIATE = CFSTR("1.2.840.113635.100.6.2.7"); +const CFStringRef kSecOIDAuthorityInfoAccess = CFSTR("1.3.6.1.5.5.7.1.1"); +const CFStringRef kSecOIDAuthorityKeyIdentifier = CFSTR("2.5.29.35"); +const CFStringRef kSecOIDBasicConstraints = CFSTR("2.5.29.19"); +const CFStringRef kSecOIDBiometricInfo = CFSTR("1.3.6.1.5.5.7.1.2"); +const CFStringRef kSecOIDCSSMKeyStruct = CFSTR("2.16.840.1.113741.2.1.1.1.20"); +const CFStringRef kSecOIDCertIssuer = CFSTR("2.5.29.29"); +const CFStringRef kSecOIDCertificatePolicies = CFSTR("2.5.29.32"); +const CFStringRef kSecOIDClientAuth = CFSTR("1.3.6.1.5.5.7.3.2"); +const CFStringRef kSecOIDCollectiveStateProvinceName = CFSTR("2.5.4.8.1"); +const CFStringRef kSecOIDCollectiveStreetAddress = CFSTR("2.5.4.9.1"); +const CFStringRef kSecOIDCommonName = CFSTR("2.5.4.3"); +const CFStringRef kSecOIDCountryName = CFSTR("2.5.4.6"); +const CFStringRef kSecOIDCrlDistributionPoints = CFSTR("2.5.29.31"); +const CFStringRef kSecOIDCrlNumber = CFSTR("2.5.29.20"); +const CFStringRef kSecOIDCrlReason = CFSTR("2.5.29.21"); +const CFStringRef kSecOIDDOTMAC_CERT_EMAIL_ENCRYPT = CFSTR("1.2.840.113635.100.3.2.3"); +const CFStringRef kSecOIDDOTMAC_CERT_EMAIL_SIGN = CFSTR("1.2.840.113635.100.3.2.2"); +const CFStringRef kSecOIDDOTMAC_CERT_EXTENSION = CFSTR("1.2.840.113635.100.3.2"); +const CFStringRef kSecOIDDOTMAC_CERT_IDENTITY = CFSTR("1.2.840.113635.100.3.2.1"); +const CFStringRef kSecOIDDOTMAC_CERT_POLICY = CFSTR("1.2.840.113635.100.5.2"); +const CFStringRef kSecOIDDeltaCrlIndicator = CFSTR("2.5.29.27"); +const CFStringRef kSecOIDDescription = CFSTR("2.5.4.13"); +const CFStringRef kSecOIDEKU_IPSec = CFSTR("1.3.6.1.5.5.8.2.2"); +const CFStringRef kSecOIDEmailAddress = CFSTR("1.2.840.113549.1.9.1"); +const CFStringRef 
kSecOIDEmailProtection = CFSTR("1.3.6.1.5.5.7.3.4"); +const CFStringRef kSecOIDExtendedKeyUsage = CFSTR("2.5.29.37"); +const CFStringRef kSecOIDExtendedKeyUsageAny = CFSTR("2.5.29.37.0"); +const CFStringRef kSecOIDExtendedUseCodeSigning = CFSTR("1.3.6.1.5.5.7.3.3"); +const CFStringRef kSecOIDGivenName = CFSTR("2.5.4.42"); +const CFStringRef kSecOIDHoldInstructionCode = CFSTR("2.5.29.23"); +const CFStringRef kSecOIDInvalidityDate = CFSTR("2.5.29.24"); +const CFStringRef kSecOIDIssuerAltName = CFSTR("2.5.29.18"); +const CFStringRef kSecOIDIssuingDistributionPoint = CFSTR("2.5.29.28"); +const CFStringRef kSecOIDIssuingDistributionPoints = CFSTR("2.5.29.28"); +const CFStringRef kSecOIDKERBv5_PKINIT_KP_CLIENT_AUTH = CFSTR("1.3.6.1.5.2.3.4"); +const CFStringRef kSecOIDKERBv5_PKINIT_KP_KDC = CFSTR("1.3.6.1.5.2.3.5"); +const CFStringRef kSecOIDKeyUsage = CFSTR("2.5.29.15"); +const CFStringRef kSecOIDLocalityName = CFSTR("2.5.4.7"); +const CFStringRef kSecOIDMS_NTPrincipalName = CFSTR("1.3.6.1.4.1.311.20.2.3"); +const CFStringRef kSecOIDMicrosoftSGC = CFSTR("1.3.6.1.4.1.311.10.3.3"); +const CFStringRef kSecOIDNameConstraints = CFSTR("2.5.29.30"); +const CFStringRef kSecOIDNetscapeCertSequence = CFSTR("2.16.840.1.113730.2.5"); +const CFStringRef kSecOIDNetscapeCertType = CFSTR("2.16.840.1.113730.1.1"); +const CFStringRef kSecOIDNetscapeSGC = CFSTR("2.16.840.1.113730.4.1"); +const CFStringRef kSecOIDOCSPSigning = CFSTR("1.3.6.1.5.5.7.3.9"); +const CFStringRef kSecOIDOrganizationName = CFSTR("2.5.4.10"); +const CFStringRef kSecOIDOrganizationalUnitName = CFSTR("2.5.4.11"); +const CFStringRef kSecOIDPolicyConstraints = CFSTR("2.5.29.36"); +const CFStringRef kSecOIDPolicyMappings = CFSTR("2.5.29.33"); +const CFStringRef kSecOIDPrivateKeyUsagePeriod = CFSTR("2.5.29.16"); +const CFStringRef kSecOIDQC_Statements = CFSTR("1.3.6.1.5.5.7.1.3"); +const CFStringRef kSecOIDSerialNumber = CFSTR("2.5.4.5"); +const CFStringRef kSecOIDServerAuth = CFSTR("1.3.6.1.5.5.7.3.1"); +const 
CFStringRef kSecOIDStateProvinceName = CFSTR("2.5.4.8"); +const CFStringRef kSecOIDStreetAddress = CFSTR("2.5.4.9"); +const CFStringRef kSecOIDSubjectAltName = CFSTR("2.5.29.17"); +const CFStringRef kSecOIDSubjectDirectoryAttributes = CFSTR("2.5.29.9"); +const CFStringRef kSecOIDSubjectEmailAddress = CFSTR("2.16.840.1.113741.2.1.1.1.50.3"); +const CFStringRef kSecOIDSubjectInfoAccess = CFSTR("1.3.6.1.5.5.7.1.11"); +const CFStringRef kSecOIDSubjectKeyIdentifier = CFSTR("2.5.29.14"); +const CFStringRef kSecOIDSubjectPicture = CFSTR("2.16.840.1.113741.2.1.1.1.50.2"); +const CFStringRef kSecOIDSubjectSignatureBitmap = CFSTR("2.16.840.1.113741.2.1.1.1.50.1"); +const CFStringRef kSecOIDSurname = CFSTR("2.5.4.4"); +const CFStringRef kSecOIDTimeStamping = CFSTR("1.3.6.1.5.5.7.3.8"); +const CFStringRef kSecOIDTitle = CFSTR("2.5.4.12"); +const CFStringRef kSecOIDUseExemptions = CFSTR("2.16.840.1.113741.2.1.1.1.50.4"); +const CFStringRef kSecOIDX509V1CertificateIssuerUniqueId = CFSTR("2.16.840.1.113741.2.1.1.1.11"); +const CFStringRef kSecOIDX509V1CertificateSubjectUniqueId = CFSTR("2.16.840.1.113741.2.1.1.1.12"); +const CFStringRef kSecOIDX509V1IssuerName = CFSTR("2.16.840.1.113741.2.1.1.1.5"); +const CFStringRef kSecOIDX509V1IssuerNameCStruct = CFSTR("2.16.840.1.113741.2.1.1.1.5.1"); +const CFStringRef kSecOIDX509V1IssuerNameLDAP = CFSTR("2.16.840.1.113741.2.1.1.1.5.2"); +const CFStringRef kSecOIDX509V1IssuerNameStd = CFSTR("2.16.840.1.113741.2.1.1.1.23"); +const CFStringRef kSecOIDX509V1SerialNumber = CFSTR("2.16.840.1.113741.2.1.1.1.3"); +const CFStringRef kSecOIDX509V1Signature = CFSTR("2.16.840.1.113741.2.1.3.2.2"); +const CFStringRef kSecOIDX509V1SignatureAlgorithm = CFSTR("2.16.840.1.113741.2.1.3.2.1"); +const CFStringRef kSecOIDX509V1SignatureAlgorithmParameters = CFSTR("2.16.840.1.113741.2.1.3.2.3"); +const CFStringRef kSecOIDX509V1SignatureAlgorithmTBS = CFSTR("2.16.840.1.113741.2.1.3.2.10"); +const CFStringRef kSecOIDX509V1SignatureCStruct = 
CFSTR("2.16.840.1.113741.2.1.3.2.0.1"); +const CFStringRef kSecOIDX509V1SignatureStruct = CFSTR("2.16.840.1.113741.2.1.3.2.0"); +const CFStringRef kSecOIDX509V1SubjectName = CFSTR("2.16.840.1.113741.2.1.1.1.8"); +const CFStringRef kSecOIDX509V1SubjectNameCStruct = CFSTR("2.16.840.1.113741.2.1.1.1.8.1"); +const CFStringRef kSecOIDX509V1SubjectNameLDAP = CFSTR("2.16.840.1.113741.2.1.1.1.8.2"); +const CFStringRef kSecOIDX509V1SubjectNameStd = CFSTR("2.16.840.1.113741.2.1.1.1.22"); +const CFStringRef kSecOIDX509V1SubjectPublicKey = CFSTR("2.16.840.1.113741.2.1.1.1.10"); +const CFStringRef kSecOIDX509V1SubjectPublicKeyAlgorithm = CFSTR("2.16.840.1.113741.2.1.1.1.9"); +const CFStringRef kSecOIDX509V1SubjectPublicKeyAlgorithmParameters = CFSTR("2.16.840.1.113741.2.1.1.1.18"); +const CFStringRef kSecOIDX509V1SubjectPublicKeyCStruct = CFSTR("2.16.840.1.113741.2.1.1.1.20.1"); +const CFStringRef kSecOIDX509V1ValidityNotAfter = CFSTR("2.16.840.1.113741.2.1.1.1.7"); +const CFStringRef kSecOIDX509V1ValidityNotBefore = CFSTR("2.16.840.1.113741.2.1.1.1.6"); +const CFStringRef kSecOIDX509V1Version = CFSTR("2.16.840.1.113741.2.1.1.1.2"); +const CFStringRef kSecOIDX509V3Certificate = CFSTR("2.16.840.1.113741.2.1.1.1.1"); +const CFStringRef kSecOIDX509V3CertificateCStruct = CFSTR("2.16.840.1.113741.2.1.1.1.1.1"); +const CFStringRef kSecOIDX509V3CertificateExtensionCStruct = CFSTR("2.16.840.1.113741.2.1.1.1.13.1"); +const CFStringRef kSecOIDX509V3CertificateExtensionCritical = CFSTR("2.16.840.1.113741.2.1.1.1.16"); +const CFStringRef kSecOIDX509V3CertificateExtensionId = CFSTR("2.16.840.1.113741.2.1.1.1.15"); +const CFStringRef kSecOIDX509V3CertificateExtensionStruct = CFSTR("2.16.840.1.113741.2.1.1.1.13"); +const CFStringRef kSecOIDX509V3CertificateExtensionType = CFSTR("2.16.840.1.113741.2.1.1.1.19"); +const CFStringRef kSecOIDX509V3CertificateExtensionValue = CFSTR("2.16.840.1.113741.2.1.1.1.17"); +const CFStringRef kSecOIDX509V3CertificateExtensionsCStruct = 
CFSTR("2.16.840.1.113741.2.1.1.1.21.1");
+const CFStringRef kSecOIDX509V3CertificateExtensionsStruct = CFSTR("2.16.840.1.113741.2.1.1.1.21");
+const CFStringRef kSecOIDX509V3CertificateNumberOfExtensions = CFSTR("2.16.840.1.113741.2.1.1.1.14");
+const CFStringRef kSecOIDX509V3SignedCertificate = CFSTR("2.16.840.1.113741.2.1.1.1.0");
+const CFStringRef kSecOIDX509V3SignedCertificateCStruct = CFSTR("2.16.840.1.113741.2.1.1.1.0.1");
+const CFStringRef kSecOIDSRVName = CFSTR("1.3.6.1.5.5.7.8.7");
+
diff --git a/Security/libsecurity_keychain/lib/CertificateValues.h b/OSX/include/security_keychain/CertificateValues.h
similarity index 100%
rename from Security/libsecurity_keychain/lib/CertificateValues.h
rename to OSX/include/security_keychain/CertificateValues.h
diff --git a/Security/libsecurity_keychain/lib/DLDBListCFPref.cpp b/OSX/include/security_keychain/DLDBListCFPref.cpp
similarity index 100%
rename from Security/libsecurity_keychain/lib/DLDBListCFPref.cpp
rename to OSX/include/security_keychain/DLDBListCFPref.cpp
diff --git a/Security/libsecurity_keychain/lib/DLDBListCFPref.h b/OSX/include/security_keychain/DLDBListCFPref.h
similarity index 100%
rename from Security/libsecurity_keychain/lib/DLDBListCFPref.h
rename to OSX/include/security_keychain/DLDBListCFPref.h
diff --git a/Security/libsecurity_keychain/lib/DynamicDLDBList.cpp b/OSX/include/security_keychain/DynamicDLDBList.cpp
similarity index 100%
rename from Security/libsecurity_keychain/lib/DynamicDLDBList.cpp
rename to OSX/include/security_keychain/DynamicDLDBList.cpp
diff --git a/Security/libsecurity_keychain/lib/DynamicDLDBList.h b/OSX/include/security_keychain/DynamicDLDBList.h
similarity index 100%
rename from Security/libsecurity_keychain/lib/DynamicDLDBList.h
rename to OSX/include/security_keychain/DynamicDLDBList.h
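Review bot: In CertificateValues::copyFieldValues the IP-address block passes `dnsNames` to appendPropertyP after `CFRelease(dnsNames)` has already run, and the RFC822 block does the same while also reusing the `CFSTR("DNS")` label, so the IPADDRESSES and kSecOIDEmailAddress entries are built from a released (or NULL) array instead of the values just fetched. The two calls should read `appendPropertyP(additionalValues, kSecPropertyTypeArray, CFSTR("IP"), ipAddresses);` and `appendPropertyP(additionalValues, kSecPropertyTypeArray, CFSTR("Email"), emailAddrs);` (label name as proposed, pick whatever the property consumers expect). Separately, the keys table in remapLabelToKey lists `CFSTR("Normalized Subject Name")` twice, so the entry meant to map to kSecOIDX509V1IssuerNameStd is shadowed (presumably `CFSTR("Normalized Issuer Name")` was intended), and the lazily built static mOIDRemap is assigned with no synchronization, which would need a once-guard if this is reachable from several threads. In getSecCertificateRefP the guard `if (!mCertificateData && error)` lets a NULL buffer reach SecCertificateCreateWithDataP whenever the caller passes no error out-parameter; checking the data independently of `error` and only then filling in `*error` when it is non-NULL would be safer.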
diff --git a/Security/libsecurity_keychain/lib/ExtendedAttribute.cpp b/OSX/include/security_keychain/ExtendedAttribute.cpp
similarity index 100%
rename from Security/libsecurity_keychain/lib/ExtendedAttribute.cpp
rename to OSX/include/security_keychain/ExtendedAttribute.cpp
diff --git a/Security/libsecurity_keychain/lib/ExtendedAttribute.h b/OSX/include/security_keychain/ExtendedAttribute.h
similarity index 100%
rename from Security/libsecurity_keychain/lib/ExtendedAttribute.h
rename to OSX/include/security_keychain/ExtendedAttribute.h
diff --git a/Security/libsecurity_keychain/lib/Globals.cpp b/OSX/include/security_keychain/Globals.cpp
similarity index 100%
rename from Security/libsecurity_keychain/lib/Globals.cpp
rename to OSX/include/security_keychain/Globals.cpp
diff --git a/Security/libsecurity_keychain/lib/Globals.h b/OSX/include/security_keychain/Globals.h
similarity index 100%
rename from Security/libsecurity_keychain/lib/Globals.h
rename to OSX/include/security_keychain/Globals.h
diff --git a/Security/libsecurity_keychain/lib/Identity.cpp b/OSX/include/security_keychain/Identity.cpp
similarity index 100%
rename from Security/libsecurity_keychain/lib/Identity.cpp
rename to OSX/include/security_keychain/Identity.cpp
diff --git a/Security/libsecurity_keychain/lib/Identity.h b/OSX/include/security_keychain/Identity.h
similarity index 100%
rename from Security/libsecurity_keychain/lib/Identity.h
rename to OSX/include/security_keychain/Identity.h
diff --git a/Security/libsecurity_keychain/lib/IdentityCursor.cpp b/OSX/include/security_keychain/IdentityCursor.cpp
similarity index 100%
rename from Security/libsecurity_keychain/lib/IdentityCursor.cpp
rename to OSX/include/security_keychain/IdentityCursor.cpp
diff --git a/Security/libsecurity_keychain/lib/IdentityCursor.h b/OSX/include/security_keychain/IdentityCursor.h
similarity index 100%
rename from Security/libsecurity_keychain/lib/IdentityCursor.h
rename to OSX/include/security_keychain/IdentityCursor.h
diff --git a/Security/libsecurity_keychain/lib/Item.cpp b/OSX/include/security_keychain/Item.cpp
similarity index 100%
rename from Security/libsecurity_keychain/lib/Item.cpp
rename to OSX/include/security_keychain/Item.cpp
diff --git a/Security/libsecurity_keychain/lib/Item.h b/OSX/include/security_keychain/Item.h
similarity index 100%
rename from Security/libsecurity_keychain/lib/Item.h
rename to OSX/include/security_keychain/Item.h
diff --git a/Security/libsecurity_keychain/lib/KCCursor.cpp b/OSX/include/security_keychain/KCCursor.cpp
similarity index 100%
rename from Security/libsecurity_keychain/lib/KCCursor.cpp
rename to OSX/include/security_keychain/KCCursor.cpp
diff --git a/Security/libsecurity_keychain/lib/KCCursor.h b/OSX/include/security_keychain/KCCursor.h
similarity index 100%
rename from Security/libsecurity_keychain/lib/KCCursor.h
rename to OSX/include/security_keychain/KCCursor.h
diff --git a/Security/libsecurity_keychain/lib/KCEventNotifier.cpp b/OSX/include/security_keychain/KCEventNotifier.cpp
similarity index 100%
rename from Security/libsecurity_keychain/lib/KCEventNotifier.cpp
rename to OSX/include/security_keychain/KCEventNotifier.cpp
diff --git a/Security/libsecurity_keychain/lib/KCEventNotifier.h b/OSX/include/security_keychain/KCEventNotifier.h
similarity index 100%
rename from Security/libsecurity_keychain/lib/KCEventNotifier.h
rename to OSX/include/security_keychain/KCEventNotifier.h
diff --git a/Security/libsecurity_keychain/lib/KCExceptions.h b/OSX/include/security_keychain/KCExceptions.h
similarity index 100%
rename from Security/libsecurity_keychain/lib/KCExceptions.h
rename to OSX/include/security_keychain/KCExceptions.h
diff --git a/Security/libsecurity_keychain/lib/KCUtilities.cpp b/OSX/include/security_keychain/KCUtilities.cpp
similarity index 100%
rename from Security/libsecurity_keychain/lib/KCUtilities.cpp
rename to OSX/include/security_keychain/KCUtilities.cpp
diff --git a/Security/libsecurity_keychain/lib/KCUtilities.h b/OSX/include/security_keychain/KCUtilities.h
similarity index 100%
rename from Security/libsecurity_keychain/lib/KCUtilities.h
rename to OSX/include/security_keychain/KCUtilities.h
diff --git a/OSX/include/security_keychain/KeyItem.cpp b/OSX/include/security_keychain/KeyItem.cpp
new file mode 100644
index 00000000..69e7f919
--- /dev/null
+++ b/OSX/include/security_keychain/KeyItem.cpp
@@ -0,0 +1,1420 @@
+/*
+ * Copyright (c) 2002-2004,2011-2014 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+//
+// KeyItem.cpp
+//
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include
+#include "KCEventNotifier.h"
+#include
+#include
+
+// @@@ This needs to be shared.
+#pragma clang diagnostic push +#pragma clang diagnostic ignored "-Wunused-const-variable" +static CSSM_DB_NAME_ATTR(kInfoKeyPrintName, kSecKeyPrintName, (char*) "PrintName", 0, NULL, BLOB); +static CSSM_DB_NAME_ATTR(kInfoKeyLabel, kSecKeyLabel, (char*) "Label", 0, NULL, BLOB); +static CSSM_DB_NAME_ATTR(kInfoKeyApplicationTag, kSecKeyApplicationTag, (char*) "ApplicationTag", 0, NULL, BLOB); +#pragma clang diagnostic pop + +using namespace KeychainCore; +using namespace CssmClient; + +KeyItem::KeyItem(const Keychain &keychain, const PrimaryKey &primaryKey, const CssmClient::DbUniqueRecord &uniqueId) : + ItemImpl(keychain, primaryKey, uniqueId), + mKey(), + algid(NULL), + mPubKeyHash(Allocator::standard()) +{ +} + +KeyItem::KeyItem(const Keychain &keychain, const PrimaryKey &primaryKey) : + ItemImpl(keychain, primaryKey), + mKey(), + algid(NULL), + mPubKeyHash(Allocator::standard()) +{ +} + +KeyItem* KeyItem::make(const Keychain &keychain, const PrimaryKey &primaryKey, const CssmClient::DbUniqueRecord &uniqueId) +{ + KeyItem* k = new KeyItem(keychain, primaryKey, uniqueId); + keychain->addItem(primaryKey, k); + return k; +} + + + +KeyItem* KeyItem::make(const Keychain &keychain, const PrimaryKey &primaryKey) +{ + KeyItem* k = new KeyItem(keychain, primaryKey); + keychain->addItem(primaryKey, k); + return k; +} + + + +KeyItem::KeyItem(KeyItem &keyItem) : + ItemImpl(keyItem), + mKey(), + algid(NULL), + mPubKeyHash(Allocator::standard()) +{ + // @@@ this doesn't work for keys that are not in a keychain. 
+} + +KeyItem::KeyItem(const CssmClient::Key &key) : + ItemImpl(key->keyClass() + CSSM_DL_DB_RECORD_PUBLIC_KEY, (OSType)0, (UInt32)0, (const void*)NULL), + mKey(key), + algid(NULL), + mPubKeyHash(Allocator::standard()) +{ + if (key->keyClass() > CSSM_KEYCLASS_SESSION_KEY) + MacOSError::throwMe(errSecParam); +} + +KeyItem::~KeyItem() +{ +} + +void +KeyItem::update() +{ + ItemImpl::update(); +} + +Item +KeyItem::copyTo(const Keychain &keychain, Access *newAccess) +{ + if (!(keychain->database()->dl()->subserviceMask() & CSSM_SERVICE_CSP)) + MacOSError::throwMe(errSecInvalidKeychain); + + /* Get the destination keychain's db. */ + SSDbImpl* dbImpl = dynamic_cast(&(*keychain->database())); + if (dbImpl == NULL) + { + CssmError::throwMe(CSSMERR_CSSM_INVALID_POINTER); + } + + SSDb ssDb(dbImpl); + + /* Make sure mKey is valid. */ + const CSSM_KEY *cssmKey = key(); + if (cssmKey && (0==(cssmKey->KeyHeader.KeyAttr & CSSM_KEYATTR_EXTRACTABLE))) + { + MacOSError::throwMe(errSecDataNotAvailable); + } + + // Generate a random label to use initially + CssmClient::CSP appleCsp(gGuidAppleCSP); + CssmClient::Random random(appleCsp, CSSM_ALGID_APPLE_YARROW); + uint8 labelBytes[20]; + CssmData label(labelBytes, sizeof(labelBytes)); + random.generate(label, (uint32)label.Length); + + /* Set up the ACL for the new key. */ + SecPointer access; + if (newAccess) + access = newAccess; + else + access = new Access(*mKey); + + /* Generate a random 3DES wrapping Key. */ + CssmClient::GenerateKey genKey(csp(), CSSM_ALGID_3DES_3KEY, 192); + CssmClient::Key wrappingKey(genKey(KeySpec(CSSM_KEYUSE_WRAP | CSSM_KEYUSE_UNWRAP, + CSSM_KEYATTR_EXTRACTABLE /* | CSSM_KEYATTR_RETURN_DATA */))); + + /* make a random IV */ + uint8 ivBytes[8]; + CssmData iv(ivBytes, sizeof(ivBytes)); + random.generate(iv, (uint32)iv.length()); + + /* Extract the key by wrapping it with the wrapping key. 
*/ + CssmClient::WrapKey wrap(csp(), CSSM_ALGID_3DES_3KEY_EDE); + wrap.key(wrappingKey); + wrap.cred(getCredentials(CSSM_ACL_AUTHORIZATION_EXPORT_WRAPPED, kSecCredentialTypeDefault)); + wrap.mode(CSSM_ALGMODE_ECBPad); + wrap.padding(CSSM_PADDING_PKCS7); + wrap.initVector(iv); + CssmClient::Key wrappedKey(wrap(mKey)); + + /* Unwrap the new key into the new Keychain. */ + CssmClient::UnwrapKey unwrap(keychain->csp(), CSSM_ALGID_3DES_3KEY_EDE); + unwrap.key(wrappingKey); + unwrap.mode(CSSM_ALGMODE_ECBPad); + unwrap.padding(CSSM_PADDING_PKCS7); + unwrap.initVector(iv); + + /* Setup the dldbHandle in the context. */ + unwrap.add(CSSM_ATTRIBUTE_DL_DB_HANDLE, ssDb->handle()); + + /* Set up an initial aclEntry so we can change it after the unwrap. */ + Access::Maker maker(Allocator::standard(), Access::Maker::kAnyMakerType); + ResourceControlContext rcc; + maker.initialOwner(rcc, NULL); + unwrap.owner(rcc.input()); + + /* Unwrap the key. */ + uint32 usage = mKey->usage(); + /* Work around csp brokeness where it sets all usage bits in the Keyheader when CSSM_KEYUSE_ANY is set. */ + if (usage & CSSM_KEYUSE_ANY) + usage = CSSM_KEYUSE_ANY; + + CssmClient::Key unwrappedKey(unwrap(wrappedKey, KeySpec(usage, + (mKey->attributes() | CSSM_KEYATTR_PERMANENT) & ~(CSSM_KEYATTR_ALWAYS_SENSITIVE | CSSM_KEYATTR_NEVER_EXTRACTABLE), + label))); + + /* Look up unwrapped key in the DLDB. */ + DbUniqueRecord uniqueId; + SSDbCursor dbCursor(ssDb, 1); + dbCursor->recordType(recordType()); + dbCursor->add(CSSM_DB_EQUAL, kInfoKeyLabel, label); + CssmClient::Key copiedKey; + if (!dbCursor->nextKey(NULL, copiedKey, uniqueId)) + MacOSError::throwMe(errSecItemNotFound); + + /* Copy the Label, PrintName and ApplicationTag attributes from the old key to the new one. 
*/ + dbUniqueRecord(); + DbAttributes oldDbAttributes(mUniqueId->database(), 3); + oldDbAttributes.add(kInfoKeyLabel); + oldDbAttributes.add(kInfoKeyPrintName); + oldDbAttributes.add(kInfoKeyApplicationTag); + mUniqueId->get(&oldDbAttributes, NULL); + try + { + uniqueId->modify(recordType(), &oldDbAttributes, NULL, CSSM_DB_MODIFY_ATTRIBUTE_REPLACE); + } + catch (CssmError e) + { + // clean up after trying to insert a duplicate key + uniqueId->deleteRecord (); + throw; + } + + /* Set the acl and owner on the unwrapped key. */ + access->setAccess(*unwrappedKey, maker); + + /* Return a keychain item which represents the new key. */ + Item item(keychain->item(recordType(), uniqueId)); + + KCEventNotifier::PostKeychainEvent(kSecAddEvent, keychain, item); + + return item; +} + +Item +KeyItem::importTo(const Keychain &keychain, Access *newAccess, SecKeychainAttributeList *attrList) +{ + if (!(keychain->database()->dl()->subserviceMask() & CSSM_SERVICE_CSP)) + MacOSError::throwMe(errSecInvalidKeychain); + + /* Get the destination keychain's db. */ + SSDbImpl* dbImpl = dynamic_cast(&(*keychain->database())); + if (dbImpl == NULL) + CssmError::throwMe(CSSMERR_CSSM_INVALID_POINTER); + + SSDb ssDb(dbImpl); + + /* Make sure mKey is valid. */ + /* We can't call key() here, since we won't have a unique record id yet */ + if (!mKey) + CssmError::throwMe(CSSMERR_CSSM_INVALID_POINTER); + + // Generate a random label to use initially + CssmClient::CSP appleCsp(gGuidAppleCSP); + CssmClient::Random random(appleCsp, CSSM_ALGID_APPLE_YARROW); + uint8 labelBytes[20]; + CssmData label(labelBytes, sizeof(labelBytes)); + random.generate(label, (uint32)label.Length); + + /* Set up the ACL for the new key. */ + SecPointer access; + if (newAccess) + access = newAccess; + else + access = new Access(*mKey); + + /* Generate a random 3DES wrapping Key. 
*/ + CssmClient::GenerateKey genKey(csp(), CSSM_ALGID_3DES_3KEY, 192); + CssmClient::Key wrappingKey(genKey(KeySpec(CSSM_KEYUSE_WRAP | CSSM_KEYUSE_UNWRAP, + CSSM_KEYATTR_EXTRACTABLE /* | CSSM_KEYATTR_RETURN_DATA */))); + + /* make a random IV */ + uint8 ivBytes[8]; + CssmData iv(ivBytes, sizeof(ivBytes)); + random.generate(iv, (uint32)iv.length()); + + /* Extract the key by wrapping it with the wrapping key. */ + CssmClient::WrapKey wrap(csp(), CSSM_ALGID_3DES_3KEY_EDE); + wrap.key(wrappingKey); + wrap.cred(getCredentials(CSSM_ACL_AUTHORIZATION_EXPORT_WRAPPED, kSecCredentialTypeDefault)); + wrap.mode(CSSM_ALGMODE_ECBPad); + wrap.padding(CSSM_PADDING_PKCS7); + wrap.initVector(iv); + CssmClient::Key wrappedKey(wrap(mKey)); + + /* Unwrap the new key into the new Keychain. */ + CssmClient::UnwrapKey unwrap(keychain->csp(), CSSM_ALGID_3DES_3KEY_EDE); + unwrap.key(wrappingKey); + unwrap.mode(CSSM_ALGMODE_ECBPad); + unwrap.padding(CSSM_PADDING_PKCS7); + unwrap.initVector(iv); + + /* Setup the dldbHandle in the context. */ + unwrap.add(CSSM_ATTRIBUTE_DL_DB_HANDLE, ssDb->handle()); + + /* Set up an initial aclEntry so we can change it after the unwrap. */ + Access::Maker maker(Allocator::standard(), Access::Maker::kAnyMakerType); + ResourceControlContext rcc; + maker.initialOwner(rcc, NULL); + unwrap.owner(rcc.input()); + + /* Unwrap the key. */ + uint32 usage = mKey->usage(); + /* Work around csp brokeness where it sets all usage bits in the Keyheader when CSSM_KEYUSE_ANY is set. */ + if (usage & CSSM_KEYUSE_ANY) + usage = CSSM_KEYUSE_ANY; + + CssmClient::Key unwrappedKey(unwrap(wrappedKey, KeySpec(usage, + (mKey->attributes() | CSSM_KEYATTR_PERMANENT) & ~(CSSM_KEYATTR_ALWAYS_SENSITIVE | CSSM_KEYATTR_NEVER_EXTRACTABLE), + label))); + + /* Look up unwrapped key in the DLDB. 
*/ + DbUniqueRecord uniqueId; + SSDbCursor dbCursor(ssDb, 1); + dbCursor->recordType(recordType()); + dbCursor->add(CSSM_DB_EQUAL, kInfoKeyLabel, label); + CssmClient::Key copiedKey; + if (!dbCursor->nextKey(NULL, copiedKey, uniqueId)) + MacOSError::throwMe(errSecItemNotFound); + + // Set the initial label, application label, and application tag (if provided) + if (attrList) { + DbAttributes newDbAttributes; + SSDbCursor otherDbCursor(ssDb, 1); + otherDbCursor->recordType(recordType()); + bool checkForDuplicates = false; + + for (UInt32 index=0; index < attrList->count; index++) { + SecKeychainAttribute attr = attrList->attr[index]; + CssmData attrData(attr.data, attr.length); + if (attr.tag == kSecKeyPrintName) { + newDbAttributes.add(kInfoKeyPrintName, attrData); + } + if (attr.tag == kSecKeyLabel) { + newDbAttributes.add(kInfoKeyLabel, attrData); + otherDbCursor->add(CSSM_DB_EQUAL, kInfoKeyLabel, attrData); + checkForDuplicates = true; + } + if (attr.tag == kSecKeyApplicationTag) { + newDbAttributes.add(kInfoKeyApplicationTag, attrData); + otherDbCursor->add(CSSM_DB_EQUAL, kInfoKeyApplicationTag, attrData); + checkForDuplicates = true; + } + } + + DbAttributes otherDbAttributes; + DbUniqueRecord otherUniqueId; + CssmClient::Key otherKey; + try + { + if (checkForDuplicates && otherDbCursor->nextKey(&otherDbAttributes, otherKey, otherUniqueId)) + MacOSError::throwMe(errSecDuplicateItem); + + uniqueId->modify(recordType(), &newDbAttributes, NULL, CSSM_DB_MODIFY_ATTRIBUTE_REPLACE); + } + catch (CssmError e) + { + // clean up after trying to insert a duplicate key + uniqueId->deleteRecord (); + throw; + } + } + + /* Set the acl and owner on the unwrapped key. */ + access->setAccess(*unwrappedKey, maker); + + /* Return a keychain item which represents the new key. 
*/ + Item item(keychain->item(recordType(), uniqueId)); + + KCEventNotifier::PostKeychainEvent(kSecAddEvent, keychain, item); + + return item; +} + +void +KeyItem::didModify() +{ +} + +PrimaryKey +KeyItem::add(Keychain &keychain) +{ + MacOSError::throwMe(errSecUnimplemented); +} + +CssmClient::SSDbUniqueRecord +KeyItem::ssDbUniqueRecord() +{ + DbUniqueRecordImpl *impl = &*dbUniqueRecord(); + Security::CssmClient::SSDbUniqueRecordImpl *simpl = dynamic_cast(impl); + if (simpl == NULL) + { + CssmError::throwMe(CSSMERR_CSSM_INVALID_POINTER); + } + + return CssmClient::SSDbUniqueRecord(simpl); +} + +CssmClient::Key & +KeyItem::key() +{ + StLock_(mMutex); + if (!mKey) + { + CssmClient::SSDbUniqueRecord uniqueId(ssDbUniqueRecord()); + CssmDataContainer dataBlob(uniqueId->allocator()); + uniqueId->get(NULL, &dataBlob); + mKey = CssmClient::Key(uniqueId->database()->csp(), *reinterpret_cast(dataBlob.Data)); + } + + return mKey; +} + +CssmClient::CSP +KeyItem::csp() +{ + return key()->csp(); +} + + +const CSSM_X509_ALGORITHM_IDENTIFIER& +KeyItem::algorithmIdentifier() +{ +#if 0 + CssmKey *mKey; + CSSM_KEY_TYPE algorithm + CSSM_KEY_PTR cssmKey = (CSSM_KEY_PTR)thisData->Data; +cssmKey->KeyHeader + static void printKeyHeader( + const CSSM_KEYHEADER &hdr) +{ + printf(" Algorithm : "); + switch(hdr.AlgorithmId) { +CSSM_X509_ALGORITHM_IDENTIFIER algID; + +CSSM_OID *CL_algToOid( + CSSM_ALGORITHMS algId) +typedef struct cssm_x509_algorithm_identifier { + CSSM_OID algorithm; + CSSM_DATA parameters; +} CSSM_X509_ALGORITHM_IDENTIFIER, *CSSM_X509_ALGORITHM_IDENTIFIER_PTR; +#endif + + abort(); +} + +/* + * itemID, used to locate Extended Attributes, is the public key hash for keys. + */ +const CssmData &KeyItem::itemID() +{ + if(mPubKeyHash.length() == 0) { + /* + * Fetch the attribute from disk. 
+ */ + UInt32 tag = kSecKeyLabel; + UInt32 format = 0; + SecKeychainAttributeInfo attrInfo = {1, &tag, &format}; + SecKeychainAttributeList *attrList = NULL; + getAttributesAndData(&attrInfo, NULL, &attrList, NULL, NULL); + if((attrList == NULL) || (attrList->count != 1)) { + MacOSError::throwMe(errSecNoSuchAttr); + } + mPubKeyHash.copy(attrList->attr->data, attrList->attr->length); + freeAttributesAndData(attrList, NULL); + } + return mPubKeyHash; +} + + +unsigned int +KeyItem::strengthInBits(const CSSM_X509_ALGORITHM_IDENTIFIER *algid) +{ + // @@@ Make a context with key based on algid and use that to get the effective keysize and not just the logical one. + CSSM_KEY_SIZE keySize = {}; + CSSM_RETURN rv = CSSM_QueryKeySizeInBits (csp()->handle(), + CSSM_INVALID_HANDLE, + key(), + &keySize); + if (rv) + return 0; + + return keySize.LogicalKeySizeInBits; +} + +const AccessCredentials * +KeyItem::getCredentials( + CSSM_ACL_AUTHORIZATION_TAG operation, + SecCredentialType credentialType) +{ + // @@@ Fix this to actually examine the ACL for this key and consider operation and do the right thing. + //AutoAclEntryInfoList aclInfos; + //key()->getAcl(aclInfos); + + bool smartcard = keychain() != NULL ? 
(keychain()->database()->dl()->guid() == gGuidAppleSdCSPDL) : false; + + AclFactory factory; + switch (credentialType) + { + case kSecCredentialTypeDefault: + return smartcard?globals().smartcardItemCredentials():globals().itemCredentials(); + case kSecCredentialTypeWithUI: + return smartcard?globals().smartcardItemCredentials():factory.promptCred(); + case kSecCredentialTypeNoUI: + return factory.nullCred(); + default: + MacOSError::throwMe(errSecParam); + } +} + +bool +KeyItem::operator == (KeyItem &other) +{ + if (mKey && *mKey) + { + // Pointer compare + return this == &other; + } + + // If keychains are different, then keys are different + Keychain otherKeychain = other.keychain(); + return (mKeychain && otherKeychain && (*mKeychain == *otherKeychain)); +} + +void +KeyItem::createPair( + Keychain keychain, + CSSM_ALGORITHMS algorithm, + uint32 keySizeInBits, + CSSM_CC_HANDLE contextHandle, + CSSM_KEYUSE publicKeyUsage, + uint32 publicKeyAttr, + CSSM_KEYUSE privateKeyUsage, + uint32 privateKeyAttr, + SecPointer initialAccess, + SecPointer &outPublicKey, + SecPointer &outPrivateKey) +{ + bool freeKeys = false; + bool deleteContext = false; + + if (!(keychain->database()->dl()->subserviceMask() & CSSM_SERVICE_CSP)) + MacOSError::throwMe(errSecInvalidKeychain); + + SSDbImpl* impl = dynamic_cast(&(*keychain->database())); + if (impl == NULL) + { + CssmError::throwMe(CSSMERR_CSSM_INVALID_POINTER); + } + + SSDb ssDb(impl); + CssmClient::CSP csp(keychain->csp()); + CssmClient::CSP appleCsp(gGuidAppleCSP); + + // Generate a random label to use initially + CssmClient::Random random(appleCsp, CSSM_ALGID_APPLE_YARROW); + uint8 labelBytes[20]; + CssmData label(labelBytes, sizeof(labelBytes)); + random.generate(label, (uint32)label.Length); + + // Create a Access::Maker for the initial owner of the private key. 
+ ResourceControlContext rcc; + memset(&rcc, 0, sizeof(rcc)); + Access::Maker maker; + // @@@ Potentially provide a credential argument which allows us to generate keys in the csp. Currently the CSP let's anyone do this, but we might restrict this in the future, f.e. a smartcard could require out of band pin entry before a key can be generated. + maker.initialOwner(rcc); + // Create the cred we need to manipulate the keys until we actually set a new access control for them. + const AccessCredentials *cred = maker.cred(); + + CSSM_KEY publicCssmKey, privateCssmKey; + memset(&publicCssmKey, 0, sizeof(publicCssmKey)); + memset(&privateCssmKey, 0, sizeof(privateCssmKey)); + + CSSM_CC_HANDLE ccHandle = 0; + + Item publicKeyItem, privateKeyItem; + try + { + CSSM_RETURN status; + if (contextHandle) + ccHandle = contextHandle; + else + { + status = CSSM_CSP_CreateKeyGenContext(csp->handle(), algorithm, keySizeInBits, NULL, NULL, NULL, NULL, NULL, &ccHandle); + if (status) + CssmError::throwMe(status); + deleteContext = true; + } + + CSSM_DL_DB_HANDLE dldbHandle = ssDb->handle(); + CSSM_DL_DB_HANDLE_PTR dldbHandlePtr = &dldbHandle; + CSSM_CONTEXT_ATTRIBUTE contextAttributes = { CSSM_ATTRIBUTE_DL_DB_HANDLE, sizeof(dldbHandle), { (char *)dldbHandlePtr } }; + status = CSSM_UpdateContextAttributes(ccHandle, 1, &contextAttributes); + if (status) + CssmError::throwMe(status); + + // Generate the keypair + status = CSSM_GenerateKeyPair(ccHandle, publicKeyUsage, publicKeyAttr, &label, &publicCssmKey, privateKeyUsage, privateKeyAttr, &label, &rcc, &privateCssmKey); + if (status) + CssmError::throwMe(status); + freeKeys = true; + + // Find the keys we just generated in the DL to get SecKeyRef's to them + // so we can change the label to be the hash of the public key, and + // fix up other attributes. + + // Look up public key in the DLDB. 
+ DbAttributes pubDbAttributes; + DbUniqueRecord pubUniqueId; + SSDbCursor dbPubCursor(ssDb, 1); + dbPubCursor->recordType(CSSM_DL_DB_RECORD_PUBLIC_KEY); + dbPubCursor->add(CSSM_DB_EQUAL, kInfoKeyLabel, label); + CssmClient::Key publicKey; + if (!dbPubCursor->nextKey(&pubDbAttributes, publicKey, pubUniqueId)) + MacOSError::throwMe(errSecItemNotFound); + + // Look up private key in the DLDB. + DbAttributes privDbAttributes; + DbUniqueRecord privUniqueId; + SSDbCursor dbPrivCursor(ssDb, 1); + dbPrivCursor->recordType(CSSM_DL_DB_RECORD_PRIVATE_KEY); + dbPrivCursor->add(CSSM_DB_EQUAL, kInfoKeyLabel, label); + CssmClient::Key privateKey; + if (!dbPrivCursor->nextKey(&privDbAttributes, privateKey, privUniqueId)) + MacOSError::throwMe(errSecItemNotFound); + + // Convert reference public key to a raw key so we can use it + // in the appleCsp. + CssmClient::WrapKey wrap(csp, CSSM_ALGID_NONE); + wrap.cred(cred); + CssmClient::Key rawPubKey = wrap(publicKey); + + // Calculate the hash of the public key using the appleCSP. + CssmClient::PassThrough passThrough(appleCsp); + void *outData; + CssmData *cssmData; + + /* Given a CSSM_KEY_PTR in any format, obtain the SHA-1 hash of the + * associated key blob. + * Key is specified in CSSM_CSP_CreatePassThroughContext. + * Hash is allocated bythe CSP, in the App's memory, and returned + * in *outData. */ + passThrough.key(rawPubKey); + passThrough(CSSM_APPLECSP_KEYDIGEST, NULL, &outData); + cssmData = reinterpret_cast(outData); + CssmData &pubKeyHash = *cssmData; + + auto_ptrprivDescription; + auto_ptrpubDescription; + try { + privDescription.reset(new string(initialAccess->promptDescription())); + pubDescription.reset(new string(initialAccess->promptDescription())); + } + catch(...) { + /* this path taken if no promptDescription available, e.g., for complex ACLs */ + privDescription.reset(new string("Private key")); + pubDescription.reset(new string("Public key")); + } + + // Set the label of the public key to the public key hash. 
+ // Set the PrintName of the public key to the description in the acl. + pubDbAttributes.add(kInfoKeyLabel, pubKeyHash); + pubDbAttributes.add(kInfoKeyPrintName, *pubDescription); + pubUniqueId->modify(CSSM_DL_DB_RECORD_PUBLIC_KEY, &pubDbAttributes, NULL, CSSM_DB_MODIFY_ATTRIBUTE_REPLACE); + + // Set the label of the private key to the public key hash. + // Set the PrintName of the private key to the description in the acl. + privDbAttributes.add(kInfoKeyLabel, pubKeyHash); + privDbAttributes.add(kInfoKeyPrintName, *privDescription); + privUniqueId->modify(CSSM_DL_DB_RECORD_PRIVATE_KEY, &privDbAttributes, NULL, CSSM_DB_MODIFY_ATTRIBUTE_REPLACE); + + // @@@ Not exception safe! + csp.allocator().free(cssmData->Data); + csp.allocator().free(cssmData); + + // Finally fix the acl and owner of the private key to the specified access control settings. + initialAccess->setAccess(*privateKey, maker); + + if(publicKeyAttr & CSSM_KEYATTR_PUBLIC_KEY_ENCRYPT) { + /* + * Make the public key acl completely open. + * If the key was not encrypted, it already has a wide-open + * ACL (though that is a feature of securityd; it's not + * CDSA-specified behavior). + */ + SecPointer pubKeyAccess(new Access()); + pubKeyAccess->setAccess(*publicKey, maker); + } + + // Create keychain items which will represent the keys. + publicKeyItem = keychain->item(CSSM_DL_DB_RECORD_PUBLIC_KEY, pubUniqueId); + privateKeyItem = keychain->item(CSSM_DL_DB_RECORD_PRIVATE_KEY, privUniqueId); + + KeyItem* impl = dynamic_cast(&(*publicKeyItem)); + if (impl == NULL) + { + CssmError::throwMe(CSSMERR_CSSM_INVALID_POINTER); + } + + outPublicKey = impl; + + impl = dynamic_cast(&(*privateKeyItem)); + if (impl == NULL) + { + CssmError::throwMe(CSSMERR_CSSM_INVALID_POINTER); + } + + outPrivateKey = impl; + } + catch (...) + { + if (freeKeys) + { + // Delete the keys if something goes wrong so we don't end up with inaccessible keys in the database. 
+ CSSM_FreeKey(csp->handle(), cred, &publicCssmKey, TRUE); + CSSM_FreeKey(csp->handle(), cred, &privateCssmKey, TRUE); + } + + if (deleteContext) + CSSM_DeleteContext(ccHandle); + + throw; + } + + if (freeKeys) + { + CSSM_FreeKey(csp->handle(), NULL, &publicCssmKey, FALSE); + CSSM_FreeKey(csp->handle(), NULL, &privateCssmKey, FALSE); + } + + if (deleteContext) + CSSM_DeleteContext(ccHandle); + + if (keychain && publicKeyItem && privateKeyItem) + { + keychain->postEvent(kSecAddEvent, publicKeyItem); + keychain->postEvent(kSecAddEvent, privateKeyItem); + } +} + +void +KeyItem::importPair( + Keychain keychain, + const CSSM_KEY &publicWrappedKey, + const CSSM_KEY &privateWrappedKey, + SecPointer initialAccess, + SecPointer &outPublicKey, + SecPointer &outPrivateKey) +{ + bool freePublicKey = false; + bool freePrivateKey = false; + bool deleteContext = false; + + if (!(keychain->database()->dl()->subserviceMask() & CSSM_SERVICE_CSP)) + MacOSError::throwMe(errSecInvalidKeychain); + + SSDbImpl* impl = dynamic_cast(&(*keychain->database())); + if (impl == NULL) + { + CssmError::throwMe(CSSMERR_CSSM_INVALID_POINTER); + } + + SSDb ssDb(impl); + CssmClient::CSP csp(keychain->csp()); + CssmClient::CSP appleCsp(gGuidAppleCSP); + + // Create a Access::Maker for the initial owner of the private key. + ResourceControlContext rcc; + memset(&rcc, 0, sizeof(rcc)); + Access::Maker maker(Allocator::standard(), Access::Maker::kAnyMakerType); + // @@@ Potentially provide a credential argument which allows us to unwrap keys in the csp. + // Currently the CSP lets anyone do this, but we might restrict this in the future, e.g. + // a smartcard could require out of band pin entry before a key can be generated. + maker.initialOwner(rcc); + // Create the cred we need to manipulate the keys until we actually set a new access control for them. 
+ const AccessCredentials *cred = maker.cred(); + + CSSM_KEY publicCssmKey, privateCssmKey; + memset(&publicCssmKey, 0, sizeof(publicCssmKey)); + memset(&privateCssmKey, 0, sizeof(privateCssmKey)); + + CSSM_CC_HANDLE ccHandle = 0; + + Item publicKeyItem, privateKeyItem; + try + { + CSSM_RETURN status; + + // Calculate the hash of the public key using the appleCSP. + CssmClient::PassThrough passThrough(appleCsp); + void *outData; + CssmData *cssmData; + + /* Given a CSSM_KEY_PTR in any format, obtain the SHA-1 hash of the + * associated key blob. + * Key is specified in CSSM_CSP_CreatePassThroughContext. + * Hash is allocated bythe CSP, in the App's memory, and returned + * in *outData. */ + passThrough.key(&publicWrappedKey); + passThrough(CSSM_APPLECSP_KEYDIGEST, NULL, &outData); + cssmData = reinterpret_cast(outData); + CssmData &pubKeyHash = *cssmData; + + status = CSSM_CSP_CreateSymmetricContext(csp->handle(), publicWrappedKey.KeyHeader.WrapAlgorithmId, CSSM_ALGMODE_NONE, NULL, NULL, NULL, CSSM_PADDING_NONE, NULL, &ccHandle); + if (status) + CssmError::throwMe(status); + deleteContext = true; + + CSSM_DL_DB_HANDLE dldbHandle = ssDb->handle(); + CSSM_DL_DB_HANDLE_PTR dldbHandlePtr = &dldbHandle; + CSSM_CONTEXT_ATTRIBUTE contextAttributes = { CSSM_ATTRIBUTE_DL_DB_HANDLE, sizeof(dldbHandle), { (char *)dldbHandlePtr } }; + status = CSSM_UpdateContextAttributes(ccHandle, 1, &contextAttributes); + if (status) + CssmError::throwMe(status); + + // Unwrap the the keys + CSSM_DATA descriptiveData = {0, NULL}; + + status = CSSM_UnwrapKey( + ccHandle, + NULL, + &publicWrappedKey, + publicWrappedKey.KeyHeader.KeyUsage, + publicWrappedKey.KeyHeader.KeyAttr | CSSM_KEYATTR_PERMANENT, + &pubKeyHash, + &rcc, + &publicCssmKey, + &descriptiveData); + + if (status) + CssmError::throwMe(status); + freePublicKey = true; + + if (descriptiveData.Data != NULL) + free (descriptiveData.Data); + + status = CSSM_UnwrapKey( + ccHandle, + NULL, + &privateWrappedKey, + 
privateWrappedKey.KeyHeader.KeyUsage, + privateWrappedKey.KeyHeader.KeyAttr | CSSM_KEYATTR_PERMANENT, + &pubKeyHash, + &rcc, + &privateCssmKey, + &descriptiveData); + + if (status) + CssmError::throwMe(status); + + if (descriptiveData.Data != NULL) + free (descriptiveData.Data); + + freePrivateKey = true; + + // Find the keys we just generated in the DL to get SecKeyRefs to them + // so we can change the label to be the hash of the public key, and + // fix up other attributes. + + // Look up public key in the DLDB. + DbAttributes pubDbAttributes; + DbUniqueRecord pubUniqueId; + SSDbCursor dbPubCursor(ssDb, 1); + dbPubCursor->recordType(CSSM_DL_DB_RECORD_PUBLIC_KEY); + dbPubCursor->add(CSSM_DB_EQUAL, kInfoKeyLabel, pubKeyHash); + CssmClient::Key publicKey; + if (!dbPubCursor->nextKey(&pubDbAttributes, publicKey, pubUniqueId)) + MacOSError::throwMe(errSecItemNotFound); + + // Look up private key in the DLDB. + DbAttributes privDbAttributes; + DbUniqueRecord privUniqueId; + SSDbCursor dbPrivCursor(ssDb, 1); + dbPrivCursor->recordType(CSSM_DL_DB_RECORD_PRIVATE_KEY); + dbPrivCursor->add(CSSM_DB_EQUAL, kInfoKeyLabel, pubKeyHash); + CssmClient::Key privateKey; + if (!dbPrivCursor->nextKey(&privDbAttributes, privateKey, privUniqueId)) + MacOSError::throwMe(errSecItemNotFound); + + // @@@ Not exception safe! + csp.allocator().free(cssmData->Data); + csp.allocator().free(cssmData); + + auto_ptrprivDescription; + auto_ptrpubDescription; + try { + privDescription.reset(new string(initialAccess->promptDescription())); + pubDescription.reset(new string(initialAccess->promptDescription())); + } + catch(...) { + /* this path taken if no promptDescription available, e.g., for complex ACLs */ + privDescription.reset(new string("Private key")); + pubDescription.reset(new string("Public key")); + } + + // Set the label of the public key to the public key hash. + // Set the PrintName of the public key to the description in the acl. 
+ pubDbAttributes.add(kInfoKeyPrintName, *pubDescription); + pubUniqueId->modify(CSSM_DL_DB_RECORD_PUBLIC_KEY, &pubDbAttributes, NULL, CSSM_DB_MODIFY_ATTRIBUTE_REPLACE); + + // Set the label of the private key to the public key hash. + // Set the PrintName of the private key to the description in the acl. + privDbAttributes.add(kInfoKeyPrintName, *privDescription); + privUniqueId->modify(CSSM_DL_DB_RECORD_PRIVATE_KEY, &privDbAttributes, NULL, CSSM_DB_MODIFY_ATTRIBUTE_REPLACE); + + // Finally fix the acl and owner of the private key to the specified access control settings. + initialAccess->setAccess(*privateKey, maker); + + // Make the public key acl completely open + SecPointer pubKeyAccess(new Access()); + pubKeyAccess->setAccess(*publicKey, maker); + + // Create keychain items which will represent the keys. + publicKeyItem = keychain->item(CSSM_DL_DB_RECORD_PUBLIC_KEY, pubUniqueId); + privateKeyItem = keychain->item(CSSM_DL_DB_RECORD_PRIVATE_KEY, privUniqueId); + + KeyItem* impl = dynamic_cast(&(*publicKeyItem)); + if (impl == NULL) + { + CssmError::throwMe(CSSMERR_CSSM_INVALID_POINTER); + } + + outPublicKey = impl; + + impl = dynamic_cast(&(*privateKeyItem)); + if (impl == NULL) + { + CssmError::throwMe(CSSMERR_CSSM_INVALID_POINTER); + } + outPrivateKey = impl; + } + catch (...) 
+ { + if (freePublicKey) + CSSM_FreeKey(csp->handle(), cred, &publicCssmKey, TRUE); + if (freePrivateKey) + CSSM_FreeKey(csp->handle(), cred, &privateCssmKey, TRUE); + + if (deleteContext) + CSSM_DeleteContext(ccHandle); + + throw; + } + + if (freePublicKey) + CSSM_FreeKey(csp->handle(), cred, &publicCssmKey, FALSE); + if (freePrivateKey) + CSSM_FreeKey(csp->handle(), cred, &privateCssmKey, FALSE); + + if (deleteContext) + CSSM_DeleteContext(ccHandle); + + if (keychain && publicKeyItem && privateKeyItem) + { + KCEventNotifier::PostKeychainEvent(kSecAddEvent, keychain, publicKeyItem); + KCEventNotifier::PostKeychainEvent(kSecAddEvent, keychain, privateKeyItem); + } +} + +SecPointer +KeyItem::generateWithAttributes(const SecKeychainAttributeList *attrList, + Keychain keychain, + CSSM_ALGORITHMS algorithm, + uint32 keySizeInBits, + CSSM_CC_HANDLE contextHandle, + CSSM_KEYUSE keyUsage, + uint32 keyAttr, + SecPointer initialAccess) +{ + CssmClient::CSP appleCsp(gGuidAppleCSP); + CssmClient::CSP csp(NULL); + SSDb ssDb(NULL); + uint8 labelBytes[20]; + CssmData label(labelBytes, sizeof(labelBytes)); + bool freeKey = false; + bool deleteContext = false; + const CSSM_DATA *plabel = NULL; + + if (keychain) + { + if (!(keychain->database()->dl()->subserviceMask() & CSSM_SERVICE_CSP)) + MacOSError::throwMe(errSecInvalidKeychain); + + SSDbImpl* impl = dynamic_cast(&(*keychain->database())); + if (impl == NULL) + { + CssmError::throwMe(CSSMERR_CSSM_INVALID_POINTER); + } + + ssDb = SSDb(impl); + csp = keychain->csp(); + + // Generate a random label to use initially + CssmClient::Random random(appleCsp, CSSM_ALGID_APPLE_YARROW); + random.generate(label, (uint32)label.Length); + plabel = &label; + } + else + { + // Not a persistent key so create it in the regular csp + csp = appleCsp; + } + + // Create a Access::Maker for the initial owner of the private key. 
+ ResourceControlContext *prcc = NULL, rcc; + const AccessCredentials *cred = NULL; + Access::Maker maker; + if (keychain && initialAccess) + { + memset(&rcc, 0, sizeof(rcc)); + // @@@ Potentially provide a credential argument which allows us to generate keys in the csp. + // Currently the CSP lets anyone do this, but we might restrict this in the future, e.g. a smartcard + // could require out-of-band pin entry before a key can be generated. + maker.initialOwner(rcc); + // Create the cred we need to manipulate the keys until we actually set a new access control for them. + cred = maker.cred(); + prcc = &rcc; + } + + CSSM_KEY cssmKey; + + CSSM_CC_HANDLE ccHandle = 0; + + Item keyItem; + try + { + CSSM_RETURN status; + if (contextHandle) + ccHandle = contextHandle; + else + { + status = CSSM_CSP_CreateKeyGenContext(csp->handle(), algorithm, keySizeInBits, NULL, NULL, NULL, NULL, NULL, &ccHandle); + if (status) + CssmError::throwMe(status); + deleteContext = true; + } + + if (ssDb) + { + CSSM_DL_DB_HANDLE dldbHandle = ssDb->handle(); + CSSM_DL_DB_HANDLE_PTR dldbHandlePtr = &dldbHandle; + CSSM_CONTEXT_ATTRIBUTE contextAttributes = { CSSM_ATTRIBUTE_DL_DB_HANDLE, sizeof(dldbHandle), { (char *)dldbHandlePtr } }; + status = CSSM_UpdateContextAttributes(ccHandle, 1, &contextAttributes); + if (status) + CssmError::throwMe(status); + + keyAttr |= CSSM_KEYATTR_PERMANENT; + } + + // Generate the key + status = CSSM_GenerateKey(ccHandle, keyUsage, keyAttr, plabel, prcc, &cssmKey); + if (status) + CssmError::throwMe(status); + + if (ssDb) + { + freeKey = true; + // Find the key we just generated in the DL and get a SecKeyRef + // so we can specify the label attribute(s) and initial ACL. + + // Look up key in the DLDB. 
+ DbAttributes dbAttributes; + DbUniqueRecord uniqueId; + SSDbCursor dbCursor(ssDb, 1); + dbCursor->recordType(CSSM_DL_DB_RECORD_SYMMETRIC_KEY); + dbCursor->add(CSSM_DB_EQUAL, kInfoKeyLabel, label); + CssmClient::Key key; + if (!dbCursor->nextKey(&dbAttributes, key, uniqueId)) + MacOSError::throwMe(errSecItemNotFound); + + // Set the initial label, application label, and application tag (if provided) + if (attrList) { + DbAttributes newDbAttributes; + SSDbCursor otherDbCursor(ssDb, 1); + otherDbCursor->recordType(CSSM_DL_DB_RECORD_SYMMETRIC_KEY); + bool checkForDuplicates = false; + + for (UInt32 index=0; index < attrList->count; index++) { + SecKeychainAttribute attr = attrList->attr[index]; + CssmData attrData(attr.data, attr.length); + if (attr.tag == kSecKeyPrintName) { + newDbAttributes.add(kInfoKeyPrintName, attrData); + } + if (attr.tag == kSecKeyLabel) { + newDbAttributes.add(kInfoKeyLabel, attrData); + otherDbCursor->add(CSSM_DB_EQUAL, kInfoKeyLabel, attrData); + checkForDuplicates = true; + } + if (attr.tag == kSecKeyApplicationTag) { + newDbAttributes.add(kInfoKeyApplicationTag, attrData); + otherDbCursor->add(CSSM_DB_EQUAL, kInfoKeyApplicationTag, attrData); + checkForDuplicates = true; + } + } + + DbAttributes otherDbAttributes; + DbUniqueRecord otherUniqueId; + CssmClient::Key otherKey; + if (checkForDuplicates && otherDbCursor->nextKey(&otherDbAttributes, otherKey, otherUniqueId)) + MacOSError::throwMe(errSecDuplicateItem); + + uniqueId->modify(CSSM_DL_DB_RECORD_SYMMETRIC_KEY, &newDbAttributes, NULL, CSSM_DB_MODIFY_ATTRIBUTE_REPLACE); + } + + // Finally, fix the acl and owner of the key to the specified access control settings. + if (initialAccess) + initialAccess->setAccess(*key, maker); + + // Create keychain item which will represent the key. + keyItem = keychain->item(CSSM_DL_DB_RECORD_SYMMETRIC_KEY, uniqueId); + } + else + { + CssmClient::Key tempKey(csp, cssmKey); + keyItem = new KeyItem(tempKey); + } + } + catch (...) 
+ { + if (freeKey) + { + // Delete the key if something goes wrong so we don't end up with inaccessible keys in the database. + CSSM_FreeKey(csp->handle(), cred, &cssmKey, TRUE); + } + + if (deleteContext) + CSSM_DeleteContext(ccHandle); + + throw; + } + + if (freeKey) + { + CSSM_FreeKey(csp->handle(), NULL, &cssmKey, FALSE); + } + + if (deleteContext) + CSSM_DeleteContext(ccHandle); + + if (keychain && keyItem) + keychain->postEvent(kSecAddEvent, keyItem); + + KeyItem* item = dynamic_cast(&*keyItem); + if (item == NULL) + { + CssmError::throwMe(CSSMERR_CSSM_INVALID_POINTER); + } + + return item; +} + +SecPointer +KeyItem::generate(Keychain keychain, + CSSM_ALGORITHMS algorithm, + uint32 keySizeInBits, + CSSM_CC_HANDLE contextHandle, + CSSM_KEYUSE keyUsage, + uint32 keyAttr, + SecPointer initialAccess) +{ + return KeyItem::generateWithAttributes(NULL, keychain, + algorithm, keySizeInBits, contextHandle, + keyUsage, keyAttr, initialAccess); +} + + +void KeyItem::RawSign(SecPadding padding, CSSM_DATA dataToSign, const AccessCredentials *credentials, CSSM_DATA& signature) +{ + CSSM_ALGORITHMS baseAlg = key()->header().algorithm(); + + if ((baseAlg != CSSM_ALGID_RSA) && (baseAlg != CSSM_ALGID_ECDSA)) + { + MacOSError::throwMe(errSecParam); + } + + CSSM_ALGORITHMS paddingAlg = CSSM_PADDING_PKCS1; + + switch (padding) + { + case kSecPaddingPKCS1: + { + paddingAlg = CSSM_PADDING_PKCS1; + break; + } + + case kSecPaddingPKCS1MD2: + { + baseAlg = CSSM_ALGID_MD2WithRSA; + break; + } + + case kSecPaddingPKCS1MD5: + { + baseAlg = CSSM_ALGID_MD5WithRSA; + break; + } + + case kSecPaddingPKCS1SHA1: + { + baseAlg = CSSM_ALGID_SHA1WithRSA; + break; + } + + case kSecPaddingSigRaw: + { + paddingAlg = CSSM_PADDING_SIGRAW; + break; + } + + default: + { + paddingAlg = CSSM_PADDING_NONE; + break; + } + } + + Sign signContext(csp(), baseAlg); + signContext.key(key()); + signContext.cred(credentials); + // Fields required for CSSM_CSP_CreateSignatureContext set above. 
Using add instead of set ensures + // that the context is constructed before the set is attempted, which would fail silently otherwise. + signContext.add(CSSM_ATTRIBUTE_PADDING, paddingAlg); + + CssmData data(dataToSign.Data, dataToSign.Length); + signContext.sign(data); + + CssmData sig(signature.Data, signature.Length); + signContext(sig); // yes, this is an accessor. Believe it, or not. + signature.Length = sig.length(); +} + + + +void KeyItem::RawVerify(SecPadding padding, CSSM_DATA dataToVerify, const AccessCredentials *credentials, CSSM_DATA sig) +{ + CSSM_ALGORITHMS baseAlg = key()->header().algorithm(); + if ((baseAlg != CSSM_ALGID_RSA) && (baseAlg != CSSM_ALGID_ECDSA)) + { + MacOSError::throwMe(errSecParam); + } + + CSSM_ALGORITHMS paddingAlg = CSSM_PADDING_PKCS1; + + switch (padding) + { + case kSecPaddingPKCS1: + { + paddingAlg = CSSM_PADDING_PKCS1; + break; + } + + case kSecPaddingPKCS1MD2: + { + baseAlg = CSSM_ALGID_MD2WithRSA; + break; + } + + case kSecPaddingPKCS1MD5: + { + baseAlg = CSSM_ALGID_MD5WithRSA; + break; + } + + case kSecPaddingPKCS1SHA1: + { + baseAlg = CSSM_ALGID_SHA1WithRSA; + break; + } + + case kSecPaddingSigRaw: + { + paddingAlg = CSSM_PADDING_SIGRAW; + break; + } + + default: + { + paddingAlg = CSSM_PADDING_NONE; + break; + } + } + + Verify verifyContext(csp(), baseAlg); + verifyContext.key(key()); + verifyContext.cred(credentials); + // Fields required for CSSM_CSP_CreateSignatureContext set above. Using add instead of set ensures + // that the context is constructed before the set is attempted, which would fail silently otherwise. 
+ verifyContext.add(CSSM_ATTRIBUTE_PADDING, paddingAlg); + + CssmData data(dataToVerify.Data, dataToVerify.Length); + CssmData signature(sig.Data, sig.Length); + verifyContext.verify(data, signature); +} + + + +void KeyItem::Encrypt(SecPadding padding, CSSM_DATA dataToEncrypt, const AccessCredentials *credentials, CSSM_DATA& encryptedData) +{ + CSSM_ALGORITHMS baseAlg = key()->header().algorithm(); + if (baseAlg != CSSM_ALGID_RSA) + { + MacOSError::throwMe(errSecParam); + } + + CSSM_ALGORITHMS paddingAlg = CSSM_PADDING_PKCS1; + + switch (padding) + { + case kSecPaddingPKCS1: + { + paddingAlg = CSSM_PADDING_PKCS1; + break; + } + + default: + { + paddingAlg = CSSM_PADDING_NONE; + break; + } + } + + CssmClient::Encrypt encryptContext(csp(), baseAlg); + encryptContext.key(key()); + encryptContext.padding(paddingAlg); + encryptContext.cred(credentials); + + CssmData inData(dataToEncrypt.Data, dataToEncrypt.Length); + CssmData outData(encryptedData.Data, encryptedData.Length); + CssmData remData((void*) NULL, 0); + + encryptedData.Length = encryptContext.encrypt(inData, outData, remData); +} + + + +void KeyItem::Decrypt(SecPadding padding, CSSM_DATA dataToDecrypt, const AccessCredentials *credentials, CSSM_DATA& decryptedData) +{ + CSSM_ALGORITHMS baseAlg = key()->header().algorithm(); + if (baseAlg != CSSM_ALGID_RSA) + { + MacOSError::throwMe(errSecParam); + } + + CSSM_ALGORITHMS paddingAlg = CSSM_PADDING_PKCS1; + + switch (padding) + { + case kSecPaddingPKCS1: + { + paddingAlg = CSSM_PADDING_PKCS1; + break; + } + + + default: + { + paddingAlg = CSSM_PADDING_NONE; + break; + } + } + + CssmClient::Decrypt decryptContext(csp(), baseAlg); + decryptContext.key(key()); + decryptContext.padding(paddingAlg); + decryptContext.cred(credentials); + + CssmData inData(dataToDecrypt.Data, dataToDecrypt.Length); + CssmData outData(decryptedData.Data, decryptedData.Length); + CssmData remData((void*) NULL, 0); + decryptedData.Length = decryptContext.decrypt(inData, outData, remData); 
+ if (remData.Data != NULL) + { + free(remData.Data); + } +} + +CFHashCode KeyItem::hash() +{ + CFHashCode result = 0; + const CSSM_KEY *cssmKey = key(); + if (NULL != cssmKey) + { + unsigned char digest[CC_SHA256_DIGEST_LENGTH]; + + CFIndex size_of_data = sizeof(CSSM_KEYHEADER) + cssmKey->KeyData.Length; + + CFMutableDataRef temp_cfdata = CFDataCreateMutable(kCFAllocatorDefault, size_of_data); + if (NULL == temp_cfdata) + { + return result; + } + + CFDataAppendBytes(temp_cfdata, (const UInt8 *)cssmKey, sizeof(CSSM_KEYHEADER)); + CFDataAppendBytes(temp_cfdata, cssmKey->KeyData.Data, cssmKey->KeyData.Length); + + if (size_of_data < 80) + { + // If it is less than 80 bytes then CFData can be used + result = CFHash(temp_cfdata); + CFRelease(temp_cfdata); + } + // CFData truncates its hash value to 80 bytes. ???? + // In order to do the 'right thing' a SHA 256 hash will be used to + // include all of the data + else + { + memset(digest, 0, CC_SHA256_DIGEST_LENGTH); + + CC_SHA256((const void *)CFDataGetBytePtr(temp_cfdata), (CC_LONG)CFDataGetLength(temp_cfdata), digest); + + CFDataRef data_to_hash = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, + (const UInt8 *)digest, CC_SHA256_DIGEST_LENGTH, kCFAllocatorNull); + result = CFHash(data_to_hash); + CFRelease(data_to_hash); + CFRelease(temp_cfdata); + } + } + return result; +} + diff --git a/Security/libsecurity_keychain/lib/KeyItem.h b/OSX/include/security_keychain/KeyItem.h similarity index 100% rename from Security/libsecurity_keychain/lib/KeyItem.h rename to OSX/include/security_keychain/KeyItem.h diff --git a/Security/libsecurity_keychain/lib/Keychains.cpp b/OSX/include/security_keychain/Keychains.cpp similarity index 100% rename from Security/libsecurity_keychain/lib/Keychains.cpp rename to OSX/include/security_keychain/Keychains.cpp diff --git a/OSX/include/security_keychain/Keychains.h b/OSX/include/security_keychain/Keychains.h new file mode 100644 index 00000000..7931313e --- /dev/null 
+++ b/OSX/include/security_keychain/Keychains.h 
@@ -0,0 +1,267 @@ +/* + * Copyright (c) 2000-2004,2011-2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +// +// Keychains.h - The Keychain class +// +#ifndef _SECURITY_KEYCHAINS_H_ +#define _SECURITY_KEYCHAINS_H_ + +#include +#include +#include +#include +#include +#include +#include +#include "SecCFTypes.h" +#include "defaultcreds.h" + +class EventBuffer; + +namespace Security +{ + +namespace KeychainCore +{ + +class KCCursor; +class Item; +class PrimaryKey; +class StorageManager; + +class KeychainSchemaImpl : public RefCount +{ + NOCOPY(KeychainSchemaImpl) +public: + friend class KeychainSchema; +protected: + KeychainSchemaImpl(const CssmClient::Db &db); +public: + virtual ~KeychainSchemaImpl(); + + CSSM_DB_ATTRIBUTE_FORMAT attributeFormatFor(CSSM_DB_RECORDTYPE recordType, uint32 attributeId) const; + const CssmAutoDbRecordAttributeInfo &primaryKeyInfosFor(CSSM_DB_RECORDTYPE recordType) const; + + bool operator <(const KeychainSchemaImpl &other) const; + bool operator ==(const KeychainSchemaImpl &other) const; + + void 
getAttributeInfoForRecordType(CSSM_DB_RECORDTYPE recordType, SecKeychainAttributeInfo **Info) const; + CssmDbAttributeInfo attributeInfoFor(CSSM_DB_RECORDTYPE recordType, uint32 attributeId) const; + bool hasAttribute(CSSM_DB_RECORDTYPE recordType, uint32 attributeId) const; + bool hasRecordType(CSSM_DB_RECORDTYPE recordType) const; + + void didCreateRelation(CSSM_DB_RECORDTYPE inRelationID, + const char *inRelationName, + uint32 inNumberOfAttributes, + const CSSM_DB_SCHEMA_ATTRIBUTE_INFO *pAttributeInfo, + uint32 inNumberOfIndexes, + const CSSM_DB_SCHEMA_INDEX_INFO *pIndexInfo); + +private: + typedef map PrimaryKeyInfoMap; + PrimaryKeyInfoMap mPrimaryKeyInfoMap; + + typedef map RelationInfoMap; + typedef map DatabaseInfoMap; + DatabaseInfoMap mDatabaseInfoMap; + Mutex mMutex; + +private: + const RelationInfoMap &relationInfoMapFor(CSSM_DB_RECORDTYPE recordType) const; +}; + + +class KeychainSchema : public RefPointer +{ +public: + KeychainSchema() {} + KeychainSchema(KeychainSchemaImpl *impl) : RefPointer(impl) {} + KeychainSchema(const CssmClient::Db &db) : RefPointer(new KeychainSchemaImpl(db)) {} + ~KeychainSchema(); + + bool operator <(const KeychainSchema &other) const + { return ptr && other.ptr ? *ptr < *other.ptr : ptr < other.ptr; } + bool operator ==(const KeychainSchema &other) const + { return ptr && other.ptr ? 
*ptr == *other.ptr : ptr == other.ptr; } + +private: + typedef KeychainSchemaImpl Impl; +}; + + +class ItemImpl; + +class KeychainImpl : public SecCFObject, private CssmClient::Db::DefaultCredentialsMaker +{ + NOCOPY(KeychainImpl) +public: + SECCFFUNCTIONS(KeychainImpl, SecKeychainRef, errSecInvalidKeychain, gTypes().KeychainImpl) + + friend class Keychain; + friend class ItemImpl; +protected: + KeychainImpl(const CssmClient::Db &db); + +protected: + // Methods called by ItemImpl; + void didUpdate(const Item &inItem, PrimaryKey &oldPK, + PrimaryKey &newPK); + void completeAdd(Item &item, PrimaryKey &key); + +public: + virtual ~KeychainImpl(); + + Mutex* getKeychainMutex(); + Mutex* getMutexForObject(); + void aboutToDestruct(); + + bool operator ==(const KeychainImpl &) const; + + // Item calls + void add(Item &item); + void addCopy(Item &item); + void deleteItem(Item &item); // item must be persistent. + + // Keychain calls + void create(UInt32 passwordLength, const void *inPassword); + void createWithBlob(CssmData &blob); + void create(ConstStringPtr inPassword); + void create(); + void create(const ResourceControlContext *rcc); + void open(); + + // Locking and unlocking a keychain. + void lock(); + void unlock(); + void unlock(const CssmData &password); + void unlock(ConstStringPtr password); // @@@ This has a length limit, we should remove it. + void stash(); + void stashCheck(); + + void getSettings(uint32 &outIdleTimeOut, bool &outLockOnSleep); + void setSettings(uint32 inIdleTimeOut, bool inLockOnSleep); + + // Passing in NULL for either oldPassword or newPassword will cause them to be prompted for. + // To specify a zero length password in either case the oldPasswordLength or newPasswordLength + // value must be 0 and the oldPassword or newPassword must not be NULL. 
+ void changePassphrase(UInt32 oldPasswordLength, const void *oldPassword, + UInt32 newPasswordLength, const void *newPassword); + void changePassphrase(ConstStringPtr oldPassword, ConstStringPtr newPassword); + + void authenticate(const CSSM_ACCESS_CREDENTIALS *cred); // Does not do an unlock. + + const char *name() const { return mDb->name(); } + UInt32 status() const; + bool exists(); + bool isActive() const; + + KCCursor createCursor(const SecKeychainAttributeList *attrList); + KCCursor createCursor(SecItemClass itemClass, const SecKeychainAttributeList *attrList); + CssmClient::Db database() { return mDb; } + DLDbIdentifier dlDbIdentifier() const { return mDb->dlDbIdentifier(); } + + CssmClient::CSP csp(); + + PrimaryKey makePrimaryKey(CSSM_DB_RECORDTYPE recordType, CssmClient::DbUniqueRecord &uniqueId); + void gatherPrimaryKeyAttributes(CssmClient::DbAttributes& primaryKeyAttrs); + + const CssmAutoDbRecordAttributeInfo &primaryKeyInfosFor(CSSM_DB_RECORDTYPE recordType); + + Item item(const PrimaryKey& primaryKey); + Item item(CSSM_DB_RECORDTYPE recordType, CssmClient::DbUniqueRecord &uniqueId); + + CssmDbAttributeInfo attributeInfoFor(CSSM_DB_RECORDTYPE recordType, UInt32 tag); + void getAttributeInfoForItemID(CSSM_DB_RECORDTYPE itemID, SecKeychainAttributeInfo **Info); + static void freeAttributeInfo(SecKeychainAttributeInfo *Info); + KeychainSchema keychainSchema(); + void resetSchema(); + void didDeleteItem(ItemImpl *inItemImpl); + + void recode(const CssmData &data, const CssmData &extraData); + void copyBlob(CssmData &dbBlob); + + void setBatchMode(Boolean mode, Boolean rollBack); + + // yield default open() credentials for this keychain (as of now) + const AccessCredentials *defaultCredentials(); + + // Only call these functions while holding globals().apiLock. 
+ bool inCache() const throw() { return mInCache; } + void inCache(bool inCache) throw() { mInCache = inCache; } + + void postEvent(SecKeychainEvent kcEvent, ItemImpl* item); + + void addItem(const PrimaryKey &primaryKey, ItemImpl *dbItemImpl); + + bool mayDelete(); + +private: + void removeItem(const PrimaryKey &primaryKey, ItemImpl *inItemImpl); + ItemImpl *_lookupItem(const PrimaryKey &primaryKey); + + const AccessCredentials *makeCredentials(); + + typedef map DbItemMap; + // Weak reference map of all items we know about that have a primaryKey + DbItemMap mDbItemMap; + // True iff we are in the cache of keychains in StorageManager + bool mInCache; + + CssmClient::Db mDb; + + KeychainSchema mKeychainSchema; + + // Data for auto-unlock credentials + DefaultCredentials mCustomUnlockCreds; + bool mIsInBatchMode; + EventBuffer *mEventBuffer; + Mutex mMutex; +}; + + +CFIndex GetKeychainRetainCount(Keychain& kc); + +class Keychain : public SecPointer +{ +public: + Keychain(); + Keychain(KeychainImpl *impl) : SecPointer(impl) {} + ~Keychain(); + + static Keychain optional(SecKeychainRef handle); + +private: + friend class StorageManager; + Keychain(const CssmClient::Db &db) + : SecPointer(new KeychainImpl(db)) {} + + typedef KeychainImpl Impl; +}; + + +} // end namespace KeychainCore + +} // end namespace Security + +#endif // !_SECURITY_KEYCHAINS_H_ diff --git a/Security/libsecurity_keychain/lib/MacOSErrorStrings.h b/OSX/include/security_keychain/MacOSErrorStrings.h similarity index 100% rename from Security/libsecurity_keychain/lib/MacOSErrorStrings.h rename to OSX/include/security_keychain/MacOSErrorStrings.h diff --git a/Security/libsecurity_keychain/lib/Password.cpp b/OSX/include/security_keychain/Password.cpp similarity index 100% rename from Security/libsecurity_keychain/lib/Password.cpp rename to OSX/include/security_keychain/Password.cpp 
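Review bot: The comment `// Only call these functions while holding globals().apiLock.` placed above `inCache()` does not say where the requirement ends, so a reader cannot tell whether `postEvent`, `addItem` and `mayDelete`, which follow in the same public section, are covered as well. Bounding it explicitly, e.g. `// The two inCache() accessors below must only be called while holding globals().apiLock.`, removes the ambiguity; whether the later methods lock `mMutex` themselves is not visible from this header, so say so only if the .cpp confirms it. Separately, `getKeychainMutex()` and `getMutexForObject()` hand out a raw `Mutex*` with no note on ownership or lifetime; a one-line comment stating that the pointer is owned by the KeychainImpl and must not outlive it would help callers.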
diff --git a/Security/libsecurity_keychain/lib/Password.h b/OSX/include/security_keychain/Password.h
similarity index 100%
rename from Security/libsecurity_keychain/lib/Password.h
rename to OSX/include/security_keychain/Password.h
diff --git a/OSX/include/security_keychain/Policies.cpp b/OSX/include/security_keychain/Policies.cpp
new file mode 100644
index 00000000..43f5c5a5
--- /dev/null
+++ b/OSX/include/security_keychain/Policies.cpp
@@ -0,0 +1,361 @@ +/* + * Copyright (c) 2002-2004,2011-2015 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +// +// Policy.cpp - Working with Policies +// +#include +#include +#include +#include + +/* Oids longer than this are considered invalid. */ +#define MAX_OID_SIZE 32 + +//%%FIXME: need to use a common copy of this utility function +static +CFStringRef SecDERItemCopyOIDDecimalRepresentation(uint8 *oid, size_t oidLen) +{ + if (oidLen == 0) + return CFSTR(""); + + if (oidLen > MAX_OID_SIZE) + return CFSTR("Oid too long"); + + CFMutableStringRef result = CFStringCreateMutable(kCFAllocatorDefault, 0); + + // The first two levels are encoded into one byte, since the root level + // has only 3 nodes (40*x + y). However if x = joint-iso-itu-t(2) then + // y may be > 39, so we have to add special-case handling for this. 
+ uint32_t x = oid[0] / 40; + uint32_t y = oid[0] % 40; + if (x > 2) + { + // Handle special case for large y if x = 2 + y += (x - 2) * 40; + x = 2; + } + CFStringAppendFormat(result, NULL, CFSTR("%u.%u"), x, y); + + unsigned long value = 0; + for (x = 1; x < oidLen; ++x) + { + value = (value << 7) | (oid[x] & 0x7F); + /* @@@ value may not span more than 4 bytes. */ + /* A max number of 20 values is allowed. */ + if (!(oid[x] & 0x80)) + { + CFStringAppendFormat(result, NULL, CFSTR(".%lu"), value); + value = 0; + } + } + return result; +} + + +using namespace KeychainCore; + +Policy::Policy(TP supportingTp, const CssmOid &policyOid) + : mTp(supportingTp), + mOid(Allocator::standard(), policyOid), + mValue(Allocator::standard()), + mAuxValue(Allocator::standard()) +{ + // value is as yet unimplemented + secdebug("policy", "Policy() this %p", this); +} + +Policy::~Policy() throw() +{ + secdebug("policy", "~Policy() this %p", this); +} + +void Policy::setValue(const CssmData &value) +{ + StLock_(mMutex); + mValue = value; + mAuxValue.reset(); + + // Certain policy values may contain an embedded pointer. Ask me how I feel about that. + if (mOid == CSSMOID_APPLE_TP_SSL || + mOid == CSSMOID_APPLE_TP_EAP || + mOid == CSSMOID_APPLE_TP_IP_SEC || + mOid == CSSMOID_APPLE_TP_APPLEID_SHARING) + { + CSSM_APPLE_TP_SSL_OPTIONS *opts = (CSSM_APPLE_TP_SSL_OPTIONS *)value.data(); + if (opts->Version == CSSM_APPLE_TP_SSL_OPTS_VERSION) + { + if (opts->ServerNameLen > 0) + { + // Copy auxiliary data, then update the embedded pointer to reference our copy + mAuxValue.copy(const_cast(opts->ServerName), opts->ServerNameLen); + mValue.get().interpretedAs()->ServerName = + reinterpret_cast(mAuxValue.data()); + } + else + { + // Clear the embedded pointer! 
+ mValue.get().interpretedAs()->ServerName = + reinterpret_cast(NULL); + } + } + } + else if (mOid == CSSMOID_APPLE_TP_SMIME || + mOid == CSSMOID_APPLE_TP_ICHAT || + mOid == CSSMOID_APPLE_TP_PASSBOOK_SIGNING) + { + CSSM_APPLE_TP_SMIME_OPTIONS *opts = (CSSM_APPLE_TP_SMIME_OPTIONS *)value.data(); + if (opts->Version == CSSM_APPLE_TP_SMIME_OPTS_VERSION) + { + if (opts->SenderEmailLen > 0) + { + // Copy auxiliary data, then update the embedded pointer to reference our copy + mAuxValue.copy(const_cast(opts->SenderEmail), opts->SenderEmailLen); + mValue.get().interpretedAs()->SenderEmail = + reinterpret_cast(mAuxValue.data()); + } + else + { + // Clear the embedded pointer! + mValue.get().interpretedAs()->SenderEmail = + reinterpret_cast(NULL); + } + } + } +} + +void Policy::setProperties(CFDictionaryRef properties) +{ + // Set the policy value based on the provided dictionary keys. + if (properties == NULL) + return; + + if (mOid == CSSMOID_APPLE_TP_SSL || + mOid == CSSMOID_APPLE_TP_EAP || + mOid == CSSMOID_APPLE_TP_IP_SEC || + mOid == CSSMOID_APPLE_TP_APPLEID_SHARING) + { + CSSM_APPLE_TP_SSL_OPTIONS options = { CSSM_APPLE_TP_SSL_OPTS_VERSION, 0, NULL, 0 }; + char *buf = NULL; + CFStringRef nameStr = NULL; + if (CFDictionaryGetValueIfPresent(properties, (const void *)kSecPolicyName, (const void **)&nameStr)) { + buf = (char *)malloc(MAXPATHLEN); + if (buf) { + if (CFStringGetCString(nameStr, buf, MAXPATHLEN, kCFStringEncodingUTF8)) { + options.ServerName = buf; + options.ServerNameLen = (unsigned)(strlen(buf)+1); // include terminating null + } + } + } + CFBooleanRef clientRef = NULL; + if (CFDictionaryGetValueIfPresent(properties, (const void *)kSecPolicyClient, (const void **)&clientRef) + && CFBooleanGetValue(clientRef) == true) + options.Flags |= CSSM_APPLE_TP_SSL_CLIENT; + + const CssmData value((uint8*)&options, sizeof(options)); + this->setValue(value); + + if (buf) free(buf); + } + else if (mOid == CSSMOID_APPLE_TP_SMIME || + mOid == CSSMOID_APPLE_TP_ICHAT || + 
mOid == CSSMOID_APPLE_TP_PASSBOOK_SIGNING) + { + CSSM_APPLE_TP_SMIME_OPTIONS options = { CSSM_APPLE_TP_SMIME_OPTS_VERSION, 0, 0, NULL }; + char *buf = NULL; + CFStringRef nameStr = NULL; + if (CFDictionaryGetValueIfPresent(properties, (const void *)kSecPolicyName, (const void **)&nameStr)) { + buf = (char *)malloc(MAXPATHLEN); + if (buf) { + if (CFStringGetCString(nameStr, buf, MAXPATHLEN, kCFStringEncodingUTF8)) { + CFStringRef teamIDStr = NULL; + if (CFDictionaryGetValueIfPresent(properties, (const void *)kSecPolicyTeamIdentifier, (const void **)&teamIDStr)) { + char *buf2 = (char *)malloc(MAXPATHLEN); + if (buf2) { + if (CFStringGetCString(teamIDStr, buf2, MAXPATHLEN, kCFStringEncodingUTF8)) { + /* append tab separator and team identifier */ + strlcat(buf, "\t", MAXPATHLEN); + strlcat(buf, buf2, MAXPATHLEN); + } + free(buf2); + } + } + options.SenderEmail = buf; + options.SenderEmailLen = (unsigned)(strlen(buf)+1); // include terminating null + } + } + } + CFBooleanRef kuRef = NULL; + if (CFDictionaryGetValueIfPresent(properties, (const void *)kSecPolicyKU_DigitalSignature, (const void **)&kuRef) + && CFBooleanGetValue(kuRef) == true) + options.IntendedUsage |= CE_KU_DigitalSignature; + if (CFDictionaryGetValueIfPresent(properties, (const void *)kSecPolicyKU_NonRepudiation, (const void **)&kuRef) + && CFBooleanGetValue(kuRef) == true) + options.IntendedUsage |= CE_KU_NonRepudiation; + if (CFDictionaryGetValueIfPresent(properties, (const void *)kSecPolicyKU_KeyEncipherment, (const void **)&kuRef) + && CFBooleanGetValue(kuRef) == true) + options.IntendedUsage |= CE_KU_KeyEncipherment; + if (CFDictionaryGetValueIfPresent(properties, (const void *)kSecPolicyKU_DataEncipherment, (const void **)&kuRef) + && CFBooleanGetValue(kuRef) == true) + options.IntendedUsage |= CE_KU_DataEncipherment; + if (CFDictionaryGetValueIfPresent(properties, (const void *)kSecPolicyKU_KeyAgreement, (const void **)&kuRef) + && CFBooleanGetValue(kuRef) == true) + options.IntendedUsage |= 
CE_KU_KeyAgreement; + if (CFDictionaryGetValueIfPresent(properties, (const void *)kSecPolicyKU_KeyCertSign, (const void **)&kuRef) + && CFBooleanGetValue(kuRef) == true) + options.IntendedUsage |= CE_KU_KeyCertSign; + if (CFDictionaryGetValueIfPresent(properties, (const void *)kSecPolicyKU_CRLSign, (const void **)&kuRef) + && CFBooleanGetValue(kuRef) == true) + options.IntendedUsage |= CE_KU_CRLSign; + if (CFDictionaryGetValueIfPresent(properties, (const void *)kSecPolicyKU_EncipherOnly, (const void **)&kuRef) + && CFBooleanGetValue(kuRef) == true) + options.IntendedUsage |= CE_KU_EncipherOnly; + if (CFDictionaryGetValueIfPresent(properties, (const void *)kSecPolicyKU_DecipherOnly, (const void **)&kuRef) + && CFBooleanGetValue(kuRef) == true) + options.IntendedUsage |= CE_KU_DecipherOnly; + + const CssmData value((uint8*)&options, sizeof(options)); + this->setValue(value); + + if (buf) free(buf); + } + else if (mOid == CSSMOID_APPLE_TP_REVOCATION) + { + CFNumberRef num = NULL; + if (CFDictionaryGetValueIfPresent(properties, (const void *)kSecPolicyRevocationFlags, (const void **)&num)) { + CFOptionFlags revocationFlags = 0; + if (num) { + (void)CFNumberGetValue(num, kCFNumberCFIndexType, &revocationFlags); + } + const CssmData value((uint8*)&revocationFlags, sizeof(revocationFlags)); + this->setValue(value); + } + } + +} + +CFDictionaryRef Policy::properties() +{ + // Builds and returns a dictionary which the caller must release. 
+ CFMutableDictionaryRef properties = CFDictionaryCreateMutable(NULL, 0, + &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + if (!properties) return NULL; + + // kSecPolicyOid + CFStringRef oidStr = SecDERItemCopyOIDDecimalRepresentation((uint8*)mOid.data(), mOid.length()); + if (oidStr) { + CFDictionarySetValue(properties, (const void *)kSecPolicyOid, (const void *)oidStr); + CFRelease(oidStr); + } + + // kSecPolicyName + if (mAuxValue) { + CFStringRef nameStr = CFStringCreateWithBytes(NULL, + (const UInt8 *)reinterpret_cast(mAuxValue.data()), + (CFIndex)mAuxValue.length(), kCFStringEncodingUTF8, false); + if (nameStr) { + if (mOid == CSSMOID_APPLE_TP_PASSBOOK_SIGNING) { + CFArrayRef strs = CFStringCreateArrayBySeparatingStrings(kCFAllocatorDefault, nameStr, CFSTR("\t")); + if (strs) { + CFIndex count = CFArrayGetCount(strs); + if (count > 0) + CFDictionarySetValue(properties, (const void *)kSecPolicyName, (const void *)CFArrayGetValueAtIndex(strs, 0)); + if (count > 1) + CFDictionarySetValue(properties, (const void *)kSecPolicyTeamIdentifier, (const void *)CFArrayGetValueAtIndex(strs, 1)); + CFRelease(strs); + } + } + else { + CFDictionarySetValue(properties, (const void *)kSecPolicyName, (const void *)nameStr); + } + CFRelease(nameStr); + } + } + + // kSecPolicyClient + if (mValue) { + if (mOid == CSSMOID_APPLE_TP_SSL || + mOid == CSSMOID_APPLE_TP_EAP || + mOid == CSSMOID_APPLE_TP_IP_SEC || + mOid == CSSMOID_APPLE_TP_APPLEID_SHARING) + { + CSSM_APPLE_TP_SSL_OPTIONS *opts = (CSSM_APPLE_TP_SSL_OPTIONS *)mValue.data(); + if (opts->Flags & CSSM_APPLE_TP_SSL_CLIENT) { + CFDictionarySetValue(properties, (const void *)kSecPolicyClient, (const void *)kCFBooleanTrue); + } + } + } + + // key usage flags (currently only for S/MIME and iChat policies) + if (mValue) { + if (mOid == CSSMOID_APPLE_TP_SMIME || + mOid == CSSMOID_APPLE_TP_ICHAT) + { + CSSM_APPLE_TP_SMIME_OPTIONS *opts = (CSSM_APPLE_TP_SMIME_OPTIONS *)mValue.data(); + CE_KeyUsage usage = 
opts->IntendedUsage; + if (usage & CE_KU_DigitalSignature) + CFDictionarySetValue(properties, (const void *)kSecPolicyKU_DigitalSignature, (const void *)kCFBooleanTrue); + if (usage & CE_KU_NonRepudiation) + CFDictionarySetValue(properties, (const void *)kSecPolicyKU_NonRepudiation, (const void *)kCFBooleanTrue); + if (usage & CE_KU_KeyEncipherment) + CFDictionarySetValue(properties, (const void *)kSecPolicyKU_KeyEncipherment, (const void *)kCFBooleanTrue); + if (usage & CE_KU_DataEncipherment) + CFDictionarySetValue(properties, (const void *)kSecPolicyKU_DataEncipherment, (const void *)kCFBooleanTrue); + if (usage & CE_KU_KeyAgreement) + CFDictionarySetValue(properties, (const void *)kSecPolicyKU_KeyAgreement, (const void *)kCFBooleanTrue); + if (usage & CE_KU_KeyCertSign) + CFDictionarySetValue(properties, (const void *)kSecPolicyKU_KeyCertSign, (const void *)kCFBooleanTrue); + if (usage & CE_KU_CRLSign) + CFDictionarySetValue(properties, (const void *)kSecPolicyKU_CRLSign, (const void *)kCFBooleanTrue); + if (usage & CE_KU_EncipherOnly) + CFDictionarySetValue(properties, (const void *)kSecPolicyKU_EncipherOnly, (const void *)kCFBooleanTrue); + if (usage & CE_KU_DecipherOnly) + CFDictionarySetValue(properties, (const void *)kSecPolicyKU_DecipherOnly, (const void *)kCFBooleanTrue); + } + else if (mOid == CSSMOID_APPLE_TP_REVOCATION) + { + CFOptionFlags *revocationFlagsPtr = (CFOptionFlags *)mValue.data(); + if (revocationFlagsPtr) { + CFNumberRef num = CFNumberCreate(kCFAllocatorDefault, kCFNumberCFIndexType, revocationFlagsPtr); + if (num) { + CFDictionarySetValue(properties, (const void *)kSecPolicyRevocationFlags, num); + CFRelease(num); + } + } + } + } + return properties; +} + + +bool Policy::operator < (const Policy& other) const +{ + //@@@ inefficient + return (oid() < other.oid()) || + (oid() == other.oid() && value() < other.value()); +} + +bool Policy::operator == (const Policy& other) const +{ + return oid() == other.oid() && value() == other.value(); 
+} diff --git a/Security/libsecurity_keychain/lib/Policies.h b/OSX/include/security_keychain/Policies.h similarity index 100% rename from Security/libsecurity_keychain/lib/Policies.h rename to OSX/include/security_keychain/Policies.h diff --git a/Security/libsecurity_keychain/lib/PolicyCursor.cpp b/OSX/include/security_keychain/PolicyCursor.cpp similarity index 100% rename from Security/libsecurity_keychain/lib/PolicyCursor.cpp rename to OSX/include/security_keychain/PolicyCursor.cpp diff --git a/OSX/include/security_keychain/PolicyCursor.h b/OSX/include/security_keychain/PolicyCursor.h new file mode 100644 index 00000000..c7503b68 --- /dev/null +++ b/OSX/include/security_keychain/PolicyCursor.h 
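Review bot: `Policy::setValue` casts `value.data()` to `CSSM_APPLE_TP_SSL_OPTIONS *` (and, in the S/MIME branch, `CSSM_APPLE_TP_SMIME_OPTIONS *`) and reads `opts->Version` and `ServerNameLen`/`SenderEmailLen` without first checking that `value.length()` covers the struct, so a caller-supplied value shorter than the options struct is read past its end. A guard at the top of each branch, `if (value.length() < sizeof(*opts)) MacOSError::throwMe(errSecParam);` (the convention KeyItem.cpp in this commit uses; adjust if that header is not in scope here), closes it. Relatedly, `setProperties` calls `CFStringGetCString` and `CFBooleanGetValue` on dictionary values without a `CFGetTypeID` check, so a dictionary carrying the wrong type under `kSecPolicyName` or `kSecPolicyClient` is undefined behaviour rather than a parameter error. Note also that `setProperties` stores `ServerNameLen`/`SenderEmailLen` including the terminating NUL, while `properties()` rebuilds the name from all `mAuxValue.length()` bytes, so the returned `kSecPolicyName` appears to carry a trailing U+0000; dropping the final byte when it is NUL would restore the round trip.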
@@ -0,0 +1,93 @@ +/* + * Copyright (c) 2002-2004,2011-2012,2014-2015 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +// +// PolicyCursor.h +// +#ifndef _SECURITY_POLICYCURSOR_H_ +#define _SECURITY_POLICYCURSOR_H_ + +#include +#include +#include +#include +#include +#include "SecCFTypes.h" + +namespace Security +{ + +namespace KeychainCore +{ + +class Policy; + +class PolicyCursor : public SecCFObject +{ + NOCOPY(PolicyCursor) +public: + SECCFFUNCTIONS(PolicyCursor, SecPolicySearchRef, errSecInvalidSearchRef, gTypes().PolicyCursor) + + PolicyCursor(const CSSM_OID* oid, const CSSM_DATA* value); + virtual ~PolicyCursor() throw(); + bool next(SecPointer &policy); + bool oidProvided() { return mOidGiven; } + + static void policy(const CSSM_OID* oid, SecPointer &policy); + +private: + //CFArrayRef mKeychainSearchList; + //SecKeyUsage mKeyUsage; + //SecPolicyRef mPolicy; + CssmAutoData mOid; + bool mOidGiven; + // value ignored (for now?) 
+ +#if 1 // quick version -- using built-in policy list + + int mSearchPos; // next untried table entry + +#else // MDS version -- later + bool mFirstLookup; + + // + // Initialization + // + MDS_HANDLE mMdsHand; + CSSM_DB_HANDLE mDbHand; + // + // Used for searching (lookups) + // + MDS_DB_HANDLE mObjDlDb; + MDS_DB_HANDLE mCdsaDlDb; + MDS_FUNCS* mMdsFuncs; +#endif + + Mutex mMutex; +}; + +} // end namespace KeychainCore + +} // end namespace Security + +#endif // !_SECURITY_POLICYCURSOR_H_ diff --git a/Security/libsecurity_keychain/lib/PrimaryKey.cpp b/OSX/include/security_keychain/PrimaryKey.cpp similarity index 100% rename from Security/libsecurity_keychain/lib/PrimaryKey.cpp rename to OSX/include/security_keychain/PrimaryKey.cpp diff --git a/Security/libsecurity_keychain/lib/PrimaryKey.h b/OSX/include/security_keychain/PrimaryKey.h similarity index 100% rename from Security/libsecurity_keychain/lib/PrimaryKey.h rename to OSX/include/security_keychain/PrimaryKey.h diff --git a/Security/libsecurity_keychain/lib/SecACL.cpp b/OSX/include/security_keychain/SecACL.cpp similarity index 100% rename from Security/libsecurity_keychain/lib/SecACL.cpp rename to OSX/include/security_keychain/SecACL.cpp diff --git a/OSX/include/security_keychain/SecACL.h b/OSX/include/security_keychain/SecACL.h new file mode 100644 index 00000000..a0f4514d --- /dev/null +++ b/OSX/include/security_keychain/SecACL.h 
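Review bot: The constructor `PolicyCursor(const CSSM_OID* oid, const CSSM_DATA* value)` accepts a `value`, but the private section carries only `mOid`/`mOidGiven` and the comment `// value ignored (for now?)`, so a caller that passes a value expecting the search to be narrowed by it will get every policy matching the OID; that caveat belongs on the public declaration, e.g. `// 'value' is accepted for API compatibility but does not narrow the search; only 'oid' is consulted`. `bool oidProvided()` only reads `mOidGiven` and can be declared `const`. The `#if 1 … #else` MDS branch and the three commented-out members (`//CFArrayRef mKeychainSearchList;` etc.) are dead code in a freshly added header; keep the built-in-table members and replace the rest with a one-line TODO describing the intended MDS design.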
@@ -0,0 +1,228 @@ +/* + * Copyright (c) 2002-2011 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +/*! + @header SecACL + The functions provided in SecACL are for managing entries in the access control list. + */ + +#ifndef _SECURITY_SECACL_H_ +#define _SECURITY_SECACL_H_ + +#include +#include +#include +#include +#include + + +#if defined(__cplusplus) +extern "C" { +#endif + +CF_ASSUME_NONNULL_BEGIN +CF_IMPLICIT_BRIDGING_ENABLED + + typedef CF_OPTIONS(uint16, SecKeychainPromptSelector) + { + kSecKeychainPromptRequirePassphase = 0x0001, /* require re-entering of passphrase */ + /* the following bits are ignored by 10.4 and earlier */ + kSecKeychainPromptUnsigned = 0x0010, /* prompt for unsigned clients */ + kSecKeychainPromptUnsignedAct = 0x0020, /* UNSIGNED bit overrides system default */ + kSecKeychainPromptInvalid = 0x0040, /* prompt for invalid signed clients */ + kSecKeychainPromptInvalidAct = 0x0080, + }; + + + /*! + @function SecACLGetTypeID + @abstract Returns the type identifier of SecACL instances. + @result The CFTypeID of SecACL instances. 
+ */ + CFTypeID SecACLGetTypeID(void) + __OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_NA); + + /*! + @function SecACLCreateFromSimpleContents + @abstract Creates a new access control list entry from the application list, description, and prompt selector provided and adds it to an item's access. + @param access An access reference. + @param applicationList An array of SecTrustedApplication instances that will be allowed access without prompting. + @param description The human readable name that will be used to refer to this item when the user is prompted. + @param promptSelector A pointer to a CSSM prompt selector. + @param newAcl A pointer to an access control list entry. On return, this points to the reference of the new access control list entry. + @result A result code. See "Security Error Codes" (SecBase.h). + @discussion This function is deprecated in 10.7 and later; + use SecACLCreateWithSimpleContents instead. + */ + OSStatus SecACLCreateFromSimpleContents(SecAccessRef access, + CFArrayRef __nullable applicationList, + CFStringRef description, + const CSSM_ACL_KEYCHAIN_PROMPT_SELECTOR *promptSelector, + SecACLRef * __nonnull CF_RETURNS_RETAINED newAcl) + DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; + + /*! + @function SecACLCreateWithSimpleContents + @abstract Creates a new access control list entry from the application list, description, and prompt selector provided and adds it to an item's access. + @param access An access reference. + @param applicationList An array of SecTrustedApplication instances that will be allowed access without prompting. + @param description The human readable name that will be used to refer to this item when the user is prompted. + @param promptSelector A SecKeychainPromptSelector selector. + @param newAcl A pointer to an access control list entry. On return, this points to the reference of the new access control list entry. + @result A result code. See "Security Error Codes" (SecBase.h). 
+ */ + OSStatus SecACLCreateWithSimpleContents(SecAccessRef access, + CFArrayRef __nullable applicationList, + CFStringRef description, + SecKeychainPromptSelector promptSelector, + SecACLRef * __nonnull CF_RETURNS_RETAINED newAcl) + __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); + + /*! + @function SecACLRemove + @abstract Removes the access control list entry specified. + @param aclRef The reference to the access control list entry to remove. + @result A result code. See "Security Error Codes" (SecBase.h). + */ + OSStatus SecACLRemove(SecACLRef aclRef) + __OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_NA); + + /*! + @function SecACLCopySimpleContents + @abstract Returns the application list, description, and CSSM prompt selector for a given access control list entry. + @param acl An access control list entry reference. + @param applicationList On return, An array of SecTrustedApplication instances that will be allowed access without prompting, for the given access control list entry. The caller needs to call CFRelease on this array when it's no longer needed. + @param description On return, the human readable name that will be used to refer to this item when the user is prompted, for the given access control list entry. The caller needs to call CFRelease on this string when it's no longer needed. + @param promptSelector A pointer to a CSSM prompt selector. On return, this points to the CSSM prompt selector for the given access control list entry. + @result A result code. See "Security Error Codes" (SecBase.h). + @discussion This function is deprecated in 10.7 and later; + use SecACLCopyContents instead. + */ + OSStatus SecACLCopySimpleContents(SecACLRef acl, + CFArrayRef * __nonnull CF_RETURNS_RETAINED applicationList, + CFStringRef * __nonnull CF_RETURNS_RETAINED description, + CSSM_ACL_KEYCHAIN_PROMPT_SELECTOR *promptSelector) + DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; + + /*! 
+ @function SecACLCopyContents + @abstract Returns the application list, description, and prompt selector for a given access control list entry. + @param acl An access control list entry reference. + @param applicationList On return, An array of SecTrustedApplication instances that will be allowed access without prompting, for the given access control list entry. The caller needs to call CFRelease on this array when it's no longer needed. + @param description On return, the human readable name that will be used to refer to this item when the user is prompted, for the given access control list entry. The caller needs to call CFRelease on this string when it's no longer needed. + @param promptSelector A pointer to a SecKeychainPromptSelector. On return, this points to the SecKeychainPromptSelector for the given access control list entry. + @result A result code. See "Security Error Codes" (SecBase.h). + */ + OSStatus SecACLCopyContents(SecACLRef acl, + CFArrayRef * __nonnull CF_RETURNS_RETAINED applicationList, + CFStringRef * __nonnull CF_RETURNS_RETAINED description, + SecKeychainPromptSelector *promptSelector) + __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); + /*! + @function SecACLSetSimpleContents + @abstract Sets the application list, description, and CSSM prompt selector for a given access control list entry. + @param acl A reference to the access control list entry to edit. + @param applicationList An application list reference. + @param description The human readable name that will be used to refer to this item when the user is prompted. + @param promptSelector A pointer to a CSSM prompt selector. + @result A result code. See "Security Error Codes" (SecBase.h). + @discussion This function is deprecated in 10.7 and later; + use SecACLSetContents instead. 
+ */ + OSStatus SecACLSetSimpleContents(SecACLRef acl, + CFArrayRef __nullable applicationList, + CFStringRef description, + const CSSM_ACL_KEYCHAIN_PROMPT_SELECTOR *promptSelector) + DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; + + /*! + @function SecACLSetContents + @abstract Sets the application list, description, and prompt selector for a given access control list entry. + @param acl A reference to the access control list entry to edit. + @param applicationList An application list reference. + @param description The human readable name that will be used to refer to this item when the user is prompted. + @param promptSelector A SecKeychainPromptSelector selector. + @result A result code. See "Security Error Codes" (SecBase.h). + */ + OSStatus SecACLSetContents(SecACLRef acl, + CFArrayRef __nullable applicationList, + CFStringRef description, + SecKeychainPromptSelector promptSelector) + __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); + + /*! + @function SecACLGetAuthorizations + @abstract Retrieve the CSSM authorization tags of a given access control list entry. + @param acl An access control list entry reference. + @param tags On return, this points to the first item in an array of CSSM authorization tags. + @param tagCount On return, this points to the number of tags in the CSSM authorization tag array. + @result A result code. See "Security Error Codes" (SecBase.h). + @discussion This function is deprecated in 10.7 and later; + use SecACLCopyAuthorizations instead. + */ + OSStatus SecACLGetAuthorizations(SecACLRef acl, + CSSM_ACL_AUTHORIZATION_TAG *tags, uint32 *tagCount) + DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; + + /*! + @function SecACLCopyAuthorizations + @abstract Retrieve the authorization tags of a given access control list entry. + @param acl An access control list entry reference. + @result On return, a CFArrayRef of the authorizations for this ACL. 
+ */ + CFArrayRef SecACLCopyAuthorizations(SecACLRef acl) + __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); + + /*! + @function SecACLSetAuthorizations + @abstract Sets the CSSM authorization tags of a given access control list entry. + @param acl An access control list entry reference. + @param tags A pointer to the first item in an array of CSSM authorization tags. + @param tagCount The number of tags in the CSSM authorization tag array. + @result A result code. See "Security Error Codes" (SecBase.h). + @discussion This function is deprecated in 10.7 and later; + use SecACLUpdateAuthorizations instead. + */ + OSStatus SecACLSetAuthorizations(SecACLRef acl, + CSSM_ACL_AUTHORIZATION_TAG *tags, uint32 tagCount) + DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; + + + /*! + @function SecACLUpdateAuthorizations + @abstract Sets the authorization tags of a given access control list entry. + @param acl An access control list entry reference. + @param authorizations A pointer to an array of authorization tags. + @result A result code. See "Security Error Codes" (SecBase.h). + */ + OSStatus SecACLUpdateAuthorizations(SecACLRef acl, CFArrayRef authorizations) + __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); + +CF_IMPLICIT_BRIDGING_DISABLED +CF_ASSUME_NONNULL_END + +#if defined(__cplusplus) +} +#endif + +#endif /* !_SECURITY_SECACL_H_ */ diff --git a/OSX/include/security_keychain/SecAccess.cpp b/OSX/include/security_keychain/SecAccess.cpp new file mode 100644 index 00000000..9491f85c --- /dev/null +++ b/OSX/include/security_keychain/SecAccess.cpp 
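Review bot: The `applicationList` parameter of `SecACLCreateWithSimpleContents`, `SecACLCreateFromSimpleContents`, `SecACLSetContents` and `SecACLSetSimpleContents` is annotated `__nullable`, yet none of the `@param` lines say what NULL means, and the distinction matters for access control: the companion `SecAccess.cpp` in this patch passes `NULL` here precisely to make the decrypt ACL "wide-open", so a NULL list appears to allow every application rather than none. Spell that out on each of the four declarations, e.g. `@param applicationList An array of SecTrustedApplication instances that will be allowed access without prompting. Pass NULL to place no application restriction on the entry (any application is allowed; confirm against the ACL implementation).` `kSecKeychainPromptInvalidAct` is the only `SecKeychainPromptSelector` bit without a trailing comment; by analogy with `kSecKeychainPromptUnsignedAct` it presumably means `/* INVALID bit overrides system default */` — confirm and add it.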
@@ -0,0 +1,715 @@ +/* + * Copyright (c) 2002-2004,2011-2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#include +#include +#include +#include +#include +#include +#include "SecBridge.h" +#include + +#undef secdebug +#include + + +/* No restrictions. Permission to perform all operations on + the resource or available to an ACL owner. 
*/ + + +const CFStringRef kSecACLAuthorizationAny = CFSTR("ACLAuthorizationAny"); + +const CFStringRef kSecACLAuthorizationLogin = CFSTR("ACLAuthorizationLogin"); +const CFStringRef kSecACLAuthorizationGenKey = CFSTR("ACLAuthorizationGenKey"); +const CFStringRef kSecACLAuthorizationDelete = CFSTR("ACLAuthorizationDelete"); +const CFStringRef kSecACLAuthorizationExportWrapped = CFSTR("ACLAuthorizationExportWrapped"); +const CFStringRef kSecACLAuthorizationExportClear = CFSTR("ACLAuthorizationExportClear"); +const CFStringRef kSecACLAuthorizationImportWrapped = CFSTR("ACLAuthorizationImportWrapped"); +const CFStringRef kSecACLAuthorizationImportClear = CFSTR("ACLAuthorizationImportClear"); +const CFStringRef kSecACLAuthorizationSign = CFSTR("ACLAuthorizationSign"); +const CFStringRef kSecACLAuthorizationEncrypt = CFSTR("ACLAuthorizationEncrypt"); +const CFStringRef kSecACLAuthorizationDecrypt = CFSTR("ACLAuthorizationDecrypt"); +const CFStringRef kSecACLAuthorizationMAC = CFSTR("ACLAuthorizationMAC"); +const CFStringRef kSecACLAuthorizationDerive = CFSTR("ACLAuthorizationDerive"); + +/* Defined authorization tag values for Keychain */ + + + +const CFStringRef kSecACLAuthorizationKeychainCreate = CFSTR("ACLAuthorizationKeychainCreate"); +const CFStringRef kSecACLAuthorizationKeychainDelete = CFSTR("ACLAuthorizationKeychainDelete"); +const CFStringRef kSecACLAuthorizationKeychainItemRead = CFSTR("ACLAuthorizationKeychainItemRead"); +const CFStringRef kSecACLAuthorizationKeychainItemInsert = CFSTR("ACLAuthorizationKeychainItemInsert"); +const CFStringRef kSecACLAuthorizationKeychainItemModify = CFSTR("ACLAuthorizationKeychainItemModify"); +const CFStringRef kSecACLAuthorizationKeychainItemDelete = CFSTR("ACLAuthorizationKeychainItemDelete"); + +const CFStringRef kSecACLAuthorizationChangeACL = CFSTR("ACLAuthorizationChangeACL"); +const CFStringRef kSecACLAuthorizationChangeOwner = CFSTR("ACLAuthorizationChangeOwner"); + + +static CFArrayRef 
copyTrustedAppListFromBundle(CFStringRef bundlePath, CFStringRef trustedAppListFileName); + +static CFStringRef gKeys[] = +{ + kSecACLAuthorizationAny, + kSecACLAuthorizationLogin, + kSecACLAuthorizationGenKey, + kSecACLAuthorizationDelete, + kSecACLAuthorizationExportWrapped, + kSecACLAuthorizationExportClear, + kSecACLAuthorizationImportWrapped, + kSecACLAuthorizationImportClear, + kSecACLAuthorizationSign, + kSecACLAuthorizationEncrypt, + kSecACLAuthorizationDecrypt, + kSecACLAuthorizationMAC, + kSecACLAuthorizationDerive, + + /* Defined authorization tag values for Keychain */ + kSecACLAuthorizationKeychainCreate, + kSecACLAuthorizationKeychainDelete, + kSecACLAuthorizationKeychainItemRead, + kSecACLAuthorizationKeychainItemInsert, + kSecACLAuthorizationKeychainItemModify, + kSecACLAuthorizationKeychainItemDelete, + + kSecACLAuthorizationChangeACL, + kSecACLAuthorizationChangeOwner + +}; + +static sint32 gValues[] = +{ + CSSM_ACL_AUTHORIZATION_ANY, + CSSM_ACL_AUTHORIZATION_LOGIN, + CSSM_ACL_AUTHORIZATION_GENKEY, + CSSM_ACL_AUTHORIZATION_DELETE, + CSSM_ACL_AUTHORIZATION_EXPORT_WRAPPED, + CSSM_ACL_AUTHORIZATION_EXPORT_CLEAR, + CSSM_ACL_AUTHORIZATION_IMPORT_WRAPPED, + CSSM_ACL_AUTHORIZATION_IMPORT_CLEAR, + CSSM_ACL_AUTHORIZATION_SIGN, + CSSM_ACL_AUTHORIZATION_ENCRYPT, + CSSM_ACL_AUTHORIZATION_DECRYPT, + CSSM_ACL_AUTHORIZATION_MAC, + CSSM_ACL_AUTHORIZATION_DERIVE, + CSSM_ACL_AUTHORIZATION_DBS_CREATE, + CSSM_ACL_AUTHORIZATION_DBS_DELETE, + CSSM_ACL_AUTHORIZATION_DB_READ, + CSSM_ACL_AUTHORIZATION_DB_INSERT, + CSSM_ACL_AUTHORIZATION_DB_MODIFY, + CSSM_ACL_AUTHORIZATION_DB_DELETE, + CSSM_ACL_AUTHORIZATION_CHANGE_ACL, + CSSM_ACL_AUTHORIZATION_CHANGE_OWNER +}; + +static +CFDictionaryRef CreateStringToNumDictionary() +{ + int numItems = (sizeof(gValues) / sizeof(sint32)); + CFMutableDictionaryRef tempDict = CFDictionaryCreateMutable(kCFAllocatorDefault, numItems, &kCFCopyStringDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + + for (int iCnt = 0; iCnt < 
numItems; iCnt++) + { + sint32 aNumber = gValues[iCnt]; + CFNumberRef aNum = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &aNumber); + + CFStringRef aString = gKeys[iCnt]; + CFDictionaryAddValue(tempDict, aString, aNum); + CFRelease(aNum); + } + + CFDictionaryRef result = CFDictionaryCreateCopy(kCFAllocatorDefault, tempDict); + CFRelease(tempDict); + return result; + +} + +static +CFDictionaryRef CreateNumToStringDictionary() +{ + int numItems = (sizeof(gValues) / sizeof(sint32)); + + CFMutableDictionaryRef tempDict = CFDictionaryCreateMutable(kCFAllocatorDefault, numItems, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + + for (int iCnt = 0; iCnt < numItems; iCnt++) + { + sint32 aNumber = gValues[iCnt]; + CFNumberRef aNum = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &aNumber); + + CFStringRef aString = gKeys[iCnt]; + CFDictionaryAddValue(tempDict, aNum, aString); + CFRelease(aNum); + + } + + CFDictionaryRef result = CFDictionaryCreateCopy(kCFAllocatorDefault, tempDict); + CFRelease(tempDict); + return result; +} + + +/* TODO: This should be in some header */ +sint32 GetACLAuthorizationTagFromString(CFStringRef aclStr); +sint32 GetACLAuthorizationTagFromString(CFStringRef aclStr) +{ + if (NULL == aclStr) + { +#ifndef NDEBUG + CFShow(CFSTR("GetACLAuthorizationTagFromString aclStr is NULL")); +#endif + return 0; + } + + static CFDictionaryRef gACLMapping = NULL; + + if (NULL == gACLMapping) + { + gACLMapping = CreateStringToNumDictionary(); + } + + sint32 result = 0; + CFNumberRef valueResult = (CFNumberRef)CFDictionaryGetValue(gACLMapping, aclStr); + if (NULL != valueResult) + { + if (!CFNumberGetValue(valueResult, kCFNumberSInt32Type, &result)) + { + return 0; + } + + } + else + { + return 0; + } + + return result; + +} + +/* TODO: This should be in some header */ +CFStringRef GetAuthStringFromACLAuthorizationTag(sint32 tag); +CFStringRef GetAuthStringFromACLAuthorizationTag(sint32 tag) +{ + static CFDictionaryRef 
gTagMapping = NULL; + CFNumberRef aNum = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &tag); + + if (NULL == gTagMapping) + { + gTagMapping = CreateNumToStringDictionary(); + } + + CFStringRef result = (CFStringRef)kSecACLAuthorizationAny; + + if (NULL != gTagMapping && CFDictionaryContainsKey(gTagMapping, aNum)) + { + result = (CFStringRef)CFDictionaryGetValue(gTagMapping, aNum); + } + return result; +} + +// +// CF boilerplate +// +CFTypeID SecAccessGetTypeID(void) +{ + BEGIN_SECAPI + return gTypes().Access.typeID; + END_SECAPI1(_kCFRuntimeNotATypeID) +} + + +// +// API bridge calls +// +/*! + * Create a new SecAccessRef that is set to the default configuration + * of a (newly created) security object. + */ +OSStatus SecAccessCreate(CFStringRef descriptor, CFArrayRef trustedList, SecAccessRef *accessRef) +{ + BEGIN_SECAPI + Required(descriptor); + SecPointer access; + if (trustedList) { + CFIndex length = CFArrayGetCount(trustedList); + ACL::ApplicationList trusted; + for (CFIndex n = 0; n < length; n++) + trusted.push_back(TrustedApplication::required( + SecTrustedApplicationRef(CFArrayGetValueAtIndex(trustedList, n)))); + access = new Access(cfString(descriptor), trusted); + } else { + access = new Access(cfString(descriptor)); + } + Required(accessRef) = access->handle(); + END_SECAPI +} + + +/*! 
+ */ +OSStatus SecAccessCreateFromOwnerAndACL(const CSSM_ACL_OWNER_PROTOTYPE *owner, + uint32 aclCount, const CSSM_ACL_ENTRY_INFO *acls, + SecAccessRef *accessRef) +{ + BEGIN_SECAPI + Required(accessRef); // preflight + SecPointer access = new Access(Required(owner), aclCount, &Required(acls)); + *accessRef = access->handle(); + END_SECAPI +} + +SecAccessRef SecAccessCreateWithOwnerAndACL(uid_t userId, gid_t groupId, SecAccessOwnerType ownerType, CFArrayRef acls, CFErrorRef *error) +{ + SecAccessRef result = NULL; + + CSSM_ACL_PROCESS_SUBJECT_SELECTOR selector = + { + CSSM_ACL_PROCESS_SELECTOR_CURRENT_VERSION, // selector version + ownerType, + userId, + groupId + }; + + CSSM_LIST_ELEMENT subject2 = { NULL, 0 }; + subject2.Element.Word.Data = (UInt8 *)&selector; + subject2.Element.Word.Length = sizeof(selector); + CSSM_LIST_ELEMENT subject1 = + { + &subject2, CSSM_ACL_SUBJECT_TYPE_PROCESS, CSSM_LIST_ELEMENT_WORDID + }; + + CFIndex numAcls = 0; + + if (NULL != acls) + { + numAcls = CFArrayGetCount(acls); + } + +#ifndef NDEBUG + CFStringRef debugStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, + CFSTR("SecAccessCreateWithOwnerAndACL: processing %d acls"), (int)numAcls); + CFShow(debugStr); + CFRelease(debugStr); +#endif + + CSSM_ACL_AUTHORIZATION_TAG rights[numAcls]; + memset(rights, 0, sizeof(rights)); + + for (CFIndex iCnt = 0; iCnt < numAcls; iCnt++) + { + CFStringRef aclStr = (CFStringRef)CFArrayGetValueAtIndex(acls, iCnt); + +#ifndef NDEBUG + debugStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, + CFSTR("SecAccessCreateWithOwnerAndACL: acls[%d] = %@"), (int)iCnt, aclStr); + + CFShow(debugStr); + CFRelease(debugStr); +#endif + + CSSM_ACL_AUTHORIZATION_TAG aTag = GetACLAuthorizationTagFromString(aclStr); + +#ifndef NDEBUG + debugStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, + CFSTR("SecAccessCreateWithOwnerAndACL: rights[%d] = %d"), (int)iCnt, aTag); + + CFShow(debugStr); + CFRelease(debugStr); +#endif + + rights[iCnt] = aTag; + } + + 
+ for (CFIndex iCnt = 0; iCnt < numAcls; iCnt++) + { +#ifndef NDEBUG + debugStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, + CFSTR("SecAccessCreateWithOwnerAndACL: rights[%d] = %d"), (int)iCnt, rights[iCnt]); + + CFShow(debugStr); + CFRelease(debugStr); +#endif + + + } + + CSSM_ACL_OWNER_PROTOTYPE owner = + { + // TypedSubject + { CSSM_LIST_TYPE_UNKNOWN, &subject1, &subject2 }, + // Delegate + false + }; + + + // ACL entries (any number, just one here) + CSSM_ACL_ENTRY_INFO acl_rights[] = + { + { + // prototype + { + // TypedSubject + { CSSM_LIST_TYPE_UNKNOWN, &subject1, &subject2 }, + false, // Delegate + // rights for this entry + { (uint32)(sizeof(rights) / sizeof(rights[0])), rights }, + // rest is defaulted + } + } + }; + + OSStatus err = SecAccessCreateFromOwnerAndACL(&owner, + sizeof(acl_rights) / sizeof(acl_rights[0]), acl_rights, &result); + + if (errSecSuccess != err) + { + result = NULL; + if (NULL != error) + { + *error = CFErrorCreate(kCFAllocatorDefault, CFSTR("FIX ME"), err, NULL); + } + } + return result; +} + + +/*! 
+ */ +OSStatus SecAccessGetOwnerAndACL(SecAccessRef accessRef, + CSSM_ACL_OWNER_PROTOTYPE_PTR *owner, + uint32 *aclCount, CSSM_ACL_ENTRY_INFO_PTR *acls) +{ + BEGIN_SECAPI + Access::required(accessRef)->copyOwnerAndAcl( + Required(owner), Required(aclCount), Required(acls)); + END_SECAPI +} + +OSStatus SecAccessCopyOwnerAndACL(SecAccessRef accessRef, uid_t* userId, gid_t* groupId, SecAccessOwnerType* ownerType, CFArrayRef* aclList) +{ + CSSM_ACL_OWNER_PROTOTYPE_PTR owner = NULL; + CSSM_ACL_ENTRY_INFO_PTR acls = NULL; + uint32 aclCount = 0; + OSStatus result = SecAccessGetOwnerAndACL(accessRef, &owner, &aclCount, &acls); + if (errSecSuccess != result ) + { + return result; + } + + if (NULL != owner) + { + CSSM_LIST_ELEMENT_PTR listHead = owner->TypedSubject.Head; + if (listHead != NULL && listHead->ElementType == CSSM_LIST_ELEMENT_WORDID) + { + CSSM_LIST_ELEMENT_PTR nextElement = listHead->NextElement; + if (listHead->WordID == CSSM_ACL_SUBJECT_TYPE_PROCESS && listHead->ElementType == CSSM_LIST_ELEMENT_WORDID) + { + // nextElement contains the required data + CSSM_ACL_PROCESS_SUBJECT_SELECTOR* selectorPtr = (CSSM_ACL_PROCESS_SUBJECT_SELECTOR*)nextElement->Element.Word.Data; + if (NULL != selectorPtr) + { + if (NULL != userId) + { + *userId = (uid_t)selectorPtr->uid; + } + + if (NULL != groupId) + { + *groupId = (gid_t)selectorPtr->gid; + } + + if (NULL != ownerType) + { + *ownerType = (SecAccessOwnerType)selectorPtr->mask; + } + } + } + + } + + } + + if (NULL != aclList) + { +#ifndef NDEBUG + CFShow(CFSTR("SecAccessCopyOwnerAndACL: processing the ACL list")); +#endif + + CFMutableArrayRef stringArray = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks); + CSSM_ACL_OWNER_PROTOTYPE_PTR protoPtr = NULL; + uint32 numAcls = 0L; + CSSM_ACL_ENTRY_INFO_PTR aclEntry = NULL; + + result = SecAccessGetOwnerAndACL(accessRef, &protoPtr, &numAcls, &aclEntry); + if (errSecSuccess == result) + { +#ifndef NDEBUG + CFStringRef tempStr = 
CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("SecAccessCopyOwnerAndACL: numAcls = %d"), numAcls); + CFShow(tempStr); + CFRelease(tempStr); +#endif + + for (uint32 iCnt = 0; iCnt < numAcls; iCnt++) + { + CSSM_ACL_ENTRY_PROTOTYPE prototype = aclEntry[iCnt].EntryPublicInfo; + CSSM_AUTHORIZATIONGROUP authGroup = prototype.Authorization; + int numAuthTags = (int)authGroup.NumberOfAuthTags; + + for (int jCnt = 0; jCnt < numAuthTags; jCnt++) + { + + sint32 aTag = authGroup.AuthTags[jCnt]; + CFStringRef aString = GetAuthStringFromACLAuthorizationTag(aTag); + + CFArrayAppendValue(stringArray, aString); + } + } + } + + if (NULL != stringArray) + { + if (0 < CFArrayGetCount(stringArray)) + { + *aclList = CFArrayCreateCopy(kCFAllocatorDefault, stringArray); + } + CFRelease(stringArray); + } + } + + return result; +} + +/*! + */ +OSStatus SecAccessCopyACLList(SecAccessRef accessRef, + CFArrayRef *aclList) +{ + BEGIN_SECAPI + Required(aclList) = Access::required(accessRef)->copySecACLs(); + END_SECAPI +} + + +/*! 
+ */ +OSStatus SecAccessCopySelectedACLList(SecAccessRef accessRef, + CSSM_ACL_AUTHORIZATION_TAG action, + CFArrayRef *aclList) +{ + BEGIN_SECAPI + Required(aclList) = Access::required(accessRef)->copySecACLs(action); + END_SECAPI +} + +CFArrayRef SecAccessCopyMatchingACLList(SecAccessRef accessRef, CFTypeRef authorizationTag) +{ + CFArrayRef result = NULL; + CSSM_ACL_AUTHORIZATION_TAG tag = GetACLAuthorizationTagFromString((CFStringRef)authorizationTag); + OSStatus err = SecAccessCopySelectedACLList(accessRef, tag, &result); + if (errSecSuccess != err) + { + result = NULL; + } + return result; +} + +CFArrayRef copyTrustedAppListFromBundle(CFStringRef bundlePath, CFStringRef trustedAppListFileName) +{ + CFStringRef errorString = nil; + CFURLRef bundleURL,trustedAppsURL = NULL; + CFBundleRef secBundle = NULL; + CFPropertyListRef trustedAppsPlist = NULL; + CFDataRef xmlDataRef = NULL; + SInt32 errorCode; + CFArrayRef trustedAppList = NULL; + CFMutableStringRef trustedAppListFileNameWithoutExtension = NULL; + + // Make a CFURLRef from the CFString representation of the bundleÕs path. + bundleURL = CFURLCreateWithFileSystemPath( + kCFAllocatorDefault,bundlePath,kCFURLPOSIXPathStyle,true); + + CFRange wholeStrRange; + + if (!bundleURL) + goto xit; + + // Make a bundle instance using the URLRef. 
+ secBundle = CFBundleCreate(kCFAllocatorDefault,bundleURL); + if (!secBundle) + goto xit; + + trustedAppListFileNameWithoutExtension = + CFStringCreateMutableCopy(NULL,CFStringGetLength(trustedAppListFileName),trustedAppListFileName); + wholeStrRange = CFStringFind(trustedAppListFileName,CFSTR(".plist"),0); + + CFStringDelete(trustedAppListFileNameWithoutExtension,wholeStrRange); + + // Look for a resource in the bundle by name and type + trustedAppsURL = CFBundleCopyResourceURL(secBundle,trustedAppListFileNameWithoutExtension,CFSTR("plist"),NULL); + if (!trustedAppsURL) + goto xit; + + if ( trustedAppListFileNameWithoutExtension ) + CFRelease(trustedAppListFileNameWithoutExtension); + + if (!CFURLCreateDataAndPropertiesFromResource(kCFAllocatorDefault,trustedAppsURL,&xmlDataRef,NULL,NULL,&errorCode)) + goto xit; + + trustedAppsPlist = CFPropertyListCreateFromXMLData(kCFAllocatorDefault,xmlDataRef,kCFPropertyListImmutable,&errorString); + trustedAppList = (CFArrayRef)trustedAppsPlist; + +xit: + if (bundleURL) + CFRelease(bundleURL); + if (secBundle) + CFRelease(secBundle); + if (trustedAppsURL) + CFRelease(trustedAppsURL); + if (xmlDataRef) + CFRelease(xmlDataRef); + if (errorString) + CFRelease(errorString); + + return trustedAppList; +} + +OSStatus SecAccessCreateWithTrustedApplications(CFStringRef trustedApplicationsPListPath, CFStringRef accessLabel, Boolean allowAny, SecAccessRef* returnedAccess) +{ + OSStatus err = errSecSuccess; + SecAccessRef accessToReturn=nil; + CFMutableArrayRef trustedApplications=nil; + + if (!allowAny) // use default access ("confirm access") + { + // make an exception list of applications you want to trust, + // which are allowed to access the item without requiring user confirmation + SecTrustedApplicationRef myself=NULL, someOther=NULL; + CFArrayRef trustedAppListFromBundle=NULL; + + trustedApplications=CFArrayCreateMutable(kCFAllocatorDefault,0,&kCFTypeArrayCallBacks); + err = SecTrustedApplicationCreateFromPath(NULL, &myself); + 
if (!err) + CFArrayAppendValue(trustedApplications,myself); + + CFURLRef url = CFURLCreateWithFileSystemPath(NULL, trustedApplicationsPListPath, kCFURLPOSIXPathStyle, 0); + CFStringRef leafStr = NULL; + leafStr = CFURLCopyLastPathComponent(url); + + CFURLRef bndlPathURL = NULL; + bndlPathURL = CFURLCreateCopyDeletingLastPathComponent(NULL, url); + CFStringRef bndlPath = NULL; + bndlPath = CFURLCopyFileSystemPath(bndlPathURL, kCFURLPOSIXPathStyle); + trustedAppListFromBundle=copyTrustedAppListFromBundle(bndlPath, leafStr); + if ( leafStr ) + CFRelease(leafStr); + if ( bndlPath ) + CFRelease(bndlPath); + if ( url ) + CFRelease(url); + if ( bndlPathURL ) + CFRelease(bndlPathURL); + if (trustedAppListFromBundle) + { + CFIndex ix,top; + char buffer[MAXPATHLEN]; + top = CFArrayGetCount(trustedAppListFromBundle); + for (ix=0;ix 1)) + { + CFStringRef descStr = (CFStringRef) CFArrayGetValueAtIndex(descArray, 1); + if (descStr) + buf = CFStringToCString(descStr); + } + SecRequirementRef reqRef = NULL; + err = SecRequirementCreateWithString(reqStr, kSecCSDefaultFlags, &reqRef); + if (!err) + err = SecTrustedApplicationCreateFromRequirement((const char *)buf, reqRef, &someOther); + if (buf) + free(buf); + CFReleaseSafe(reqRef); + CFReleaseSafe(descArray); + } + if (!err) + CFArrayAppendValue(trustedApplications,someOther); + + if (someOther) + CFReleaseNull(someOther); + } + CFRelease(trustedAppListFromBundle); + } + } + + err = SecAccessCreate((CFStringRef)accessLabel, (CFArrayRef)trustedApplications, &accessToReturn); + if (!err) + { + if (allowAny) // change access to be wide-open for decryption ("always allow access") + { + // get the access control list for decryption operations + CFArrayRef aclList=nil; + err = SecAccessCopySelectedACLList(accessToReturn, CSSM_ACL_AUTHORIZATION_DECRYPT, &aclList); + if (!err) + { + // get the first entry in the access control list + SecACLRef aclRef=(SecACLRef)CFArrayGetValueAtIndex(aclList, 0); + CFArrayRef appList=nil; + CFStringRef 
 promptDescription=nil;
+ CSSM_ACL_KEYCHAIN_PROMPT_SELECTOR promptSelector;
+ err = SecACLCopySimpleContents(aclRef, &appList, &promptDescription, &promptSelector);
+
+ // modify the default ACL to not require the passphrase, and have a nil application list
+ promptSelector.flags &= ~CSSM_ACL_KEYCHAIN_PROMPT_REQUIRE_PASSPHRASE;
+ err = SecACLSetSimpleContents(aclRef, NULL, promptDescription, &promptSelector);
+
+ if (appList) CFRelease(appList);
+ if (promptDescription) CFRelease(promptDescription);
+ }
+ }
+ }
+ *returnedAccess = accessToReturn;
+ return err;
+}
diff --git a/OSX/include/security_keychain/SecAccess.h b/OSX/include/security_keychain/SecAccess.h
new file mode 100644
index 00000000..9464790f
--- /dev/null
+++ b/OSX/include/security_keychain/SecAccess.h
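Review bot: `SecAccessCopyOwnerAndACL` dereferences `nextElement` and casts its `Element.Word.Data` to `CSSM_ACL_PROCESS_SUBJECT_SELECTOR*` without checking that the second list element exists or that `Word.Length` covers the struct, so an owner prototype whose subject list is shorter than the one `SecAccessCreateWithOwnerAndACL` builds can dereference NULL or read past the word; guard the cast with `if (nextElement != NULL && nextElement->Element.Word.Length >= sizeof(CSSM_ACL_PROCESS_SUBJECT_SELECTOR))` before assigning `selectorPtr`. The same function writes `*aclList` only when `stringArray` is non-empty, so a caller that did not pre-initialise its pointer reads garbage on an access with no entries; set `*aclList = NULL` (or an empty array) on that path so the contract is explicit. Separately, `GetAuthStringFromACLAuthorizationTag` maps every tag it does not recognise to `kSecACLAuthorizationAny`, which makes a narrower, unknown right read back to callers as unrestricted access, and it never releases the `aNum` it creates on each call; returning NULL for unknown tags (and skipping them in the caller's loop) plus a `CFRelease(aNum)` before returning would fix both.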
@@ -0,0 +1,221 @@
+/*
+ * Copyright (c) 2002-2004,2011,2014 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+/*!
+ @header SecAccess
+ SecAccess implements a way to set and manipulate access control rules and
+ restrictions on SecKeychainItems.
+*/
+
+#ifndef _SECURITY_SECACCESS_H_
+#define _SECURITY_SECACCESS_H_
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+CF_ASSUME_NONNULL_BEGIN
+CF_IMPLICIT_BRIDGING_ENABLED
+
+typedef UInt32 SecAccessOwnerType;
+enum
+{
+ kSecUseOnlyUID = 1,
+ kSecUseOnlyGID = 2,
+ kSecHonorRoot = 0x100,
+ kSecMatchBits = (kSecUseOnlyUID | kSecUseOnlyGID)
+};
+
+/* No restrictions. Permission to perform all operations on
+ the resource or available to an ACL owner. */
+extern const CFStringRef kSecACLAuthorizationAny
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+
+extern const CFStringRef kSecACLAuthorizationLogin
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern const CFStringRef kSecACLAuthorizationGenKey
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern const CFStringRef kSecACLAuthorizationDelete
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern const CFStringRef kSecACLAuthorizationExportWrapped
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern const CFStringRef kSecACLAuthorizationExportClear
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern const CFStringRef kSecACLAuthorizationImportWrapped
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern const CFStringRef kSecACLAuthorizationImportClear
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern const CFStringRef kSecACLAuthorizationSign
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern const CFStringRef kSecACLAuthorizationEncrypt
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern const CFStringRef kSecACLAuthorizationDecrypt
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern const CFStringRef kSecACLAuthorizationMAC
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern const CFStringRef kSecACLAuthorizationDerive
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+
+/* Defined authorization tag values for Keychain */
+extern const CFStringRef kSecACLAuthorizationKeychainCreate
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern const CFStringRef kSecACLAuthorizationKeychainDelete
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern const CFStringRef kSecACLAuthorizationKeychainItemRead
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern const CFStringRef kSecACLAuthorizationKeychainItemInsert
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern const CFStringRef kSecACLAuthorizationKeychainItemModify
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern const CFStringRef kSecACLAuthorizationKeychainItemDelete
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+
+extern const CFStringRef kSecACLAuthorizationChangeACL
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern const CFStringRef kSecACLAuthorizationChangeOwner
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+
+/*!
+ @function SecAccessGetTypeID
+ @abstract Returns the type identifier of SecAccess instances.
+ @result The CFTypeID of SecAccess instances.
+*/
+CFTypeID SecAccessGetTypeID(void);
+
+/*!
+ @function SecAccessCreate
+ @abstract Creates a new SecAccessRef that is set to the currently designated system default
+ configuration of a (newly created) security object. Note that the precise nature of
+ this default may change between releases.
+ @param descriptor The name of the item as it should appear in security dialogs
+ @param trustedlist A CFArray of TrustedApplicationRefs, specifying which applications
+ should be allowed to access an item without triggering confirmation dialogs.
+ If NULL, defaults to (just) the application creating the item. To set no applications,
+ pass a CFArray with no elements.
+ @param accessRef On return, a pointer to the new access reference.
+ @result A result code. See "Security Error Codes" (SecBase.h).
+*/
+OSStatus SecAccessCreate(CFStringRef descriptor, CFArrayRef __nullable trustedlist, SecAccessRef * __nonnull CF_RETURNS_RETAINED accessRef);
+
+/*!
+ @function SecAccessCreateFromOwnerAndACL
+ @abstract Creates a new SecAccessRef using the owner and access control list you provide.
+ @param owner A pointer to a CSSM access control list owner.
+ @param aclCount An unsigned 32-bit integer representing the number of items in the access control list.
+ @param acls A pointer to the access control list.
+ @param On return, a pointer to the new access reference.
+ @result A result code. See "Security Error Codes" (SecBase.h).
+ @discussion For 10.7 and later please use the SecAccessCreateWithOwnerAndACL API
+*/
+OSStatus SecAccessCreateFromOwnerAndACL(const CSSM_ACL_OWNER_PROTOTYPE *owner, uint32 aclCount, const CSSM_ACL_ENTRY_INFO *acls, SecAccessRef * __nonnull CF_RETURNS_RETAINED accessRef)
+ DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*!
+ @function SecAccessCreateWithOwnerAndACL
+ @abstract Creates a new SecAccessRef using either for a user or a group with a list of ACLs
+ @param userId An user id that specifies the user to associate with this SecAccessRef.
+ @param groupId A group id that specifies the group to associate with this SecAccessRef.
+ @param ownerType Specifies the how the ownership of the new SecAccessRef is defined.
+ @param acls A CFArrayRef of the ACLs to associate with this SecAccessRef
+ @param error Optionally a pointer to a CFErrorRef to return any errors with may have occured
+ @result A pointer to the new access reference.
+*/
+__nullable
+SecAccessRef SecAccessCreateWithOwnerAndACL(uid_t userId, gid_t groupId, SecAccessOwnerType ownerType, CFArrayRef __nullable acls, CFErrorRef *error)
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+
+/*!
+ @function SecAccessGetOwnerAndACL
+ @abstract Retrieves the owner and the access control list of a given access.
+ @param accessRef A reference to the access from which to retrieve the information.
+ @param owner On return, a pointer to the access control list owner.
+ @param aclCount On return, a pointer to an unsigned 32-bit integer representing the number of items in the access control list.
+ @param acls On return, a pointer to the access control list.
+ @result A result code. See "Security Error Codes" (SecBase.h).
+ @discussion For 10.7 and later please use the SecAccessCopyOwnerAndACL API
+ */
+OSStatus SecAccessGetOwnerAndACL(SecAccessRef accessRef, CSSM_ACL_OWNER_PROTOTYPE_PTR __nullable * __nonnull owner, uint32 *aclCount, CSSM_ACL_ENTRY_INFO_PTR __nullable * __nonnull acls)
+ DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*!
+ @function SecAccessCopyOwnerAndACL
+ @abstract Retrieves the owner and the access control list of a given access.
+ @param accessRef A reference to the access from which to retrieve the information.
+ @param userId On return, the user id of the owner
+ @param groupId On return, the group id of the owner
+ @param ownerType On return, the type of owner for this AccessRef
+ @param aclList On return, a pointer to a new created CFArray of SecACL instances. The caller is responsible for calling CFRelease on this array.
+ @result A result code. See "Security Error Codes" (SecBase.h).
+ */
+OSStatus SecAccessCopyOwnerAndACL(SecAccessRef accessRef, uid_t * __nullable userId, gid_t * __nullable groupId, SecAccessOwnerType * __nullable ownerType, CFArrayRef * __nullable CF_RETURNS_RETAINED aclList)
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+
+/*!
+ @function SecAccessCopyACLList
+ @abstract Copies all the access control lists of a given access.
+ @param accessRef A reference to the access from which to retrieve the information.
+ @param aclList On return, a pointer to a new created CFArray of SecACL instances. The caller is responsible for calling CFRelease on this array.
+ @result A result code. See "Security Error Codes" (SecBase.h).
+*/
+OSStatus SecAccessCopyACLList(SecAccessRef accessRef, CFArrayRef * __nonnull CF_RETURNS_RETAINED aclList);
+
+/*!
+ @function SecAccessCopySelectedACLList
+ @abstract Copies selected access control lists from a given access.
+ @param accessRef A reference to the access from which to retrieve the information.
+ @param action An authorization tag specifying what action with which to select the action control lists. + @param aclList On return, a pointer to the selected access control lists. + @result A result code. See "Security Error Codes" (SecBase.h). + @discussion For 10.7 and later please use the SecAccessCopyMatchingACLList API +*/ +OSStatus SecAccessCopySelectedACLList(SecAccessRef accessRef, CSSM_ACL_AUTHORIZATION_TAG action, CFArrayRef * __nonnull CF_RETURNS_RETAINED aclList) + DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; + + +/*! + @function SecAccessCopyMatchingACLList + @abstract Copies selected access control lists from a given access. + @param accessRef A reference to the access from which to retrieve the information. + @param authorizationTag An authorization tag specifying what action with which to select the action control lists. + @result A pointer to the selected access control lists. +*/ +__nullable +CFArrayRef SecAccessCopyMatchingACLList(SecAccessRef accessRef, CFTypeRef authorizationTag) + __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); + +CF_IMPLICIT_BRIDGING_DISABLED +CF_ASSUME_NONNULL_END + +#if defined(__cplusplus) +} +#endif + +#endif /* !_SECURITY_SECACCESS_H_ */ diff --git a/Security/libsecurity_keychain/lib/SecAccessPriv.h b/OSX/include/security_keychain/SecAccessPriv.h similarity index 100% rename from Security/libsecurity_keychain/lib/SecAccessPriv.h rename to OSX/include/security_keychain/SecAccessPriv.h diff --git a/Security/libsecurity_keychain/lib/SecAsn1TypesP.h b/OSX/include/security_keychain/SecAsn1TypesP.h similarity index 100% rename from Security/libsecurity_keychain/lib/SecAsn1TypesP.h rename to OSX/include/security_keychain/SecAsn1TypesP.h diff --git a/Security/libsecurity_keychain/lib/SecBase.cpp b/OSX/include/security_keychain/SecBase.cpp similarity index 100% rename from Security/libsecurity_keychain/lib/SecBase.cpp rename to OSX/include/security_keychain/SecBase.cpp 
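Review bot: The header doc for `SecAccessCreateFromOwnerAndACL` drops the parameter name on its last `@param` line (`@param On return, a pointer to the new access reference.`), so the tag has nothing to attach to; it should read `@param accessRef On return, a pointer to the new access reference.`. Ownership is also documented unevenly in this header: `SecAccessCopyOwnerAndACL` and `SecAccessCopyACLList` state that the caller must CFRelease `aclList`, but `SecAccessCopySelectedACLList` (also declared `CF_RETURNS_RETAINED`) and `SecAccessCopyMatchingACLList` (a Copy-named function returning a `CFArrayRef`) say nothing, and mismatched release expectations across these four is where caller leaks and over-releases of ACL arrays come from; the same "The caller is responsible for calling CFRelease on this array." sentence should be added to both. Wording nits in the `SecAccessCreateWithOwnerAndACL` doc: "using either for a user or a group", "Specifies the how", and "errors with may have occured" should read "for either a user or a group", "Specifies how", and "errors which may have occurred".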
diff --git a/OSX/include/security_keychain/SecBase.h b/OSX/include/security_keychain/SecBase.h new file mode 100644 index 00000000..7a0cb546 --- /dev/null +++ b/OSX/include/security_keychain/SecBase.h 
@@ -0,0 +1,655 @@ +/* + * Copyright (c) 2000-2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +/*! + @header SecBase + SecBase contains common declarations for the Security functions. +*/ + +#ifndef _SECURITY_SECBASE_H_ +#define _SECURITY_SECBASE_H_ + +#include +#include + +#if defined(__clang__) +#define SEC_DEPRECATED_ATTRIBUTE DEPRECATED_ATTRIBUTE +#else +#define SEC_DEPRECATED_ATTRIBUTE +#endif + +#if defined(__cplusplus) +extern "C" { +#endif + +CF_ASSUME_NONNULL_BEGIN +CF_IMPLICIT_BRIDGING_ENABLED + +#ifndef __SEC_TYPES__ +#define __SEC_TYPES__ + +/*! + @typedef SecKeychainRef + @abstract Contains information about a keychain. +*/ +typedef struct CF_BRIDGED_TYPE(id) OpaqueSecKeychainRef *SecKeychainRef; + +/*! + @typedef SecKeychainItemRef + @abstract Contains information about a keychain item. +*/ +typedef struct CF_BRIDGED_TYPE(id) OpaqueSecKeychainItemRef *SecKeychainItemRef; + +/*! + @typedef SecKeychainSearchRef + @abstract Contains information about a keychain search. 
+*/ +typedef struct CF_BRIDGED_TYPE(id) OpaqueSecKeychainSearchRef *SecKeychainSearchRef; + +/*! + @typedef SecKeychainAttrType + @abstract Represents a keychain attribute type. +*/ +typedef OSType SecKeychainAttrType; + +/*! + @struct SecKeychainAttribute + @abstract Contains keychain attributes. + @field tag A 4-byte attribute tag. + @field length The length of the buffer pointed to by data. + @field data A pointer to the attribute data. +*/ +struct SecKeychainAttribute +{ + SecKeychainAttrType tag; + UInt32 length; + void *data; +}; +typedef struct SecKeychainAttribute SecKeychainAttribute; + +/*! + @typedef SecKeychainAttributePtr + @abstract Represents a pointer to a keychain attribute structure. +*/ +typedef SecKeychainAttribute *SecKeychainAttributePtr; + +/*! + @typedef SecKeychainAttributeList + @abstract Represents a list of keychain attributes. + @field count An unsigned 32-bit integer that represents the number of keychain attributes in the array. + @field attr A pointer to the first keychain attribute in the array. +*/ +struct SecKeychainAttributeList +{ + UInt32 count; + SecKeychainAttribute *attr; +}; +typedef struct SecKeychainAttributeList SecKeychainAttributeList; + +/*! + @typedef SecKeychainStatus + @abstract Represents the status of a keychain. +*/ +typedef UInt32 SecKeychainStatus; +#endif + +/*! + @typedef SecTrustedApplicationRef + @abstract Contains information about a trusted application. +*/ +typedef struct CF_BRIDGED_TYPE(id) OpaqueSecTrustedApplicationRef *SecTrustedApplicationRef; + +/*! + @typedef SecPolicyRef + @abstract Contains information about a policy. +*/ +typedef struct CF_BRIDGED_TYPE(id) OpaqueSecPolicyRef *SecPolicyRef; + +/*! + @typedef SecCertificateRef + @abstract Contains information about a certificate. +*/ +typedef struct CF_BRIDGED_TYPE(id) OpaqueSecCertificateRef *SecCertificateRef; + +/*! + @typedef SecAccessRef + @abstract Contains information about an access. 
+*/ +typedef struct CF_BRIDGED_TYPE(id) OpaqueSecAccessRef *SecAccessRef; + +/*! + @typedef SecIdentityRef + @abstract Contains information about an identity. +*/ +typedef struct CF_BRIDGED_TYPE(id) OpaqueSecIdentityRef *SecIdentityRef; + +/*! + @typedef SecKeyRef + @abstract Contains information about a key. +*/ +typedef struct CF_BRIDGED_TYPE(id) OpaqueSecKeyRef *SecKeyRef; + +/*! + @typedef SecACLRef + @abstract Contains information about an access control list (ACL) entry. +*/ +typedef struct CF_BRIDGED_TYPE(id) OpaqueSecTrustRef *SecACLRef; + +/*! + @typedef SecAccessControlRef + @abstract CFType representing access control for an item. +*/ +typedef struct CF_BRIDGED_TYPE(id) OpaqueSecAccessControl *SecAccessControlRef; + +/*! + @typedef SecPasswordRef + @abstract Contains information about a password. +*/ +typedef struct CF_BRIDGED_TYPE(id) OpaqueSecPasswordRef *SecPasswordRef; + +/*! + @typedef SecKeychainAttributeInfo + @abstract Represents an attribute. + @field count The number of tag-format pairs in the respective arrays. + @field tag A pointer to the first attribute tag in the array. + @field format A pointer to the first CSSM_DB_ATTRIBUTE_FORMAT in the array. + @discussion Each tag and format item form a pair. +*/ +struct SecKeychainAttributeInfo +{ + UInt32 count; + UInt32 *tag; + UInt32 *format; +}; +typedef struct SecKeychainAttributeInfo SecKeychainAttributeInfo; + +/*! + @function SecCopyErrorMessageString + @abstract Returns a string describing the specified error result code. + @param status An error result code of type OSStatus or CSSM_RETURN, as returned by a Security or CSSM function. + @reserved Reserved for future use. Your code should pass NULL in this parameter. + @result A reference to an error string, or NULL if no error string is available for the specified result code. Your code must release this reference by calling the CFRelease function. 
+*/ +__nullable +CFStringRef SecCopyErrorMessageString(OSStatus status, void * __nullable reserved) + __OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_NA); +/*! +@enum Security Error Codes +@abstract Result codes returned from Security framework functions. +@constant errSecSuccess No error. +@constant errSecUnimplemented Function or operation not implemented. +@constant errSecDskFull Disk Full error. +@constant errSecIO I/O error. +@constant errSecParam One or more parameters passed to a function were not valid. +@constant errSecWrPerm Write permissions error. +@constant errSecAllocate Failed to allocate memory. +@constant errSecUserCanceled User canceled the operation. +@constant errSecBadReq Bad parameter or invalid state for operation. +@constant errSecInternalComponent +@constant errSecCoreFoundationUnknown +@constant errSecNotAvailable No keychain is available. +@constant errSecReadOnly Read only error. +@constant errSecAuthFailed Authorization/Authentication failed. +@constant errSecNoSuchKeychain The keychain does not exist. +@constant errSecInvalidKeychain The keychain is not valid. +@constant errSecDuplicateKeychain A keychain with the same name already exists. +@constant errSecDuplicateCallback The specified callback is already installed. +@constant errSecInvalidCallback The specified callback is not valid. +@constant errSecDuplicateItem The item already exists. +@constant errSecItemNotFound The item cannot be found. +@constant errSecBufferTooSmall The buffer is too small. +@constant errSecDataTooLarge The data is too large. +@constant errSecNoSuchAttr The attribute does not exist. +@constant errSecInvalidItemRef The item reference is invalid. +@constant errSecInvalidSearchRef The search reference is invalid. +@constant errSecNoSuchClass The keychain item class does not exist. +@constant errSecNoDefaultKeychain A default keychain does not exist. +@constant errSecInteractionNotAllowed User interaction is not allowed. 
+@constant errSecReadOnlyAttr The attribute is read only. +@constant errSecWrongSecVersion The version is incorrect. +@constant errSecKeySizeNotAllowed The key size is not allowed. +@constant errSecNoStorageModule There is no storage module available. +@constant errSecNoCertificateModule There is no certificate module available. +@constant errSecNoPolicyModule There is no policy module available. +@constant errSecInteractionRequired User interaction is required. +@constant errSecDataNotAvailable The data is not available. +@constant errSecDataNotModifiable The data is not modifiable. +@constant errSecCreateChainFailed The attempt to create a certificate chain failed. +@constant errSecACLNotSimple The access control list is not in standard simple form. +@constant errSecPolicyNotFound The policy specified cannot be found. +@constant errSecInvalidTrustSetting The specified trust setting is invalid. +@constant errSecNoAccessForItem The specified item has no access control. +@constant errSecInvalidOwnerEdit Invalid attempt to change the owner of this item. +@constant errSecTrustNotAvailable No trust results are available. +@constant errSecUnsupportedFormat Import/Export format unsupported. +@constant errSecUnknownFormat Unknown format in import. +@constant errSecKeyIsSensitive Key material must be wrapped for export. +@constant errSecMultiplePrivKeys An attempt was made to import multiple private keys. +@constant errSecPassphraseRequired Passphrase is required for import/export. +@constant errSecInvalidPasswordRef The password reference was invalid. +@constant errSecInvalidTrustSettings The Trust Settings Record was corrupted. +@constant errSecNoTrustSettings No Trust Settings were found. +@constant errSecPkcs12VerifyFailure MAC verification failed during PKCS12 Import. +@constant errSecDecode Unable to decode the provided data. + +@discussion The assigned error space is discontinuous: e.g. -25240..-25279, -25290..-25329, -68608..-67585, and so on. 
+*/ + +/* + Note: the comments that appear after these errors are used to create SecErrorMessages.strings. + The comments must not be multi-line, and should be in a form meaningful to an end user. If + a different or additional comment is needed, it can be put in the header doc format, or on a + line that does not start with errZZZ. +*/ + +CF_ENUM(OSStatus) +{ + errSecSuccess = 0, /* No error. */ + errSecUnimplemented = -4, /* Function or operation not implemented. */ + errSecDskFull = -34, + errSecIO = -36, /*I/O error (bummers)*/ + + errSecParam = -50, /* One or more parameters passed to a function were not valid. */ + errSecWrPerm = -61, /* write permissions error*/ + errSecAllocate = -108, /* Failed to allocate memory. */ + errSecUserCanceled = -128, /* User canceled the operation. */ + errSecBadReq = -909, /* Bad parameter or invalid state for operation. */ + + errSecInternalComponent = -2070, + errSecCoreFoundationUnknown = -4960, + + errSecNotAvailable = -25291, /* No keychain is available. You may need to restart your computer. */ + errSecReadOnly = -25292, /* This keychain cannot be modified. */ + errSecAuthFailed = -25293, /* The user name or passphrase you entered is not correct. */ + errSecNoSuchKeychain = -25294, /* The specified keychain could not be found. */ + errSecInvalidKeychain = -25295, /* The specified keychain is not a valid keychain file. */ + errSecDuplicateKeychain = -25296, /* A keychain with the same name already exists. */ + errSecDuplicateCallback = -25297, /* The specified callback function is already installed. */ + errSecInvalidCallback = -25298, /* The specified callback function is not valid. */ + errSecDuplicateItem = -25299, /* The specified item already exists in the keychain. */ + errSecItemNotFound = -25300, /* The specified item could not be found in the keychain. */ + errSecBufferTooSmall = -25301, /* There is not enough memory available to use the specified item. 
*/ + errSecDataTooLarge = -25302, /* This item contains information which is too large or in a format that cannot be displayed. */ + errSecNoSuchAttr = -25303, /* The specified attribute does not exist. */ + errSecInvalidItemRef = -25304, /* The specified item is no longer valid. It may have been deleted from the keychain. */ + errSecInvalidSearchRef = -25305, /* Unable to search the current keychain. */ + errSecNoSuchClass = -25306, /* The specified item does not appear to be a valid keychain item. */ + errSecNoDefaultKeychain = -25307, /* A default keychain could not be found. */ + errSecInteractionNotAllowed = -25308, /* User interaction is not allowed. */ + errSecReadOnlyAttr = -25309, /* The specified attribute could not be modified. */ + errSecWrongSecVersion = -25310, /* This keychain was created by a different version of the system software and cannot be opened. */ + errSecKeySizeNotAllowed = -25311, /* This item specifies a key size which is too large. */ + errSecNoStorageModule = -25312, /* A required component (data storage module) could not be loaded. You may need to restart your computer. */ + errSecNoCertificateModule = -25313, /* A required component (certificate module) could not be loaded. You may need to restart your computer. */ + errSecNoPolicyModule = -25314, /* A required component (policy module) could not be loaded. You may need to restart your computer. */ + errSecInteractionRequired = -25315, /* User interaction is required, but is currently not allowed. */ + errSecDataNotAvailable = -25316, /* The contents of this item cannot be retrieved. */ + errSecDataNotModifiable = -25317, /* The contents of this item cannot be modified. */ + errSecCreateChainFailed = -25318, /* One or more certificates required to validate this certificate cannot be found. */ + errSecInvalidPrefsDomain = -25319, /* The specified preferences domain is not valid. 
*/ + errSecInDarkWake = -25320, /* In dark wake, no UI possible */ + + errSecACLNotSimple = -25240, /* The specified access control list is not in standard (simple) form. */ + errSecPolicyNotFound = -25241, /* The specified policy cannot be found. */ + errSecInvalidTrustSetting = -25242, /* The specified trust setting is invalid. */ + errSecNoAccessForItem = -25243, /* The specified item has no access control. */ + errSecInvalidOwnerEdit = -25244, /* Invalid attempt to change the owner of this item. */ + errSecTrustNotAvailable = -25245, /* No trust results are available. */ + errSecUnsupportedFormat = -25256, /* Import/Export format unsupported. */ + errSecUnknownFormat = -25257, /* Unknown format in import. */ + errSecKeyIsSensitive = -25258, /* Key material must be wrapped for export. */ + errSecMultiplePrivKeys = -25259, /* An attempt was made to import multiple private keys. */ + errSecPassphraseRequired = -25260, /* Passphrase is required for import/export. */ + errSecInvalidPasswordRef = -25261, /* The password reference was invalid. */ + errSecInvalidTrustSettings = -25262, /* The Trust Settings Record was corrupted. */ + errSecNoTrustSettings = -25263, /* No Trust Settings were found. */ + errSecPkcs12VerifyFailure = -25264, /* MAC verification failed during PKCS12 import (wrong password?) */ + errSecNotSigner = -26267, /* A certificate was not signed by its proposed parent. */ + + errSecDecode = -26275, /* Unable to decode the provided data. */ + + errSecServiceNotAvailable = -67585, /* The required service is not available. */ + errSecInsufficientClientID = -67586, /* The client ID is not correct. */ + errSecDeviceReset = -67587, /* A device reset has occurred. */ + errSecDeviceFailed = -67588, /* A device failure has occurred. */ + errSecAppleAddAppACLSubject = -67589, /* Adding an application ACL subject failed. */ + errSecApplePublicKeyIncomplete = -67590, /* The public key is incomplete. 
*/ + errSecAppleSignatureMismatch = -67591, /* A signature mismatch has occurred. */ + errSecAppleInvalidKeyStartDate = -67592, /* The specified key has an invalid start date. */ + errSecAppleInvalidKeyEndDate = -67593, /* The specified key has an invalid end date. */ + errSecConversionError = -67594, /* A conversion error has occurred. */ + errSecAppleSSLv2Rollback = -67595, /* A SSLv2 rollback error has occurred. */ + errSecDiskFull = -34, /* The disk is full. */ + errSecQuotaExceeded = -67596, /* The quota was exceeded. */ + errSecFileTooBig = -67597, /* The file is too big. */ + errSecInvalidDatabaseBlob = -67598, /* The specified database has an invalid blob. */ + errSecInvalidKeyBlob = -67599, /* The specified database has an invalid key blob. */ + errSecIncompatibleDatabaseBlob = -67600, /* The specified database has an incompatible blob. */ + errSecIncompatibleKeyBlob = -67601, /* The specified database has an incompatible key blob. */ + errSecHostNameMismatch = -67602, /* A host name mismatch has occurred. */ + errSecUnknownCriticalExtensionFlag = -67603, /* There is an unknown critical extension flag. */ + errSecNoBasicConstraints = -67604, /* No basic constraints were found. */ + errSecNoBasicConstraintsCA = -67605, /* No basic CA constraints were found. */ + errSecInvalidAuthorityKeyID = -67606, /* The authority key ID is not valid. */ + errSecInvalidSubjectKeyID = -67607, /* The subject key ID is not valid. */ + errSecInvalidKeyUsageForPolicy = -67608, /* The key usage is not valid for the specified policy. */ + errSecInvalidExtendedKeyUsage = -67609, /* The extended key usage is not valid. */ + errSecInvalidIDLinkage = -67610, /* The ID linkage is not valid. */ + errSecPathLengthConstraintExceeded = -67611, /* The path length constraint was exceeded. */ + errSecInvalidRoot = -67612, /* The root or anchor certificate is not valid. */ + errSecCRLExpired = -67613, /* The CRL has expired. */ + errSecCRLNotValidYet = -67614, /* The CRL is not yet valid. 
*/ + errSecCRLNotFound = -67615, /* The CRL was not found. */ + errSecCRLServerDown = -67616, /* The CRL server is down. */ + errSecCRLBadURI = -67617, /* The CRL has a bad Uniform Resource Identifier. */ + errSecUnknownCertExtension = -67618, /* An unknown certificate extension was encountered. */ + errSecUnknownCRLExtension = -67619, /* An unknown CRL extension was encountered. */ + errSecCRLNotTrusted = -67620, /* The CRL is not trusted. */ + errSecCRLPolicyFailed = -67621, /* The CRL policy failed. */ + errSecIDPFailure = -67622, /* The issuing distribution point was not valid. */ + errSecSMIMEEmailAddressesNotFound = -67623, /* An email address mismatch was encountered. */ + errSecSMIMEBadExtendedKeyUsage = -67624, /* The appropriate extended key usage for SMIME was not found. */ + errSecSMIMEBadKeyUsage = -67625, /* The key usage is not compatible with SMIME. */ + errSecSMIMEKeyUsageNotCritical = -67626, /* The key usage extension is not marked as critical. */ + errSecSMIMENoEmailAddress = -67627, /* No email address was found in the certificate. */ + errSecSMIMESubjAltNameNotCritical = -67628, /* The subject alternative name extension is not marked as critical. */ + errSecSSLBadExtendedKeyUsage = -67629, /* The appropriate extended key usage for SSL was not found. */ + errSecOCSPBadResponse = -67630, /* The OCSP response was incorrect or could not be parsed. */ + errSecOCSPBadRequest = -67631, /* The OCSP request was incorrect or could not be parsed. */ + errSecOCSPUnavailable = -67632, /* OCSP service is unavailable. */ + errSecOCSPStatusUnrecognized = -67633, /* The OCSP server did not recognize this certificate. */ + errSecEndOfData = -67634, /* An end-of-data was detected. */ + errSecIncompleteCertRevocationCheck = -67635, /* An incomplete certificate revocation check occurred. */ + errSecNetworkFailure = -67636, /* A network failure occurred. 
*/ + errSecOCSPNotTrustedToAnchor = -67637, /* The OCSP response was not trusted to a root or anchor certificate. */ + errSecRecordModified = -67638, /* The record was modified. */ + errSecOCSPSignatureError = -67639, /* The OCSP response had an invalid signature. */ + errSecOCSPNoSigner = -67640, /* The OCSP response had no signer. */ + errSecOCSPResponderMalformedReq = -67641, /* The OCSP responder was given a malformed request. */ + errSecOCSPResponderInternalError = -67642, /* The OCSP responder encountered an internal error. */ + errSecOCSPResponderTryLater = -67643, /* The OCSP responder is busy, try again later. */ + errSecOCSPResponderSignatureRequired = -67644, /* The OCSP responder requires a signature. */ + errSecOCSPResponderUnauthorized = -67645, /* The OCSP responder rejected this request as unauthorized. */ + errSecOCSPResponseNonceMismatch = -67646, /* The OCSP response nonce did not match the request. */ + errSecCodeSigningBadCertChainLength = -67647, /* Code signing encountered an incorrect certificate chain length. */ + errSecCodeSigningNoBasicConstraints = -67648, /* Code signing found no basic constraints. */ + errSecCodeSigningBadPathLengthConstraint= -67649, /* Code signing encountered an incorrect path length constraint. */ + errSecCodeSigningNoExtendedKeyUsage = -67650, /* Code signing found no extended key usage. */ + errSecCodeSigningDevelopment = -67651, /* Code signing indicated use of a development-only certificate. */ + errSecResourceSignBadCertChainLength = -67652, /* Resource signing has encountered an incorrect certificate chain length. */ + errSecResourceSignBadExtKeyUsage = -67653, /* Resource signing has encountered an error in the extended key usage. */ + errSecTrustSettingDeny = -67654, /* The trust setting for this policy was set to Deny. */ + errSecInvalidSubjectName = -67655, /* An invalid certificate subject name was encountered. 
*/ + errSecUnknownQualifiedCertStatement = -67656, /* An unknown qualified certificate statement was encountered. */ + errSecMobileMeRequestQueued = -67657, /* The MobileMe request will be sent during the next connection. */ + errSecMobileMeRequestRedirected = -67658, /* The MobileMe request was redirected. */ + errSecMobileMeServerError = -67659, /* A MobileMe server error occurred. */ + errSecMobileMeServerNotAvailable = -67660, /* The MobileMe server is not available. */ + errSecMobileMeServerAlreadyExists = -67661, /* The MobileMe server reported that the item already exists. */ + errSecMobileMeServerServiceErr = -67662, /* A MobileMe service error has occurred. */ + errSecMobileMeRequestAlreadyPending = -67663, /* A MobileMe request is already pending. */ + errSecMobileMeNoRequestPending = -67664, /* MobileMe has no request pending. */ + errSecMobileMeCSRVerifyFailure = -67665, /* A MobileMe CSR verification failure has occurred. */ + errSecMobileMeFailedConsistencyCheck = -67666, /* MobileMe has found a failed consistency check. */ + errSecNotInitialized = -67667, /* A function was called without initializing CSSM. */ + errSecInvalidHandleUsage = -67668, /* The CSSM handle does not match with the service type. */ + errSecPVCReferentNotFound = -67669, /* A reference to the calling module was not found in the list of authorized callers. */ + errSecFunctionIntegrityFail = -67670, /* A function address was not within the verified module. */ + errSecInternalError = -67671, /* An internal error has occurred. */ + errSecMemoryError = -67672, /* A memory error has occurred. */ + errSecInvalidData = -67673, /* Invalid data was encountered. */ + errSecMDSError = -67674, /* A Module Directory Service error has occurred. */ + errSecInvalidPointer = -67675, /* An invalid pointer was encountered. */ + errSecSelfCheckFailed = -67676, /* Self-check has failed. */ + errSecFunctionFailed = -67677, /* A function has failed. 
*/ + errSecModuleManifestVerifyFailed = -67678, /* A module manifest verification failure has occurred. */ + errSecInvalidGUID = -67679, /* An invalid GUID was encountered. */ + errSecInvalidHandle = -67680, /* An invalid handle was encountered. */ + errSecInvalidDBList = -67681, /* An invalid DB list was encountered. */ + errSecInvalidPassthroughID = -67682, /* An invalid passthrough ID was encountered. */ + errSecInvalidNetworkAddress = -67683, /* An invalid network address was encountered. */ + errSecCRLAlreadySigned = -67684, /* The certificate revocation list is already signed. */ + errSecInvalidNumberOfFields = -67685, /* An invalid number of fields were encountered. */ + errSecVerificationFailure = -67686, /* A verification failure occurred. */ + errSecUnknownTag = -67687, /* An unknown tag was encountered. */ + errSecInvalidSignature = -67688, /* An invalid signature was encountered. */ + errSecInvalidName = -67689, /* An invalid name was encountered. */ + errSecInvalidCertificateRef = -67690, /* An invalid certificate reference was encountered. */ + errSecInvalidCertificateGroup = -67691, /* An invalid certificate group was encountered. */ + errSecTagNotFound = -67692, /* The specified tag was not found. */ + errSecInvalidQuery = -67693, /* The specified query was not valid. */ + errSecInvalidValue = -67694, /* An invalid value was detected. */ + errSecCallbackFailed = -67695, /* A callback has failed. */ + errSecACLDeleteFailed = -67696, /* An ACL delete operation has failed. */ + errSecACLReplaceFailed = -67697, /* An ACL replace operation has failed. */ + errSecACLAddFailed = -67698, /* An ACL add operation has failed. */ + errSecACLChangeFailed = -67699, /* An ACL change operation has failed. */ + errSecInvalidAccessCredentials = -67700, /* Invalid access credentials were encountered. */ + errSecInvalidRecord = -67701, /* An invalid record was encountered. */ + errSecInvalidACL = -67702, /* An invalid ACL was encountered. 
*/ + errSecInvalidSampleValue = -67703, /* An invalid sample value was encountered. */ + errSecIncompatibleVersion = -67704, /* An incompatible version was encountered. */ + errSecPrivilegeNotGranted = -67705, /* The privilege was not granted. */ + errSecInvalidScope = -67706, /* An invalid scope was encountered. */ + errSecPVCAlreadyConfigured = -67707, /* The PVC is already configured. */ + errSecInvalidPVC = -67708, /* An invalid PVC was encountered. */ + errSecEMMLoadFailed = -67709, /* The EMM load has failed. */ + errSecEMMUnloadFailed = -67710, /* The EMM unload has failed. */ + errSecAddinLoadFailed = -67711, /* The add-in load operation has failed. */ + errSecInvalidKeyRef = -67712, /* An invalid key was encountered. */ + errSecInvalidKeyHierarchy = -67713, /* An invalid key hierarchy was encountered. */ + errSecAddinUnloadFailed = -67714, /* The add-in unload operation has failed. */ + errSecLibraryReferenceNotFound = -67715, /* A library reference was not found. */ + errSecInvalidAddinFunctionTable = -67716, /* An invalid add-in function table was encountered. */ + errSecInvalidServiceMask = -67717, /* An invalid service mask was encountered. */ + errSecModuleNotLoaded = -67718, /* A module was not loaded. */ + errSecInvalidSubServiceID = -67719, /* An invalid subservice ID was encountered. */ + errSecAttributeNotInContext = -67720, /* An attribute was not in the context. */ + errSecModuleManagerInitializeFailed = -67721, /* A module failed to initialize. */ + errSecModuleManagerNotFound = -67722, /* A module was not found. */ + errSecEventNotificationCallbackNotFound = -67723, /* An event notification callback was not found. */ + errSecInputLengthError = -67724, /* An input length error was encountered. */ + errSecOutputLengthError = -67725, /* An output length error was encountered. */ + errSecPrivilegeNotSupported = -67726, /* The privilege is not supported. */ + errSecDeviceError = -67727, /* A device error was encountered. 
*/ + errSecAttachHandleBusy = -67728, /* The CSP handle was busy. */ + errSecNotLoggedIn = -67729, /* You are not logged in. */ + errSecAlgorithmMismatch = -67730, /* An algorithm mismatch was encountered. */ + errSecKeyUsageIncorrect = -67731, /* The key usage is incorrect. */ + errSecKeyBlobTypeIncorrect = -67732, /* The key blob type is incorrect. */ + errSecKeyHeaderInconsistent = -67733, /* The key header is inconsistent. */ + errSecUnsupportedKeyFormat = -67734, /* The key header format is not supported. */ + errSecUnsupportedKeySize = -67735, /* The key size is not supported. */ + errSecInvalidKeyUsageMask = -67736, /* The key usage mask is not valid. */ + errSecUnsupportedKeyUsageMask = -67737, /* The key usage mask is not supported. */ + errSecInvalidKeyAttributeMask = -67738, /* The key attribute mask is not valid. */ + errSecUnsupportedKeyAttributeMask = -67739, /* The key attribute mask is not supported. */ + errSecInvalidKeyLabel = -67740, /* The key label is not valid. */ + errSecUnsupportedKeyLabel = -67741, /* The key label is not supported. */ + errSecInvalidKeyFormat = -67742, /* The key format is not valid. */ + errSecUnsupportedVectorOfBuffers = -67743, /* The vector of buffers is not supported. */ + errSecInvalidInputVector = -67744, /* The input vector is not valid. */ + errSecInvalidOutputVector = -67745, /* The output vector is not valid. */ + errSecInvalidContext = -67746, /* An invalid context was encountered. */ + errSecInvalidAlgorithm = -67747, /* An invalid algorithm was encountered. */ + errSecInvalidAttributeKey = -67748, /* A key attribute was not valid. */ + errSecMissingAttributeKey = -67749, /* A key attribute was missing. */ + errSecInvalidAttributeInitVector = -67750, /* An init vector attribute was not valid. */ + errSecMissingAttributeInitVector = -67751, /* An init vector attribute was missing. */ + errSecInvalidAttributeSalt = -67752, /* A salt attribute was not valid. 
*/ + errSecMissingAttributeSalt = -67753, /* A salt attribute was missing. */ + errSecInvalidAttributePadding = -67754, /* A padding attribute was not valid. */ + errSecMissingAttributePadding = -67755, /* A padding attribute was missing. */ + errSecInvalidAttributeRandom = -67756, /* A random number attribute was not valid. */ + errSecMissingAttributeRandom = -67757, /* A random number attribute was missing. */ + errSecInvalidAttributeSeed = -67758, /* A seed attribute was not valid. */ + errSecMissingAttributeSeed = -67759, /* A seed attribute was missing. */ + errSecInvalidAttributePassphrase = -67760, /* A passphrase attribute was not valid. */ + errSecMissingAttributePassphrase = -67761, /* A passphrase attribute was missing. */ + errSecInvalidAttributeKeyLength = -67762, /* A key length attribute was not valid. */ + errSecMissingAttributeKeyLength = -67763, /* A key length attribute was missing. */ + errSecInvalidAttributeBlockSize = -67764, /* A block size attribute was not valid. */ + errSecMissingAttributeBlockSize = -67765, /* A block size attribute was missing. */ + errSecInvalidAttributeOutputSize = -67766, /* An output size attribute was not valid. */ + errSecMissingAttributeOutputSize = -67767, /* An output size attribute was missing. */ + errSecInvalidAttributeRounds = -67768, /* The number of rounds attribute was not valid. */ + errSecMissingAttributeRounds = -67769, /* The number of rounds attribute was missing. */ + errSecInvalidAlgorithmParms = -67770, /* An algorithm parameters attribute was not valid. */ + errSecMissingAlgorithmParms = -67771, /* An algorithm parameters attribute was missing. */ + errSecInvalidAttributeLabel = -67772, /* A label attribute was not valid. */ + errSecMissingAttributeLabel = -67773, /* A label attribute was missing. */ + errSecInvalidAttributeKeyType = -67774, /* A key type attribute was not valid. */ + errSecMissingAttributeKeyType = -67775, /* A key type attribute was missing. 
*/ + errSecInvalidAttributeMode = -67776, /* A mode attribute was not valid. */ + errSecMissingAttributeMode = -67777, /* A mode attribute was missing. */ + errSecInvalidAttributeEffectiveBits = -67778, /* An effective bits attribute was not valid. */ + errSecMissingAttributeEffectiveBits = -67779, /* An effective bits attribute was missing. */ + errSecInvalidAttributeStartDate = -67780, /* A start date attribute was not valid. */ + errSecMissingAttributeStartDate = -67781, /* A start date attribute was missing. */ + errSecInvalidAttributeEndDate = -67782, /* An end date attribute was not valid. */ + errSecMissingAttributeEndDate = -67783, /* An end date attribute was missing. */ + errSecInvalidAttributeVersion = -67784, /* A version attribute was not valid. */ + errSecMissingAttributeVersion = -67785, /* A version attribute was missing. */ + errSecInvalidAttributePrime = -67786, /* A prime attribute was not valid. */ + errSecMissingAttributePrime = -67787, /* A prime attribute was missing. */ + errSecInvalidAttributeBase = -67788, /* A base attribute was not valid. */ + errSecMissingAttributeBase = -67789, /* A base attribute was missing. */ + errSecInvalidAttributeSubprime = -67790, /* A subprime attribute was not valid. */ + errSecMissingAttributeSubprime = -67791, /* A subprime attribute was missing. */ + errSecInvalidAttributeIterationCount = -67792, /* An iteration count attribute was not valid. */ + errSecMissingAttributeIterationCount = -67793, /* An iteration count attribute was missing. */ + errSecInvalidAttributeDLDBHandle = -67794, /* A database handle attribute was not valid. */ + errSecMissingAttributeDLDBHandle = -67795, /* A database handle attribute was missing. */ + errSecInvalidAttributeAccessCredentials = -67796, /* An access credentials attribute was not valid. */ + errSecMissingAttributeAccessCredentials = -67797, /* An access credentials attribute was missing. 
*/ + errSecInvalidAttributePublicKeyFormat = -67798, /* A public key format attribute was not valid. */ + errSecMissingAttributePublicKeyFormat = -67799, /* A public key format attribute was missing. */ + errSecInvalidAttributePrivateKeyFormat = -67800, /* A private key format attribute was not valid. */ + errSecMissingAttributePrivateKeyFormat = -67801, /* A private key format attribute was missing. */ + errSecInvalidAttributeSymmetricKeyFormat = -67802, /* A symmetric key format attribute was not valid. */ + errSecMissingAttributeSymmetricKeyFormat = -67803, /* A symmetric key format attribute was missing. */ + errSecInvalidAttributeWrappedKeyFormat = -67804, /* A wrapped key format attribute was not valid. */ + errSecMissingAttributeWrappedKeyFormat = -67805, /* A wrapped key format attribute was missing. */ + errSecStagedOperationInProgress = -67806, /* A staged operation is in progress. */ + errSecStagedOperationNotStarted = -67807, /* A staged operation was not started. */ + errSecVerifyFailed = -67808, /* A cryptographic verification failure has occurred. */ + errSecQuerySizeUnknown = -67809, /* The query size is unknown. */ + errSecBlockSizeMismatch = -67810, /* A block size mismatch occurred. */ + errSecPublicKeyInconsistent = -67811, /* The public key was inconsistent. */ + errSecDeviceVerifyFailed = -67812, /* A device verification failure has occurred. */ + errSecInvalidLoginName = -67813, /* An invalid login name was detected. */ + errSecAlreadyLoggedIn = -67814, /* The user is already logged in. */ + errSecInvalidDigestAlgorithm = -67815, /* An invalid digest algorithm was detected. */ + errSecInvalidCRLGroup = -67816, /* An invalid CRL group was detected. */ + errSecCertificateCannotOperate = -67817, /* The certificate cannot operate. */ + errSecCertificateExpired = -67818, /* An expired certificate was detected. */ + errSecCertificateNotValidYet = -67819, /* The certificate is not yet valid. 
*/ + errSecCertificateRevoked = -67820, /* The certificate was revoked. */ + errSecCertificateSuspended = -67821, /* The certificate was suspended. */ + errSecInsufficientCredentials = -67822, /* Insufficient credentials were detected. */ + errSecInvalidAction = -67823, /* The action was not valid. */ + errSecInvalidAuthority = -67824, /* The authority was not valid. */ + errSecVerifyActionFailed = -67825, /* A verify action has failed. */ + errSecInvalidCertAuthority = -67826, /* The certificate authority was not valid. */ + errSecInvaldCRLAuthority = -67827, /* The CRL authority was not valid. */ + errSecInvalidCRLEncoding = -67828, /* The CRL encoding was not valid. */ + errSecInvalidCRLType = -67829, /* The CRL type was not valid. */ + errSecInvalidCRL = -67830, /* The CRL was not valid. */ + errSecInvalidFormType = -67831, /* The form type was not valid. */ + errSecInvalidID = -67832, /* The ID was not valid. */ + errSecInvalidIdentifier = -67833, /* The identifier was not valid. */ + errSecInvalidIndex = -67834, /* The index was not valid. */ + errSecInvalidPolicyIdentifiers = -67835, /* The policy identifiers are not valid. */ + errSecInvalidTimeString = -67836, /* The time specified was not valid. */ + errSecInvalidReason = -67837, /* The trust policy reason was not valid. */ + errSecInvalidRequestInputs = -67838, /* The request inputs are not valid. */ + errSecInvalidResponseVector = -67839, /* The response vector was not valid. */ + errSecInvalidStopOnPolicy = -67840, /* The stop-on policy was not valid. */ + errSecInvalidTuple = -67841, /* The tuple was not valid. */ + errSecMultipleValuesUnsupported = -67842, /* Multiple values are not supported. */ + errSecNotTrusted = -67843, /* The trust policy was not trusted. */ + errSecNoDefaultAuthority = -67844, /* No default authority was detected. */ + errSecRejectedForm = -67845, /* The trust policy had a rejected form. */ + errSecRequestLost = -67846, /* The request was lost. 
*/ + errSecRequestRejected = -67847, /* The request was rejected. */ + errSecUnsupportedAddressType = -67848, /* The address type is not supported. */ + errSecUnsupportedService = -67849, /* The service is not supported. */ + errSecInvalidTupleGroup = -67850, /* The tuple group was not valid. */ + errSecInvalidBaseACLs = -67851, /* The base ACLs are not valid. */ + errSecInvalidTupleCredendtials = -67852, /* The tuple credentials are not valid. */ + errSecInvalidEncoding = -67853, /* The encoding was not valid. */ + errSecInvalidValidityPeriod = -67854, /* The validity period was not valid. */ + errSecInvalidRequestor = -67855, /* The requestor was not valid. */ + errSecRequestDescriptor = -67856, /* The request descriptor was not valid. */ + errSecInvalidBundleInfo = -67857, /* The bundle information was not valid. */ + errSecInvalidCRLIndex = -67858, /* The CRL index was not valid. */ + errSecNoFieldValues = -67859, /* No field values were detected. */ + errSecUnsupportedFieldFormat = -67860, /* The field format is not supported. */ + errSecUnsupportedIndexInfo = -67861, /* The index information is not supported. */ + errSecUnsupportedLocality = -67862, /* The locality is not supported. */ + errSecUnsupportedNumAttributes = -67863, /* The number of attributes is not supported. */ + errSecUnsupportedNumIndexes = -67864, /* The number of indexes is not supported. */ + errSecUnsupportedNumRecordTypes = -67865, /* The number of record types is not supported. */ + errSecFieldSpecifiedMultiple = -67866, /* Too many fields were specified. */ + errSecIncompatibleFieldFormat = -67867, /* The field format was incompatible. */ + errSecInvalidParsingModule = -67868, /* The parsing module was not valid. */ + errSecDatabaseLocked = -67869, /* The database is locked. */ + errSecDatastoreIsOpen = -67870, /* The data store is open. */ + errSecMissingValue = -67871, /* A missing value was detected. */ + errSecUnsupportedQueryLimits = -67872, /* The query limits are not supported. 
*/ + errSecUnsupportedNumSelectionPreds = -67873, /* The number of selection predicates is not supported. */ + errSecUnsupportedOperator = -67874, /* The operator is not supported. */ + errSecInvalidDBLocation = -67875, /* The database location is not valid. */ + errSecInvalidAccessRequest = -67876, /* The access request is not valid. */ + errSecInvalidIndexInfo = -67877, /* The index information is not valid. */ + errSecInvalidNewOwner = -67878, /* The new owner is not valid. */ + errSecInvalidModifyMode = -67879, /* The modify mode is not valid. */ + errSecMissingRequiredExtension = -67880, /* A required certificate extension is missing. */ + errSecExtendedKeyUsageNotCritical = -67881, /* The extended key usage extension was not marked critical. */ + errSecTimestampMissing = -67882, /* A timestamp was expected but was not found. */ + errSecTimestampInvalid = -67883, /* The timestamp was not valid. */ + errSecTimestampNotTrusted = -67884, /* The timestamp was not trusted. */ + errSecTimestampServiceNotAvailable = -67885, /* The timestamp service is not available. */ + errSecTimestampBadAlg = -67886, /* An unrecognized or unsupported Algorithm Identifier in timestamp. */ + errSecTimestampBadRequest = -67887, /* The timestamp transaction is not permitted or supported. */ + errSecTimestampBadDataFormat = -67888, /* The timestamp data submitted has the wrong format. */ + errSecTimestampTimeNotAvailable = -67889, /* The time source for the Timestamp Authority is not available. */ + errSecTimestampUnacceptedPolicy = -67890, /* The requested policy is not supported by the Timestamp Authority. */ + errSecTimestampUnacceptedExtension = -67891, /* The requested extension is not supported by the Timestamp Authority. */ + errSecTimestampAddInfoNotAvailable = -67892, /* The additional information requested is not available. */ + errSecTimestampSystemFailure = -67893, /* The timestamp request cannot be handled due to system failure. 
*/ + errSecSigningTimeMissing = -67894, /* A signing time was expected but was not found. */ + errSecTimestampRejection = -67895, /* A timestamp transaction was rejected. */ + errSecTimestampWaiting = -67896, /* A timestamp transaction is waiting. */ + errSecTimestampRevocationWarning = -67897, /* A timestamp authority revocation warning was issued. */ + errSecTimestampRevocationNotification = -67898, /* A timestamp authority revocation notification was issued. */ +}; + +CF_IMPLICIT_BRIDGING_DISABLED +CF_ASSUME_NONNULL_END + +#if defined(__cplusplus) +} +#endif + +#endif /* !_SECURITY_SECBASE_H_ */ diff --git a/Security/libsecurity_keychain/lib/SecBase64P.c b/OSX/include/security_keychain/SecBase64P.c similarity index 100% rename from Security/libsecurity_keychain/lib/SecBase64P.c rename to OSX/include/security_keychain/SecBase64P.c diff --git a/Security/libsecurity_keychain/lib/SecBase64P.h b/OSX/include/security_keychain/SecBase64P.h similarity index 100% rename from Security/libsecurity_keychain/lib/SecBase64P.h rename to OSX/include/security_keychain/SecBase64P.h diff --git a/Security/libsecurity_keychain/lib/SecBaseP.h b/OSX/include/security_keychain/SecBaseP.h similarity index 100% rename from Security/libsecurity_keychain/lib/SecBaseP.h rename to OSX/include/security_keychain/SecBaseP.h diff --git a/Security/libsecurity_keychain/lib/SecBasePriv.h b/OSX/include/security_keychain/SecBasePriv.h similarity index 100% rename from Security/libsecurity_keychain/lib/SecBasePriv.h rename to OSX/include/security_keychain/SecBasePriv.h diff --git a/OSX/include/security_keychain/SecBridge.h b/OSX/include/security_keychain/SecBridge.h new file mode 100644 index 00000000..2c541baf --- /dev/null +++ b/OSX/include/security_keychain/SecBridge.h 
@@ -0,0 +1,90 @@
+/*
+ * Copyright (c) 2000-2004,2011,2013-2015 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#ifndef _SECURITY_SECBRIDGE_H_
+#define _SECURITY_SECBRIDGE_H_
+
+#include
+#include
+#include "SecBasePriv.h"
+#include
+#include
+#include
+
+using namespace KeychainCore;
+
+//
+// API boilerplate macros. These provide a frame for C++ code that is impermeable to exceptions.
+// Usage:
+// BEGIN_API
+// ... your C++ code here ...
+// END_API // returns CSSM_RETURN on exception
+// END_API0 // returns nothing (void) on exception
+// END_API1(bad) // return (bad) on exception
+// END_API2(name) // like END_API, with API name as debug scope for printing function result
+// END_API3(name, bad) // like END_API1, with API name as debug scope for printing function result
+//
+#define BEGIN_SECAPI \
+ OSStatus __secapiresult = errSecSuccess; \
+ try {
+#define END_SECAPI }\
+ catch (const MacOSError &err) { __secapiresult=err.osStatus(); } \
+ catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); } \
+ catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; } \
+ catch (...) { __secapiresult=errSecInternalComponent; } \
+ return __secapiresult;
+#define END_SECAPI1(BAD_RETURN_VAL) \
+ } \
+ catch (...) \
+ { \
+ __secapiresult=BAD_RETURN_VAL; \
+ } \
+ return __secapiresult;
+#define END_SECAPI1(BAD_RETURN_VAL) }\
+ catch (...) { __secapiresult=BAD_RETURN_VAL; } \
+ return __secapiresult;
+#define END_SECAPI0 }\
+ catch (...) { return; }
+
+#if SECTRUST_OSX
+#define BEGIN_SECCERTAPI \
+OSStatus __secapiresult=errSecSuccess; \
+SecCertificateRef __itemImplRef=(SecCertificateRef)SecCertificateCopyKeychainItem(certificate); \
+if (!__itemImplRef) { __itemImplRef=SecCertificateCreateItemImplInstance(certificate); } \
+try {
+#else
+#define BEGIN_SECCERTAPI \
+OSStatus __secapiresult=errSecSuccess; \
+SecCertificateRef __itemImplRef=(SecCertificateRef)((certificate)?CFRetain(certificate):NULL); \
+try {
+#endif
+#define END_SECCERTAPI }\
+catch (const MacOSError &err) { __secapiresult=err.osStatus(); } \
+catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); } \
+catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; } \
+catch (...) { __secapiresult=errSecInternalComponent; } \
+if (__itemImplRef) { CFRelease(__itemImplRef); } \
+return __secapiresult;
+
+
+#endif /* !_SECURITY_SECBRIDGE_H_ */
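Review bot: The usage comment above the macros documents `BEGIN_API`, `END_API`, `END_API0`, `END_API1(bad)`, `END_API2(name)` and `END_API3(name, bad)`, but the header actually defines `BEGIN_SECAPI`, `END_SECAPI`, `END_SECAPI0` and `END_SECAPI1(BAD_RETURN_VAL)` and no `2`/`3` variants, so the comment should name the macros that exist: `// BEGIN_SECAPI` / `// END_SECAPI // returns OSStatus (errSec*) on exception` / `// END_SECAPI1(bad) // returns (bad) on exception`, with the END_API2/END_API3 entries dropped. `END_SECAPI1(BAD_RETURN_VAL)` is also defined twice with token-identical bodies; the second definition is dead and one of the two should be removed. The comment's "returns CSSM_RETURN" is also stale, since `END_SECAPI` returns the `OSStatus __secapiresult` set from `err.osStatus()`, `errSecAllocate` or `errSecInternalComponent`. It would help callers to note in the same comment that `END_SECAPI1` collapses every exception, including `std::bad_alloc`, to the single caller-supplied value, whereas `END_SECAPI` and `END_SECCERTAPI` map them to distinct `errSec*` codes.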
diff --git a/Security/libsecurity_keychain/lib/SecCFTypes.cpp b/OSX/include/security_keychain/SecCFTypes.cpp
similarity index 100%
rename from Security/libsecurity_keychain/lib/SecCFTypes.cpp
rename to OSX/include/security_keychain/SecCFTypes.cpp
diff --git a/Security/libsecurity_keychain/lib/SecCFTypes.h b/OSX/include/security_keychain/SecCFTypes.h
similarity index 100%
rename from Security/libsecurity_keychain/lib/SecCFTypes.h
rename to OSX/include/security_keychain/SecCFTypes.h
diff --git a/OSX/include/security_keychain/SecCertificate.cpp b/OSX/include/security_keychain/SecCertificate.cpp
new file mode 100644
index 00000000..9950aa33
--- /dev/null
+++ b/OSX/include/security_keychain/SecCertificate.cpp
@@ -0,0 +1,1538 @@ +/* + * Copyright (c) 2002-2015 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "SecBridge.h" + +// %%% used by SecCertificate{Copy,Set}Preference +#include +#include +#include +#include +#include +#include +#include +#include "CertificateValues.h" +#include "SecCertificateP.h" +#include "SecCertificatePrivP.h" + +#include "AppleBaselineEscrowCertificates.h" + + +SecCertificateRef SecCertificateCreateItemImplInstance(SecCertificateRef certificate); +OSStatus SecCertificateGetCLHandle_legacy(SecCertificateRef certificate, CSSM_CL_HANDLE *clHandle); +extern CSSM_KEYUSE ConvertArrayToKeyUsage(CFArrayRef usage); + +#define SEC_CONST_DECL(k,v) const CFStringRef k = CFSTR(v); + +SEC_CONST_DECL (kSecCertificateProductionEscrowKey, "ProductionEscrowKey"); +SEC_CONST_DECL (kSecCertificateProductionPCSEscrowKey, "ProductionPCSEscrowKey"); +SEC_CONST_DECL (kSecCertificateEscrowFileName, "AppleESCertificates"); + + +using namespace 
CssmClient; + +#if !SECTRUST_OSX +CFTypeID +SecCertificateGetTypeID(void) +{ + BEGIN_SECAPI + + return gTypes().Certificate.typeID; + + END_SECAPI1(_kCFRuntimeNotATypeID) +} +#endif + +/* convert a new-world SecCertificateRef to an old-world ItemImpl instance */ +SecCertificateRef +SecCertificateCreateItemImplInstance(SecCertificateRef certificate) +{ +#if !SECTRUST_OSX + return (SecCertificateRef)(certificate ? CFRetain(certificate) : NULL); +#else + if (!certificate) { + return NULL; + } + SecCertificateRef implCertRef = (SecCertificateRef) SecCertificateCopyKeychainItem(certificate); + if (implCertRef) { + return implCertRef; + } + CFDataRef data = SecCertificateCopyData(certificate); + if (!data) { + return NULL; + } + try { + CSSM_DATA cssmCertData; + cssmCertData.Length = (data) ? (CSSM_SIZE)CFDataGetLength(data) : 0; + cssmCertData.Data = (data) ? (uint8 *)CFDataGetBytePtr(data) : NULL; + + SecPointer certificatePtr(new Certificate(cssmCertData, CSSM_CERT_X_509v3, CSSM_CERT_ENCODING_DER)); + implCertRef = certificatePtr->handle(); + } + catch (...) {} + CFRelease(data); + return implCertRef; +#endif +} + +/* convert an old-world ItemImpl instance to a new-world SecCertificateRef */ +SecCertificateRef +SecCertificateCreateFromItemImplInstance(SecCertificateRef certificate) +{ +#if !SECTRUST_OSX + return (SecCertificateRef)(certificate ? 
CFRetain(certificate) : NULL); +#else + if (!certificate) { + return NULL; + } + SecCertificateRef result = NULL; + CFDataRef data = NULL; + try { + CssmData certData = Certificate::required(certificate)->data(); + if (certData.Data && certData.Length) { + data = CFDataCreate(NULL, certData.Data, certData.Length); + } + if (!data) { + if (certData.Data && !certData.Length) { + /* zero-length certs can exist, so don't bother logging this */ + } + else { + syslog(LOG_ERR, "WARNING: SecKeychainSearchCopyNext failed to retrieve certificate data (length=%ld, data=0x%lX)", + (long)certData.Length, (uintptr_t)certData.Data); + } + return NULL; + } + } + catch (...) {} + + result = SecCertificateCreateWithKeychainItem(NULL, data, certificate); + if (data) + CFRelease(data); + return result; +#endif +} + +/* OS X only: DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER */ +OSStatus +SecCertificateCreateFromData(const CSSM_DATA *data, CSSM_CERT_TYPE type, CSSM_CERT_ENCODING encoding, SecCertificateRef *certificate) +{ +#if !SECTRUST_OSX + BEGIN_SECAPI + + SecPointer certificatePtr(new Certificate(Required(data), type, encoding)); + Required(certificate) = certificatePtr->handle(); + + END_SECAPI +#else + /* bridge to support old functionality */ + if (!data || !data->Data || !data->Length || !certificate) { + return errSecParam; + } + SecCertificateRef certRef = NULL; + CFDataRef dataRef = CFDataCreate(NULL, data->Data, data->Length); + if (dataRef) { + certRef = SecCertificateCreateWithData(NULL, dataRef); + CFRelease(dataRef); + } + *certificate = certRef; + return (certRef) ? errSecSuccess : errSecUnknownFormat; +#endif +} + +#if !SECTRUST_OSX +/* new in 10.6 */ +SecCertificateRef +SecCertificateCreateWithData(CFAllocatorRef allocator, CFDataRef data) +{ + SecCertificateRef certificate = NULL; + OSStatus __secapiresult; + try { + CSSM_DATA cssmCertData; + cssmCertData.Length = (data) ? (CSSM_SIZE)CFDataGetLength(data) : 0; + cssmCertData.Data = (data) ? 
(uint8 *)CFDataGetBytePtr(data) : NULL; + + //NOTE: there isn't yet a Certificate constructor which accepts a CFAllocatorRef + SecPointer certificatePtr(new Certificate(cssmCertData, CSSM_CERT_X_509v3, CSSM_CERT_ENCODING_DER)); + certificate = certificatePtr->handle(); + + __secapiresult=errSecSuccess; + } + catch (const MacOSError &err) { __secapiresult=err.osStatus(); } + catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); } + catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; } + catch (...) { __secapiresult=errSecInternalComponent; } + return certificate; +} +#endif + +/* OS X only: __OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_NA) */ +OSStatus +SecCertificateAddToKeychain(SecCertificateRef certificate, SecKeychainRef keychain) +{ + // This macro converts a new-style SecCertificateRef to an old-style ItemImpl + BEGIN_SECCERTAPI + + Item item(Certificate::required(__itemImplRef)); + Keychain::optional(keychain)->add(item); + + END_SECCERTAPI +} + +/* OS X only: DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER */ +OSStatus +SecCertificateGetData(SecCertificateRef certificate, CSSM_DATA_PTR data) +{ + // This macro converts a new-style SecCertificateRef to an old-style ItemImpl + BEGIN_SECCERTAPI + + Required(data) = Certificate::required(__itemImplRef)->data(); + + END_SECCERTAPI +} + +#if !SECTRUST_OSX +/* new in 10.6 */ +CFDataRef +SecCertificateCopyData(SecCertificateRef certificate) +{ + CFDataRef data = NULL; + OSStatus __secapiresult = errSecSuccess; + try { + CssmData output = Certificate::required(certificate)->data(); + CFIndex length = (CFIndex)output.length(); + const UInt8 *bytes = (const UInt8 *)output.data(); + if (length && bytes) { + data = CFDataCreate(NULL, bytes, length); + } + } + catch (const MacOSError &err) { __secapiresult=err.osStatus(); } + catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); } + catch (const std::bad_alloc &) { 
__secapiresult=errSecAllocate; }
+ catch (...) { __secapiresult=errSecInternalComponent; }
+ return data;
+}
+#endif
+
+#if !SECTRUST_OSX
+CFDataRef
+SecCertificateGetSHA1Digest(SecCertificateRef certificate)
+{
+ CFDataRef data = NULL;
+ OSStatus __secapiresult = errSecSuccess;
+ try {
+ data = Certificate::required(certificate)->sha1Hash();
+ }
+ catch (const MacOSError &err) { __secapiresult=err.osStatus(); }
+ catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); }
+ catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; }
+ catch (...) { __secapiresult=errSecInternalComponent; }
+ return data;
+}
+#endif
+
+#if !SECTRUST_OSX
+CFDataRef
+SecCertificateCopyPublicKeySHA1Digest(SecCertificateRef certificate)
+{
+ CFDataRef data = NULL;
+ OSStatus __secapiresult = errSecSuccess;
+ try {
+ CssmData output = Certificate::required(certificate)->publicKeyHash();
+ CFIndex length = (CFIndex)output.length();
+ const UInt8 *bytes = (const UInt8 *)output.data();
+ if (length && bytes) {
+ data = CFDataCreate(NULL, bytes, length);
+ }
+ }
+ catch (const MacOSError &err) { __secapiresult=err.osStatus(); }
+ catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); }
+ catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; }
+ catch (...) { __secapiresult=errSecInternalComponent; }
+ return data;
+}
+#endif
+
+#if !SECTRUST_OSX
+CFArrayRef
+SecCertificateCopyDNSNames(SecCertificateRef certificate)
+{
+ CFArrayRef names = NULL;
+ OSStatus __secapiresult = errSecSuccess;
+ try {
+ names = Certificate::required(certificate)->copyDNSNames();
+ }
+ catch (const MacOSError &err) { __secapiresult=err.osStatus(); }
+ catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); }
+ catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; }
+ catch (...)
{ __secapiresult=errSecInternalComponent; }
+ return names;
+}
+#endif
+
+/* OS X only: DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER */
+OSStatus
+SecCertificateGetType(SecCertificateRef certificate, CSSM_CERT_TYPE *certificateType)
+{
+ // This macro converts a new-style SecCertificateRef to an old-style ItemImpl
+ BEGIN_SECCERTAPI
+
+ Required(certificateType) = Certificate::required(__itemImplRef)->type();
+
+ END_SECCERTAPI
+}
+
+/* OS X only: DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER */
+OSStatus
+SecCertificateGetSubject(SecCertificateRef certificate, const CSSM_X509_NAME **subject)
+{
+ // This macro converts a new-style SecCertificateRef to an old-style ItemImpl
+ BEGIN_SECCERTAPI
+
+ Required(subject) = Certificate::required(__itemImplRef)->subjectName();
+
+ END_SECCERTAPI
+}
+
+/* OS X only: DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER */
+OSStatus
+SecCertificateGetIssuer(SecCertificateRef certificate, const CSSM_X509_NAME **issuer)
+{
+ // This macro converts a new-style SecCertificateRef to an old-style ItemImpl
+ BEGIN_SECCERTAPI
+
+ Required(issuer) = Certificate::required(__itemImplRef)->issuerName();
+
+ END_SECCERTAPI
+}
+
+/* OS X only: DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER */
+OSStatus
+SecCertificateGetCLHandle(SecCertificateRef certificate, CSSM_CL_HANDLE *clHandle)
+{
+#if !SECTRUST_OSX
+ BEGIN_SECAPI
+
+ Required(clHandle) = Certificate::required(certificate)->clHandle();
+
+ END_SECAPI
+#else
+#if 0
+ // This macro converts a new-style SecCertificateRef to an old-style ItemImpl
+ BEGIN_SECCERTAPI
+
+ Required(clHandle) = Certificate::required(__itemImplRef)->clHandle();
+
+ END_SECCERTAPI
+#endif
+ /* bridge code to support deprecated functionality */
+ OSStatus __secapiresult=errSecSuccess;
+ bool kcItem=true;
+ SecCertificateRef __itemImplRef=(SecCertificateRef)SecCertificateCopyKeychainItem(certificate);
+ if (!__itemImplRef) { __itemImplRef=SecCertificateCreateItemImplInstance(certificate); kcItem=false; }
+ try {
+
Required(clHandle) = Certificate::required(__itemImplRef)->clHandle();
+ }
+ catch (const MacOSError &err) { __secapiresult=err.osStatus(); }
+ catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); }
+ catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; }
+ catch (...) { __secapiresult=errSecInternalComponent; }
+ if (__itemImplRef) {
+ if (!kcItem) {
+ /* we can't release the temporary certificate, or the CL handle becomes invalid.
+ * for now, just stick the temporary certificate into an array.
+ * TBD: use a dictionary, indexed by hash of certificate. */
+ static CFMutableArrayRef sLegacyCertArray = NULL;
+ if (!sLegacyCertArray) {
+ sLegacyCertArray = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
+ if (!sLegacyCertArray) {
+ return errSecAllocate;
+ }
+ }
+ CFArrayAppendValue(sLegacyCertArray, __itemImplRef);
+#ifndef NDEBUG
+ syslog(LOG_ERR, "WARNING: SecCertificateGetCLHandle called on certificate which is not in a keychain.");
+#endif
+ }
+ CFRelease(__itemImplRef);
+ }
+ return __secapiresult;
+
+#endif
+}
+
+/* private function; assumes input is old-style ItemImpl certificate reference,
+ and does not release that certificate reference!
+ */
+OSStatus
+SecCertificateGetCLHandle_legacy(SecCertificateRef certificate, CSSM_CL_HANDLE *clHandle)
+{
+ BEGIN_SECAPI
+
+ Required(clHandle) = Certificate::required(certificate)->clHandle();
+
+ END_SECAPI
+}
+
+
+/*
+ * Private API to infer a display name for a SecCertificateRef which
+ * may or may not be in a keychain.
+ *
+ * OS X only
+ */
+OSStatus
+SecCertificateInferLabel(SecCertificateRef certificate, CFStringRef *label)
+{
+ // This macro converts a new-style SecCertificateRef to an old-style ItemImpl
+ BEGIN_SECCERTAPI
+
+ Certificate::required(__itemImplRef)->inferLabel(false, &Required(label));
+
+ END_SECCERTAPI
+}
+
+/* OS X only (note: iOS version has different arguments and return value) */
+OSStatus
+SecCertificateCopyPublicKey(SecCertificateRef certificate, SecKeyRef *key)
+{
+ // This macro converts a new-style SecCertificateRef to an old-style ItemImpl
+ BEGIN_SECCERTAPI
+
+ Required(key) = Certificate::required(__itemImplRef)->publicKey()->handle();
+
+ END_SECCERTAPI
+}
+
+/* OS X only: DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER */
+OSStatus
+SecCertificateGetAlgorithmID(SecCertificateRef certificate, const CSSM_X509_ALGORITHM_IDENTIFIER **algid)
+{
+ // This macro converts a new-style SecCertificateRef to an old-style ItemImpl
+ BEGIN_SECCERTAPI
+
+ Required(algid) = Certificate::required(__itemImplRef)->algorithmID();
+
+ END_SECCERTAPI
+}
+
+/* OS X only: __OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA) */
+OSStatus
+SecCertificateCopyCommonName(SecCertificateRef certificate, CFStringRef *commonName)
+{
+ // This macro converts a new-style SecCertificateRef to an old-style ItemImpl
+ BEGIN_SECCERTAPI
+
+ Required(commonName) = Certificate::required(__itemImplRef)->commonName();
+
+ END_SECCERTAPI
+}
+
+#if !SECTRUST_OSX
+/* new in 10.6 */
+CFStringRef
+SecCertificateCopySubjectSummary(SecCertificateRef certificate)
+{
+ CFStringRef summary = NULL;
+ OSStatus __secapiresult;
+ try {
+ Certificate::required(certificate)->inferLabel(false, &summary);
+
+ __secapiresult=errSecSuccess;
+ }
+ catch (const MacOSError &err) { __secapiresult=err.osStatus(); }
+ catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); }
+ catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; }
+ catch (...)
{ __secapiresult=errSecInternalComponent; }
+ return summary;
+}
+#endif
+
+#if !SECTRUST_OSX
+CFStringRef
+SecCertificateCopyIssuerSummary(SecCertificateRef certificate)
+{
+ CFStringRef issuerStr = NULL;
+ SecCertificateRefP certP = NULL;
+ CFDataRef certData = SecCertificateCopyData(certificate);
+ if (certData) {
+ certP = SecCertificateCreateWithDataP(NULL, certData);
+ CFRelease(certData);
+ }
+ if (certP) {
+ issuerStr = SecCertificateCopyIssuerSummaryP(certP);
+ CFRelease(certP);
+ }
+ return issuerStr;
+}
+#endif
+
+/* OS X only */
+OSStatus
+SecCertificateCopySubjectComponent(SecCertificateRef certificate, const CSSM_OID *component, CFStringRef *result)
+{
+ // This macro converts a new-style SecCertificateRef to an old-style ItemImpl
+ BEGIN_SECCERTAPI
+
+ Required(result) = Certificate::required(__itemImplRef)->distinguishedName(&CSSMOID_X509V1SubjectNameCStruct, component);
+
+ END_SECCERTAPI
+}
+
+/* OS X only; deprecated SPI */
+OSStatus
+SecCertificateGetCommonName(SecCertificateRef certificate, CFStringRef *commonName)
+{
+ // deprecated SPI signature; replaced by SecCertificateCopyCommonName
+ return SecCertificateCopyCommonName(certificate, commonName);
+}
+
+/* OS X only; deprecated SPI */
+OSStatus
+SecCertificateGetEmailAddress(SecCertificateRef certificate, CFStringRef *emailAddress)
+{
+ // This macro converts a new-style SecCertificateRef to an old-style ItemImpl
+ BEGIN_SECCERTAPI
+
+ Required(emailAddress) = Certificate::required(__itemImplRef)->copyFirstEmailAddress();
+
+ END_SECCERTAPI
+}
+
+/* OS X only */
+OSStatus
+SecCertificateCopyEmailAddresses(SecCertificateRef certificate, CFArrayRef *emailAddresses)
+{
+ // This macro converts a new-style SecCertificateRef to an old-style ItemImpl
+ BEGIN_SECCERTAPI
+
+ Required(emailAddresses) = Certificate::required(__itemImplRef)->copyEmailAddresses();
+
+ END_SECCERTAPI
+}
+
+/* Return a zero terminated list of CSSM_DATA_PTR's with the values of the field specified by field.
+ * Caller must call releaseFieldValues to free the storage allocated by this call.
+ *
+ * OS X only
+ */
+OSStatus
+SecCertificateCopyFieldValues(SecCertificateRef certificate, const CSSM_OID *field, CSSM_DATA_PTR **fieldValues)
+{
+ // This macro converts a new-style SecCertificateRef to an old-style ItemImpl
+ BEGIN_SECCERTAPI
+
+ Required(fieldValues) = Certificate::required(__itemImplRef)->copyFieldValues(Required(field));
+
+ END_SECCERTAPI
+}
+
+/* OS X only */
+OSStatus
+SecCertificateReleaseFieldValues(SecCertificateRef certificate, const CSSM_OID *field, CSSM_DATA_PTR *fieldValues)
+{
+ // This macro converts a new-style SecCertificateRef to an old-style ItemImpl
+ BEGIN_SECCERTAPI
+
+ Certificate::required(__itemImplRef)->releaseFieldValues(Required(field), fieldValues);
+
+ END_SECCERTAPI
+}
+
+/* OS X only */
+OSStatus
+SecCertificateCopyFirstFieldValue(SecCertificateRef certificate, const CSSM_OID *field, CSSM_DATA_PTR *fieldValue)
+{
+ // This macro converts a new-style SecCertificateRef to an old-style ItemImpl
+ BEGIN_SECCERTAPI
+
+ Required(fieldValue) = Certificate::required(__itemImplRef)->copyFirstFieldValue(Required(field));
+
+ END_SECCERTAPI
+}
+
+/* OS X only */
+OSStatus
+SecCertificateReleaseFirstFieldValue(SecCertificateRef certificate, const CSSM_OID *field, CSSM_DATA_PTR fieldValue)
+{
+ // This macro converts a new-style SecCertificateRef to an old-style ItemImpl
+ BEGIN_SECCERTAPI
+
+ Certificate::required(__itemImplRef)->releaseFieldValue(Required(field), fieldValue);
+
+ END_SECCERTAPI
+}
+
+/* OS X only */
+OSStatus
+SecCertificateFindByIssuerAndSN(CFTypeRef keychainOrArray,const CSSM_DATA *issuer,
+ const CSSM_DATA *serialNumber, SecCertificateRef *certificate)
+{
+ BEGIN_SECAPI
+
+ StorageManager::KeychainList keychains;
+ globals().storageManager.optionalSearchList(keychainOrArray, keychains);
+ Required(certificate) = Certificate::findByIssuerAndSN(keychains, CssmData::required(issuer),
CssmData::required(serialNumber))->handle();
+
+#if SECTRUST_OSX
+ // convert ItemImpl-based SecCertificateRef to new-world version before returning
+ CssmData certData = Certificate::required(*certificate)->data();
+ CFRef cfData(CFDataCreate(NULL, certData.Data, certData.Length));
+ SecCertificateRef tmpRef = *certificate;
+ *certificate = SecCertificateCreateWithData(NULL, cfData);
+ CFRelease(tmpRef);
+#endif
+
+ END_SECAPI
+}
+
+/* OS X only */
+OSStatus
+SecCertificateFindBySubjectKeyID(CFTypeRef keychainOrArray, const CSSM_DATA *subjectKeyID,
+ SecCertificateRef *certificate)
+{
+ BEGIN_SECAPI
+
+ StorageManager::KeychainList keychains;
+ globals().storageManager.optionalSearchList(keychainOrArray, keychains);
+ Required(certificate) = Certificate::findBySubjectKeyID(keychains, CssmData::required(subjectKeyID))->handle();
+
+#if SECTRUST_OSX
+ // convert ItemImpl-based SecCertificateRef to new-world version before returning
+ CssmData certData = Certificate::required(*certificate)->data();
+ CFRef cfData(CFDataCreate(NULL, certData.Data, certData.Length));
+ SecCertificateRef tmpRef = *certificate;
+ *certificate = SecCertificateCreateWithData(NULL, cfData);
+ CFRelease(tmpRef);
+#endif
+
+ END_SECAPI
+}
+
+/* OS X only */
+OSStatus
+SecCertificateFindByEmail(CFTypeRef keychainOrArray, const char *emailAddress, SecCertificateRef *certificate)
+{
+ BEGIN_SECAPI
+
+ StorageManager::KeychainList keychains;
+ globals().storageManager.optionalSearchList(keychainOrArray, keychains);
+ Required(certificate) = Certificate::findByEmail(keychains, emailAddress)->handle();
+
+#if SECTRUST_OSX
+ // convert ItemImpl-based SecCertificateRef to new-world version before returning
+ CssmData certData = Certificate::required(*certificate)->data();
+ CFRef cfData(CFDataCreate(NULL, certData.Data, certData.Length));
+ SecCertificateRef tmpRef = *certificate;
+ *certificate = SecCertificateCreateWithData(NULL, cfData);
+ CFRelease(tmpRef);
+#endif
+
+ END_SECAPI
+}
+
+/* OS X
only */
+OSStatus
+SecKeychainSearchCreateForCertificateByIssuerAndSN(CFTypeRef keychainOrArray, const CSSM_DATA *issuer,
+ const CSSM_DATA *serialNumber, SecKeychainSearchRef *searchRef)
+{
+ BEGIN_SECAPI
+
+ Required(searchRef);
+
+ StorageManager::KeychainList keychains;
+ globals().storageManager.optionalSearchList(keychainOrArray, keychains);
+ KCCursor cursor(Certificate::cursorForIssuerAndSN(keychains, CssmData::required(issuer), CssmData::required(serialNumber)));
+ *searchRef = cursor->handle();
+
+ END_SECAPI
+}
+
+/* OS X only */
+OSStatus
+SecKeychainSearchCreateForCertificateByIssuerAndSN_CF(CFTypeRef keychainOrArray, CFDataRef issuer,
+ CFDataRef serialNumber, SecKeychainSearchRef *searchRef)
+{
+ BEGIN_SECAPI
+
+ Required(searchRef);
+
+ StorageManager::KeychainList keychains;
+ globals().storageManager.optionalSearchList(keychainOrArray, keychains);
+ Required(issuer);
+ Required(serialNumber);
+ KCCursor cursor(Certificate::cursorForIssuerAndSN_CF(keychains, issuer, serialNumber));
+ *searchRef = cursor->handle();
+
+ END_SECAPI
+}
+
+/* OS X only */
+OSStatus
+SecKeychainSearchCreateForCertificateBySubjectKeyID(CFTypeRef keychainOrArray, const CSSM_DATA *subjectKeyID,
+ SecKeychainSearchRef *searchRef)
+{
+ BEGIN_SECAPI
+
+ Required(searchRef);
+
+ StorageManager::KeychainList keychains;
+ globals().storageManager.optionalSearchList(keychainOrArray, keychains);
+ KCCursor cursor(Certificate::cursorForSubjectKeyID(keychains, CssmData::required(subjectKeyID)));
+ *searchRef = cursor->handle();
+
+ END_SECAPI
+}
+
+/* OS X only */
+OSStatus
+SecKeychainSearchCreateForCertificateByEmail(CFTypeRef keychainOrArray, const char *emailAddress,
+ SecKeychainSearchRef *searchRef)
+{
+ BEGIN_SECAPI
+
+ Required(searchRef);
+
+ StorageManager::KeychainList keychains;
+ globals().storageManager.optionalSearchList(keychainOrArray, keychains);
+ KCCursor cursor(Certificate::cursorForEmail(keychains, emailAddress));
+ *searchRef = cursor->handle();
+
+ END_SECAPI
+}
+
+/* OS X only */
+CSSM_RETURN
+SecDigestGetData (CSSM_ALGORITHMS alg, CSSM_DATA* digest, const CSSM_DATA* data)
+{
+ BEGIN_SECAPI
+ // sanity checking
+ if (!digest || !digest->Data || !digest->Length || !data || !data->Data || !data->Length)
+ return errSecParam;
+
+ CSP csp(gGuidAppleCSP);
+ Digest context(csp, alg);
+ CssmData input(data->Data, data->Length);
+ CssmData output(digest->Data, digest->Length);
+
+ context.digest(input, output);
+ digest->Length = output.length();
+
+ return CSSM_OK;
+ END_SECAPI1(1);
+}
+
+#if !SECTRUST_OSX
+/* determine whether a cert is self-signed */
+OSStatus SecCertificateIsSelfSigned(
+ SecCertificateRef certificate,
+ Boolean *isSelfSigned) /* RETURNED */
+{
+ BEGIN_SECAPI
+
+ *isSelfSigned = Certificate::required(certificate)->isSelfSigned();
+
+ END_SECAPI
+}
+#endif
+
+/* OS X only: DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER */
+OSStatus
+SecCertificateCopyPreference(
+ CFStringRef name,
+ CSSM_KEYUSE keyUsage,
+ SecCertificateRef *certificate)
+{
+ BEGIN_SECAPI
+
+ Required(name);
+ Required(certificate);
+ StorageManager::KeychainList keychains;
+ globals().storageManager.getSearchList(keychains);
+ KCCursor cursor(keychains, kSecGenericPasswordItemClass, NULL);
+
+ char idUTF8[MAXPATHLEN];
+ if (!CFStringGetCString(name, idUTF8, sizeof(idUTF8)-1, kCFStringEncodingUTF8))
+ idUTF8[0] = (char)'\0';
+ CssmData service(const_cast(idUTF8), strlen(idUTF8));
+ FourCharCode itemType = 'cprf';
+ cursor->add(CSSM_DB_EQUAL, Schema::attributeInfo(kSecServiceItemAttr), service);
+ cursor->add(CSSM_DB_EQUAL, Schema::attributeInfo(kSecTypeItemAttr), itemType);
+ if (keyUsage)
+ cursor->add(CSSM_DB_EQUAL, Schema::attributeInfo(kSecScriptCodeItemAttr), (sint32)keyUsage);
+
+ Item prefItem;
+ if (!cursor->next(prefItem))
+ MacOSError::throwMe(errSecItemNotFound);
+
+ // get persistent certificate reference
+ SecKeychainAttribute itemAttrs[] = { { kSecGenericItemAttr, 0, NULL } };
+ SecKeychainAttributeList itemAttrList = {
sizeof(itemAttrs) / sizeof(itemAttrs[0]), itemAttrs };
+ prefItem->getContent(NULL, &itemAttrList, NULL, NULL);
+
+ // find certificate, given persistent reference data
+ CFDataRef pItemRef = CFDataCreateWithBytesNoCopy(NULL, (const UInt8 *)itemAttrs[0].data, itemAttrs[0].length, kCFAllocatorNull);
+ SecKeychainItemRef certItemRef = nil;
+ OSStatus status = SecKeychainItemCopyFromPersistentReference(pItemRef, &certItemRef); //%%% need to make this a method of ItemImpl
+ prefItem->freeContent(&itemAttrList, NULL);
+ if (pItemRef)
+ CFRelease(pItemRef);
+ if (status)
+ return status;
+
+ *certificate = (SecCertificateRef)certItemRef;
+
+#if SECTRUST_OSX
+ // convert ItemImpl-based SecCertificateRef to new-world version before returning
+ CssmData certData = Certificate::required(*certificate)->data();
+ CFRef cfData(CFDataCreate(NULL, certData.Data, certData.Length));
+ SecCertificateRef tmpRef = *certificate;
+ *certificate = SecCertificateCreateWithData(NULL, cfData);
+ CFRelease(tmpRef);
+#endif
+
+ END_SECAPI
+}
+
+/* OS X only */
+SecCertificateRef
+SecCertificateCopyPreferred(
+ CFStringRef name,
+ CFArrayRef keyUsage)
+{
+ // This function will look for a matching preference in the following order:
+ // - matches the name and the supplied key use
+ // - matches the name and the special 'ANY' key use
+ // - matches the name with no key usage constraint
+
+ SecCertificateRef certRef = NULL;
+ CSSM_KEYUSE keyUse = ConvertArrayToKeyUsage(keyUsage);
+ OSStatus status = SecCertificateCopyPreference(name, keyUse, &certRef);
+ if (status != errSecSuccess && keyUse != CSSM_KEYUSE_ANY)
+ status = SecCertificateCopyPreference(name, CSSM_KEYUSE_ANY, &certRef);
+ if (status != errSecSuccess && keyUse != 0)
+ status = SecCertificateCopyPreference(name, 0, &certRef);
+
+ return certRef;
+}
+
+/* OS X only; not exported */
+static OSStatus
+SecCertificateFindPreferenceItemWithNameAndKeyUsage(
+ CFTypeRef keychainOrArray,
+ CFStringRef name,
+ int32_t keyUsage,
+
SecKeychainItemRef *itemRef)
+{
+ BEGIN_SECAPI
+
+ StorageManager::KeychainList keychains;
+ globals().storageManager.optionalSearchList(keychainOrArray, keychains);
+ KCCursor cursor(keychains, kSecGenericPasswordItemClass, NULL);
+
+ char idUTF8[MAXPATHLEN];
+ idUTF8[0] = (char)'\0';
+ if (name)
+ {
+ if (!CFStringGetCString(name, idUTF8, sizeof(idUTF8)-1, kCFStringEncodingUTF8))
+ idUTF8[0] = (char)'\0';
+ }
+ size_t idUTF8Len = strlen(idUTF8);
+ if (!idUTF8Len)
+ MacOSError::throwMe(errSecParam);
+
+ CssmData service(const_cast(idUTF8), idUTF8Len);
+ cursor->add(CSSM_DB_EQUAL, Schema::attributeInfo(kSecServiceItemAttr), service);
+ cursor->add(CSSM_DB_EQUAL, Schema::attributeInfo(kSecTypeItemAttr), (FourCharCode)'cprf');
+ if (keyUsage)
+ cursor->add(CSSM_DB_EQUAL, Schema::attributeInfo(kSecScriptCodeItemAttr), (sint32)keyUsage);
+
+ Item item;
+ if (!cursor->next(item))
+ MacOSError::throwMe(errSecItemNotFound);
+
+ if (itemRef)
+ *itemRef=item->handle();
+
+ END_SECAPI
+}
+
+/* OS X only; not exported */
+static
+OSStatus SecCertificateDeletePreferenceItemWithNameAndKeyUsage(
+ CFTypeRef keychainOrArray,
+ CFStringRef name,
+ int32_t keyUsage)
+{
+ // when a specific key usage is passed, we'll only match & delete that pref;
+ // when a key usage of 0 is passed, all matching prefs should be deleted.
+ // maxUsages represents the most matches there could theoretically be, so
+ // cut things off at that point if we're still finding items (if they can't
+ // be deleted for some reason, we'd never break out of the loop.)
+
+ OSStatus status;
+ SecKeychainItemRef item = NULL;
+ int count = 0, maxUsages = 12;
+ while (++count <= maxUsages &&
+ (status = SecCertificateFindPreferenceItemWithNameAndKeyUsage(keychainOrArray, name, keyUsage, &item)) == errSecSuccess) {
+ status = SecKeychainItemDelete(item);
+ CFRelease(item);
+ item = NULL;
+ }
+
+ // it's not an error if the item isn't found
+ return (status == errSecItemNotFound) ?
errSecSuccess : status;
+}
+
+/* OS X only: __OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA) */
+OSStatus SecCertificateSetPreference(
+ SecCertificateRef certificate,
+ CFStringRef name,
+ CSSM_KEYUSE keyUsage,
+ CFDateRef date)
+{
+ if (!name) {
+ return errSecParam;
+ }
+ if (!certificate) {
+ // treat NULL certificate as a request to clear the preference
+ // (note: if keyUsage is 0, this clears all key usage prefs for name)
+ return SecCertificateDeletePreferenceItemWithNameAndKeyUsage(NULL, name, keyUsage);
+ }
+
+ // This macro converts a new-style SecCertificateRef to an old-style ItemImpl
+ BEGIN_SECCERTAPI
+
+ // determine the account attribute
+ //
+ // This attribute must be synthesized from certificate label + pref item type + key usage,
+ // as only the account and service attributes can make a generic keychain item unique.
+ // For 'iprf' type items (but not 'cprf'), we append a trailing space. This insures that
+ // we can save a certificate preference if an identity preference already exists for the
+ // given service name, and vice-versa.
+ // If the key usage is 0 (i.e. the normal case), we omit the appended key usage string.
+ //
+ CFStringRef labelStr = nil;
+ Certificate::required(__itemImplRef)->inferLabel(false, &labelStr);
+ if (!labelStr) {
+ MacOSError::throwMe(errSecDataTooLarge); // data is "in a format which cannot be displayed"
+ }
+ CFIndex accountUTF8Len = CFStringGetMaximumSizeForEncoding(CFStringGetLength(labelStr), kCFStringEncodingUTF8) + 1;
+ const char *templateStr = "%s [key usage 0x%X]";
+ const int keyUsageMaxStrLen = 8;
+ accountUTF8Len += strlen(templateStr) + keyUsageMaxStrLen;
+ char accountUTF8[accountUTF8Len];
+ if (!CFStringGetCString(labelStr, accountUTF8, accountUTF8Len-1, kCFStringEncodingUTF8))
+ accountUTF8[0] = (char)'\0';
+ if (keyUsage)
+ snprintf(accountUTF8, accountUTF8Len-1, templateStr, accountUTF8, keyUsage);
+ CssmData account(const_cast(accountUTF8), strlen(accountUTF8));
+ CFRelease(labelStr);
+
+ // service attribute (name provided by the caller)
+ CFIndex serviceUTF8Len = CFStringGetMaximumSizeForEncoding(CFStringGetLength(name), kCFStringEncodingUTF8) + 1;;
+ char serviceUTF8[serviceUTF8Len];
+ if (!CFStringGetCString(name, serviceUTF8, serviceUTF8Len-1, kCFStringEncodingUTF8))
+ serviceUTF8[0] = (char)'\0';
+ CssmData service(const_cast(serviceUTF8), strlen(serviceUTF8));
+
+ // look for existing preference item, in case this is an update
+ StorageManager::KeychainList keychains;
+ globals().storageManager.getSearchList(keychains);
+ KCCursor cursor(keychains, kSecGenericPasswordItemClass, NULL);
+ FourCharCode itemType = 'cprf';
+ cursor->add(CSSM_DB_EQUAL, Schema::attributeInfo(kSecServiceItemAttr), service);
+ cursor->add(CSSM_DB_EQUAL, Schema::attributeInfo(kSecTypeItemAttr), itemType);
+ if (keyUsage)
+ cursor->add(CSSM_DB_EQUAL, Schema::attributeInfo(kSecScriptCodeItemAttr), (sint32)keyUsage);
+ if (date)
+ ; // %%%TBI
+
+ Item item(kSecGenericPasswordItemClass, 'aapl', 0, NULL, false);
+ bool add = (!cursor->next(item));
+ // at this point, we either have a new item to add or an existing item to update
+
+ // set item attribute
values
+ item->setAttribute(Schema::attributeInfo(kSecServiceItemAttr), service);
+ item->setAttribute(Schema::attributeInfo(kSecTypeItemAttr), itemType);
+ item->setAttribute(Schema::attributeInfo(kSecAccountItemAttr), account);
+ item->setAttribute(Schema::attributeInfo(kSecScriptCodeItemAttr), (sint32)keyUsage);
+ item->setAttribute(Schema::attributeInfo(kSecLabelItemAttr), service);
+
+ // date
+ if (date)
+ ; // %%%TBI
+
+ // generic attribute (store persistent certificate reference)
+ CFDataRef pItemRef = nil;
+ Certificate::required(__itemImplRef)->copyPersistentReference(pItemRef);
+ if (!pItemRef) {
+ MacOSError::throwMe(errSecInvalidItemRef);
+ }
+ const UInt8 *dataPtr = CFDataGetBytePtr(pItemRef);
+ CFIndex dataLen = CFDataGetLength(pItemRef);
+ CssmData pref(const_cast(reinterpret_cast(dataPtr)), dataLen);
+ item->setAttribute(Schema::attributeInfo(kSecGenericItemAttr), pref);
+ CFRelease(pItemRef);
+
+ if (add) {
+ Keychain keychain = nil;
+ try {
+ keychain = globals().storageManager.defaultKeychain();
+ if (!keychain->exists())
+ MacOSError::throwMe(errSecNoSuchKeychain); // Might be deleted or not available at this time.
+ }
+ catch(...)
{
+ keychain = globals().storageManager.defaultKeychainUI(item);
+ }
+
+ try {
+ keychain->add(item);
+ }
+ catch (const MacOSError &err) {
+ if (err.osStatus() != errSecDuplicateItem)
+ throw; // if item already exists, fall through to update
+ }
+ }
+ item->update();
+
+ END_SECCERTAPI
+}
+
+/* OS X only: __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA) */
+OSStatus SecCertificateSetPreferred(
+ SecCertificateRef certificate,
+ CFStringRef name,
+ CFArrayRef keyUsage)
+{
+ CSSM_KEYUSE keyUse = ConvertArrayToKeyUsage(keyUsage);
+ return SecCertificateSetPreference(certificate, name, keyUse, NULL);
+}
+
+/* OS X only: __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA) */
+CFDictionaryRef SecCertificateCopyValues(SecCertificateRef certificate, CFArrayRef keys, CFErrorRef *error)
+{
+ CFDictionaryRef result = NULL;
+ OSStatus __secapiresult;
+ try
+ {
+ CertificateValues cv(certificate);
+ result = cv.copyFieldValues(keys,error);
+ __secapiresult=0;
+ }
+ catch (const MacOSError &err) { __secapiresult=err.osStatus(); }
+ catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); }
+ catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; }
+ catch (...) { __secapiresult=errSecInternalComponent; }
+ return result;
+}
+
+/* OS X only: __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA) */
+CFStringRef SecCertificateCopyLongDescription(CFAllocatorRef alloc, SecCertificateRef certificate, CFErrorRef *error)
+{
+ return SecCertificateCopyShortDescription(alloc, certificate, error);
+}
+
+/* OS X only: __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA) */
+CFStringRef SecCertificateCopyShortDescription(CFAllocatorRef alloc, SecCertificateRef certificate, CFErrorRef *error)
+{
+ CFStringRef result = NULL;
+ OSStatus __secapiresult = SecCertificateInferLabel(certificate, &result);
+ if (error!=NULL && __secapiresult!=errSecSuccess)
+ {
+ *error = CFErrorCreate(kCFAllocatorDefault, kCFErrorDomainOSStatus,
+ __secapiresult ?
__secapiresult : CSSM_ERRCODE_INTERNAL_ERROR, NULL);
+ }
+ return result;
+}
+
+/* OS X only: __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA) */
+CFDataRef SecCertificateCopySerialNumber(SecCertificateRef certificate, CFErrorRef *error)
+{
+ CFDataRef result = NULL;
+ OSStatus __secapiresult;
+ try
+ {
+ CertificateValues cv(certificate);
+ result = cv.copySerialNumber(error);
+ __secapiresult=0;
+ }
+ catch (const MacOSError &err) { __secapiresult=err.osStatus(); }
+ catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); }
+ catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; }
+ catch (...) { __secapiresult=errSecInternalComponent; }
+ return result;
+}
+
+/* OS X only: __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA) */
+CFDataRef SecCertificateCopyNormalizedIssuerContent(SecCertificateRef certificate, CFErrorRef *error)
+{
+ CFDataRef result = NULL;
+ OSStatus __secapiresult;
+ try
+ {
+ CertificateValues cv(certificate);
+ result = cv.copyNormalizedIssuerContent(error);
+ __secapiresult=0;
+ }
+ catch (const MacOSError &err) { __secapiresult=err.osStatus(); }
+ catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); }
+ catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; }
+ catch (...) { __secapiresult=errSecInternalComponent; }
+ return result;
+}
+
+/* OS X only: __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA) */
+CFDataRef SecCertificateCopyNormalizedSubjectContent(SecCertificateRef certificate, CFErrorRef *error)
+{
+ CFDataRef result = NULL;
+ OSStatus __secapiresult;
+ try
+ {
+ CertificateValues cv(certificate);
+ result = cv.copyNormalizedSubjectContent(error);
+ __secapiresult=0;
+ }
+ catch (const MacOSError &err) { __secapiresult=err.osStatus(); }
+ catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); }
+ catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; }
+ catch (...)
{ __secapiresult=errSecInternalComponent; }
+ return result;
+}
+
+#if !SECTRUST_OSX
+CFDataRef SecCertificateCopyIssuerSequence(SecCertificateRef certificate)
+{
+ CFDataRef result = NULL;
+ OSStatus __secapiresult;
+ try
+ {
+ CertificateValues cv(certificate);
+ result = cv.copyIssuerSequence(NULL);
+ __secapiresult=0;
+ }
+ catch (const MacOSError &err) { __secapiresult=err.osStatus(); }
+ catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); }
+ catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; }
+ catch (...) { __secapiresult=errSecInternalComponent; }
+ return result;
+}
+#endif
+
+#if !SECTRUST_OSX
+CFDataRef SecCertificateCopySubjectSequence(SecCertificateRef certificate)
+{
+ CFDataRef result = NULL;
+ OSStatus __secapiresult;
+ try
+ {
+ CertificateValues cv(certificate);
+ result = cv.copySubjectSequence(NULL);
+ __secapiresult=0;
+ }
+ catch (const MacOSError &err) { __secapiresult=err.osStatus(); }
+ catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); }
+ catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; }
+ catch (...) { __secapiresult=errSecInternalComponent; }
+ return result;
+}
+#endif
+
+#if !SECTRUST_OSX
+bool SecCertificateIsValid(SecCertificateRef certificate, CFAbsoluteTime verifyTime)
+{
+ bool result = NULL;
+ OSStatus __secapiresult;
+ try
+ {
+ CFErrorRef error = NULL;
+ CertificateValues cv(certificate);
+ result = cv.isValid(verifyTime, &error);
+ if (error) CFRelease(error);
+ __secapiresult=0;
+ }
+ catch (const MacOSError &err) { __secapiresult=err.osStatus(); }
+ catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); }
+ catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; }
+ catch (...)
{ __secapiresult=errSecInternalComponent; }
+ return result;
+}
+#endif
+
+/* OS X only: __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_7, __MAC_10_9, __IPHONE_NA, __IPHONE_NA) */
+bool SecCertificateIsValidX(SecCertificateRef certificate, CFAbsoluteTime verifyTime)
+{
+ /*
+ * deprecated function name
+ */
+ return SecCertificateIsValid(certificate, verifyTime);
+}
+
+#if !SECTRUST_OSX
+CFAbsoluteTime SecCertificateNotValidBefore(SecCertificateRef certificate)
+{
+ CFAbsoluteTime result = 0;
+ OSStatus __secapiresult;
+ try
+ {
+ CFErrorRef error = NULL;
+ CertificateValues cv(certificate);
+ result = cv.notValidBefore(&error);
+ if (error) CFRelease(error);
+ __secapiresult=0;
+ }
+ catch (const MacOSError &err) { __secapiresult=err.osStatus(); }
+ catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); }
+ catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; }
+ catch (...) { __secapiresult=errSecInternalComponent; }
+ return result;
+}
+#endif
+
+#if !SECTRUST_OSX
+CFAbsoluteTime SecCertificateNotValidAfter(SecCertificateRef certificate)
+{
+ CFAbsoluteTime result = 0;
+ OSStatus __secapiresult;
+ try
+ {
+ CFErrorRef error = NULL;
+ CertificateValues cv(certificate);
+ result = cv.notValidAfter(&error);
+ if (error) CFRelease(error);
+ __secapiresult=0;
+ }
+ catch (const MacOSError &err) { __secapiresult=err.osStatus(); }
+ catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); }
+ catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; }
+ catch (...)
{ __secapiresult=errSecInternalComponent; } + return result; +} +#endif + +#if !SECTRUST_OSX +/* new in 10.8 */ +SecCertificateRef SecCertificateCreateWithBytes(CFAllocatorRef allocator, + const UInt8 *bytes, CFIndex length) +{ + SecCertificateRef certificate = NULL; + OSStatus __secapiresult; + try { + CSSM_DATA cssmCertData = { (CSSM_SIZE)length, (uint8 *)bytes }; + + //NOTE: there isn't yet a Certificate constructor which accepts a CFAllocatorRef + SecPointer certificatePtr(new Certificate(cssmCertData, CSSM_CERT_X_509v3, CSSM_CERT_ENCODING_DER)); + certificate = certificatePtr->handle(); + + __secapiresult=errSecSuccess; + } + catch (const MacOSError &err) { __secapiresult=err.osStatus(); } + catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); } + catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; } + catch (...) { __secapiresult=errSecInternalComponent; } + return certificate; +} +#endif + +#if !SECTRUST_OSX +/* new in 10.8 */ +CFIndex SecCertificateGetLength(SecCertificateRef certificate) +{ + CFIndex length = 0; + OSStatus __secapiresult; + try { + CssmData output = Certificate::required(certificate)->data(); + length = (CFIndex)output.length(); + __secapiresult=errSecSuccess; + } + catch (const MacOSError &err) { __secapiresult=err.osStatus(); } + catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); } + catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; } + catch (...) 
{ __secapiresult=errSecInternalComponent; } + return length; +} +#endif + +#if !SECTRUST_OSX +/* new in 10.8 */ +const UInt8 *SecCertificateGetBytePtr(SecCertificateRef certificate) +{ + const UInt8 *bytes = NULL; + OSStatus __secapiresult; + try { + CssmData output = Certificate::required(certificate)->data(); + bytes = (const UInt8 *)output.data(); + __secapiresult=errSecSuccess; + } + catch (const MacOSError &err) { __secapiresult=err.osStatus(); } + catch (const CommonError &err) { __secapiresult=SecKeychainErrFromOSStatus(err.osStatus()); } + catch (const std::bad_alloc &) { __secapiresult=errSecAllocate; } + catch (...) { __secapiresult=errSecInternalComponent; } + return bytes; +} +#endif + +#if !SECTRUST_OSX +/* not exported */ +static CFArrayRef CopyEscrowCertificates(SecCertificateEscrowRootType escrowRootType, CFErrorRef *error) +{ + // Return array of CFDataRef certificates. + CFArrayRef result = NULL; + int iCnt; + int numRoots = 0; + + // Get the hard coded set of production roots + // static struct RootRecord* kProductionEscrowRoots[] = {&kOldEscrowRootRecord, &kProductionEscrowRootRecord}; + + struct RootRecord** pEscrowRoots = NULL; + switch (escrowRootType) { + case kSecCertificateBaselineEscrowRoot: + numRoots = kNumberOfBaseLineEscrowRoots; + pEscrowRoots = kBaseLineEscrowRoots; + break; + case kSecCertificateProductionEscrowRoot: + numRoots = kNumberOfBaseLineEscrowRoots; //%%% currently, production == baseline on OS X + pEscrowRoots = kBaseLineEscrowRoots; + break; + case kSecCertificateBaselinePCSEscrowRoot: + numRoots = kNumberOfBaseLinePCSEscrowRoots; + pEscrowRoots = kBaseLinePCSEscrowRoots; + break; + case kSecCertificateProductionPCSEscrowRoot: + numRoots = kNumberOfBaseLinePCSEscrowRoots; //%%% currently, production == baseline on OS X + pEscrowRoots = kBaseLinePCSEscrowRoots; + break; + default: + break; + } + + CFDataRef productionCerts[numRoots]; + struct RootRecord* pRootRecord = NULL; + + for (iCnt = 0; pEscrowRoots != NULL && iCnt 
< numRoots; iCnt++) + { + pRootRecord = pEscrowRoots[iCnt]; + if (NULL != pRootRecord && pRootRecord->_length > 0 && NULL != pRootRecord->_bytes) + { + productionCerts[iCnt] = CFDataCreate(kCFAllocatorDefault, pRootRecord->_bytes, pRootRecord->_length); + } + } + result = CFArrayCreate(kCFAllocatorDefault, (const void **)productionCerts, numRoots, &kCFTypeArrayCallBacks); + for (iCnt = 0; iCnt < numRoots; iCnt++) + { + if (NULL != productionCerts[iCnt]) + { + CFRelease(productionCerts[iCnt]); + } + } + + return result; +} +#endif + +#if !SECTRUST_OSX +/* new in 10.9 */ +CFArrayRef SecCertificateCopyEscrowRoots(SecCertificateEscrowRootType escrowRootType) +{ + CFArrayRef result = NULL; + int iCnt; + int numRoots = 0; + CFDataRef certData = NULL; + + // The request is for the base line certificates. + // Use the hard coded data to generate the return array + if (kSecCertificateBaselineEscrowRoot == escrowRootType) + { + // Get the hard coded set of roots + numRoots = kNumberOfBaseLineEscrowRoots; + SecCertificateRef baseLineCerts[numRoots]; + struct RootRecord* pRootRecord = NULL; + + for (iCnt = 0; iCnt < numRoots; iCnt++) + { + pRootRecord = kBaseLineEscrowRoots[iCnt]; + if (NULL != pRootRecord && pRootRecord->_length > 0 && NULL != pRootRecord->_bytes) + { + certData = CFDataCreate(kCFAllocatorDefault, pRootRecord->_bytes, pRootRecord->_length); + if (NULL != certData) + { + baseLineCerts[iCnt] = SecCertificateCreateWithData(kCFAllocatorDefault, certData); + CFRelease(certData); + } + } + } + result = CFArrayCreate(kCFAllocatorDefault, (const void **)baseLineCerts, numRoots, &kCFTypeArrayCallBacks); + for (iCnt = 0; iCnt < numRoots; iCnt++) + { + if (NULL != baseLineCerts[iCnt]) + { + CFRelease(baseLineCerts[iCnt]); + } + } + } + // The request is for the current certificates. 
+ else + { + CFErrorRef error = NULL; + CFArrayRef cert_datas = CopyEscrowCertificates(escrowRootType, &error); + if (NULL != error || NULL == cert_datas || 0 == (numRoots = (int)CFArrayGetCount(cert_datas))) + { + if (NULL != error) + { + CFRelease(error); + } + + if (NULL != cert_datas) + { + CFRelease(cert_datas); + } + return result; + } + + SecCertificateRef assetCerts[numRoots]; + for (iCnt = 0; iCnt < numRoots; iCnt++) + { + certData = (CFDataRef)CFArrayGetValueAtIndex(cert_datas, iCnt); + if (NULL != certData) + { + SecCertificateRef aCertRef = SecCertificateCreateWithData(kCFAllocatorDefault, certData); + assetCerts[iCnt] = aCertRef; + } + else + { + assetCerts[iCnt] = NULL; + } + } + + if (numRoots > 0) + { + result = CFArrayCreate(kCFAllocatorDefault, (const void **)assetCerts, numRoots, &kCFTypeArrayCallBacks); + for (iCnt = 0; iCnt < numRoots; iCnt++) + { + if (NULL != assetCerts[iCnt]) + { + CFRelease(assetCerts[iCnt]); + } + } + } + CFRelease(cert_datas); + } + + return result; +} +#endif + +#if !SECTRUST_OSX +/* new in 10.11 */ +SecSignatureHashAlgorithm SecCertificateGetSignatureHashAlgorithm(SecCertificateRef certificate) +{ + SecSignatureHashAlgorithm result = kSecSignatureHashAlgorithmUnknown; + CSSM_X509_ALGORITHM_IDENTIFIER_PTR algId = NULL; + CSSM_DATA_PTR fieldValue = NULL; + CSSM_OID_PTR algOID = NULL; + const CSSM_OID *sigAlgOID = &CSSMOID_X509V1SignatureAlgorithm; + OSStatus status; + + status = SecCertificateCopyFirstFieldValue(certificate, sigAlgOID, &fieldValue); + if (status || !fieldValue) { + return result; + } + algId = (CSSM_X509_ALGORITHM_IDENTIFIER_PTR)fieldValue->Data; + algOID = (algId) ? 
&algId->algorithm : NULL; + + while (algOID) { + if (!algOID->Data || !algOID->Length) { + break; + } + /* classify the signature algorithm OID into one of our known types */ + if (cuCompareCssmData(algOID, &CSSMOID_ECDSA_WithSHA512) || + cuCompareCssmData(algOID, &CSSMOID_SHA512WithRSA) || + cuCompareCssmData(algOID, &CSSMOID_SHA512)) { + result = kSecSignatureHashAlgorithmSHA512; + break; + } + if (cuCompareCssmData(algOID, &CSSMOID_ECDSA_WithSHA384) || + cuCompareCssmData(algOID, &CSSMOID_SHA384WithRSA) || + cuCompareCssmData(algOID, &CSSMOID_SHA384)) { + result = kSecSignatureHashAlgorithmSHA384; + break; + } + if (cuCompareCssmData(algOID, &CSSMOID_ECDSA_WithSHA256) || + cuCompareCssmData(algOID, &CSSMOID_SHA256WithRSA) || + cuCompareCssmData(algOID, &CSSMOID_SHA256)) { + result = kSecSignatureHashAlgorithmSHA256; + break; + } + if (cuCompareCssmData(algOID, &CSSMOID_ECDSA_WithSHA224) || + cuCompareCssmData(algOID, &CSSMOID_SHA224WithRSA) || + cuCompareCssmData(algOID, &CSSMOID_SHA224)) { + result = kSecSignatureHashAlgorithmSHA224; + break; + } + if (cuCompareCssmData(algOID, &CSSMOID_ECDSA_WithSHA1) || + cuCompareCssmData(algOID, &CSSMOID_SHA1WithRSA) || + cuCompareCssmData(algOID, &CSSMOID_SHA1WithDSA) || + cuCompareCssmData(algOID, &CSSMOID_SHA1WithDSA_CMS) || + cuCompareCssmData(algOID, &CSSMOID_SHA1WithDSA_JDK) || + cuCompareCssmData(algOID, &CSSMOID_SHA1WithRSA_OIW) || + cuCompareCssmData(algOID, &CSSMOID_APPLE_FEE_SHA1) || + cuCompareCssmData(algOID, &CSSMOID_SHA1)) { + result = kSecSignatureHashAlgorithmSHA1; + break; + } + if (cuCompareCssmData(algOID, &CSSMOID_MD5WithRSA) || + cuCompareCssmData(algOID, &CSSMOID_APPLE_FEE_MD5) || + cuCompareCssmData(algOID, &CSSMOID_MD5)) { + result = kSecSignatureHashAlgorithmMD5; + break; + } + if (cuCompareCssmData(algOID, &CSSMOID_MD4WithRSA) || + cuCompareCssmData(algOID, &CSSMOID_MD4)) { + result = kSecSignatureHashAlgorithmMD4; + break; + } + if (cuCompareCssmData(algOID, &CSSMOID_MD2WithRSA) || + 
cuCompareCssmData(algOID, &CSSMOID_MD2)) { + result = kSecSignatureHashAlgorithmMD2; + break; + } + break; + } + + (void)SecCertificateReleaseFirstFieldValue(certificate, sigAlgOID, fieldValue); + + return result; +} +#endif + diff --git a/OSX/include/security_keychain/SecCertificate.h b/OSX/include/security_keychain/SecCertificate.h new file mode 100644 index 00000000..7eb01b64 --- /dev/null +++ b/OSX/include/security_keychain/SecCertificate.h 
@@ -0,0 +1,480 @@
+/*
+ * Copyright (c) 2002-2011,2013 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+/*!
+ @header SecCertificate
+ The functions provided in SecCertificate implement and manage a particular type of keychain item that represents a certificate. You can store a certificate in a keychain, but a certificate can also be a transient object.
+
+ You can use a certificate as a keychain item in most functions.
+*/
+
+#ifndef _SECURITY_SECCERTIFICATE_H_
+#define _SECURITY_SECCERTIFICATE_H_
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+/*
+#include
+#include
+*/
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+CF_ASSUME_NONNULL_BEGIN
+CF_IMPLICIT_BRIDGING_ENABLED
+
+/*!
+ @enum CertificateItemAttributes
+ @abstract Indicates the type of a certificate item attribute.
+ @constant kSecSubjectItemAttr Indicates a DER-encoded subject distinguished name.
+ @constant kSecIssuerItemAttr Indicates a DER-encoded issuer distinguished name.
+ @constant kSecSerialNumberItemAttr Indicates a DER-encoded certificate serial number (without the tag and length).
+ @constant kSecPublicKeyHashItemAttr Indicates a public key hash.
+ @constant kSecSubjectKeyIdentifierItemAttr Indicates a subject key identifier.
+ @constant kSecCertTypeItemAttr Indicates a certificate type.
+ @constant kSecCertEncodingItemAttr Indicates a certificate encoding.
+*/
+enum
+{
+ kSecSubjectItemAttr = 'subj',
+ kSecIssuerItemAttr = 'issu',
+ kSecSerialNumberItemAttr = 'snbr',
+ kSecPublicKeyHashItemAttr = 'hpky',
+ kSecSubjectKeyIdentifierItemAttr = 'skid',
+ kSecCertTypeItemAttr = 'ctyp',
+ kSecCertEncodingItemAttr = 'cenc'
+} /*DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER*/;
+
+/*!
+ @function SecCertificateGetTypeID
+ @abstract Returns the type identifier of SecCertificate instances.
+ @result The CFTypeID of SecCertificate instances.
+*/
+CFTypeID SecCertificateGetTypeID(void)
+ __OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_2_0);
+
+#pragma mark ---- Certificate Operations ----
+
+/*!
+ @function SecCertificateCreateFromData
+ @abstract Creates a certificate based on the input data, type, and encoding.
+ @param data A pointer to the certificate data.
+ @param type The certificate type as defined in cssmtype.h.
+ @param encoding The certificate encoding as defined in cssmtype.h.
+ @param certificate On return, a reference to the newly created certificate.
+ @result A result code. See "Security Error Codes" (SecBase.h).
+ @discussion This API is deprecated in 10.7 Please use the SecCertificateCreateWithData API instead.
+*/
+OSStatus SecCertificateCreateFromData(const CSSM_DATA *data, CSSM_CERT_TYPE type, CSSM_CERT_ENCODING encoding, SecCertificateRef * __nonnull CF_RETURNS_RETAINED certificate)
+ DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*!
+ @function SecCertificateCreateWithData
+ @abstract Create a certificate reference given its DER representation as a CFData.
+ @param allocator CFAllocator to allocate the certificate data. Pass NULL to use the default allocator.
+ @param certificate DER encoded X.509 certificate.
+ @result On return, a reference to the certificate. Returns NULL if the passed-in data is not a valid DER-encoded X.509 certificate.
+*/
+__nullable
+SecCertificateRef SecCertificateCreateWithData(CFAllocatorRef __nullable allocator, CFDataRef data)
+ __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
+
+/*!
+ @function SecCertificateAddToKeychain
+ @abstract Adds a certificate to the specified keychain.
+ @param certificate A reference to a certificate.
+ @param keychain A reference to the keychain in which to add the certificate. Pass NULL to add the certificate to the default keychain.
+ @result A result code. See "Security Error Codes" (SecBase.h).
+ @discussion This function is successful only if the certificate was created using the SecCertificateCreateFromData or
+ SecCertificateCreateWithData functions, and the certificate has not yet been added to the specified keychain.
+*/
+OSStatus SecCertificateAddToKeychain(SecCertificateRef certificate, SecKeychainRef __nullable keychain)
+ __OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_NA);
+
+/*!
+ @function SecCertificateGetData
+ @abstract Retrieves the data for a given certificate.
+ @param certificate A reference to the certificate from which to retrieve the data.
+ @param data On return, the CSSM_DATA structure pointed to by data is filled in. You must allocate the space for a CSSM_DATA structure before calling this function. This data pointer is only guaranteed to remain valid as long as the certificate remains unchanged and valid.
+ @result A result code. See "Security Error Codes" (SecBase.h).
+ @discussion This API is deprecated in 10.7. Please use the SecCertificateCopyData API instead.
+*/
+OSStatus SecCertificateGetData(SecCertificateRef certificate, CSSM_DATA_PTR data)
+ DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*!
+ @function SecCertificateCopyData
+ @abstract Returns the DER representation of an X.509 certificate.
+ @param certificate A reference to a certificate.
+ @result On return, a data reference containing the DER encoded representation of the X.509 certificate.
+ */
+CFDataRef SecCertificateCopyData(SecCertificateRef certificate)
+ __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
+
+/*!
+ @function SecCertificateGetType
+ @abstract Retrieves the type for a given certificate.
+ @param certificate A reference to the certificate from which to obtain the type.
+ @param certificateType On return, the certificate type of the certificate. Certificate types are defined in cssmtype.h.
+ @result A result code. See "Security Error Codes" (SecBase.h).
+ @discussion This API is deprecated in 10.7. Please use the SecCertificateCopyValues API instead.
+*/
+OSStatus SecCertificateGetType(SecCertificateRef certificate, CSSM_CERT_TYPE *certificateType)
+ DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*!
+ @function SecCertificateGetSubject
+ @abstract Retrieves the subject name for a given certificate.
+ @param certificate A reference to the certificate from which to obtain the subject name.
+ @param subject On return, a pointer to a CSSM_X509_NAME struct which contains the subject's X.509 name (x509defs.h). This pointer remains valid until the certificate reference is released. The caller should not attempt to free this pointer.
+ @result A result code. See "Security Error Codes" (SecBase.h).
+ @discussion Prior to Mac OS X 10.5, this function did not return any output in the subject parameter. Your code should check the returned pointer value (in addition to the function result) before attempting to use it.
+ For example:
+ const CSSM_X509_NAME *subject = NULL;
+ OSStatus status = SecCertificateGetSubject(certificate, &subject);
+ if ( (status == errSecSuccess) && (subject != NULL) ) {
+ // subject is valid
+ }
+ This API is deprecated in 10.7. Please use the SecCertificateCopyValues API instead.
+*/
+OSStatus SecCertificateGetSubject(SecCertificateRef certificate, const CSSM_X509_NAME * __nullable * __nonnull subject)
+ DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*!
+ @function SecCertificateGetIssuer
+ @abstract Retrieves the issuer name for a given certificate.
+ @param certificate A reference to the certificate from which to obtain the issuer name.
+ @param issuer On return, a pointer to a CSSM_X509_NAME struct which contains the issuer's X.509 name (x509defs.h). This pointer remains valid until the certificate reference is released. The caller should not attempt to free this pointer.
+ @result A result code. See "Security Error Codes" (SecBase.h).
+ @discussion Prior to Mac OS X 10.5, this function did not return any output in the issuer parameter. Your code should check the returned pointer value (in addition to the function result) before attempting to use it.
+ For example:
+ const CSSM_X509_NAME *issuer = NULL;
+ OSStatus status = SecCertificateGetIssuer(certificate, &issuer);
+ if ( (status == errSecSuccess) && (issuer != NULL) ) {
+ // issuer is valid
+ }
+ This API is deprecated in 10.7. Please use the SecCertificateCopyValues API instead.
+*/
+OSStatus SecCertificateGetIssuer(SecCertificateRef certificate, const CSSM_X509_NAME * __nullable * __nonnull issuer)
+ DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*!
+ @function SecCertificateGetCLHandle
+ @abstract Retrieves the certificate library handle for a given certificate.
+ @param certificate A reference to the certificate from which to obtain the certificate library handle.
+ @param clHandle On return, the certificate library handle of the given certificate. This handle remains valid at least as long as the certificate does.
+ @result A result code. See "Security Error Codes" (SecBase.h).
+ @discussion This API is deprecated in 10.7. Please use the SecCertificateCopyValues API instead.
+*/
+OSStatus SecCertificateGetCLHandle(SecCertificateRef certificate, CSSM_CL_HANDLE *clHandle)
+ DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*!
+ @function SecCertificateGetAlgorithmID
+ @abstract Retrieves the algorithm identifier for a given certificate.
+ @param certificate A reference to the certificate from which to retrieve the algorithm identifier.
+ @param algid On return, a pointer to a CSSM_X509_ALGORITHM_IDENTIFIER struct which identifies the algorithm for this certificate (x509defs.h). This pointer remains valid until the certificate reference is released. The caller should not attempt to free this pointer.
+ @result A result code. See "Security Error Codes" (SecBase.h).
+ discussion This API is deprecated in 10.7. Please use the SecCertificateCopyValues API instead.
+*/
+OSStatus SecCertificateGetAlgorithmID(SecCertificateRef certificate, const CSSM_X509_ALGORITHM_IDENTIFIER * __nullable * __nonnull algid)
+ DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*!
+ @function SecCertificateCopyPublicKey
+ @abstract Retrieves the public key for a given certificate.
+ @param certificate A reference to the certificate from which to retrieve the public key.
+ @param key On return, a reference to the public key for the specified certificate. Your code must release this reference by calling the CFRelease function.
+ @result A result code. See "Security Error Codes" (SecBase.h).
+*/
+OSStatus SecCertificateCopyPublicKey(SecCertificateRef certificate, SecKeyRef * __nonnull CF_RETURNS_RETAINED key)
+ __OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_NA);
+
+/*!
+ @function SecCertificateCopyCommonName
+ @abstract Retrieves the common name of the subject of a given certificate.
+ @param certificate A reference to the certificate from which to retrieve the common name.
+ @param commonName On return, a reference to the common name. Your code must release this reference by calling the CFRelease function.
+ @result A result code. See "Security Error Codes" (SecBase.h).
+ @discussion All the data in this string comes from the certificate itself, and thus it's in whatever language the certificate itself is in.
+ Note that the certificate's common name field may not be present, or may be inadequate to describe the certificate; for display purposes,
+ you should consider using SecCertificateCopySubjectSummary instead of this function.
+*/
+OSStatus SecCertificateCopyCommonName(SecCertificateRef certificate, CFStringRef * __nonnull CF_RETURNS_RETAINED commonName)
+ __OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA);
+
+/*!
+ @function SecCertificateCopySubjectSummary
+ @abstract Returns a simple string which hopefully represents a human understandable summary.
+ @param certificate A reference to the certificate from which to derive the subject summary string.
+ @result On return, a reference to the subject summary string. Your code must release this reference by calling the CFRelease function.
+ @discussion All the data in this string comes from the certificate itself, and thus it's in whatever language the certificate itself is in.
+*/
+CFStringRef SecCertificateCopySubjectSummary(SecCertificateRef certificate)
+ __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0);
+
+/*!
+ @function SecCertificateCopyEmailAddresses
+ @abstract Returns an array of zero or more email addresses for the subject of a given certificate.
+ @param certificate A reference to the certificate from which to retrieve the email addresses.
+ @param emailAddresses On return, an array of zero or more CFStringRef elements corresponding to each email address found.
+ Your code must release this array reference by calling the CFRelease function.
+ @result A result code. See "Security Error Codes" (SecBase.h).
+*/
+OSStatus SecCertificateCopyEmailAddresses(SecCertificateRef certificate, CFArrayRef * __nonnull CF_RETURNS_RETAINED emailAddresses)
+ __OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA);
+
+/*!
+ @function SecCertificateCopyPreference
+ @abstract Returns the preferred certificate for the specified name and key usage. If a preferred certificate does not exist for the specified name and key usage, NULL is returned.
+ @param name A string containing an email address (RFC822) or other name for which a preferred certificate is requested.
+ @param keyUsage A CSSM_KEYUSE key usage value, as defined in cssmtype.h. Pass 0 to ignore this parameter.
+ @param certificate On return, a reference to the preferred certificate, or NULL if none was found. You are responsible for releasing this reference by calling the CFRelease function.
+ @result A result code. See "Security Error Codes" (SecBase.h).
+ @discussion This function will typically be used to obtain the preferred encryption certificate for an email recipient.
+ This API is deprecated in 10.7. Please use the SecCertificateCopyPreferred API instead.
+*/
+OSStatus SecCertificateCopyPreference(CFStringRef name, uint32 keyUsage, SecCertificateRef * __nonnull CF_RETURNS_RETAINED certificate)
+ DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*!
+ @function SecCertificateCopyPreferred
+ @abstract Returns the preferred certificate for the specified name and key usage. If a preferred certificate does not exist for the specified name and key usage, NULL is returned.
+ @param name A string containing an email address (RFC822) or other name for which a preferred certificate is requested.
+ @param keyUsage A CFArrayRef value, containing items defined in SecItem.h Pass NULL to ignore this parameter. (kSecAttrCanEncrypt, kSecAttrCanDecrypt, kSecAttrCanDerive, kSecAttrCanSign, kSecAttrCanVerify, kSecAttrCanWrap, kSecAttrCanUnwrap)
+ @result On return, a reference to the preferred certificate, or NULL if none was found. You are responsible for releasing this reference by calling the CFRelease function.
+ @discussion This function will typically be used to obtain the preferred encryption certificate for an email recipient. If a preferred certificate has not been set
+ for the supplied name, the returned reference will be NULL. Your code should then perform a search for possible certificates, using the SecItemCopyMatching API.
+ */
+__nullable
+SecCertificateRef SecCertificateCopyPreferred(CFStringRef name, CFArrayRef __nullable keyUsage)
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+
+/*!
+ @function SecCertificateSetPreference
+ @abstract Sets the preferred certificate for a specified name, key usage, and date.
+ @param certificate A reference to the certificate which will be preferred.
+ @param name A string containing an email address (RFC822) or other name for which a preferred certificate will be associated.
+ @param keyUsage A CSSM_KEYUSE key usage value, as defined in cssmtype.h. Pass 0 to avoid specifying a particular key usage.
+ @param date (optional) A date reference. If supplied, the preferred certificate will be changed only if this date is later than the currently saved setting. Pass NULL if this preference should not be restricted by date.
+ @result A result code. See "Security Error Codes" (SecBase.h).
+ @discussion This function will typically be used to set the preferred encryption certificate for an email recipient, either manually (when encrypting email to a recipient) or automatically upon receipt of encrypted email.
+ This API is deprecated in 10.7. Plese use the SecCertificateSetPreferred API instead.
+*/
+OSStatus SecCertificateSetPreference(SecCertificateRef certificate, CFStringRef name, uint32 keyUsage, CFDateRef __nullable date)
+ __OSX_AVAILABLE_STARTING(__MAC_10_5, __IPHONE_NA);
+
+/*!
+ @function SecCertificateSetPreferred
+ @abstract Sets the preferred certificate for a specified name and optional key usage.
+ @param certificate A reference to the preferred certificate. If NULL is passed, any existing preference for the specified name is cleared instead.
+ @param name A string containing an email address (RFC822) or other name for which a preferred certificate will be associated.
+ @param keyUsage A CFArrayRef value, containing items defined in SecItem.h Pass NULL to ignore this parameter. (kSecAttrCanEncrypt, kSecAttrCanDecrypt, kSecAttrCanDerive, kSecAttrCanSign, kSecAttrCanVerify, kSecAttrCanWrap, kSecAttrCanUnwrap)
+ @result A result code. See "Security Error Codes" (SecBase.h).
+ @discussion This function will typically be used to set the preferred encryption certificate for an email recipient, either manually (when encrypting email to a recipient)
+ or automatically upon receipt of encrypted email.
+*/
+OSStatus SecCertificateSetPreferred(SecCertificateRef __nullable certificate, CFStringRef name, CFArrayRef __nullable keyUsage)
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+
+/*!
+ @enum kSecPropertyKey
+ @abstract Constants used to access dictionary entries returned by SecCertificateCopyValues
+ @constant kSecPropertyKeyType The type of the entry
+ @constant kSecPropertyKeyLabel The label of the entry
+ @constant kSecPropertyKeyLocalizedLabel The localized label of the entry
+ @constant kSecPropertyKeyValue The value of the entry
+ */
+
+extern const CFStringRef kSecPropertyKeyType __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern const CFStringRef kSecPropertyKeyLabel __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern const CFStringRef kSecPropertyKeyLocalizedLabel __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern const CFStringRef kSecPropertyKeyValue __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+
+/*!
+ @enum kSecPropertyType
+ @abstract Public Constants for property list values returned by SecCertificateCopyValues
+ @discussion Note that kSecPropertyTypeTitle and kSecPropertyTypeError are defined in SecTrust.h
+*/
+extern const CFStringRef kSecPropertyTypeWarning __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern const CFStringRef kSecPropertyTypeSuccess __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern const CFStringRef kSecPropertyTypeSection __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern const CFStringRef kSecPropertyTypeData __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern const CFStringRef kSecPropertyTypeString __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern const CFStringRef kSecPropertyTypeURL __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern const CFStringRef kSecPropertyTypeDate __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+
+/*!
+ @function SecCertificateCopyValues
+ @abstract Creates a dictionary that represents a certificate's contents.
+ @param certificate The certificate from which to get values
+ @param keys An array of string OID values, or NULL. If present, this is
+ the subset of values from the certificate to return. If NULL,
+ all values will be returned. Only OIDs that are top level keys
+ in the returned dictionary can be specified. Unknown OIDs are
+ ignored.
+ @param error An optional pointer to a CFErrorRef. This value is
+ set if an error occurred. If not NULL the caller is
+ responsible for releasing the CFErrorRef.
+ @discussion The keys array will contain all of the keys used in the
+ returned dictionary. The top level keys in the returned
+ dictionary are OIDs, many of which are found in SecCertificateOIDs.h.
+ Each entry that is returned is itself a dictionary with four
+ entries, whose keys are kSecPropertyKeyType, kSecPropertyKeyLabel,
+ kSecPropertyKeyLocalizedLabel, kSecPropertyKeyValue. The label
+ entries may contain a descriptive (localized) string, or an
+ OID string. The kSecPropertyKeyType describes the type in the
+ value entry. The value entry may be any CFType, although it
+ is usually a CFStringRef, CFArrayRef or a CFDictionaryRef.
+*/
+__nullable
+CFDictionaryRef SecCertificateCopyValues(SecCertificateRef certificate, CFArrayRef __nullable keys, CFErrorRef *error)
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+
+/*!
+ @enum Transform Key Value Constants
+ @discussion Predefined values for the kSecTransformAttrCertificateUsage attribute.
+
+
+ kSecCertificateUsageSigning
+ kSecCertificateUsageSigningAndEncrypting
+ kSecCertificateUsageDeriveAndSign
+
+*/
+
+extern const CFStringRef kSecCertificateUsageSigning __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern const CFStringRef kSecCertificateUsageSigningAndEncrypting __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern const CFStringRef kSecCertificateUsageDeriveAndSign __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+
+/*!
+ @function SecCertificateCopyLongDescription
+ @abstract Return the long description of a certificate
+ @param alloc The CFAllocator which should be used to allocate
+ memory for the dictionary and its storage for values. This
+ parameter may be NULL in which case the current default
+ CFAllocator is used. If this reference is not a valid
+ CFAllocator, the behavior is undefined.
+ @param certificate The certificate from which to retrieve the long description
+ @param error An optional pointer to a CFErrorRef. This value is
+ set if an error occurred. If not NULL the caller is
+ responsible for releasing the CFErrorRef.
+ @result A CFStringRef of the long description or NULL. If NULL and the error
+ parameter is supplied the error will be returned in the error parameter
+ @discussion Note that the format of this string may change in the future
+*/
+
+__nullable
+CFStringRef SecCertificateCopyLongDescription(CFAllocatorRef __nullable alloc, SecCertificateRef certificate, CFErrorRef *error)
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+
+/*!
+ @function SecCertificateCopyShortDescription
+ @abstract Return the short description of a certificate
+ @param alloc The CFAllocator which should be used to allocate
+ memory for the dictionary and its storage for values. This
+ parameter may be NULL in which case the current default
+ CFAllocator is used. If this reference is not a valid
+ CFAllocator, the behavior is undefined.
+ @param certificate The certificate from which to retrieve the short description
+ @param error An optional pointer to a CFErrorRef. This value is
+ set if an error occurred. If not NULL the caller is
+ responsible for releasing the CFErrorRef.
+ @result A CFStringRef of the short description or NULL. If NULL and the error
+ parameter is supplied the error will be returned in the error parameter
+ @discussion Note that the format of this string may change in the future
+*/
+
+__nullable
+CFStringRef SecCertificateCopyShortDescription(CFAllocatorRef __nullable alloc, SecCertificateRef certificate, CFErrorRef *error)
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+
+/*!
+ @function SecCertificateCopySerialNumber
+ @abstract Return the certificate's serial number.
+ @param certificate The certificate from which to get values
+ @param error An optional pointer to a CFErrorRef. This value is
+ set if an error occurred. If not NULL the caller is
+ responsible for releasing the CFErrorRef.
+ @discussion Return the content of a DER-encoded integer (without the
+ tag and length fields) for this certificate's serial
+ number. The caller must CFRelease the value returned.
+*/
+
+__nullable
+CFDataRef SecCertificateCopySerialNumber(SecCertificateRef certificate, CFErrorRef *error)
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+
+/*!
+ @function SecCertificateCopyNormalizedIssuerContent
+ @abstract Return the certificate's normalized issuer
+ @param certificate The certificate from which to get values
+ @param error An optional pointer to a CFErrorRef. This value is
+ set if an error occurred. If not NULL the caller is
+ responsible for releasing the CFErrorRef.
+ @discussion The issuer is a sequence in the format used by
+ SecItemCopyMatching. The content returned is a DER-encoded
+ X.509 distinguished name. For a display version of the issuer,
+ call SecCertificateCopyValues. The caller must CFRelease
+ the value returned.
+*/
+
+__nullable
+CFDataRef SecCertificateCopyNormalizedIssuerContent(SecCertificateRef certificate, CFErrorRef *error)
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+
+/*!
+ @function SecCertificateCopyNormalizedSubjectContent
+ @abstract Return the certificate's normalized subject
+ @param certificate The certificate from which to get values
+ @param error An optional pointer to a CFErrorRef. This value is
+ set if an error occurred. If not NULL the caller is
+ responsible for releasing the CFErrorRef.
+ @discussion The subject is a sequence in the format used by
+ SecItemCopyMatching. The content returned is a DER-encoded
+ X.509 distinguished name. For a display version of the subject,
+ call SecCertificateCopyValues. The caller must CFRelease
+ the value returned.
+*/
+
+__nullable
+CFDataRef SecCertificateCopyNormalizedSubjectContent(SecCertificateRef certificate, CFErrorRef *error)
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+
+CF_IMPLICIT_BRIDGING_DISABLED
+CF_ASSUME_NONNULL_END
+
+#if defined(__cplusplus)
+}
+#endif
+
+#endif /* !_SECURITY_SECCERTIFICATE_H_ */
diff --git a/Security/libsecurity_keychain/lib/SecCertificateBundle.cpp b/OSX/include/security_keychain/SecCertificateBundle.cpp
similarity index 100%
rename from Security/libsecurity_keychain/lib/SecCertificateBundle.cpp
rename to OSX/include/security_keychain/SecCertificateBundle.cpp
diff --git a/Security/libsecurity_keychain/lib/SecCertificateBundle.h b/OSX/include/security_keychain/SecCertificateBundle.h
similarity index 100%
rename from Security/libsecurity_keychain/lib/SecCertificateBundle.h
rename to OSX/include/security_keychain/SecCertificateBundle.h
diff --git a/OSX/include/security_keychain/SecCertificateInternalP.h b/OSX/include/security_keychain/SecCertificateInternalP.h
new file mode 100644
index 00000000..b8303e42
--- /dev/null
+++ b/OSX/include/security_keychain/SecCertificateInternalP.h
@@ -0,0 +1,312 @@ +/* + * Copyright (c) 2007-2011,2013-2015 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +/* + SecCertificateInternal.h +*/ + +#ifndef _SECURITY_SECCERTIFICATEINTERNAL_H_ +#define _SECURITY_SECCERTIFICATEINTERNAL_H_ + +//#include +#include "SecCertificatePrivP.h" +#include "certextensionsP.h" +#include + +#if defined(__cplusplus) +extern "C" { +#endif + +CFDataRef SecCertificateGetAuthorityKeyIDP(SecCertificateRefP certificate); +CFDataRef SecCertificateGetSubjectKeyIDP(SecCertificateRefP certificate); + +/* Return an array of CFURLRefs each of which is an crl distribution point for + this certificate. */ +CFArrayRef SecCertificateGetCRLDistributionPointsP(SecCertificateRefP certificate); + +/* Return an array of CFURLRefs each of which is an ocspResponder for this + certificate. */ +CFArrayRef SecCertificateGetOCSPRespondersP(SecCertificateRefP certificate); + +/* Return an array of CFURLRefs each of which is an caIssuer for this + certificate. 
*/ +CFArrayRef SecCertificateGetCAIssuersP(SecCertificateRefP certificate); + +/* Dump certificate for debugging. */ +void SecCertificateShowP(SecCertificateRefP certificate); + +/* Return the DER encoded issuer sequence for the receiving certificates issuer. */ +CFDataRef SecCertificateCopyIssuerSequenceP(SecCertificateRefP certificate); + +/* Return the DER encoded subject sequence for the receiving certificates subject. */ +CFDataRef SecCertificateCopySubjectSequenceP(SecCertificateRefP certificate); + +/* Return the content of a DER encoded X.501 name (without the tag and length + fields) for the receiving certificates issuer. */ +CFDataRef SecCertificateGetNormalizedIssuerContentP(SecCertificateRefP certificate); + +/* Return the content of a DER encoded X.501 name (without the tag and length + fields) for the receiving certificates subject. */ +CFDataRef SecCertificateGetNormalizedSubjectContentP(SecCertificateRefP certificate); + +CFDataRef SecDERItemCopySequenceP(DERItem *content); + +/* Return true iff the certificate has a subject. */ +bool SecCertificateHasSubjectP(SecCertificateRefP certificate); + +/* Return true iff the certificate has a critical subject alt name. */ +bool SecCertificateHasCriticalSubjectAltNameP(SecCertificateRefP certificate); + +/* Return true if certificate contains one or more critical extensions we + are unable to parse. */ +bool SecCertificateHasUnknownCriticalExtensionP(SecCertificateRefP certificate); + +/* Return true iff certificate is valid as of verifyTime. */ +bool SecCertificateIsValidP(SecCertificateRefP certificate, + CFAbsoluteTime verifyTime); + +/* Return an attribute dictionary used to store this item in a keychain. */ +CFDictionaryRef SecCertificateCopyAttributeDictionaryP( + SecCertificateRefP certificate); + +/* Return a certificate from the attribute dictionary that was used to store + this item in a keychain. 
*/ +SecCertificateRefP SecCertificateCreateFromAttributeDictionaryP( + CFDictionaryRef refAttributes); + +/* Return a SecKeyRef for the public key embedded in the cert. */ +SecKeyRefP SecCertificateCopyPublicKeyP(SecCertificateRefP certificate); + +/* Return the SecCEBasicConstraints extension for this certificate if it + has one. */ +const SecCEBasicConstraints * +SecCertificateGetBasicConstraintsP(SecCertificateRefP certificate); + +/* Return the SecCEPolicyConstraints extension for this certificate if it + has one. */ +const SecCEPolicyConstraints * +SecCertificateGetPolicyConstraintsP(SecCertificateRefP certificate); + +/* Return a dictionary from CFDataRef to CFArrayRef of CFDataRef + representing the policyMapping extension of this certificate. */ +CFDictionaryRef +SecCertificateGetPolicyMappingsP(SecCertificateRefP certificate); + +/* Return the SecCECertificatePolicies extension for this certificate if it + has one. */ +const SecCECertificatePolicies * +SecCertificateGetCertificatePoliciesP(SecCertificateRefP certificate); + +/* Returns UINT32_MAX if InhibitAnyPolicy extension is not present or invalid, + returns the value of the SkipCerts field of the InhibitAnyPolicy extension + otherwise. */ +uint32_t +SecCertificateGetInhibitAnyPolicySkipCertsP(SecCertificateRefP certificate); + +/* Return the public key algorithm and parameters for certificate. */ +const DERAlgorithmId *SecCertificateGetPublicKeyAlgorithmP( + SecCertificateRefP certificate); + +/* Return the raw public key data for certificate. */ +const DERItem *SecCertificateGetPublicKeyDataP(SecCertificateRefP certificate); + +#pragma mark - +#pragma mark Certificate Operations + +OSStatus SecCertificateIsSignedByP(SecCertificateRefP certificate, + SecKeyRefP issuerKey); + +#pragma mark - +#pragma mark Certificate Creation + +#ifdef OPTIONAL_METHODS +/* Return a certificate for the PEM representation of this certificate. 
+ Return NULL the passed in der_certificate is not a valid DER encoded X.509 + certificate, and return a CFError by reference. It is the + responsibility of the caller to release the CFError. */ +SecCertificateRefP SecCertificateCreateWithPEMP(CFAllocatorRef allocator, + CFStringRef pem_certificate); + +/* Return a CFStringRef containing the the pem representation of this + certificate. */ +CFStringRef SecCertificateGetPEMP(SecCertificateRefP der_certificate); + +#endif /* OPTIONAL_METHODS */ + +#if 0 +/* Complete the certificate chain of this certificate, setting the parent + certificate for each certificate along they way. Return 0 if the + system is able to find all the certificates to complete the certificate + chain either in the passed in other_certificates array or in the user or + the systems keychain(s). + If the certificate's issuer chain can not be completed, this function + will return an error status code. + NOTE: This function does not verify whether the certificate is trusted it's + main use is just to ensure that anyone using this certificate upstream will + have access to a complete (or as complete as possible in the case of + something going wrong) certificate chain. */ +OSStatus SecCertificateCompleteChainP(SecCertificateRefP certificate, + CFArrayRef other_certificates); +#endif + +#if 0 + +/*! + @function SecCertificateGetVersionNumberP + @abstract Retrieves the version of a given certificate as a CFNumberRef. + @param certificate A reference to the certificate from which to obtain the certificate version. + @result A CFNumberRef representing the certificate version. The following values are currently known to be returned, but more may be added in the future: + 1: X509v1 + 2: X509v2 + 3: X509v3 +*/ +CFNumberRef SecCertificateGetVersionNumberP(SecCertificateRefP certificate); + +/*! + @function SecCertificateGetSerialDERP + @abstract Retrieves the serial number of a given certificate in DER encoding. 
+ @param certificate A reference to the certificate from which to obtain the serial number. + @result A CFDataRef containing the DER encoded serial number of the certificate, minus the tag and length fields. +*/ +CFDataRef SecCertificateGetSerialDERP(SecCertificateRefP certificate); + + +/*! + @function SecCertificateGetSerialStringP + @abstract Retrieves the serial number of a given certificate in human readable form. + @param certificate A reference to the certificate from which to obtain the serial number. + @result A CFStringRef containing the human readable serial number of the certificate in decimal form. +*/ +CFStringRef SecCertificateGetSerialStringP(SecCertificateRefP certificate); + + + +CFDataRef SecCertificateGetPublicKeyDERP(SecCertificateRefP certificate); +CFDataRef SecCertificateGetPublicKeySHA1FingerPrintP(SecCertificateRefP certificate); +CFDataRef SecCertificateGetPublicKeyMD5FingerPrintP(SecCertificateRefP certificate); +CFDataRef SecCertificateGetSignatureAlgorithmDERP(SecCertificateRefP certificate); +CFDataRef SecCertificateGetSignatureAlgorithmNameP(SecCertificateRefP certificate); +CFStringRef SecCertificateGetSignatureAlgorithmOIDP(SecCertificateRefP certificate); +CFDataRef SecCertificateGetSignatureDERP(SecCertificateRefP certificate); +CFDataRef SecCertificateGetSignatureAlgorithmParametersDERP(SecCertificateRefP certificate); + +/* plist top level array is orderd list of key/value pairs */ +CFArrayRef SecCertificateGetSignatureAlgorithmParametersArrayP(SecCertificateRefP certificate); + +#if 0 +/* This cert is signed by its parent? */ +bool SecCertificateIsSignatureValidP(SecCertificateRefP certificate); + +/* This cert is signed by its parent and so on until no parent certificate can be found? */ +bool SecCertificateIsIssuerChainValidP(SecCertificateRefP certificate, CFArrayRef additionalCertificatesToSearch); + +/* This cert is signed by its parent and so on until no parent certificate can be found? 
*/ +bool SecCertificateIsSignatureChainValidP(SecCertificateRefP certificate); + +/* This cert is signed by its parent and so on until a certiicate in anchors can be found. */ +bool SecCertificateIssuerChainHasAnchorInP(SecCertificateRefP certificate, CFArrayRef anchors); + +/* This cert is signed by its parent and so on until a certiicate in anchors can be found. */ +bool SecCertificateSignatureChainHasAnchorInP(SecCertificateRefP certificate, CFArrayRef anchors); + +bool SecCertificateIsSelfSignedP(SecCertificateRefP certificate); +#endif + + +/* The entire certificate in DER encoding including the outer tag and length fields. */ +CFDataRef SecCertificateGetDERP(SecCertificateRefP certificate); + +/* Returns the status code of the last failed call for this certificate on this thread. */ +OSStatus SecCertificateGetStatusP(SecCertificateRefP certificate); + +CFDataRef SecCertificateGetIssuerDERP(SecCertificateRefP certificate); +CFDataRef SecCertificateGetNormalizedIssuerDERP(SecCertificateRefP certificate); + +/* Return the issuer as an X509 name encoded in an array. Each element in this array is an array. Each inner array has en even number of elements. Each pair of elements in the inner array represents a key and a value. The key is a string and the value is also a string. Elements in the outer array should be considered ordered while pairs in the inner array should not. */ +CFArrayRef SecCertificateGetIssuerArrayP(SecCertificateRefP certificate); + + +CFDataRef SecCertificateGetSubjectDERP(SecCertificateRefP certificate); +CFDataRef SecCertificateGetNormalizedSubjectDERP(SecCertificateRefP certificate); +/* See SecCertificateGetIssuerArray for a description of the returned array. 
*/ +CFArrayRef SecCertificateGetSubjectArrayP(SecCertificateRefP certificate); + +CFDateRef SecCertificateGetNotValidBeforeDateP(SecCertificateRefP certificate); +CFDateRef SecCertificateGetNotValidDateP(SecCertificateRefP certificate); + + +#if 0 + +CFIndex SecCertificateGetExtensionCountP(SecCertificateRefP certificate, index); +CFDataRef SecCertificateGetExtensionAtIndexDERP(SecCertificateRefP certificate, CFIndex index); +bool SecCertificateIsExtensionAtIndexCriticalP(SecCertificateRefP certificate, CFIndex index); + +/* array see email example. */ +CFArrayRef SecCertificateGetExtensionAtIndexParamsArrayP(SecCertificateRefP certificate, CFIndex index); + +CFStringRef SecCertificateGetExtensionAtIndexNameP(SecCertificateRefP certificate, CFIndex index); +CFStringRef SecCertificateGetExtensionAtIndexOIDP(SecCertificateRefP certificate, CFIndex index); + +#else + +/* Return an array with all of this certificates SecCertificateExtensionRefs. */ +CFArrayRef SecCertificateGetExtensionsP(SecCertificateRefP certificate); + +/* Return the SecCertificateExtensionRef for the extension with the given oid. Return NULL if it does not exist or if an error occours call SecCertificateGetStatus() to see if an error occured or not. */ +SecCertificateExtensionRef SecCertificateGetExtensionWithOIDP(SecCertificateRefP certificate, CFDataRef oid); + +CFDataRef SecCertificateExtensionGetDERP(SecCertificateExtensionRef extension, CFDataRef oid); +CFStringRef SecCertificateExtensionNameP(SecCertificateExtensionRef extension); +CFDataRef SecCertificateExtensionGetOIDDERP(SecCertificateExtensionRef extension, CFDataRef oid); +CFStringRef SecCertificateExtensionGetOIDStringP(SecCertificateExtensionRef extension, CFDataRef oid); +bool SecCertificateExtensionIsCriticalP(SecCertificateExtensionRef extension); +CFArrayRef SecCertificateExtensionGetContentDERP(SecCertificateExtensionRef extension); + +/* Return the content of extension as an array. The array has en even number of elements. 
Each pair of elements in the array represents a key and a value. The key is a string and the value is either a string, or dictionary or an array of key value pairs like the outer array. */
+CFArrayRef SecCertificateExtensionGetContentArrayP(SecCertificateExtensionRef extension);
+
+#endif /* 0 */
+
+#endif /* 0 */
+
+
+void appendPropertyP(CFMutableArrayRef properties,
+    CFStringRef propertyType, CFStringRef label, CFTypeRef value);
+
+/* Utility functions. */
+CFStringRef SecDERItemCopyOIDDecimalRepresentation(CFAllocatorRef allocator,
+    const DERItem *oid);
+CFDataRef createNormalizedX501Name(CFAllocatorRef allocator,
+    const DERItem *x501name);
+
+/* Decode a choice of UTCTime or GeneralizedTime to a CFAbsoluteTime. Return
+   an absoluteTime if the date was valid and properly decoded. Return
+   NULL_TIME otherwise. */
+CFAbsoluteTime SecAbsoluteTimeFromDateContent(DERTag tag, const uint8_t *bytes,
+    size_t length);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#endif /* !_SECURITY_SECCERTIFICATEINTERNAL_H_ */
diff --git a/OSX/include/security_keychain/SecCertificateOIDs.h b/OSX/include/security_keychain/SecCertificateOIDs.h
new file mode 100644
index 00000000..2fb8901d
--- /dev/null
+++ b/OSX/include/security_keychain/SecCertificateOIDs.h
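Review bot: `SecCertificateIsSignedByP(certificate, issuerKey)` is declared under "Certificate Operations" with no comment on what it actually checks, and next to chain-building helpers a caller can easily read its OSStatus as a trust verdict; I would document it as `/* Verify only that the certificate's signature validates under issuerKey. Does not check name chaining, validity period, constraints or trust; use SecTrust for path validation. */`, confirming the wording against the implementation in SecCertificateP.c. Likewise `SecCertificateHasUnknownCriticalExtensionP` should state the consequence for a path-validation caller, e.g. `/* Per RFC 5280 §4.2 a certificate with an unrecognized critical extension MUST be rejected; a true result is a hard failure, not informational. */`. The prototypes under `#ifdef OPTIONAL_METHODS` and the two nested `#if 0` blocks are dead code being carried into the new OSX/ tree, and at least one of them (`SecCertificateGetExtensionCountP(SecCertificateRefP certificate, index)`, with an untyped parameter) would not compile if ever enabled, so delete them rather than preserve them. Finally, `SecDERItemCopyOIDDecimalRepresentation`, `createNormalizedX501Name` and `SecAbsoluteTimeFromDateContent` lack the `P` suffix every other function here carries; if that suffix exists to keep this parallel implementation from colliding with the unsuffixed symbols at link time, these three presumably need it too — worth confirming.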
@@ -0,0 +1,172 @@ +/* + * Copyright (c) 2002-2012 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +/*! + @header SecCertificateOIDs + These constants are used to access entries in the dictionary returned by + SecCertificateCopyValues, which are the parsed field from a certificate. 
+*/ + +#ifndef _SECURITY_SECCERTIFICATEOIDS_H_ +#define _SECURITY_SECCERTIFICATEOIDS_H_ + +#include +#include +#include + +#if defined(__cplusplus) +extern "C" { +#endif + +CF_ASSUME_NONNULL_BEGIN + +extern const CFStringRef kSecOIDADC_CERT_POLICY __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDAPPLE_CERT_POLICY __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDAPPLE_EKU_CODE_SIGNING __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDAPPLE_EKU_CODE_SIGNING_DEV __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDAPPLE_EKU_ICHAT_ENCRYPTION __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDAPPLE_EKU_ICHAT_SIGNING __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDAPPLE_EKU_RESOURCE_SIGNING __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDAPPLE_EKU_SYSTEM_IDENTITY __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDAPPLE_EXTENSION __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDAPPLE_EXTENSION_ADC_APPLE_SIGNING __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDAPPLE_EXTENSION_ADC_DEV_SIGNING __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDAPPLE_EXTENSION_APPLE_SIGNING __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDAPPLE_EXTENSION_CODE_SIGNING __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDAPPLE_EXTENSION_INTERMEDIATE_MARKER __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDAPPLE_EXTENSION_WWDR_INTERMEDIATE __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDAPPLE_EXTENSION_ITMS_INTERMEDIATE __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const 
CFStringRef kSecOIDAPPLE_EXTENSION_AAI_INTERMEDIATE __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDAPPLE_EXTENSION_APPLEID_INTERMEDIATE __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDAuthorityInfoAccess __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDAuthorityKeyIdentifier __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDBasicConstraints __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDBiometricInfo __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDCSSMKeyStruct __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDCertIssuer __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDCertificatePolicies __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDClientAuth __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDCollectiveStateProvinceName __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDCollectiveStreetAddress __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDCommonName __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDCountryName __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDCrlDistributionPoints __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDCrlNumber __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDCrlReason __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDDOTMAC_CERT_EMAIL_ENCRYPT __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDDOTMAC_CERT_EMAIL_SIGN __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef 
kSecOIDDOTMAC_CERT_EXTENSION __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDDOTMAC_CERT_IDENTITY __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDDOTMAC_CERT_POLICY __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDDeltaCrlIndicator __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDDescription __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDEKU_IPSec __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDEmailAddress __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDEmailProtection __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDExtendedKeyUsage __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDExtendedKeyUsageAny __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDExtendedUseCodeSigning __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDGivenName __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDHoldInstructionCode __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDInvalidityDate __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDIssuerAltName __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDIssuingDistributionPoint __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDIssuingDistributionPoints __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDKERBv5_PKINIT_KP_CLIENT_AUTH __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDKERBv5_PKINIT_KP_KDC __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDKeyUsage __OSX_AVAILABLE_STARTING(__MAC_10_7, 
__IPHONE_NA); +extern const CFStringRef kSecOIDLocalityName __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDMS_NTPrincipalName __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDMicrosoftSGC __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDNameConstraints __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDNetscapeCertSequence __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDNetscapeCertType __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDNetscapeSGC __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDOCSPSigning __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDOrganizationName __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDOrganizationalUnitName __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDPolicyConstraints __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDPolicyMappings __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDPrivateKeyUsagePeriod __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDQC_Statements __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDSerialNumber __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDServerAuth __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDStateProvinceName __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDStreetAddress __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDSubjectAltName __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDSubjectDirectoryAttributes 
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDSubjectEmailAddress __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDSubjectInfoAccess __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDSubjectKeyIdentifier __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDSubjectPicture __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDSubjectSignatureBitmap __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDSurname __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDTimeStamping __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDTitle __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDUseExemptions __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDX509V1CertificateIssuerUniqueId __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDX509V1CertificateSubjectUniqueId __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDX509V1IssuerName __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDX509V1IssuerNameCStruct __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDX509V1IssuerNameLDAP __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDX509V1IssuerNameStd __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDX509V1SerialNumber __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDX509V1Signature __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDX509V1SignatureAlgorithm __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDX509V1SignatureAlgorithmParameters 
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDX509V1SignatureAlgorithmTBS __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDX509V1SignatureCStruct __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDX509V1SignatureStruct __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDX509V1SubjectName __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDX509V1SubjectNameCStruct __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDX509V1SubjectNameLDAP __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDX509V1SubjectNameStd __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDX509V1SubjectPublicKey __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDX509V1SubjectPublicKeyAlgorithm __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDX509V1SubjectPublicKeyAlgorithmParameters __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDX509V1SubjectPublicKeyCStruct __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDX509V1ValidityNotAfter __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDX509V1ValidityNotBefore __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDX509V1Version __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDX509V3Certificate __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDX509V3CertificateCStruct __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDX509V3CertificateExtensionCStruct __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); +extern const CFStringRef kSecOIDX509V3CertificateExtensionCritical 
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern const CFStringRef kSecOIDX509V3CertificateExtensionId __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern const CFStringRef kSecOIDX509V3CertificateExtensionStruct __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern const CFStringRef kSecOIDX509V3CertificateExtensionType __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern const CFStringRef kSecOIDX509V3CertificateExtensionValue __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern const CFStringRef kSecOIDX509V3CertificateExtensionsCStruct __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern const CFStringRef kSecOIDX509V3CertificateExtensionsStruct __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern const CFStringRef kSecOIDX509V3CertificateNumberOfExtensions __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern const CFStringRef kSecOIDX509V3SignedCertificate __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern const CFStringRef kSecOIDX509V3SignedCertificateCStruct __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern const CFStringRef kSecOIDSRVName __OSX_AVAILABLE_STARTING(__MAC_10_8, __IPHONE_NA);
+
+CF_ASSUME_NONNULL_END
+
+#if defined(__cplusplus)
+}
+#endif
+
+#endif /* !_SECURITY_SECCERTIFICATEOIDS_H_ */
diff --git a/OSX/include/security_keychain/SecCertificateP.c b/OSX/include/security_keychain/SecCertificateP.c
new file mode 100644
index 00000000..fc6403c9
--- /dev/null
+++ b/OSX/include/security_keychain/SecCertificateP.c
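Review bot: The `@header` comment at the top of this file is its only documentation, and it omits the caveat a consumer of these keys most needs: the dictionary holds what was parsed out of the certificate, not what was validated, so the presence of e.g. `kSecOIDExtendedKeyUsage` or `kSecOIDBasicConstraints` must not be used as a trust decision; I would extend it with `Values reflect the certificate's parsed contents only; no signature, validity or trust evaluation is implied — use SecTrust for that.` and fix the typo `the parsed field` → `the parsed fields`. Two keys look like aliases of one attribute (`kSecOIDEmailAddress` and `kSecOIDSubjectEmailAddress`) and the header does not say which one SecCertificateCopyValues emits; a one-line comment on each would stop callers matching the wrong key. `kSecOIDSRVName` alone is tagged `__MAC_10_8` while every other constant is `__MAC_10_7`; if intentional, a short comment saying so would help.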
@@ -0,0 +1,4743 @@
+/*
+ * Copyright (c) 2006-2015 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+/*
+ * SecCertificate.c - CoreFoundation based certificate object
+ */
+
+
+#include "SecCertificateInternalP.h"
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "SecBasePriv.h"
+
+#include "SecRSAKeyP.h"
+#include "SecFrameworkP.h"
+#include "SecItem.h"
+#include "SecItemPriv.h"
+#include
+#include
+#include
+#include
+#include "SecInternalP.h"
+#include "SecBase64P.h"
+
+#include
+
+typedef struct SecCertificateExtension {
+ DERItem extnID;
+ bool critical;
+ DERItem extnValue;
+} SecCertificateExtension;
+
+#if 0
+typedef struct KnownExtension {
+ bool critical;
+ DERItem extnValue;
+} KnownExtension;
+
+enum {
+ kSecSelfSignedUnknown = 0,
+ kSecSelfSignedFalse,
+ kSecSelfSignedTrue,
+};
+#endif
+
+struct __SecCertificate {
+ CFRuntimeBase _base;
+
+ DERItem _der; /* Entire certificate in DER form.
*/ + DERItem _tbs; /* To Be Signed cert DER bytes. */ + DERAlgorithmId _sigAlg; /* Top level signature algorithm. */ + DERItem _signature; /* The content of the sig bit string. */ + + UInt8 _version; + DERItem _serialNum; /* Integer. */ + DERAlgorithmId _tbsSigAlg; /* sig alg MUST be same as _sigAlg. */ + DERItem _issuer; /* Sequence of RDN. */ + CFAbsoluteTime _notBefore; + CFAbsoluteTime _notAfter; + DERItem _subject; /* Sequence of RDN. */ + DERAlgorithmId _algId; /* oid and params of _pubKeyDER. */ + DERItem _pubKeyDER; /* contents of bit string */ + DERItem _issuerUniqueID; /* bit string, optional */ + DERItem _subjectUniqueID; /* bit string, optional */ + +#if 0 + /* Known extensions if the certificate contains them, + extnValue.length will be > 0. */ + KnownExtension _authorityKeyID; + + /* This extension is used to uniquely identify a certificate from among + several that have the same subject name. If the extension is not + present, its value is calculated by performing a SHA-1 hash of the + certificate's DER encoded subjectPublicKeyInfo, as recommended by + PKIX. */ + KnownExtension _subjectKeyID; + KnownExtension _keyUsage; + KnownExtension _extendedKeyUsage; + KnownExtension _basicConstraints; + KnownExtension _netscapeCertType; + KnownExtension _subjectAltName; + KnownExtension _qualCertStatements; + +#endif + bool _foundUnknownCriticalExtension; + + /* Well known certificate extensions. */ + SecCEBasicConstraints _basicConstraints; + SecCEPolicyConstraints _policyConstraints; + CFDictionaryRef _policyMappings; + SecCECertificatePolicies _certificatePolicies; + + /* If InhibitAnyPolicy extension is not present or invalid UINT32_MAX, + value of the SkipCerts field of the InhibitAnyPolicy extension + otherwise. */ + uint32_t _inhibitAnyPolicySkipCerts; + + /* If KeyUsage extension is not present this is 0, otherwise it's + the value of the extension. */ + SecKeyUsage _keyUsage; + + /* OCTECTS of SubjectKeyIdentifier extensions KeyIdentifier. 
+ Length = 0 if not present. */ + DERItem _subjectKeyIdentifier; + + /* OCTECTS of AuthorityKeyIdentifier extensions KeyIdentifier. + Length = 0 if not present. */ + DERItem _authorityKeyIdentifier; + /* AuthorityKeyIdentifier extension _authorityKeyIdentifierIssuer and + _authorityKeyIdentifierSerialNumber have non zero length if present. + Both are either present or absent together. */ + DERItem _authorityKeyIdentifierIssuer; + DERItem _authorityKeyIdentifierSerialNumber; + + /* Subject alt name extension, if present. Not malloced, it's just a + pointer to an element in the _extensions array. */ + const SecCertificateExtension *_subjectAltName; + + /* Parsed extension values. */ + + /* Array of CFURLRefs containing the URI values of crlDistributionPoints. */ + CFMutableArrayRef _crlDistributionPoints; + + /* Array of CFURLRefs containing the URI values of accessLocations of each + id-ad-ocsp AccessDescription in the Authority Information Access + extension. */ + CFMutableArrayRef _ocspResponders; + + /* Array of CFURLRefs containing the URI values of accessLocations of each + id-ad-caIssuers AccessDescription in the Authority Information Access + extension. */ + CFMutableArrayRef _caIssuers; + + /* All other (non known) extensions. The _extensions array is malloced. */ + CFIndex _extensionCount; + SecCertificateExtension *_extensions; + + /* Optional cached fields. */ + SecKeyRef _pubKey; + CFDataRef _der_data; + CFArrayRef _properties; + CFDataRef _serialNumber; + CFDataRef _normalizedIssuer; + CFDataRef _normalizedSubject; + CFDataRef _authorityKeyID; + CFDataRef _subjectKeyID; + + CFDataRef _sha1Digest; + uint8_t _isSelfSigned; + +}; + +/* Public Constants for property list keys. */ +CFStringRef kSecPropertyKeyType = CFSTR("type"); +CFStringRef kSecPropertyKeyLabel = CFSTR("label"); +CFStringRef kSecPropertyKeyLocalizedLabel = CFSTR("localized label"); +CFStringRef kSecPropertyKeyValue = CFSTR("value"); + +/* Public Constants for property list values. 
*/ +CFStringRef kSecPropertyTypeWarning = CFSTR("warning"); +CFStringRef kSecPropertyTypeError = CFSTR("error"); +CFStringRef kSecPropertyTypeSuccess = CFSTR("success"); +CFStringRef kSecPropertyTypeTitle = CFSTR("title"); +CFStringRef kSecPropertyTypeSection = CFSTR("section"); +CFStringRef kSecPropertyTypeData = CFSTR("data"); +CFStringRef kSecPropertyTypeString = CFSTR("string"); +CFStringRef kSecPropertyTypeURL = CFSTR("url"); +CFStringRef kSecPropertyTypeDate = CFSTR("date"); + +/* Extension parsing routine. */ +typedef void (*SecCertificateExtensionParser)(SecCertificateRefP certificate, + const SecCertificateExtension *extn); + +/* CFRuntime regsitration data. */ +static pthread_once_t kSecCertificateRegisterClass = PTHREAD_ONCE_INIT; +static CFTypeID kSecCertificateTypeID = _kCFRuntimeNotATypeID; + +/* Mapping from extension OIDs (as a DERItem *) to + SecCertificateExtensionParser extension parsing routines. */ +static CFDictionaryRef gExtensionParsers; + +/* Forward declartions of static functions. */ +static CFStringRef SecCertificateDescribe(CFTypeRef cf); +static void SecCertificateDestroy(CFTypeRef cf); +static bool derDateGetAbsoluteTime(const DERItem *dateChoice, + CFAbsoluteTime *absTime); + +/* Static functions. 
*/ +static CFStringRef SecCertificateDescribe(CFTypeRef cf) { + SecCertificateRefP certificate = (SecCertificateRefP)cf; + return CFStringCreateWithFormat(kCFAllocatorDefault, NULL, + CFSTR(""), certificate, + SecCertificateCopySubjectSummaryP(certificate), + SecCertificateCopyIssuerSummaryP(certificate)); +} + +static void SecCertificateDestroy(CFTypeRef cf) { + SecCertificateRefP certificate = (SecCertificateRefP)cf; + if (certificate->_certificatePolicies.policies) + free(certificate->_certificatePolicies.policies); + CFReleaseSafe(certificate->_policyMappings); + CFReleaseSafe(certificate->_crlDistributionPoints); + CFReleaseSafe(certificate->_ocspResponders); + CFReleaseSafe(certificate->_caIssuers); + if (certificate->_extensions) { + free(certificate->_extensions); + } + CFReleaseSafe(certificate->_pubKey); + CFReleaseSafe(certificate->_der_data); + CFReleaseSafe(certificate->_properties); + CFReleaseSafe(certificate->_serialNumber); + CFReleaseSafe(certificate->_normalizedIssuer); + CFReleaseSafe(certificate->_normalizedSubject); + CFReleaseSafe(certificate->_authorityKeyID); + CFReleaseSafe(certificate->_subjectKeyID); + CFReleaseSafe(certificate->_sha1Digest); +} + +static Boolean SecCertificateEqual(CFTypeRef cf1, CFTypeRef cf2) { + SecCertificateRefP cert1 = (SecCertificateRefP)cf1; + SecCertificateRefP cert2 = (SecCertificateRefP)cf2; + if (cert1 == cert2) + return true; + if (!cert2 || cert1->_der.length != cert2->_der.length) + return false; + return !memcmp(cert1->_der.data, cert2->_der.data, cert1->_der.length); +} + +/* Hash of the certificate is der length + signature length + last 4 bytes + of signature. */ +static CFHashCode SecCertificateHash(CFTypeRef cf) { + SecCertificateRefP certificate = (SecCertificateRefP)cf; + DERSize der_length = certificate->_der.length; + DERSize sig_length = certificate->_signature.length; + DERSize ix = (sig_length > 4) ? 
sig_length - 4 : 0; + CFHashCode hashCode = 0; + for (; ix < sig_length; ++ix) + hashCode = (hashCode << 8) + certificate->_signature.data[ix]; + + return (hashCode + der_length + sig_length); +} + +#if 1 + +/************************************************************************/ +/************************* General Name Parsing *************************/ +/************************************************************************/ + +typedef OSStatus (*parseGeneralNameCallback)(void *context, + SecCEGeneralNameType type, const DERItem *value); + + +/* + GeneralName ::= CHOICE { + otherName [0] OtherName, + rfc822Name [1] IA5String, + dNSName [2] IA5String, + x400Address [3] ORAddress, + directoryName [4] Name, + ediPartyName [5] EDIPartyName, + uniformResourceIdentifier [6] IA5String, + iPAddress [7] OCTET STRING, + registeredID [8] OBJECT IDENTIFIER} + + OtherName ::= SEQUENCE { + type-id OBJECT IDENTIFIER, + value [0] EXPLICIT ANY DEFINED BY type-id } + + EDIPartyName ::= SEQUENCE { + nameAssigner [0] DirectoryString OPTIONAL, + partyName [1] DirectoryString } + */ +static OSStatus parseGeneralNameContentProperty(DERTag tag, + const DERItem *generalNameContent, + void *context, parseGeneralNameCallback callback) { + switch (tag) { + case ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 0: + return callback(context, GNT_OtherName, generalNameContent); + case ASN1_CONTEXT_SPECIFIC | 1: + return callback(context, GNT_RFC822Name, generalNameContent); + case ASN1_CONTEXT_SPECIFIC | 2: + return callback(context, GNT_DNSName, generalNameContent); + case ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 3: + return callback(context, GNT_X400Address, generalNameContent); + case ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 4: + return callback(context, GNT_DirectoryName, generalNameContent); + case ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 5: + return callback(context, GNT_EdiPartyName, generalNameContent); + case ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 6: + { + /* Technically I 
don't think this is valid, but there are certs out + in the wild that use a constructed IA5String. In particular the + VeriSign Time Stamping Authority CA.cer does this. */ + DERDecodedInfo uriContent; + require_noerr(DERDecodeItem(generalNameContent, &uriContent), badDER); + require(uriContent.tag == ASN1_IA5_STRING, badDER); + return callback(context, GNT_URI, &uriContent.content); + } + case ASN1_CONTEXT_SPECIFIC | 6: + return callback(context, GNT_URI, generalNameContent); + case ASN1_CONTEXT_SPECIFIC | 7: + return callback(context, GNT_IPAddress, generalNameContent); + case ASN1_CONTEXT_SPECIFIC | 8: + return callback(context, GNT_RegisteredID, generalNameContent); + default: + goto badDER; + } +badDER: + return errSecInvalidCertificate; +} + +static OSStatus parseGeneralNamesContent(const DERItem *generalNamesContent, + void *context, parseGeneralNameCallback callback) { + DERSequence gnSeq; + DERReturn drtn = DERDecodeSeqContentInit(generalNamesContent, &gnSeq); + require_noerr_quiet(drtn, badDER); + DERDecodedInfo generalNameContent; + while ((drtn = DERDecodeSeqNext(&gnSeq, &generalNameContent)) == + DR_Success) { + OSStatus status = parseGeneralNameContentProperty( + generalNameContent.tag, &generalNameContent.content, context, + callback); + if (status) + return status; + } + require_quiet(drtn == DR_EndOfSequence, badDER); + return errSecSuccess; + +badDER: + return errSecInvalidCertificate; +} + +static OSStatus parseGeneralNames(const DERItem *generalNames, void *context, + parseGeneralNameCallback callback) { + DERDecodedInfo generalNamesContent; + DERReturn drtn = DERDecodeItem(generalNames, &generalNamesContent); + require_noerr_quiet(drtn, badDER); + require_quiet(generalNamesContent.tag == ASN1_CONSTR_SEQUENCE, badDER); + return parseGeneralNamesContent(&generalNamesContent.content, context, + callback); +badDER: + return errSecInvalidCertificate; +} + +#else + +/* + GeneralName ::= CHOICE { + otherName [0] OtherName, + rfc822Name [1] IA5String, 
+ dNSName [2] IA5String, + x400Address [3] ORAddress, + directoryName [4] Name, + ediPartyName [5] EDIPartyName, + uniformResourceIdentifier [6] IA5String, + iPAddress [7] OCTET STRING, + registeredID [8] OBJECT IDENTIFIER} + + EDIPartyName ::= SEQUENCE { + nameAssigner [0] DirectoryString OPTIONAL, + partyName [1] DirectoryString } + */ +static OSStatus parseGeneralNameContentProperty(DERTag tag, + const DERItem *generalNameContent, SecCEGeneralName *generalName) { + switch (tag) { + case ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 0: + generalName->nameType = GNT_OtherName; + generalName->berEncoded = true; + generalName->name = *generalNameContent; + break; + case ASN1_CONTEXT_SPECIFIC | 1: + /* IA5String. */ + generalName->nameType = GNT_RFC822Name; + generalName->berEncoded = false; + generalName->name = *generalNameContent; + break; + case ASN1_CONTEXT_SPECIFIC | 2: + /* IA5String. */ + generalName->nameType = GNT_DNSName; + generalName->berEncoded = false; + generalName->name = *generalNameContent; + break; + case ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 3: + generalName->nameType = GNT_X400Address; + generalName->berEncoded = true; + generalName->name = *generalNameContent; + break; + case ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 4: + generalName->nameType = GNT_DirectoryName; + generalName->berEncoded = true; + generalName->name = *generalNameContent; + break; + case ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 5: + generalName->nameType = GNT_EdiPartyName; + generalName->berEncoded = true; + generalName->name = *generalNameContent; + break; + case ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 6: + { + /* Technically I don't think this is valid, but there are certs out + in the wild that use a constructed IA5String. In particular the + VeriSign Time Stamping Authority CA.cer does this. 
*/ + DERDecodedInfo decoded; + require_noerr(DERDecodeItem(generalNameContent, &decoded), badDER); + require(decoded.tag == ASN1_IA5_STRING, badDER); + generalName->nameType = GNT_URI; + generalName->berEncoded = false; + generalName->name = decoded.content; + break; + } + case ASN1_CONTEXT_SPECIFIC | 6: + generalName->nameType = GNT_URI; + generalName->berEncoded = false; + generalName->name = *generalNameContent; + break; + case ASN1_CONTEXT_SPECIFIC | 7: + /* @@@ This is the IP Address as an OCTECT STRING. For IPv4 it's + 8 octects, addr/mask for ipv6 it's 32. */ + generalName->nameType = GNT_IPAddress; + generalName->berEncoded = false; + generalName->name = *generalNameContent; + break; + case ASN1_CONTEXT_SPECIFIC | 8: + /* name is the content of an OID. */ + generalName->nameType = GNT_RegisteredID; + generalName->berEncoded = false; + generalName->name = *generalNameContent; + break; + default: + goto badDER; + break; + } + return errSecSuccess; +badDER: + return errSecInvalidCertificate; +} + +/* + GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName + */ +static OSStatus parseGeneralNamesContent(const DERItem *generalNamesContent, + CFIndex *count, SecCEGeneralName **name) { + SecCEGeneralName *generalNames = NULL; + DERSequence gnSeq; + DERReturn drtn = DERDecodeSeqContentInit(generalNamesContent, &gnSeq); + require_noerr_quiet(drtn, badDER); + DERDecodedInfo generalNameContent; + CFIndex generalNamesCount = 0; + while ((drtn = DERDecodeSeqNext(&gnSeq, &generalNameContent)) == + DR_Success) { + ++generalNamesCount; + } + require_quiet(drtn == DR_EndOfSequence, badDER); + + require(generalNames = calloc(generalNamesCount, sizeof(SecCEGeneralName)), + badDER); + DERDecodeSeqContentInit(generalNamesContent, &gnSeq); + CFIndex ix = 0; + while ((drtn = DERDecodeSeqNext(&gnSeq, &generalNameContent)) == + DR_Success) { + if (!parseGeneralNameContentProperty(generalNameContent.tag, + &generalNameContent.content, &generalNames[ix])) { + goto badDER; + } + ++ix; 
+ } + *count = generalNamesCount; + *name = generalNames; + return errSecSuccess; + +badDER: + if (generalNames) + free(generalNames); + return errSecInvalidCertificate; +} + +static OSStatus parseGeneralNames(const DERItem *generalNames, + CFIndex *count, SecCEGeneralName **name) { + DERDecodedInfo generalNamesContent; + DERReturn drtn = DERDecodeItem(generalNames, &generalNamesContent); + require_noerr_quiet(drtn, badDER); + require_quiet(generalNamesContent.tag == ASN1_CONSTR_SEQUENCE, + badDER); + parseGeneralNamesContent(&generalNamesContent.content, count, name); + return errSecSuccess; +badDER: + return errSecInvalidCertificate; +} +#endif + +/************************************************************************/ +/************************** X.509 Name Parsing **************************/ +/************************************************************************/ + +typedef OSStatus (*parseX501NameCallback)(void *context, const DERItem *type, + const DERItem *value, CFIndex rdnIX); + +static OSStatus parseRDNContent(const DERItem *rdnSetContent, void *context, + parseX501NameCallback callback) { + DERSequence rdn; + DERReturn drtn = DERDecodeSeqContentInit(rdnSetContent, &rdn); + require_noerr_quiet(drtn, badDER); + DERDecodedInfo atvContent; + CFIndex rdnIX = 0; + while ((drtn = DERDecodeSeqNext(&rdn, &atvContent)) == DR_Success) { + require_quiet(atvContent.tag == ASN1_CONSTR_SEQUENCE, badDER); + DERAttributeTypeAndValue atv; + drtn = DERParseSequenceContent(&atvContent.content, + DERNumAttributeTypeAndValueItemSpecs, + DERAttributeTypeAndValueItemSpecs, + &atv, sizeof(atv)); + require_noerr_quiet(drtn, badDER); + require_quiet(atv.type.length != 0, badDER); + OSStatus status = callback(context, &atv.type, &atv.value, rdnIX++); + if (status) + return status; + } + require_quiet(drtn == DR_EndOfSequence, badDER); + + return errSecSuccess; +badDER: + return errSecInvalidCertificate; +} + +static OSStatus parseX501NameContent(const DERItem *x501NameContent, 
void *context, + parseX501NameCallback callback) { + DERSequence derSeq; + DERReturn drtn = DERDecodeSeqContentInit(x501NameContent, &derSeq); + require_noerr_quiet(drtn, badDER); + DERDecodedInfo currDecoded; + while ((drtn = DERDecodeSeqNext(&derSeq, &currDecoded)) == DR_Success) { + require_quiet(currDecoded.tag == ASN1_CONSTR_SET, badDER); + OSStatus status = parseRDNContent(&currDecoded.content, context, + callback); + if (status) + return status; + } + require_quiet(drtn == DR_EndOfSequence, badDER); + + return errSecSuccess; + +badDER: + return errSecInvalidCertificate; +} + +static OSStatus parseX501Name(const DERItem *x501Name, void *context, + parseX501NameCallback callback) { + DERDecodedInfo x501NameContent; + if (DERDecodeItem(x501Name, &x501NameContent) || + x501NameContent.tag != ASN1_CONSTR_SEQUENCE) { + return errSecInvalidCertificate; + } else { + return parseX501NameContent(&x501NameContent.content, context, + callback); + } +} + +/************************************************************************/ +/********************** Extension Parsing Routines **********************/ +/************************************************************************/ + +static void SecCEPSubjectKeyIdentifier(SecCertificateRefP certificate, + const SecCertificateExtension *extn) { + secdebug("cert", "critical: %s", extn->critical ? "yes" : "no"); + DERDecodedInfo keyIdentifier; + DERReturn drtn = DERDecodeItem(&extn->extnValue, &keyIdentifier); + require_noerr_quiet(drtn, badDER); + require_quiet(keyIdentifier.tag == ASN1_OCTET_STRING, badDER); + certificate->_subjectKeyIdentifier = keyIdentifier.content; + + return; +badDER: + secdebug("cert", "Invalid SubjectKeyIdentifier Extension"); +} + +static void SecCEPKeyUsage(SecCertificateRefP certificate, + const SecCertificateExtension *extn) { + secdebug("cert", "critical: %s", extn->critical ? "yes" : "no"); + SecKeyUsage keyUsage = extn->critical ? 
kSecKeyUsageCritical : 0; + DERDecodedInfo bitStringContent; + DERReturn drtn = DERDecodeItem(&extn->extnValue, &bitStringContent); + require_noerr_quiet(drtn, badDER); + require_quiet(bitStringContent.tag == ASN1_BIT_STRING, badDER); + DERSize len = bitStringContent.content.length - 1; + require_quiet(len == 1 || len == 2, badDER); + DERByte numUnusedBits = bitStringContent.content.data[0]; + require_quiet(numUnusedBits < 8, badDER); + /* Flip the bits in the bit string so the first bit in the lsb. */ + uint_fast16_t bits = 8 * len - numUnusedBits; + uint_fast16_t value = bitStringContent.content.data[1]; + uint_fast16_t mask; + if (len > 1) { + value = (value << 8) + bitStringContent.content.data[2]; + mask = 0x8000; + } else { + mask = 0x80; + } + uint_fast16_t ix; + for (ix = 0; ix < bits; ++ix) { + if (value & mask) { + keyUsage |= 1 << ix; + } + mask >>= 1; + } + certificate->_keyUsage = keyUsage; + return; +badDER: + certificate->_keyUsage = kSecKeyUsageUnspecified; +} + +static void SecCEPPrivateKeyUsagePeriod(SecCertificateRefP certificate, + const SecCertificateExtension *extn) { + secdebug("cert", "critical: %s", extn->critical ? "yes" : "no"); +} + +static void SecCEPSubjectAltName(SecCertificateRefP certificate, + const SecCertificateExtension *extn) { + secdebug("cert", "critical: %s", extn->critical ? "yes" : "no"); + certificate->_subjectAltName = extn; +} + +static void SecCEPIssuerAltName(SecCertificateRefP certificate, + const SecCertificateExtension *extn) { + secdebug("cert", "critical: %s", extn->critical ? "yes" : "no"); +} + +static void SecCEPBasicConstraints(SecCertificateRefP certificate, + const SecCertificateExtension *extn) { + secdebug("cert", "critical: %s", extn->critical ? 
"yes" : "no"); + DERBasicConstraints basicConstraints; + require_noerr_quiet(DERParseSequence(&extn->extnValue, + DERNumBasicConstraintsItemSpecs, DERBasicConstraintsItemSpecs, + &basicConstraints, sizeof(basicConstraints)), badDER); + require_noerr_quiet(DERParseBoolean(&basicConstraints.cA, false, + &certificate->_basicConstraints.isCA), badDER); + if (basicConstraints.pathLenConstraint.length != 0) { + require_noerr_quiet(DERParseInteger( + &basicConstraints.pathLenConstraint, + &certificate->_basicConstraints.pathLenConstraint), badDER); + certificate->_basicConstraints.pathLenConstraintPresent = true; + } + certificate->_basicConstraints.present = true; + certificate->_basicConstraints.critical = extn->critical; + return; +badDER: + certificate->_basicConstraints.present = false; + secdebug("cert", "Invalid BasicConstraints Extension"); +} + +static void SecCEPCrlDistributionPoints(SecCertificateRefP certificate, + const SecCertificateExtension *extn) { + secdebug("cert", "critical: %s", extn->critical ? "yes" : "no"); +} + +/* + certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation + + PolicyInformation ::= SEQUENCE { + policyIdentifier CertPolicyId, + policyQualifiers SEQUENCE SIZE (1..MAX) OF + PolicyQualifierInfo OPTIONAL } + + CertPolicyId ::= OBJECT IDENTIFIER + + PolicyQualifierInfo ::= SEQUENCE { + policyQualifierId PolicyQualifierId, + qualifier ANY DEFINED BY policyQualifierId } +*/ +static void SecCEPCertificatePolicies(SecCertificateRefP certificate, + const SecCertificateExtension *extn) { + secdebug("cert", "critical: %s", extn->critical ? 
"yes" : "no"); + DERTag tag; + DERSequence piSeq; + SecCEPolicyInformation *policies = NULL; + DERReturn drtn = DERDecodeSeqInit(&extn->extnValue, &tag, &piSeq); + require_noerr_quiet(drtn, badDER); + require_quiet(tag == ASN1_CONSTR_SEQUENCE, badDER); + DERDecodedInfo piContent; + DERSize policy_count = 0; + while ((drtn = DERDecodeSeqNext(&piSeq, &piContent)) == DR_Success) { + require_quiet(piContent.tag == ASN1_CONSTR_SEQUENCE, badDER); + policy_count++; + } + require_quiet(drtn == DR_EndOfSequence, badDER); + policies = (SecCEPolicyInformation *)malloc(sizeof(SecCEPolicyInformation) + * policy_count); + DERDecodeSeqInit(&extn->extnValue, &tag, &piSeq); + DERSize policy_ix = 0; + while ((drtn = DERDecodeSeqNext(&piSeq, &piContent)) == DR_Success) { + DERPolicyInformation pi; + drtn = DERParseSequenceContent(&piContent.content, + DERNumPolicyInformationItemSpecs, + DERPolicyInformationItemSpecs, + &pi, sizeof(pi)); + require_noerr_quiet(drtn, badDER); + policies[policy_ix].policyIdentifier = pi.policyIdentifier; + policies[policy_ix++].policyQualifiers = pi.policyQualifiers; + } + certificate->_certificatePolicies.present = true; + certificate->_certificatePolicies.critical = extn->critical; + certificate->_certificatePolicies.numPolicies = (uint32_t)policy_count; + certificate->_certificatePolicies.policies = policies; + return; +badDER: + if (policies) + free(policies); + certificate->_certificatePolicies.present = false; + secdebug("cert", "Invalid CertificatePolicies Extension"); +} + +/* + id-ce-policyMappings OBJECT IDENTIFIER ::= { id-ce 33 } + + PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE { + issuerDomainPolicy CertPolicyId, + subjectDomainPolicy CertPolicyId } +*/ +#if 0 +static void SecCEPPolicyMappings(SecCertificateRefP certificate, + const SecCertificateExtension *extn) { + secdebug("cert", "critical: %s", extn->critical ? 
"yes" : "no"); + DERTag tag; + DERSequence pmSeq; + SecCEPolicyMapping *mappings = NULL; + DERReturn drtn = DERDecodeSeqInit(&extn->extnValue, &tag, &pmSeq); + require_noerr_quiet(drtn, badDER); + require_quiet(tag == ASN1_CONSTR_SEQUENCE, badDER); + DERDecodedInfo pmContent; + DERSize mapping_count = 0; + while ((drtn = DERDecodeSeqNext(&pmSeq, &pmContent)) == DR_Success) { + require_quiet(pmContent.tag == ASN1_CONSTR_SEQUENCE, badDER); + mapping_count++; + } + mappings = (SecCEPolicyMapping *)malloc(sizeof(SecCEPolicyMapping) + * mapping_count); + DERDecodeSeqInit(&extn->extnValue, &tag, &pmSeq); + DERSize mapping_ix = 0; + while ((drtn = DERDecodeSeqNext(&pmSeq, &pmContent)) == DR_Success) { + DERPolicyMapping pm; + drtn = DERParseSequenceContent(&pmContent.content, + DERNumPolicyMappingItemSpecs, + DERPolicyMappingItemSpecs, + &pm, sizeof(pm)); + require_noerr_quiet(drtn, badDER); + mappings[mapping_ix].issuerDomainPolicy = pm.issuerDomainPolicy; + mappings[mapping_ix++].subjectDomainPolicy = pm.subjectDomainPolicy; + } + require_quiet(drtn == DR_EndOfSequence, badDER); + certificate->_policyMappings.present = true; + certificate->_policyMappings.critical = extn->critical; + certificate->_policyMappings.numMappings = mapping_count; + certificate->_policyMappings.mappings = mappings; + return; +badDER: + if (mappings) + free(mappings); + CFReleaseSafe(mappings); + certificate->_policyMappings.present = false; + secdebug("cert", "Invalid CertificatePolicies Extension"); +} +#else +static void SecCEPPolicyMappings(SecCertificateRefP certificate, + const SecCertificateExtension *extn) { + secdebug("cert", "critical: %s", extn->critical ? 
"yes" : "no"); + DERTag tag; + DERSequence pmSeq; + CFMutableDictionaryRef mappings = NULL; + DERReturn drtn = DERDecodeSeqInit(&extn->extnValue, &tag, &pmSeq); + require_noerr_quiet(drtn, badDER); + require_quiet(tag == ASN1_CONSTR_SEQUENCE, badDER); + DERDecodedInfo pmContent; + require_quiet(mappings = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, + &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks), + badDER);; + while ((drtn = DERDecodeSeqNext(&pmSeq, &pmContent)) == DR_Success) { + require_quiet(pmContent.tag == ASN1_CONSTR_SEQUENCE, badDER); + DERPolicyMapping pm; + drtn = DERParseSequenceContent(&pmContent.content, + DERNumPolicyMappingItemSpecs, + DERPolicyMappingItemSpecs, + &pm, sizeof(pm)); + require_noerr_quiet(drtn, badDER); + CFDataRef idp, sdp; + require_quiet(idp = CFDataCreate(kCFAllocatorDefault, + pm.issuerDomainPolicy.data, pm.issuerDomainPolicy.length), badDER); + require_quiet(sdp = CFDataCreate(kCFAllocatorDefault, + pm.subjectDomainPolicy.data, pm.subjectDomainPolicy.length), badDER); + CFMutableArrayRef sdps = + (CFMutableArrayRef)CFDictionaryGetValue(mappings, idp); + if (sdps) { + CFArrayAppendValue(sdps, sdp); + } else { + require_quiet(sdps = CFArrayCreateMutable(kCFAllocatorDefault, 0, + &kCFTypeArrayCallBacks), badDER); + CFDictionarySetValue(mappings, idp, sdps); + CFRelease(sdps); + } + } + require_quiet(drtn == DR_EndOfSequence, badDER); + certificate->_policyMappings = mappings; + return; +badDER: + CFReleaseSafe(mappings); + certificate->_policyMappings = NULL; + secdebug("cert", "Invalid CertificatePolicies Extension"); +} +#endif + +/* +AuthorityKeyIdentifier ::= SEQUENCE { + keyIdentifier [0] KeyIdentifier OPTIONAL, + authorityCertIssuer [1] GeneralNames OPTIONAL, + authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL } + -- authorityCertIssuer and authorityCertSerialNumber MUST both + -- be present or both be absent + +KeyIdentifier ::= OCTET STRING +*/ +static void 
SecCEPAuthorityKeyIdentifier(SecCertificateRefP certificate, + const SecCertificateExtension *extn) { + secdebug("cert", "critical: %s", extn->critical ? "yes" : "no"); + DERAuthorityKeyIdentifier akid; + DERReturn drtn; + drtn = DERParseSequence(&extn->extnValue, + DERNumAuthorityKeyIdentifierItemSpecs, + DERAuthorityKeyIdentifierItemSpecs, + &akid, sizeof(akid)); + require_noerr_quiet(drtn, badDER); + if (akid.keyIdentifier.length) { + certificate->_authorityKeyIdentifier = akid.keyIdentifier; + } + if (akid.authorityCertIssuer.length || + akid.authorityCertSerialNumber.length) { + require_quiet(akid.authorityCertIssuer.length && + akid.authorityCertSerialNumber.length, badDER); + /* Perhaps put in a subsection called Authority Certificate Issuer. */ + certificate->_authorityKeyIdentifierIssuer = akid.authorityCertIssuer; + certificate->_authorityKeyIdentifierSerialNumber = akid.authorityCertSerialNumber; + } + + return; +badDER: + secdebug("cert", "Invalid AuthorityKeyIdentifier Extension"); +} + +static void SecCEPPolicyConstraints(SecCertificateRefP certificate, + const SecCertificateExtension *extn) { + secdebug("cert", "critical: %s", extn->critical ? 
"yes" : "no"); + DERPolicyConstraints pc; + DERReturn drtn; + drtn = DERParseSequence(&extn->extnValue, + DERNumPolicyConstraintsItemSpecs, + DERPolicyConstraintsItemSpecs, + &pc, sizeof(pc)); + require_noerr_quiet(drtn, badDER); + if (pc.requireExplicitPolicy.length) { + require_noerr_quiet(DERParseInteger( + &pc.requireExplicitPolicy, + &certificate->_policyConstraints.requireExplicitPolicy), badDER); + certificate->_policyConstraints.requireExplicitPolicyPresent = true; + } + if (pc.inhibitPolicyMapping.length) { + require_noerr_quiet(DERParseInteger( + &pc.inhibitPolicyMapping, + &certificate->_policyConstraints.inhibitPolicyMapping), badDER); + certificate->_policyConstraints.inhibitPolicyMappingPresent = true; + } + + certificate->_policyConstraints.present = true; + certificate->_policyConstraints.critical = extn->critical; + + return; +badDER: + certificate->_policyConstraints.present = false; + secdebug("cert", "Invalid PolicyConstraints Extension"); +} + +static void SecCEPExtendedKeyUsage(SecCertificateRefP certificate, + const SecCertificateExtension *extn) { + secdebug("cert", "critical: %s", extn->critical ? "yes" : "no"); +} + +/* + InhibitAnyPolicy ::= SkipCerts + + SkipCerts ::= INTEGER (0..MAX) +*/ +static void SecCEPInhibitAnyPolicy(SecCertificateRefP certificate, + const SecCertificateExtension *extn) { + secdebug("cert", "critical: %s", extn->critical ? 
"yes" : "no");
+ require_noerr_quiet(DERParseInteger(
+ &extn->extnValue,
+ &certificate->_inhibitAnyPolicySkipCerts), badDER);
+ return;
+badDER:
+ certificate->_inhibitAnyPolicySkipCerts = UINT32_MAX;
+ secdebug("cert", "Invalid InhibitAnyPolicy Extension");
+}
+
+/*
+ id-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pe 1 }
+
+ AuthorityInfoAccessSyntax ::=
+ SEQUENCE SIZE (1..MAX) OF AccessDescription
+
+ AccessDescription ::= SEQUENCE {
+ accessMethod OBJECT IDENTIFIER,
+ accessLocation GeneralName }
+
+ id-ad OBJECT IDENTIFIER ::= { id-pkix 48 }
+
+ id-ad-caIssuers OBJECT IDENTIFIER ::= { id-ad 2 }
+
+ id-ad-ocsp OBJECT IDENTIFIER ::= { id-ad 1 }
+ */
+static void SecCEPAuthorityInfoAccess(SecCertificateRefP certificate,
+ const SecCertificateExtension *extn) {
+ secdebug("cert", "critical: %s", extn->critical ? "yes" : "no");
+ DERTag tag;
+ DERSequence adSeq;
+ DERReturn drtn = DERDecodeSeqInit(&extn->extnValue, &tag, &adSeq);
+ require_noerr_quiet(drtn, badDER);
+ require_quiet(tag == ASN1_CONSTR_SEQUENCE, badDER);
+ DERDecodedInfo adContent;
+ while ((drtn = DERDecodeSeqNext(&adSeq, &adContent)) == DR_Success) {
+ require_quiet(adContent.tag == ASN1_CONSTR_SEQUENCE, badDER);
+ DERAccessDescription ad;
+ drtn = DERParseSequenceContent(&adContent.content,
+ DERNumAccessDescriptionItemSpecs,
+ DERAccessDescriptionItemSpecs,
+ &ad, sizeof(ad));
+ require_noerr_quiet(drtn, badDER);
+ CFMutableArrayRef *urls;
+ if (DEROidCompare(&ad.accessMethod, &oidAdOCSP))
+ urls = &certificate->_ocspResponders;
+ else if (DEROidCompare(&ad.accessMethod, &oidAdCAIssuer))
+ urls = &certificate->_caIssuers;
+ else
+ continue;
+
+ DERDecodedInfo generalNameContent;
+ drtn = DERDecodeItem(&ad.accessLocation, &generalNameContent);
+ require_noerr_quiet(drtn, badDER);
+ switch (generalNameContent.tag) {
+#if 0
+ case ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 6:
+ /* Technically I don't think this is valid, but there are certs out
+ in the wild that use a constructed IA5String. 
In particular the
+ VeriSign Time Stamping Authority CA.cer does this. */
+#endif
+ case ASN1_CONTEXT_SPECIFIC | 6:
+ {
+ CFURLRef url = CFURLCreateWithBytes(kCFAllocatorDefault,
+ generalNameContent.content.data, generalNameContent.content.length,
+ kCFStringEncodingASCII, NULL);
+ if (url) {
+ if (!*urls)
+ *urls = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
+ CFArrayAppendValue(*urls, url);
+ CFRelease(url);
+ }
+ break;
+ }
+ default:
+ secdebug("cert", "bad general name for id-ad-ocsp AccessDescription t: 0x%02x v: %.*s",
+ generalNameContent.tag, (int)generalNameContent.content.length, generalNameContent.content.data);
+ goto badDER;
+ break;
+ }
+ }
+ require_quiet(drtn == DR_EndOfSequence, badDER);
+ return;
+badDER:
+ secdebug("cert", "failed to parse Authority Information Access extension");
+}
+
+static void SecCEPSubjectInfoAccess(SecCertificateRefP certificate,
+ const SecCertificateExtension *extn) {
+ secdebug("cert", "critical: %s", extn->critical ? "yes" : "no");
+}
+
+static void SecCEPNetscapeCertType(SecCertificateRefP certificate,
+ const SecCertificateExtension *extn) {
+ secdebug("cert", "critical: %s", extn->critical ? "yes" : "no");
+}
+
+static void SecCEPEntrustVersInfo(SecCertificateRefP certificate,
+ const SecCertificateExtension *extn) {
+ secdebug("cert", "critical: %s", extn->critical ? "yes" : "no");
+}
+
+/* Dictionary key callback for comparing to DERItems. */
+static Boolean SecDERItemEqual(const void *value1, const void *value2) {
+ return DEROidCompare((const DERItem *)value1, (const DERItem *)value2);
+}
+
+/* Dictionary key callback calculating the hash of a DERItem. */
+static CFHashCode SecDERItemHash(const void *value) {
+ const DERItem *derItem = (const DERItem *)value;
+ CFHashCode hash = derItem->length;
+ DERSize ix = derItem->length > 8 ? 
derItem->length - 8 : 0;
+ for (; ix < derItem->length; ++ix) {
+ hash = (hash << 9) + (hash >> 23) + derItem->data[ix];
+ }
+
+ return hash;
+}
+
+/* Dictionary key callbacks using the above 2 functions. */
+static const CFDictionaryKeyCallBacks SecDERItemKeyCallBacks = {
+ 0, /* version */
+ NULL, /* retain */
+ NULL, /* release */
+ NULL, /* copyDescription */
+ SecDERItemEqual, /* equal */
+ SecDERItemHash /* hash */
+};
+
+static void SecCertificateRegisterClass(void) {
+ static const CFRuntimeClass kSecCertificateClass = {
+ 0, /* version */
+ "SecCertificate", /* class name */
+ NULL, /* init */
+ NULL, /* copy */
+ SecCertificateDestroy, /* dealloc */
+ SecCertificateEqual, /* equal */
+ SecCertificateHash, /* hash */
+ NULL, /* copyFormattingDesc */
+ SecCertificateDescribe /* copyDebugDesc */
+ };
+
+ kSecCertificateTypeID = _CFRuntimeRegisterClass(&kSecCertificateClass);
+
+ /* Build a dictionary that maps from extension OIDs to callback functions
+ which can parse the extension of the type given. 
*/
+ static const void *extnOIDs[] = {
+ &oidSubjectKeyIdentifier,
+ &oidKeyUsage,
+ &oidPrivateKeyUsagePeriod,
+ &oidSubjectAltName,
+ &oidIssuerAltName,
+ &oidBasicConstraints,
+ &oidCrlDistributionPoints,
+ &oidCertificatePolicies,
+ &oidPolicyMappings,
+ &oidAuthorityKeyIdentifier,
+ &oidPolicyConstraints,
+ &oidExtendedKeyUsage,
+ &oidInhibitAnyPolicy,
+ &oidAuthorityInfoAccess,
+ &oidSubjectInfoAccess,
+ &oidNetscapeCertType,
+ &oidEntrustVersInfo
+ };
+ static const void *extnParsers[] = {
+ SecCEPSubjectKeyIdentifier,
+ SecCEPKeyUsage,
+ SecCEPPrivateKeyUsagePeriod,
+ SecCEPSubjectAltName,
+ SecCEPIssuerAltName,
+ SecCEPBasicConstraints,
+ SecCEPCrlDistributionPoints,
+ SecCEPCertificatePolicies,
+ SecCEPPolicyMappings,
+ SecCEPAuthorityKeyIdentifier,
+ SecCEPPolicyConstraints,
+ SecCEPExtendedKeyUsage,
+ SecCEPInhibitAnyPolicy,
+ SecCEPAuthorityInfoAccess,
+ SecCEPSubjectInfoAccess,
+ SecCEPNetscapeCertType,
+ SecCEPEntrustVersInfo
+ };
+ gExtensionParsers = CFDictionaryCreate(kCFAllocatorDefault, extnOIDs,
+ extnParsers, sizeof(extnOIDs) / sizeof(*extnOIDs),
+ &SecDERItemKeyCallBacks, NULL);
+}
+
+/* Given the contents of an X.501 Name return the contents of a normalized
+ X.501 name. */
+CFDataRef createNormalizedX501Name(CFAllocatorRef allocator,
+ const DERItem *x501name) {
+ CFMutableDataRef result = CFDataCreateMutable(allocator, x501name->length);
+ CFIndex length = x501name->length;
+ CFDataSetLength(result, length);
+ UInt8 *base = CFDataGetMutableBytePtr(result);
+
+ DERSequence rdnSeq;
+ DERReturn drtn = DERDecodeSeqContentInit(x501name, &rdnSeq);
+
+ require_noerr_quiet(drtn, badDER);
+ DERDecodedInfo rdn;
+
+ /* Always points to last rdn tag. */
+ const DERByte *rdnTag = rdnSeq.nextItem;
+ /* Offset relative to base of current rdn set tag. */
+ CFIndex rdnTagLocation = 0;
+ while ((drtn = DERDecodeSeqNext(&rdnSeq, &rdn)) == DR_Success) {
+ require_quiet(rdn.tag == ASN1_CONSTR_SET, badDER);
+ /* We don't allow empty RDNs. 
*/
+ require_quiet(rdn.content.length != 0, badDER);
+ /* Length of the tag and length of the current rdn. */
+ CFIndex rdnTLLength = rdn.content.data - rdnTag;
+ CFIndex rdnContentLength = rdn.content.length;
+ /* Copy the tag and length of the RDN. */
+ memcpy(base + rdnTagLocation, rdnTag, rdnTLLength);
+
+ DERSequence atvSeq;
+ drtn = DERDecodeSeqContentInit(&rdn.content, &atvSeq);
+ DERDecodedInfo atv;
+ /* Always points to tag of current atv sequence. */
+ const DERByte *atvTag = atvSeq.nextItem;
+ /* Offset relative to base of current atv sequence tag. */
+ CFIndex atvTagLocation = rdnTagLocation + rdnTLLength;
+ while ((drtn = DERDecodeSeqNext(&atvSeq, &atv)) == DR_Success) {
+ require_quiet(atv.tag == ASN1_CONSTR_SEQUENCE, badDER);
+ /* Length of the tag and length of the current atv. */
+ CFIndex atvTLLength = atv.content.data - atvTag;
+ CFIndex atvContentLength = atv.content.length;
+ /* Copy the tag and length of the atv and the atv itself. */
+ memcpy(base + atvTagLocation, atvTag,
+ atvTLLength + atv.content.length);
+
+ /* Now decode the atv sequence. */
+ DERAttributeTypeAndValue atvPair;
+ drtn = DERParseSequenceContent(&atv.content,
+ DERNumAttributeTypeAndValueItemSpecs,
+ DERAttributeTypeAndValueItemSpecs,
+ &atvPair, sizeof(atvPair));
+ require_noerr_quiet(drtn, badDER);
+ require_quiet(atvPair.type.length != 0, badDER);
+ DERDecodedInfo value;
+ drtn = DERDecodeItem(&atvPair.value, &value);
+ require_noerr_quiet(drtn, badDER);
+
+ /* (c) attribute values in PrintableString are not case sensitive
+ (e.g., "Marianne Swanson" is the same as "MARIANNE SWANSON"); and
+
+ (d) attribute values in PrintableString are compared after
+ removing leading and trailing white space and converting internal
+ substrings of one or more consecutive white space characters to a
+ single space. */
+ if (value.tag == ASN1_PRINTABLE_STRING) {
+ /* Offset relative to base of current value tag. 
*/
+ CFIndex valueTagLocation = atvTagLocation + atvPair.value.data - atvTag;
+ CFIndex valueTLLength = value.content.data - atvPair.value.data;
+ CFIndex valueContentLength = value.content.length;
+
+ /* Now copy all the bytes, but convert to upper case while
+ doing so and convert multiple whitespace chars into a
+ single space. */
+ bool lastWasBlank = false;
+ CFIndex valueLocation = valueTagLocation + valueTLLength;
+ CFIndex valueCurrentLocation = valueLocation;
+ CFIndex ix;
+ for (ix = 0; ix < valueContentLength; ++ix) {
+ UInt8 ch = value.content.data[ix];
+ if (isblank(ch)) {
+ if (lastWasBlank) {
+ continue;
+ } else {
+ /* Don't insert a space for first character
+ we encounter. */
+ if (valueCurrentLocation > valueLocation) {
+ base[valueCurrentLocation++] = ' ';
+ }
+ lastWasBlank = true;
+ }
+ } else {
+ lastWasBlank = false;
+ if ('a' <= ch && ch <= 'z') {
+ base[valueCurrentLocation++] = ch + 'A' - 'a';
+ } else {
+ base[valueCurrentLocation++] = ch;
+ }
+ }
+ }
+ /* Finally if lastWasBlank remove the trailing space. */
+ if (lastWasBlank && valueCurrentLocation > valueLocation) {
+ valueCurrentLocation--;
+ }
+ /* Adjust content length to normalized length. */
+ valueContentLength = valueCurrentLocation - valueLocation;
+
+ /* Number of bytes by which the length should be shorted. */
+ CFIndex lengthDiff = value.content.length - valueContentLength;
+ if (lengthDiff == 0) {
+ /* Easy case no need to adjust lengths. */
+ } else {
+ /* Hard work we need to go back and fix up length fields
+ for:
+ 1) The value itself.
+ 2) The ATV Sequence containing type/value
+ 3) The RDN Set containing one or more atv pairs.
+ 4) The result.
+ */
+
+ /* Step 1 fix up length of value. */
+ /* Length of value tag and length minus the tag. */
+ DERSize newValueTLLength = valueTLLength - 1;
+ drtn = DEREncodeLength(valueContentLength,
+ base + valueTagLocation + 1, &newValueTLLength);
+ /* Add the length of the tag back in. 
*/
+ newValueTLLength++;
+ CFIndex valueLLDiff = valueTLLength - newValueTLLength;
+ if (valueLLDiff) {
+ /* The size of the length field changed, let's slide
+ the value back by valueLLDiff bytes. */
+ memmove(base + valueTagLocation + newValueTLLength,
+ base + valueTagLocation + valueTLLength,
+ valueContentLength);
+ /* The length diff for the enclosing object. */
+ lengthDiff += valueLLDiff;
+ }
+
+ /* Step 2 fix up length of the enclosing ATV Sequence. */
+ atvContentLength -= lengthDiff;
+ DERSize newATVTLLength = atvTLLength - 1;
+ drtn = DEREncodeLength(atvContentLength,
+ base + atvTagLocation + 1, &newATVTLLength);
+ /* Add the length of the tag back in. */
+ newATVTLLength++;
+ CFIndex atvLLDiff = atvTLLength - newATVTLLength;
+ if (atvLLDiff) {
+ /* The size of the length field changed, let's slide
+ the value back by valueLLDiff bytes. */
+ memmove(base + atvTagLocation + newATVTLLength,
+ base + atvTagLocation + atvTLLength,
+ atvContentLength);
+ /* The length diff for the enclosing object. */
+ lengthDiff += atvLLDiff;
+ atvTLLength = newATVTLLength;
+ }
+
+ /* Step 3 fix up length of enclosing RDN Set. */
+ rdnContentLength -= lengthDiff;
+ DERSize newRDNTLLength = rdnTLLength - 1;
+ drtn = DEREncodeLength(rdnContentLength,
+ base + rdnTagLocation + 1, &newRDNTLLength);
+ /* Add the length of the tag back in. */
+ newRDNTLLength++;
+ CFIndex rdnLLDiff = rdnTLLength - newRDNTLLength;
+ if (rdnLLDiff) {
+ /* The size of the length field changed, let's slide
+ the value back by valueLLDiff bytes. */
+ memmove(base + rdnTagLocation + newRDNTLLength,
+ base + rdnTagLocation + rdnTLLength,
+ rdnContentLength);
+ /* The length diff for the enclosing object. */
+ lengthDiff += rdnLLDiff;
+ rdnTLLength = newRDNTLLength;
+
+ /* Adjust the locations that might have changed due to
+ this slide. 
*/
+ atvTagLocation -= rdnLLDiff;
+ }
+ }
+ }
+ atvTagLocation += atvTLLength + atvContentLength;
+ atvTag = atvSeq.nextItem;
+ }
+ rdnTagLocation += rdnTLLength + rdnContentLength;
+ rdnTag = rdnSeq.nextItem;
+ }
+ require_quiet(drtn == DR_EndOfSequence, badDER);
+ /* Truncate the result to the proper length. */
+ CFDataSetLength(result, rdnTagLocation);
+
+ return result;
+
+badDER:
+ CFRelease(result);
+ return NULL;
+}
+
+/* AUDIT[securityd]:
+ certificate->_der is a caller provided data of any length (might be 0).
+
+ Top level certificate decode.
+ */
+static bool SecCertificateParse(SecCertificateRefP certificate)
+{
+ DERReturn drtn;
+
+ check(certificate);
+ CFAllocatorRef allocator = CFGetAllocator(certificate);
+
+ /* top level decode */
+ DERSignedCertCrl signedCert;
+ drtn = DERParseSequence(&certificate->_der, DERNumSignedCertCrlItemSpecs,
+ DERSignedCertCrlItemSpecs, &signedCert,
+ sizeof(signedCert));
+ require_noerr_quiet(drtn, badCert);
+ /* Store tbs since we need to digest it for verification later on. */
+ certificate->_tbs = signedCert.tbs;
+
+ /* decode the TBSCert - it was saved in full DER form */
+ DERTBSCert tbsCert;
+ drtn = DERParseSequence(&signedCert.tbs,
+ DERNumTBSCertItemSpecs, DERTBSCertItemSpecs,
+ &tbsCert, sizeof(tbsCert));
+ require_noerr_quiet(drtn, badCert);
+
+ /* sequence we're given: decode the signedCerts Signature Algorithm. */
+ /* This MUST be the same as the certificate->_tbsSigAlg with the exception
+ of the params field. */
+ drtn = DERParseSequenceContent(&signedCert.sigAlg,
+ DERNumAlgorithmIdItemSpecs, DERAlgorithmIdItemSpecs,
+ &certificate->_sigAlg, sizeof(certificate->_sigAlg));
+ require_noerr_quiet(drtn, badCert);
+
+ /* The contents of signedCert.sig is a bit string whose contents
+ are the signature itself. */
+ DERByte numUnusedBits;
+ drtn = DERParseBitString(&signedCert.sig,
+ &certificate->_signature, &numUnusedBits);
+ require_noerr_quiet(drtn, badCert);
+
+ /* Now decode the tbsCert. 
*/
+
+ /* First we turn the optional version into an int. */
+ if (tbsCert.version.length) {
+ DERDecodedInfo decoded;
+ drtn = DERDecodeItem(&tbsCert.version, &decoded);
+ require_noerr_quiet(drtn, badCert);
+ require_quiet(decoded.tag == ASN1_INTEGER, badCert);
+ require_quiet(decoded.content.length == 1, badCert);
+ certificate->_version = decoded.content.data[0];
+ require_quiet(certificate->_version > 0, badCert);
+ require_quiet(certificate->_version < 3, badCert);
+ } else {
+ certificate->_version = 0;
+ }
+
+ /* The serial number is in the tbsCert.serialNum - it was saved in
+ INTEGER form without the tag and length. */
+ certificate->_serialNum = tbsCert.serialNum;
+ certificate->_serialNumber = CFDataCreate(allocator,
+ tbsCert.serialNum.data, tbsCert.serialNum.length);
+
+ /* sequence we're given: decode the tbsCerts TBS Signature Algorithm. */
+ drtn = DERParseSequenceContent(&tbsCert.tbsSigAlg,
+ DERNumAlgorithmIdItemSpecs, DERAlgorithmIdItemSpecs,
+ &certificate->_tbsSigAlg, sizeof(certificate->_tbsSigAlg));
+ require_noerr_quiet(drtn, badCert);
+
+ /* The issuer is in the tbsCert.issuer - it's a sequence without the tag
+ and length fields. */
+ certificate->_issuer = tbsCert.issuer;
+ certificate->_normalizedIssuer = createNormalizedX501Name(allocator,
+ &tbsCert.issuer);
+
+ /* sequence we're given: decode the tbsCerts Validity sequence. */
+ DERValidity validity;
+ drtn = DERParseSequenceContent(&tbsCert.validity,
+ DERNumValidityItemSpecs, DERValidityItemSpecs,
+ &validity, sizeof(validity));
+ require_noerr_quiet(drtn, badCert);
+ require_quiet(derDateGetAbsoluteTime(&validity.notBefore,
+ &certificate->_notBefore), badCert);
+ require_quiet(derDateGetAbsoluteTime(&validity.notAfter,
+ &certificate->_notAfter), badCert);
+
+ /* The subject is in the tbsCert.subject - it's a sequence without the tag
+ and length fields. 
*/
+ certificate->_subject = tbsCert.subject;
+ certificate->_normalizedSubject = createNormalizedX501Name(allocator,
+ &tbsCert.subject);
+
+ /* sequence we're given: encoded DERSubjPubKeyInfo - it was saved in full DER form */
+ DERSubjPubKeyInfo pubKeyInfo;
+ drtn = DERParseSequence(&tbsCert.subjectPubKey,
+ DERNumSubjPubKeyInfoItemSpecs, DERSubjPubKeyInfoItemSpecs,
+ &pubKeyInfo, sizeof(pubKeyInfo));
+ require_noerr_quiet(drtn, badCert);
+
+ /* sequence we're given: decode the pubKeyInfos DERAlgorithmId */
+ drtn = DERParseSequenceContent(&pubKeyInfo.algId,
+ DERNumAlgorithmIdItemSpecs, DERAlgorithmIdItemSpecs,
+ &certificate->_algId, sizeof(certificate->_algId));
+ require_noerr_quiet(drtn, badCert);
+
+ /* Now we can figure out the key's algorithm id and params based on
+ certificate->_algId.oid. */
+
+ /* The contents of pubKeyInfo.pubKey is a bit string whose contents
+ are a PKCS1 format RSA key. */
+ drtn = DERParseBitString(&pubKeyInfo.pubKey,
+ &certificate->_pubKeyDER, &numUnusedBits);
+ require_noerr_quiet(drtn, badCert);
+
+ /* The contents of tbsCert.issuerID is a bit string. */
+ certificate->_issuerUniqueID = tbsCert.issuerID;
+
+ /* The contents of tbsCert.subjectID is a bit string. */
+ certificate->_subjectUniqueID = tbsCert.subjectID;
+
+ /* Extensions. */
+ if (tbsCert.extensions.length) {
+ CFIndex extensionCount = 0;
+ DERSequence derSeq;
+ DERTag tag;
+ drtn = DERDecodeSeqInit(&tbsCert.extensions, &tag,
+ &derSeq);
+ require_noerr_quiet(drtn, badCert);
+ require_quiet(tag == ASN1_CONSTR_SEQUENCE, badCert);
+ DERDecodedInfo currDecoded;
+ while ((drtn = DERDecodeSeqNext(&derSeq, &currDecoded)) == DR_Success) {
+#if 0
+/* ! = MUST recognize ? 
= SHOULD recognize
+*/
+
+ KnownExtension _subjectKeyID; /* ?SubjectKeyIdentifier id-ce 14 */
+ KnownExtension _keyUsage; /* !KeyUsage id-ce 15 */
+ KnownExtension _subjectAltName; /* !SubjectAltName id-ce 17 */
+ KnownExtension _basicConstraints; /* !BasicConstraints id-ce 19 */
+ KnownExtension _authorityKeyID; /* ?AuthorityKeyIdentifier id-ce 35 */
+ KnownExtension _extKeyUsage; /* !ExtKeyUsage id-ce 37 */
+ KnownExtension _netscapeCertType; /* 2.16.840.1.113730.1.1 netscape 1 1 */
+ KnownExtension _qualCertStatements; /* QCStatements id-pe 3 */
+
+ KnownExtension _issuerAltName; /* IssuerAltName id-ce 18 */
+ KnownExtension _nameConstraints; /* !NameConstraints id-ce 30 */
+ KnownExtension _cRLDistributionPoints; /* CRLDistributionPoints id-ce 31 */
+ KnownExtension _certificatePolicies; /* !CertificatePolicies id-ce 32 */
+ KnownExtension _policyMappings; /* ?PolicyMappings id-ce 33 */
+ KnownExtension _policyConstraints; /* !PolicyConstraints id-ce 36 */
+ KnownExtension _freshestCRL; /* FreshestCRL id-ce 46 */
+ KnownExtension _inhibitAnyPolicy; /* !InhibitAnyPolicy id-ce 54 */
+
+ KnownExtension _authorityInfoAccess; /* AuthorityInfoAccess id-pe 1 */
+ KnownExtension _subjectInfoAccess; /* SubjectInfoAccess id-pe 11 */
+#endif
+
+ extensionCount++;
+ }
+ require_quiet(drtn == DR_EndOfSequence, badCert);
+
+ /* Put some upper limit on the number of extentions allowed. 
*/
+ require_quiet(extensionCount < 10000, badCert);
+ certificate->_extensionCount = extensionCount;
+ certificate->_extensions =
+ malloc(sizeof(SecCertificateExtension) * extensionCount);
+
+ CFIndex ix = 0;
+ drtn = DERDecodeSeqInit(&tbsCert.extensions, &tag, &derSeq);
+ require_noerr_quiet(drtn, badCert);
+ for (ix = 0; ix < extensionCount; ++ix) {
+ drtn = DERDecodeSeqNext(&derSeq, &currDecoded);
+ require_quiet(drtn == DR_Success ||
+ (ix == extensionCount - 1 && drtn == DR_EndOfSequence), badCert);
+ require_quiet(currDecoded.tag == ASN1_CONSTR_SEQUENCE, badCert);
+ DERExtension extn;
+ drtn = DERParseSequenceContent(&currDecoded.content,
+ DERNumExtensionItemSpecs, DERExtensionItemSpecs,
+ &extn, sizeof(extn));
+ require_noerr_quiet(drtn, badCert);
+ /* Copy stuff into certificate->extensions[ix]. */
+ certificate->_extensions[ix].extnID = extn.extnID;
+ require_noerr_quiet(drtn = DERParseBoolean(&extn.critical, false,
+ &certificate->_extensions[ix].critical), badCert);
+ certificate->_extensions[ix].extnValue = extn.extnValue;
+
+ SecCertificateExtensionParser parser =
+ (SecCertificateExtensionParser)CFDictionaryGetValue(
+ gExtensionParsers, &certificate->_extensions[ix].extnID);
+ if (parser) {
+ /* Invoke the parser. */
+ parser(certificate, &certificate->_extensions[ix]);
+ } else if (certificate->_extensions[ix].critical) {
+ secdebug("cert", "Found unknown critical extension");
+ certificate->_foundUnknownCriticalExtension = true;
+ } else {
+ secdebug("cert", "Found unknown non critical extension");
+ }
+ }
+ }
+
+ return true;
+
+badCert:
+ return false;
+}
+
+
+/* Public API functions. 
*/
+CFTypeID SecCertificateGetTypeIDP(void) {
+ pthread_once(&kSecCertificateRegisterClass, SecCertificateRegisterClass);
+ return kSecCertificateTypeID;
+}
+
+SecCertificateRefP SecCertificateCreateWithBytesP(CFAllocatorRef allocator,
+ const UInt8 *der_bytes, CFIndex der_length) {
+ check(der_bytes);
+ check(der_length);
+ CFIndex size = sizeof(struct __SecCertificate) + der_length;
+ SecCertificateRefP result = (SecCertificateRefP)_CFRuntimeCreateInstance(
+ allocator, SecCertificateGetTypeIDP(), size - sizeof(CFRuntimeBase), 0);
+ if (result) {
+ memset((char*)result + sizeof(result->_base), 0,
+ sizeof(*result) - sizeof(result->_base));
+ result->_der.data = ((DERByte *)result + sizeof(*result));
+ result->_der.length = der_length;
+ memcpy(result->_der.data, der_bytes, der_length);
+ if (!SecCertificateParse(result)) {
+ CFRelease(result);
+ return NULL;
+ }
+ }
+ return result;
+}
+
+/* @@@ Placeholder until iap submits a binary is fixed. */
+SecCertificateRefP SecCertificateCreate(CFAllocatorRef allocator,
+ const UInt8 *der_bytes, CFIndex der_length);
+
+SecCertificateRefP SecCertificateCreate(CFAllocatorRef allocator,
+ const UInt8 *der_bytes, CFIndex der_length) {
+ return SecCertificateCreateWithBytesP(allocator, der_bytes, der_length);
+}
+/* @@@ End of placeholder. */
+
+/* AUDIT[securityd](done):
+ der_certificate is a caller provided data of any length (might be 0), only
+ its cf type has been checked. 
+ */
+SecCertificateRefP SecCertificateCreateWithDataP(CFAllocatorRef allocator,
+ CFDataRef der_certificate) {
+ check(der_certificate);
+ CFIndex size = sizeof(struct __SecCertificate);
+ SecCertificateRefP result = (SecCertificateRefP)_CFRuntimeCreateInstance(
+ allocator, SecCertificateGetTypeIDP(), size - sizeof(CFRuntimeBase), 0);
+ if (result) {
+ memset((char*)result + sizeof(result->_base), 0, size - sizeof(result->_base));
+ result->_der_data = CFDataCreateCopy(allocator, der_certificate);
+ result->_der.data = (DERByte *)CFDataGetBytePtr(result->_der_data);
+ result->_der.length = CFDataGetLength(result->_der_data);
+ if (!SecCertificateParse(result)) {
+ CFRelease(result);
+ return NULL;
+ }
+ }
+ return result;
+}
+
+CFDataRef SecCertificateCopyDataP(SecCertificateRefP certificate) {
+ check(certificate);
+ CFDataRef result;
+ if (certificate->_der_data) {
+ CFRetain(certificate->_der_data);
+ result = certificate->_der_data;
+ } else {
+ result = CFDataCreate(CFGetAllocator(certificate),
+ certificate->_der.data, certificate->_der.length);
+#if 0
+ /* FIXME: If we wish to cache result we need to lock the certificate.
+ Also this create 2 copies of the certificate data which is somewhat
+ suboptimal. */
+ CFRetain(result);
+ certificate->_der_data = result;
+#endif
+ }
+
+ return result;
+}
+
+CFIndex SecCertificateGetLengthP(SecCertificateRefP certificate) {
+ return certificate->_der.length;
+}
+
+const UInt8 *SecCertificateGetBytePtrP(SecCertificateRefP certificate) {
+ return certificate->_der.data;
+}
+
+/* From rfc3280 - Appendix B. ASN.1 Notes
+
+ Object Identifiers (OIDs) are used throughout this specification to
+ identify certificate policies, public key and signature algorithms,
+ certificate extensions, etc. There is no maximum size for OIDs.
+ This specification mandates support for OIDs which have arc elements
+ with values that are less than 2^28, that is, they MUST be between 0
+ and 268,435,455, inclusive. 
This allows each arc element to be
+ represented within a single 32 bit word. Implementations MUST also
+ support OIDs where the length of the dotted decimal (see [RFC 2252],
+ section 4.1) string representation can be up to 100 bytes
+ (inclusive). Implementations MUST be able to handle OIDs with up to
+ 20 elements (inclusive). CAs SHOULD NOT issue certificates which
+ contain OIDs that exceed these requirements. Likewise, CRL issuers
+ SHOULD NOT issue CRLs which contain OIDs that exceed these
+ requirements.
+*/
+
+/* Oids longer than this are considered invalid. */
+#define MAX_OID_SIZE 32
+
+CFStringRef SecDERItemCopyOIDDecimalRepresentation(CFAllocatorRef allocator,
+ const DERItem *oid) {
+
+ if (oid->length == 0) {
+ return SecFrameworkCopyLocalizedString(CFSTR(""),
+ CFSTR("SecCertificate"));
+ }
+ if (oid->length > MAX_OID_SIZE) {
+ return SecFrameworkCopyLocalizedString(CFSTR("Oid too long"),
+ CFSTR("SecCertificate"));
+ }
+
+ CFMutableStringRef result = CFStringCreateMutable(allocator, 0);
+
+ // The first two levels are encoded into one byte, since the root level
+ // has only 3 nodes (40*x + y). However if x = joint-iso-itu-t(2) then
+ // y may be > 39, so we have to add special-case handling for this.
+ uint32_t x = oid->data[0] / 40;
+ uint32_t y = oid->data[0] % 40;
+ if (x > 2)
+ {
+ // Handle special case for large y if x = 2
+ y += (x - 2) * 40;
+ x = 2;
+ }
+ CFStringAppendFormat(result, NULL, CFSTR("%u.%u"), x, y);
+
+ uint32_t value = 0;
+ for (x = 1; x < oid->length; ++x)
+ {
+ value = (value << 7) | (oid->data[x] & 0x7F);
+ /* @@@ value may not span more than 4 bytes. */
+ /* A max number of 20 values is allowed. 
*/
+ if (!(oid->data[x] & 0x80))
+ {
+ CFStringAppendFormat(result, NULL, CFSTR(".%lu"), (unsigned long)value);
+ value = 0;
+ }
+ }
+ return result;
+}
+
+static CFStringRef copyLocalizedOidDescription(CFAllocatorRef allocator,
+ const DERItem *oid) {
+ if (oid->length == 0) {
+ return SecFrameworkCopyLocalizedString(CFSTR(""),
+ CFSTR("SecCertificate"));
+ }
+
+ /* Build the key we use to lookup the localized OID description. */
+ CFMutableStringRef oidKey = CFStringCreateMutable(allocator,
+ oid->length * 3 + 5);
+ CFStringAppendFormat(oidKey, NULL, CFSTR("06 %02lX"), (unsigned long)oid->length);
+ DERSize ix;
+ for (ix = 0; ix < oid->length; ++ix)
+ CFStringAppendFormat(oidKey, NULL, CFSTR(" %02X"), oid->data[ix]);
+
+ CFStringRef name = SecFrameworkCopyLocalizedString(oidKey, CFSTR("OID"));
+ if (CFEqual(oidKey, name)) {
+ CFRelease(name);
+ name = SecDERItemCopyOIDDecimalRepresentation(allocator, oid);
+ }
+ CFRelease(oidKey);
+
+ return name;
+}
+
+/* Return the ipAddress as a dotted quad for ipv4 or as 8 colon separated
+ 4 digit hex strings for ipv6. Return NULL if the passed in IP doesn't
+ have a length of exactly 4 or 16 octects. */
+static CFStringRef copyIPAddressContentDescription(CFAllocatorRef allocator,
+ const DERItem *ip) {
+ /* @@@ This is the IP Address as an OCTECT STRING. For IPv4 it's
+ 4 octects addr, or 8 octects, addr/mask for ipv6 it's
+ 16 octects addr, or 32 octects addr/mask. 
*/
+ CFStringRef value = NULL;
+ if (ip->length == 4) {
+ value = CFStringCreateWithFormat(allocator, NULL,
+ CFSTR("%u.%u.%u.%u"),
+ ip->data[0], ip->data[1], ip->data[2], ip->data[3]);
+ } else if (ip->length == 16) {
+ value = CFStringCreateWithFormat(allocator, NULL,
+ CFSTR("%02x%02x:%02x%02x:%02x%02x:%02x%02x:"
+ "%02x%02x:%02x%02x:%02x%02x:%02x%02x"),
+ ip->data[0], ip->data[1], ip->data[2], ip->data[3],
+ ip->data[4], ip->data[5], ip->data[6], ip->data[7],
+ ip->data[8], ip->data[9], ip->data[10], ip->data[11],
+ ip->data[12], ip->data[13], ip->data[14], ip->data[15]);
+ }
+
+ return value;
+}
+
+#if 0
+static CFStringRef copyFullOidDescription(CFAllocatorRef allocator,
+ const DERItem *oid) {
+ CFStringRef decimal = SecDERItemCopyOIDDecimalRepresentation(allocator, oid);
+ CFStringRef name = copyLocalizedOidDescription(allocator, oid);
+ CFStringRef oid_string = CFStringCreateWithFormat(allocator, NULL,
+ CFSTR("%@ (%@)"), name, decimal);
+ CFRelease(name);
+ CFRelease(decimal);
+ return oid_string;
+}
+#endif
+
+void appendPropertyP(CFMutableArrayRef properties,
+ CFStringRef propertyType, CFStringRef label, CFTypeRef value) {
+ CFDictionaryRef property;
+ if (label) {
+ CFStringRef localizedLabel = SecFrameworkCopyLocalizedString(label,
+ CFSTR("SecCertificate"));
+ const void *all_keys[4];
+ all_keys[0] = kSecPropertyKeyType;
+ all_keys[1] = kSecPropertyKeyLabel;
+ all_keys[2] = kSecPropertyKeyLocalizedLabel;
+ all_keys[3] = kSecPropertyKeyValue;
+ const void *property_values[] = {
+ propertyType,
+ label,
+ localizedLabel,
+ value,
+ };
+ property = CFDictionaryCreate(CFGetAllocator(properties),
+ all_keys, property_values, value ? 
4 : 3,
+ &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+ CFRelease(localizedLabel);
+ } else {
+ const void *nolabel_keys[2];
+ nolabel_keys[0] = kSecPropertyKeyType;
+ nolabel_keys[1] = kSecPropertyKeyValue;
+ const void *property_values[] = {
+ propertyType,
+ value,
+ };
+ property = CFDictionaryCreate(CFGetAllocator(properties),
+ nolabel_keys, property_values, 2,
+ &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+ }
+
+ CFArrayAppendValue(properties, property);
+ CFRelease(property);
+}
+
+/* YYMMDDhhmmZ */
+#define UTC_TIME_NOSEC_ZULU_LEN 11
+/* YYMMDDhhmmssZ */
+#define UTC_TIME_ZULU_LEN 13
+/* YYMMDDhhmmssThhmm */
+#define UTC_TIME_LOCALIZED_LEN 17
+/* YYYYMMDDhhmmssZ */
+#define GENERALIZED_TIME_ZULU_LEN 15
+/* YYYYMMDDhhmmssThhmm */
+#define GENERALIZED_TIME_LOCALIZED_LEN 19
+
+/* Parse 2 digits at (*p)[0] and (*p)[1] and return the result. Also
+ advance *p by 2. */
+static inline SInt32 parseDecimalPair(const DERByte **p) {
+ const DERByte *cp = *p;
+ *p += 2;
+ return 10 * (cp[0] - '0') + cp[1] - '0';
+}
+
+/* Decode a choice of UTCTime or GeneralizedTime to a CFAbsoluteTime. Return
+ true if the date was valid and properly decoded, also return the result in
+ absTime. Return false otherwise. 
*/
+CFAbsoluteTime SecAbsoluteTimeFromDateContent(DERTag tag, const uint8_t *bytes,
+ size_t length) {
+ check(bytes);
+ if (length == 0)
+ return NULL_TIME;
+
+ bool isUtcLength = false;
+ bool isLocalized = false;
+ bool noSeconds = false;
+ switch (length) {
+ case UTC_TIME_NOSEC_ZULU_LEN: /* YYMMDDhhmmZ */
+ isUtcLength = true;
+ noSeconds = true;
+ break;
+ case UTC_TIME_ZULU_LEN: /* YYMMDDhhmmssZ */
+ isUtcLength = true;
+ break;
+ case GENERALIZED_TIME_ZULU_LEN: /* YYYYMMDDhhmmssZ */
+ break;
+ case UTC_TIME_LOCALIZED_LEN: /* YYMMDDhhmmssThhmm (where T=[+,-]) */
+ isUtcLength = true;
+ /*DROPTHROUGH*/
+ case GENERALIZED_TIME_LOCALIZED_LEN:/* YYYYMMDDhhmmssThhmm (where T=[+,-]) */
+ isLocalized = true;
+ break;
+ default: /* unknown format */
+ return NULL_TIME;
+ }
+
+ /* Make sure the der tag fits the thing inside it. */
+ if (tag == ASN1_UTC_TIME) {
+ if (!isUtcLength)
+ return NULL_TIME;
+ } else if (tag == ASN1_GENERALIZED_TIME) {
+ if (isUtcLength)
+ return NULL_TIME;
+ } else {
+ return NULL_TIME;
+ }
+
+ const DERByte *cp = bytes;
+ /* Check that all characters are digits, except if localized the timezone
+ indicator or if not localized the 'Z' at the end. */
+ DERSize ix;
+ for (ix = 0; ix < length; ++ix) {
+ if (!(isdigit(cp[ix]))) {
+ if ((isLocalized && ix == length - 5 &&
+ (cp[ix] == '+' || cp[ix] == '-')) ||
+ (!isLocalized && ix == length - 1 && cp[ix] == 'Z')) {
+ continue;
+ }
+ return NULL_TIME;
+ }
+ }
+
+ /* Initialize the fields in a gregorian date struct. 
*/
+ CFGregorianDate gdate;
+ if (isUtcLength) {
+ SInt32 year = parseDecimalPair(&cp);
+ if (year < 50) {
+ /* 0 <= year < 50 : assume century 21 */
+ gdate.year = 2000 + year;
+ } else if (year < 70) {
+ /* 50 <= year < 70 : illegal per PKIX */
+ return false;
+ } else {
+ /* 70 < year <= 99 : assume century 20 */
+ gdate.year = 1900 + year;
+ }
+ } else {
+ gdate.year = 100 * parseDecimalPair(&cp) + parseDecimalPair(&cp);
+ }
+ gdate.month = parseDecimalPair(&cp);
+ gdate.day = parseDecimalPair(&cp);
+ gdate.hour = parseDecimalPair(&cp);
+ gdate.minute = parseDecimalPair(&cp);
+ if (noSeconds) {
+ gdate.second = 0;
+ } else {
+ gdate.second = parseDecimalPair(&cp);
+ }
+
+ CFTimeInterval timeZoneOffset = 0;
+ if (isLocalized) {
+ /* ZONE INDICATOR */
+ SInt32 multiplier = *cp++ == '+' ? 60 : -60;
+ timeZoneOffset = multiplier *
+ (parseDecimalPair(&cp) + 60 * parseDecimalPair(&cp));
+ } else {
+ timeZoneOffset = 0;
+ }
+
+ secdebug("dateparse",
+ "date %.*s year: %04d-%02d-%02d %02d:%02d:%02.f %+05.f",
+ (int)length, bytes, (int)gdate.year, gdate.month,
+ gdate.day, gdate.hour, gdate.minute, gdate.second,
+ timeZoneOffset / 60);
+
+ if (!CFGregorianDateIsValid(gdate, kCFGregorianAllUnits))
+ return false;
+ CFTimeZoneRef timeZone = CFTimeZoneCreateWithTimeIntervalFromGMT(NULL,
+ timeZoneOffset);
+ if (!timeZone)
+ return NULL_TIME;
+ CFAbsoluteTime absTime = CFGregorianDateGetAbsoluteTime(gdate, timeZone);
+ CFRelease(timeZone);
+ return absTime;
+}
+
+static bool derDateContentGetAbsoluteTime(DERTag tag, const DERItem *date,
+ CFAbsoluteTime *pabsTime) {
+ CFAbsoluteTime absTime = SecAbsoluteTimeFromDateContent(tag, date->data,
+ date->length);
+ if (absTime == NULL_TIME)
+ return false;
+
+ *pabsTime = absTime;
+ return true;
+}
+
+/* Decode a choice of UTCTime or GeneralizedTime to a CFAbsoluteTime. Return
+ true if the date was valid and properly decoded, also return the result in
+ absTime. Return false otherwise.
*/
+static bool derDateGetAbsoluteTime(const DERItem *dateChoice,
+ CFAbsoluteTime *absTime) {
+ check(dateChoice);
+ check(absTime);
+ if (dateChoice->length == 0)
+ return false;
+
+ DERDecodedInfo decoded;
+ if (DERDecodeItem(dateChoice, &decoded))
+ return false;
+
+ return derDateContentGetAbsoluteTime(decoded.tag, &decoded.content,
+ absTime);
+}
+
+static void appendDataProperty(CFMutableArrayRef properties,
+ CFStringRef label, const DERItem *der_data) {
+ CFDataRef data = CFDataCreate(CFGetAllocator(properties),
+ der_data->data, der_data->length);
+ appendPropertyP(properties, kSecPropertyTypeData, label, data);
+ CFRelease(data);
+}
+
+static void appendUnparsedProperty(CFMutableArrayRef properties,
+ CFStringRef label, const DERItem *der_data) {
+ CFStringRef newLabel = CFStringCreateWithFormat(CFGetAllocator(properties),
+ NULL, CFSTR("Unparsed %@"), label);
+ appendDataProperty(properties, newLabel, der_data);
+ CFRelease(newLabel);
+}
+
+static void appendInvalidProperty(CFMutableArrayRef properties,
+ CFStringRef label, const DERItem *der_data) {
+ CFStringRef newLabel = CFStringCreateWithFormat(CFGetAllocator(properties),
+ NULL, CFSTR("Invalid %@"), label);
+ appendDataProperty(properties, newLabel, der_data);
+ CFRelease(newLabel);
+}
+
+static void appendDateContentProperty(CFMutableArrayRef properties,
+ CFStringRef label, DERTag tag, const DERItem *dateContent) {
+ CFAbsoluteTime absTime;
+ if (!derDateContentGetAbsoluteTime(tag, dateContent, &absTime)) {
+ /* Date decode failure insert hex bytes instead.
*/
+ return appendInvalidProperty(properties, label, dateContent);
+ }
+ CFDateRef date = CFDateCreate(CFGetAllocator(properties), absTime);
+ appendPropertyP(properties, kSecPropertyTypeDate, label, date);
+ CFRelease(date);
+}
+
+static void appendDateProperty(CFMutableArrayRef properties,
+ CFStringRef label, CFAbsoluteTime absTime) {
+ CFDateRef date = CFDateCreate(CFGetAllocator(properties), absTime);
+ appendPropertyP(properties, kSecPropertyTypeDate, label, date);
+ CFRelease(date);
+}
+
+static void appendIPAddressContentProperty(CFMutableArrayRef properties,
+ CFStringRef label, const DERItem *ip) {
+ CFStringRef value =
+ copyIPAddressContentDescription(CFGetAllocator(properties), ip);
+ if (value) {
+ appendPropertyP(properties, kSecPropertyTypeString, label, value);
+ CFRelease(value);
+ } else {
+ appendUnparsedProperty(properties, label, ip);
+ }
+}
+
+static void appendURLContentProperty(CFMutableArrayRef properties,
+ CFStringRef label, const DERItem *urlContent) {
+ CFURLRef url = CFURLCreateWithBytes(CFGetAllocator(properties),
+ urlContent->data, urlContent->length, kCFStringEncodingASCII, NULL);
+ if (url) {
+ appendPropertyP(properties, kSecPropertyTypeURL, label, url);
+ CFRelease(url);
+ } else {
+ appendInvalidProperty(properties, label, urlContent);
+ }
+}
+
+static void appendURLProperty(CFMutableArrayRef properties,
+ CFStringRef label, const DERItem *url) {
+ DERDecodedInfo decoded;
+ DERReturn drtn;
+
+ drtn = DERDecodeItem(url, &decoded);
+ if (drtn || decoded.tag != ASN1_IA5_STRING) {
+ appendInvalidProperty(properties, label, url);
+ } else {
+ appendURLContentProperty(properties, label, &decoded.content);
+ }
+}
+
+static void appendOIDProperty(CFMutableArrayRef properties,
+ CFStringRef label, const DERItem *oid) {
+ CFStringRef oid_string = copyLocalizedOidDescription(CFGetAllocator(properties),
+ oid);
+ appendPropertyP(properties, kSecPropertyTypeString, label, oid_string);
+ CFRelease(oid_string);
+}
+
+static
appendAlgorithmProperty(CFMutableArrayRef properties, + CFStringRef label, const DERAlgorithmId *algorithm) { + CFMutableArrayRef alg_props = + CFArrayCreateMutable(CFGetAllocator(properties), 0, + &kCFTypeArrayCallBacks); + appendOIDProperty(alg_props, CFSTR("Algorithm"), &algorithm->oid); + if (algorithm->params.length) { + if (algorithm->params.length == 2 && + algorithm->params.data[0] == ASN1_NULL && + algorithm->params.data[1] == 0) { + /* @@@ Localize or perhaps skip it? */ + appendPropertyP(alg_props, kSecPropertyTypeString, + CFSTR("Parameters"), CFSTR("none")); + } else { + appendUnparsedProperty(alg_props, CFSTR("Parameters"), + &algorithm->params); + } + } + appendPropertyP(properties, kSecPropertyTypeSection, label, alg_props); + CFRelease(alg_props); +} + +static CFStringRef copyHexDescription(CFAllocatorRef allocator, + const DERItem *blob) { + CFIndex ix, length = blob->length /* < 24 ? blob->length : 24 */; + CFMutableStringRef string = CFStringCreateMutable(allocator, + blob->length * 3 - 1); + for (ix = 0; ix < length; ++ix) + if (ix == 0) + CFStringAppendFormat(string, NULL, CFSTR("%02X"), blob->data[ix]); + else + CFStringAppendFormat(string, NULL, CFSTR(" %02X"), blob->data[ix]); + + return string; +} + +static CFStringRef copyBlobString(CFAllocatorRef allocator, + CFStringRef blobType, CFStringRef quanta, const DERItem *blob) { + CFStringRef blobFormat = SecFrameworkCopyLocalizedString( + CFSTR("%@; %d %@; data = %@"), CFSTR("SecCertificate") + /*, "format string for encoded field data (e.g. 
Sequence; 128 bytes; " + "data = 00 00 ...)" */); + CFStringRef hex = copyHexDescription(allocator, blob); + CFStringRef result = CFStringCreateWithFormat(allocator, NULL, + blobFormat, blobType, blob->length, quanta, hex); + CFRelease(hex); + CFRelease(blobFormat); + + return result; +} + +static CFStringRef copyContentString(CFAllocatorRef allocator, + const DERItem *string, CFStringEncoding encoding, + bool printableOnly) { + /* Strip potential bogus trailing zero from printable strings. */ + DERSize length = string->length; + if (length && string->data[length - 1] == 0) { + /* Don't mess with the length of UTF16 strings though. */ + if (encoding != kCFStringEncodingUTF16) + length--; + } + /* A zero length string isn't considered printable. */ + if (!length && printableOnly) + return NULL; + + /* Passing true for the 5th paramater to CFStringCreateWithBytes() makes + it treat kCFStringEncodingUTF16 as big endian by default, whereas + passing false makes it treat it as native endian by default. */ + CFStringRef result = CFStringCreateWithBytes(allocator, string->data, + length, encoding, encoding == kCFStringEncodingUTF16); + if (result) + return result; + + return printableOnly ? NULL : copyHexDescription(allocator, string); +} + +/* From rfc3280 - Appendix B. ASN.1 Notes + + CAs MUST force the serialNumber to be a non-negative integer, that + is, the sign bit in the DER encoding of the INTEGER value MUST be + zero - this can be done by adding a leading (leftmost) `00'H octet if + necessary. This removes a potential ambiguity in mapping between a + string of octets and an integer value. + + As noted in section 4.1.2.2, serial numbers can be expected to + contain long integers. Certificate users MUST be able to handle + serialNumber values up to 20 octets in length. Conformant CAs MUST + NOT use serialNumber values longer than 20 octets. +*/ + +/* Return the given numeric data as a string: decimal up to 64 bits, + hex otherwise. 
*/ +static CFStringRef copyIntegerContentDescription(CFAllocatorRef allocator, + const DERItem *integer) { + uint64_t value = 0; + CFIndex ix, length = integer->length; + + if (length == 0 || length > 8) + return copyHexDescription(allocator, integer); + + for(ix = 0; ix < length; ++ix) { + value <<= 8; + value += integer->data[ix]; + } + + return CFStringCreateWithFormat(allocator, NULL, CFSTR("%llu"), value); +} + +static CFStringRef copyDERThingContentDescription(CFAllocatorRef allocator, + DERTag tag, const DERItem *derThing, bool printableOnly) { + switch(tag) { + case ASN1_INTEGER: + case ASN1_BOOLEAN: + return printableOnly ? NULL : copyIntegerContentDescription(allocator, derThing); + case ASN1_PRINTABLE_STRING: + case ASN1_IA5_STRING: + return copyContentString(allocator, derThing, kCFStringEncodingASCII, printableOnly); + case ASN1_UTF8_STRING: + case ASN1_GENERAL_STRING: + case ASN1_UNIVERSAL_STRING: + return copyContentString(allocator, derThing, kCFStringEncodingUTF8, printableOnly); + case ASN1_T61_STRING: // 20, also BER_TAG_TELETEX_STRING + case ASN1_VIDEOTEX_STRING: // 21 + case ASN1_VISIBLE_STRING: // 26 + return copyContentString(allocator, derThing, kCFStringEncodingISOLatin1, printableOnly); + case ASN1_BMP_STRING: // 30 + return copyContentString(allocator, derThing, kCFStringEncodingUTF16, printableOnly); + case ASN1_OCTET_STRING: + return printableOnly ? NULL : copyBlobString(allocator, CFSTR("Byte string"), CFSTR("bytes"), + derThing); + //return copyBlobString(BYTE_STRING_STR, BYTES_STR, derThing); + case ASN1_BIT_STRING: + return printableOnly ? NULL : copyBlobString(allocator, CFSTR("Bit string"), CFSTR("bits"), + derThing); + case (DERByte)ASN1_CONSTR_SEQUENCE: + return printableOnly ? NULL : copyBlobString(allocator, CFSTR("Sequence"), CFSTR("bytes"), + derThing); + case (DERByte)ASN1_CONSTR_SET: + return printableOnly ? 
NULL : copyBlobString(allocator, CFSTR("Set"), CFSTR("bytes"), + derThing); + case ASN1_OBJECT_ID: + return printableOnly ? NULL : copyLocalizedOidDescription(allocator, derThing); + default: + /* @@@ Localize. */ + /* "format string for undisplayed field data with a given DER tag" */ + return printableOnly ? NULL : CFStringCreateWithFormat(allocator, NULL, + CFSTR("not displayed (tag = %d; length %d)"), + tag, (int)derThing->length); + } +} + +static CFStringRef copyDERThingDescription(CFAllocatorRef allocator, + const DERItem *derThing, bool printableOnly) { + DERDecodedInfo decoded; + DERReturn drtn; + + drtn = DERDecodeItem(derThing, &decoded); + if (drtn) { + return printableOnly ? NULL : copyHexDescription(allocator, derThing); + } else { + return copyDERThingContentDescription(allocator, decoded.tag, + &decoded.content, false); + } +} + +static void appendDERThingProperty(CFMutableArrayRef properties, + CFStringRef label, const DERItem *derThing) { + CFStringRef value = copyDERThingDescription(CFGetAllocator(properties), + derThing, false); + appendPropertyP(properties, kSecPropertyTypeString, label, value); + CFRelease(value); +} + +static OSStatus appendRDNProperty(void *context, const DERItem *rdnType, + const DERItem *rdnValue, CFIndex rdnIX) { + CFMutableArrayRef properties = (CFMutableArrayRef)context; + if (rdnIX > 0) { + /* If there is more than one value pair we create a subsection for the + second pair, and append things to the subsection for subsequent + pairs. */ + CFIndex lastIX = CFArrayGetCount(properties) - 1; + CFTypeRef lastValue = CFArrayGetValueAtIndex(properties, lastIX); + if (rdnIX == 1) { + /* Since this is the second rdn pair for a given rdn, we setup a + new subsection for this rdn. We remove the first property + from the properties array and make it the first element in the + subsection instead. 
*/ + CFMutableArrayRef rdn_props = CFArrayCreateMutable( + CFGetAllocator(properties), 0, &kCFTypeArrayCallBacks); + CFArrayAppendValue(rdn_props, lastValue); + CFArrayRemoveValueAtIndex(properties, lastIX); + appendPropertyP(properties, kSecPropertyTypeSection, NULL, rdn_props); + properties = rdn_props; + } else { + /* Since this is the third or later rdn pair we have already + created a subsection in the top level properties array. Instead + of appending to that directly we append to the array inside the + subsection. */ + properties = (CFMutableArrayRef)CFDictionaryGetValue( + (CFDictionaryRef)lastValue, kSecPropertyKeyValue); + } + } + + /* Finally we append the new rdn value to the property array. */ + CFStringRef label = copyLocalizedOidDescription(CFGetAllocator(properties), + rdnType); + if (label) { + appendDERThingProperty(properties, label, rdnValue); + CFRelease(label); + return errSecSuccess; + } else { + return errSecInvalidCertificate; + } +} + +static CFArrayRef createPropertiesForRDNContent(CFAllocatorRef allocator, + const DERItem *rdnSetContent) { + CFMutableArrayRef properties = CFArrayCreateMutable(allocator, 0, + &kCFTypeArrayCallBacks); + OSStatus status = parseRDNContent(rdnSetContent, properties, + appendRDNProperty); + if (status) { + CFArrayRemoveAllValues(properties); + appendInvalidProperty(properties, CFSTR("RDN"), rdnSetContent); + } + + return properties; +} + +/* + From rfc3739 - 3.1.2. Subject + + When parsing the subject here are some tips for a short name of the cert. + Choice I: commonName + Choice II: givenName + Choice III: pseudonym + + The commonName attribute value SHALL, when present, contain a name + of the subject. This MAY be in the subject's preferred + presentation format, or a format preferred by the CA, or some + other format. Pseudonyms, nicknames, and names with spelling + other than defined by the registered name MAY be used. 
To + understand the nature of the name presented in commonName, + complying applications MAY have to examine present values of the + givenName and surname attributes, or the pseudonym attribute. + +*/ +static CFArrayRef createPropertiesForX501NameContent(CFAllocatorRef allocator, + const DERItem *x501NameContent) { + CFMutableArrayRef properties = CFArrayCreateMutable(allocator, 0, + &kCFTypeArrayCallBacks); + OSStatus status = parseX501NameContent(x501NameContent, properties, + appendRDNProperty); + if (status) { + CFArrayRemoveAllValues(properties); + appendInvalidProperty(properties, CFSTR("X.501 Name"), x501NameContent); + } + + return properties; +} + +static CFArrayRef createPropertiesForX501Name(CFAllocatorRef allocator, + const DERItem *x501Name) { + CFMutableArrayRef properties = CFArrayCreateMutable(allocator, 0, + &kCFTypeArrayCallBacks); + OSStatus status = parseX501Name(x501Name, properties, appendRDNProperty); + if (status) { + CFArrayRemoveAllValues(properties); + appendInvalidProperty(properties, CFSTR("X.501 Name"), x501Name); + } + + return properties; +} + +static void appendIntegerProperty(CFMutableArrayRef properties, + CFStringRef label, const DERItem *integer) { + CFStringRef string = copyIntegerContentDescription( + CFGetAllocator(properties), integer); + appendPropertyP(properties, kSecPropertyTypeString, label, string); + CFRelease(string); +} + +static void appendBoolProperty(CFMutableArrayRef properties, + CFStringRef label, bool boolean) { + appendPropertyP(properties, kSecPropertyTypeString, + label, boolean ? CFSTR("Yes") : CFSTR("No")); +} + +static void appendBooleanProperty(CFMutableArrayRef properties, + CFStringRef label, const DERItem *boolean, bool defaultValue) { + bool result; + DERReturn drtn = DERParseBoolean(boolean, defaultValue, &result); + if (drtn) { + /* Couldn't parse boolean; dump the raw unparsed data as hex. 
*/
+ appendInvalidProperty(properties, label, boolean);
+ } else {
+ appendBoolProperty(properties, label, result);
+ }
+}
+
+static void appendBitStringContentNames(CFMutableArrayRef properties,
+ CFStringRef label, const DERItem *bitStringContent,
+ const CFStringRef *names, CFIndex namesCount) {
+ DERSize len = bitStringContent->length - 1;
+ require_quiet(len == 1 || len == 2, badDER);
+ DERByte numUnusedBits = bitStringContent->data[0];
+ require_quiet(numUnusedBits < 8, badDER);
+ uint_fast16_t bits = 8 * len - numUnusedBits;
+ require_quiet(bits <= (uint_fast16_t)namesCount, badDER);
+ uint_fast16_t value = bitStringContent->data[1];
+ uint_fast16_t mask;
+ if (len > 1) {
+ value = (value << 8) + bitStringContent->data[2];
+ mask = 0x8000;
+ } else {
+ mask = 0x80;
+ }
+ uint_fast16_t ix;
+ bool didOne = false;
+ CFMutableStringRef string =
+ CFStringCreateMutable(CFGetAllocator(properties), 0);
+ for (ix = 0; ix < bits; ++ix) {
+ if (value & mask) {
+ if (didOne) {
+ CFStringAppend(string, CFSTR(", "));
+ } else {
+ didOne = true;
+ }
+ CFStringAppend(string, names[ix]);
+ }
+ mask >>= 1;
+ }
+ appendPropertyP(properties, kSecPropertyTypeString, label, string);
+ CFRelease(string);
+ return;
+badDER:
+ appendInvalidProperty(properties, label, bitStringContent);
+}
+
+static void appendBitStringNames(CFMutableArrayRef properties,
+ CFStringRef label, const DERItem *bitString,
+ const CFStringRef *names, CFIndex namesCount) {
+ DERDecodedInfo bitStringContent;
+ DERReturn drtn = DERDecodeItem(bitString, &bitStringContent);
+ require_noerr_quiet(drtn, badDER);
+ require_quiet(bitStringContent.tag == ASN1_BIT_STRING, badDER);
+ appendBitStringContentNames(properties, label, &bitStringContent.content,
+ names, namesCount);
+ return;
+badDER:
+ appendInvalidProperty(properties, label, bitString);
+}
+
+#if 0
+typedef uint16_t SecKeyUsage;
+
+#define kSecKeyUsageDigitalSignature 0x8000
+#define kSecKeyUsageNonRepudiation 0x4000
+#define kSecKeyUsageKeyEncipherment
0x2000 +#define kSecKeyUsageDataEncipherment 0x1000 +#define kSecKeyUsageKeyAgreement 0x0800 +#define kSecKeyUsageKeyCertSign 0x0400 +#define kSecKeyUsageCRLSign 0x0200 +#define kSecKeyUsageEncipherOnly 0x0100 +#define kSecKeyUsageDecipherOnly 0x0080 + +/* + KeyUsage ::= BIT STRING { + digitalSignature (0), + nonRepudiation (1), + keyEncipherment (2), + dataEncipherment (3), + keyAgreement (4), + keyCertSign (5), + cRLSign (6), + encipherOnly (7), + decipherOnly (8) } + */ +static void appendKeyUsage(CFMutableArrayRef properties, + const DERItem *extnValue) { + if ((extnValue->length != 4 && extnValue->length != 5) || + extnValue->data[0] != ASN1_BIT_STRING || + extnValue->data[1] < 2 || extnValue->data[1] > 3 || + extnValue->data[2] > 7) { + appendInvalidProperty(properties, CFSTR("KeyUsage Extension"), + extnValue); + } else { + CFMutableStringRef string = + CFStringCreateMutable(CFGetAllocator(properties), 0); + SecKeyUsage usage = (extnValue->data[3] << 8); + if (extnValue->length == 5) + usage += extnValue->data[4]; + secdebug("keyusage", "keyusage: %04X", usage); + static const CFStringRef usageNames[] = { + CFSTR("Digital Signature"), + CFSTR("Non-Repudiation"), + CFSTR("Key Encipherment"), + CFSTR("Data Encipherment"), + CFSTR("Key Agreement"), + CFSTR("Cert Sign"), + CFSTR("CRL Sign"), + CFSTR("Encipher"), + CFSTR("Decipher"), + }; + bool didOne = false; + SecKeyUsage mask = kSecKeyUsageDigitalSignature; + CFIndex ix, bits = (extnValue->data[1] - 1) * 8 - extnValue->data[2]; + for (ix = 0; ix < bits; ++ix) { + if (usage & mask) { + if (didOne) { + CFStringAppend(string, CFSTR(", ")); + } else { + didOne = true; + } + /* @@@ Localize usageNames[ix]. 
*/ + CFStringAppend(string, usageNames[ix]); + } + mask >>= 1; + } + appendPropertyP(properties, kSecPropertyTypeString, CFSTR("Usage"), + string); + CFRelease(string); + } +} +#else +static void appendKeyUsage(CFMutableArrayRef properties, + const DERItem *extnValue) { + static const CFStringRef usageNames[] = { + CFSTR("Digital Signature"), + CFSTR("Non-Repudiation"), + CFSTR("Key Encipherment"), + CFSTR("Data Encipherment"), + CFSTR("Key Agreement"), + CFSTR("Cert Sign"), + CFSTR("CRL Sign"), + CFSTR("Encipher Only"), + CFSTR("Decipher Only") + }; + appendBitStringNames(properties, CFSTR("Usage"), extnValue, + usageNames, sizeof(usageNames) / sizeof(*usageNames)); +} +#endif + +static void appendPrivateKeyUsagePeriod(CFMutableArrayRef properties, + const DERItem *extnValue) { + DERPrivateKeyUsagePeriod pkup; + DERReturn drtn = DERParseSequence(extnValue, + DERNumPrivateKeyUsagePeriodItemSpecs, DERPrivateKeyUsagePeriodItemSpecs, + &pkup, sizeof(pkup)); + require_noerr_quiet(drtn, badDER); + if (pkup.notBefore.length) { + appendDateContentProperty(properties, CFSTR("Not Valid Before"), + ASN1_GENERALIZED_TIME, &pkup.notBefore); + } + if (pkup.notAfter.length) { + appendDateContentProperty(properties, CFSTR("Not Valid After"), + ASN1_GENERALIZED_TIME, &pkup.notAfter); + } + return; +badDER: + appendInvalidProperty(properties, CFSTR("Private Key Usage Period"), + extnValue); +} + +static void appendStringContentProperty(CFMutableArrayRef properties, + CFStringRef label, const DERItem *stringContent, + CFStringEncoding encoding) { + CFStringRef string = CFStringCreateWithBytes(CFGetAllocator(properties), + stringContent->data, stringContent->length, encoding, FALSE); + if (string) { + appendPropertyP(properties, kSecPropertyTypeString, label, string); + CFRelease(string); + } else { + appendInvalidProperty(properties, label, stringContent); + } +} + +/* + OtherName ::= SEQUENCE { + type-id OBJECT IDENTIFIER, + value [0] EXPLICIT ANY DEFINED BY type-id } +*/ +static 
void appendOtherNameContentProperty(CFMutableArrayRef properties, + const DERItem *otherNameContent) { + DEROtherName on; + DERReturn drtn = DERParseSequenceContent(otherNameContent, + DERNumOtherNameItemSpecs, DEROtherNameItemSpecs, + &on, sizeof(on)); + require_noerr_quiet(drtn, badDER); + CFAllocatorRef allocator = CFGetAllocator(properties); + CFStringRef oid_string = copyLocalizedOidDescription(allocator, + &on.typeIdentifier); + CFStringRef value_string = copyDERThingDescription(allocator, &on.value, false); + if (value_string) + appendPropertyP(properties, kSecPropertyTypeString, oid_string, + value_string); + else + appendUnparsedProperty(properties, oid_string, &on.value); + + return; +badDER: + appendInvalidProperty(properties, CFSTR("Other Name"), otherNameContent); +} + +/* + GeneralName ::= CHOICE { + otherName [0] OtherName, + rfc822Name [1] IA5String, + dNSName [2] IA5String, + x400Address [3] ORAddress, + directoryName [4] Name, + ediPartyName [5] EDIPartyName, + uniformResourceIdentifier [6] IA5String, + iPAddress [7] OCTET STRING, + registeredID [8] OBJECT IDENTIFIER} + + EDIPartyName ::= SEQUENCE { + nameAssigner [0] DirectoryString OPTIONAL, + partyName [1] DirectoryString } + */ +static bool appendGeneralNameContentProperty(CFMutableArrayRef properties, + DERTag tag, const DERItem *generalName) { + switch (tag) { + case ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 0: + appendOtherNameContentProperty(properties, generalName); + break; + case ASN1_CONTEXT_SPECIFIC | 1: + /* IA5String. */ + appendStringContentProperty(properties, CFSTR("Email Address"), + generalName, kCFStringEncodingASCII); + break; + case ASN1_CONTEXT_SPECIFIC | 2: + /* IA5String. 
*/ + appendStringContentProperty(properties, CFSTR("DNS Name"), generalName, + kCFStringEncodingASCII); + break; + case ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 3: + appendUnparsedProperty(properties, CFSTR("X.400 Address"), + generalName); + break; + case ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 4: + { + CFArrayRef directory_plist = + createPropertiesForX501Name(CFGetAllocator(properties), + generalName); + appendPropertyP(properties, kSecPropertyTypeSection, + CFSTR("Directory Name"), directory_plist); + CFRelease(directory_plist); + break; + } + case ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 5: + appendUnparsedProperty(properties, CFSTR("EDI Party Name"), + generalName); + break; + case ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 6: + /* Technically I don't think this is valid, but there are certs out + in the wild that use a constructed IA5String. In particular the + VeriSign Time Stamping Authority CA.cer does this. */ + appendURLProperty(properties, CFSTR("URI"), generalName); + break; + case ASN1_CONTEXT_SPECIFIC | 6: + appendURLContentProperty(properties, CFSTR("URI"), generalName); + break; + case ASN1_CONTEXT_SPECIFIC | 7: + appendIPAddressContentProperty(properties, CFSTR("IP Address"), + generalName); + break; + case ASN1_CONTEXT_SPECIFIC | 8: + appendOIDProperty(properties, CFSTR("Registered ID"), generalName); + break; + default: + goto badDER; + break; + } + return true; +badDER: + return false; +} + +static void appendGeneralNameProperty(CFMutableArrayRef properties, + const DERItem *generalName) { + DERDecodedInfo generalNameContent; + DERReturn drtn = DERDecodeItem(generalName, &generalNameContent); + require_noerr_quiet(drtn, badDER); + if (appendGeneralNameContentProperty(properties, generalNameContent.tag, + &generalNameContent.content)) + return; +badDER: + appendInvalidProperty(properties, CFSTR("General Name"), generalName); +} + + +/* + GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName + */ +static void 
appendGeneralNamesContent(CFMutableArrayRef properties, + const DERItem *generalNamesContent) { + DERSequence gnSeq; + DERReturn drtn = DERDecodeSeqContentInit(generalNamesContent, &gnSeq); + require_noerr_quiet(drtn, badDER); + DERDecodedInfo generalNameContent; + while ((drtn = DERDecodeSeqNext(&gnSeq, &generalNameContent)) == + DR_Success) { + if (!appendGeneralNameContentProperty(properties, + generalNameContent.tag, &generalNameContent.content)) { + goto badDER; + } + } + require_quiet(drtn == DR_EndOfSequence, badDER); + return; +badDER: + appendInvalidProperty(properties, CFSTR("General Names"), + generalNamesContent); +} + +static void appendGeneralNames(CFMutableArrayRef properties, + const DERItem *generalNames) { + DERDecodedInfo generalNamesContent; + DERReturn drtn = DERDecodeItem(generalNames, &generalNamesContent); + require_noerr_quiet(drtn, badDER); + require_quiet(generalNamesContent.tag == ASN1_CONSTR_SEQUENCE, + badDER); + appendGeneralNamesContent(properties, &generalNamesContent.content); + return; +badDER: + appendInvalidProperty(properties, CFSTR("General Names"), generalNames); +} + +/* +BasicConstraints ::= SEQUENCE { + cA BOOLEAN DEFAULT FALSE, + pathLenConstraint INTEGER (0..MAX) OPTIONAL } +*/ +static void appendBasicConstraints(CFMutableArrayRef properties, + const DERItem *extnValue) { + DERBasicConstraints basicConstraints; + DERReturn drtn = DERParseSequence(extnValue, + DERNumBasicConstraintsItemSpecs, DERBasicConstraintsItemSpecs, + &basicConstraints, sizeof(basicConstraints)); + require_noerr_quiet(drtn, badDER); + + appendBooleanProperty(properties, CFSTR("Certificate Authority"), + &basicConstraints.cA, false); + + if (basicConstraints.pathLenConstraint.length != 0) { + appendIntegerProperty(properties, CFSTR("Path Length Constraint"), + &basicConstraints.pathLenConstraint); + } + return; +badDER: + appendInvalidProperty(properties, CFSTR("Basic Constraints"), extnValue); +} + +/* + CRLDistPointsSyntax ::= SEQUENCE SIZE 
(1..MAX) OF DistributionPoint + + DistributionPoint ::= SEQUENCE { + distributionPoint [0] DistributionPointName OPTIONAL, + reasons [1] ReasonFlags OPTIONAL, + cRLIssuer [2] GeneralNames OPTIONAL } + + DistributionPointName ::= CHOICE { + fullName [0] GeneralNames, + nameRelativeToCRLIssuer [1] RelativeDistinguishedName } + + ReasonFlags ::= BIT STRING { + unused (0), + keyCompromise (1), + cACompromise (2), + affiliationChanged (3), + superseded (4), + cessationOfOperation (5), + certificateHold (6), + privilegeWithdrawn (7), + aACompromise (8) } +*/ +static void appendCrlDistributionPoints(CFMutableArrayRef properties, + const DERItem *extnValue) { + CFAllocatorRef allocator = CFGetAllocator(properties); + DERTag tag; + DERSequence dpSeq; + DERReturn drtn = DERDecodeSeqInit(extnValue, &tag, &dpSeq); + require_noerr_quiet(drtn, badDER); + require_quiet(tag == ASN1_CONSTR_SEQUENCE, badDER); + DERDecodedInfo dpSeqContent; + while ((drtn = DERDecodeSeqNext(&dpSeq, &dpSeqContent)) == DR_Success) { + require_quiet(dpSeqContent.tag == ASN1_CONSTR_SEQUENCE, badDER); + DERDistributionPoint dp; + drtn = DERParseSequenceContent(&dpSeqContent.content, + DERNumDistributionPointItemSpecs, + DERDistributionPointItemSpecs, + &dp, sizeof(dp)); + require_noerr_quiet(drtn, badDER); + if (dp.distributionPoint.length) { + DERDecodedInfo distributionPointName; + drtn = DERDecodeItem(&dp.distributionPoint, &distributionPointName); + require_noerr_quiet(drtn, badDER); + if (distributionPointName.tag == + (ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 0)) { + /* Full Name */ + appendGeneralNamesContent(properties, + &distributionPointName.content); + } else if (distributionPointName.tag == + (ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 1)) { + CFArrayRef rdn_props = createPropertiesForRDNContent(allocator, + &dp.reasons); + appendPropertyP(properties, kSecPropertyTypeSection, + CFSTR("Name Relative To CRL Issuer"), rdn_props); + CFRelease(rdn_props); + } else { + goto badDER; + } + } + if 
(dp.reasons.length) { + static const CFStringRef reasonNames[] = { + CFSTR("Unused"), + CFSTR("Key Compromise"), + CFSTR("CA Compromise"), + CFSTR("Affiliation Changed"), + CFSTR("Superseded"), + CFSTR("Cessation Of Operation"), + CFSTR("Certificate Hold"), + CFSTR("Priviledge Withdrawn"), + CFSTR("AA Compromise") + }; + appendBitStringContentNames(properties, CFSTR("Reasons"), + &dp.reasons, + reasonNames, sizeof(reasonNames) / sizeof(*reasonNames)); + } + if (dp.cRLIssuer.length) { + CFMutableArrayRef crlIssuer = CFArrayCreateMutable(allocator, 0, + &kCFTypeArrayCallBacks); + appendPropertyP(properties, kSecPropertyTypeSection, + CFSTR("CRL Issuer"), crlIssuer); + CFRelease(crlIssuer); + appendGeneralNames(crlIssuer, &dp.cRLIssuer); + } + } + require_quiet(drtn == DR_EndOfSequence, badDER); + return; +badDER: + appendInvalidProperty(properties, CFSTR("Crl Distribution Points"), + extnValue); +} + +/* Decode a sequence of integers into a comma separated list of ints. */ +static void appendIntegerSequenceContent(CFMutableArrayRef properties, + CFStringRef label, const DERItem *intSequenceContent) { + CFAllocatorRef allocator = CFGetAllocator(properties); + DERSequence intSeq; + DERReturn drtn = DERDecodeSeqContentInit(intSequenceContent, &intSeq); + require_noerr_quiet(drtn, badDER); + DERDecodedInfo intContent; + CFMutableStringRef value = NULL; + while ((drtn = DERDecodeSeqNext(&intSeq, &intContent)) + == DR_Success) { + require_quiet(intContent.tag == ASN1_INTEGER, badDER); + CFStringRef intDesc = copyIntegerContentDescription( + allocator, &intContent.content); + if (value) { + CFStringAppendFormat(value, NULL, CFSTR(", %@"), intDesc); + } else { + value = CFStringCreateMutableCopy(allocator, 0, intDesc); + } + CFRelease(intDesc); + } + require_quiet(drtn == DR_EndOfSequence, badDER); + if (value) { + appendPropertyP(properties, kSecPropertyTypeString, + CFSTR("Notice Numbers"), value); + CFRelease(value); + return; + } + /* DROPTHOUGH if !value. 
*/ +badDER: + appendInvalidProperty(properties, label, intSequenceContent); +} + +static void appendCertificatePolicies(CFMutableArrayRef properties, + const DERItem *extnValue) { + CFAllocatorRef allocator = CFGetAllocator(properties); + DERTag tag; + DERSequence piSeq; + DERReturn drtn = DERDecodeSeqInit(extnValue, &tag, &piSeq); + require_noerr_quiet(drtn, badDER); + require_quiet(tag == ASN1_CONSTR_SEQUENCE, badDER); + DERDecodedInfo piContent; + int pin = 1; + while ((drtn = DERDecodeSeqNext(&piSeq, &piContent)) == DR_Success) { + require_quiet(piContent.tag == ASN1_CONSTR_SEQUENCE, badDER); + DERPolicyInformation pi; + drtn = DERParseSequenceContent(&piContent.content, + DERNumPolicyInformationItemSpecs, + DERPolicyInformationItemSpecs, + &pi, sizeof(pi)); + require_noerr_quiet(drtn, badDER); + CFStringRef piLabel = CFStringCreateWithFormat(allocator, NULL, + CFSTR("Policy Identifier #%d"), pin++); + appendOIDProperty(properties, piLabel, &pi.policyIdentifier); + CFRelease(piLabel); + if (pi.policyQualifiers.length == 0) + continue; + + DERSequence pqSeq; + drtn = DERDecodeSeqContentInit(&pi.policyQualifiers, &pqSeq); + require_noerr_quiet(drtn, badDER); + DERDecodedInfo pqContent; + int pqn = 1; + while ((drtn = DERDecodeSeqNext(&pqSeq, &pqContent)) == DR_Success) { + DERPolicyQualifierInfo pqi; + drtn = DERParseSequenceContent(&pqContent.content, + DERNumPolicyQualifierInfoItemSpecs, + DERPolicyQualifierInfoItemSpecs, + &pqi, sizeof(pqi)); + require_noerr_quiet(drtn, badDER); + DERDecodedInfo qualifierContent; + drtn = DERDecodeItem(&pqi.qualifier, &qualifierContent); + require_noerr_quiet(drtn, badDER); + CFStringRef pqLabel = CFStringCreateWithFormat(allocator, NULL, + CFSTR("Policy Qualifier #%d"), pqn++); + appendOIDProperty(properties, pqLabel, &pqi.policyQualifierID); + CFRelease(pqLabel); + if (DEROidCompare(&oidQtCps, &pqi.policyQualifierID)) { + require_quiet(qualifierContent.tag == ASN1_IA5_STRING, badDER); + appendURLContentProperty(properties, + 
CFSTR("CPS URI"), + &qualifierContent.content); + } else if (DEROidCompare(&oidQtUNotice, &pqi.policyQualifierID)) { + require_quiet(qualifierContent.tag == ASN1_CONSTR_SEQUENCE, badDER); + DERUserNotice un; + drtn = DERParseSequenceContent(&qualifierContent.content, + DERNumUserNoticeItemSpecs, + DERUserNoticeItemSpecs, + &un, sizeof(un)); + require_noerr_quiet(drtn, badDER); + if (un.noticeRef.length) { + DERNoticeReference nr; + drtn = DERParseSequenceContent(&un.noticeRef, + DERNumNoticeReferenceItemSpecs, + DERNoticeReferenceItemSpecs, + &nr, sizeof(nr)); + require_noerr_quiet(drtn, badDER); + appendDERThingProperty(properties, + CFSTR("Organization"), + &nr.organization); + appendIntegerSequenceContent(properties, + CFSTR("Notice Numbers"), &nr.noticeNumbers); + } + if (un.explicitText.length) { + appendDERThingProperty(properties, CFSTR("Explicit Text"), + &un.explicitText); + } + } else { + appendUnparsedProperty(properties, CFSTR("Qualifier"), + &pqi.qualifier); + } + } + } + require_quiet(drtn == DR_EndOfSequence, badDER); + return; +badDER: + appendInvalidProperty(properties, CFSTR("Certificate Policies"), + extnValue); +} + +static void appendSubjectKeyIdentifier(CFMutableArrayRef properties, + const DERItem *extnValue) { + DERReturn drtn; + DERDecodedInfo keyIdentifier; + drtn = DERDecodeItem(extnValue, &keyIdentifier); + require_noerr_quiet(drtn, badDER); + require_quiet(keyIdentifier.tag == ASN1_OCTET_STRING, badDER); + appendDataProperty(properties, CFSTR("Key Identifier"), + &keyIdentifier.content); + + return; +badDER: + appendInvalidProperty(properties, CFSTR("Invalid Subject Key Identifier"), + extnValue); +} + +/* +AuthorityKeyIdentifier ::= SEQUENCE { + keyIdentifier [0] KeyIdentifier OPTIONAL, + authorityCertIssuer [1] GeneralNames OPTIONAL, + authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL } + -- authorityCertIssuer and authorityCertSerialNumber MUST both + -- be present or both be absent + +KeyIdentifier ::= OCTET STRING +*/ 
+static void appendAuthorityKeyIdentifier(CFMutableArrayRef properties, + const DERItem *extnValue) { + DERAuthorityKeyIdentifier akid; + DERReturn drtn; + drtn = DERParseSequence(extnValue, + DERNumAuthorityKeyIdentifierItemSpecs, + DERAuthorityKeyIdentifierItemSpecs, + &akid, sizeof(akid)); + require_noerr_quiet(drtn, badDER); + if (akid.keyIdentifier.length) { + appendDataProperty(properties, CFSTR("Key Identifier"), + &akid.keyIdentifier); + } + if (akid.authorityCertIssuer.length || + akid.authorityCertSerialNumber.length) { + require_quiet(akid.authorityCertIssuer.length && + akid.authorityCertSerialNumber.length, badDER); + /* Perhaps put in a subsection called Authority Certificate Issuer. */ + appendGeneralNamesContent(properties, + &akid.authorityCertIssuer); + appendIntegerProperty(properties, + CFSTR("Authority Certificate Serial Number"), + &akid.authorityCertSerialNumber); + } + + return; +badDER: + appendInvalidProperty(properties, CFSTR("Authority Key Identifier"), + extnValue); +} + +/* + PolicyConstraints ::= SEQUENCE { + requireExplicitPolicy [0] SkipCerts OPTIONAL, + inhibitPolicyMapping [1] SkipCerts OPTIONAL } + + SkipCerts ::= INTEGER (0..MAX) +*/ +static void appendPolicyConstraints(CFMutableArrayRef properties, + const DERItem *extnValue) { + DERPolicyConstraints pc; + DERReturn drtn; + drtn = DERParseSequence(extnValue, + DERNumPolicyConstraintsItemSpecs, + DERPolicyConstraintsItemSpecs, + &pc, sizeof(pc)); + require_noerr_quiet(drtn, badDER); + if (pc.requireExplicitPolicy.length) { + appendIntegerProperty(properties, + CFSTR("Require Explicit Policy"), &pc.requireExplicitPolicy); + } + if (pc.inhibitPolicyMapping.length) { + appendIntegerProperty(properties, + CFSTR("Inhibit Policy Mapping"), &pc.inhibitPolicyMapping); + } + + return; + +badDER: + appendInvalidProperty(properties, CFSTR("Policy Constraints"), extnValue); +} + +/* +extendedKeyUsage EXTENSION ::= { + SYNTAX SEQUENCE SIZE (1..MAX) OF KeyPurposeId + IDENTIFIED BY 
id-ce-extKeyUsage } + +KeyPurposeId ::= OBJECT IDENTIFIER +*/ +static void appendExtendedKeyUsage(CFMutableArrayRef properties, + const DERItem *extnValue) { + DERTag tag; + DERSequence derSeq; + DERReturn drtn = DERDecodeSeqInit(extnValue, &tag, &derSeq); + require_noerr_quiet(drtn, badDER); + require_quiet(tag == ASN1_CONSTR_SEQUENCE, badDER); + DERDecodedInfo currDecoded; + while ((drtn = DERDecodeSeqNext(&derSeq, &currDecoded)) == DR_Success) { + require_quiet(currDecoded.tag == ASN1_OBJECT_ID, badDER); + appendOIDProperty(properties, CFSTR("Purpose"), + &currDecoded.content); + } + require_quiet(drtn == DR_EndOfSequence, badDER); + return; +badDER: + appendInvalidProperty(properties, CFSTR("Extended Key Usage"), extnValue); +} + +/* + id-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pe 1 } + + AuthorityInfoAccessSyntax ::= + SEQUENCE SIZE (1..MAX) OF AccessDescription + + AccessDescription ::= SEQUENCE { + accessMethod OBJECT IDENTIFIER, + accessLocation GeneralName } + + id-ad OBJECT IDENTIFIER ::= { id-pkix 48 } + + id-ad-caIssuers OBJECT IDENTIFIER ::= { id-ad 2 } + + id-ad-ocsp OBJECT IDENTIFIER ::= { id-ad 1 } +*/ +static void appendInfoAccess(CFMutableArrayRef properties, + const DERItem *extnValue) { + DERTag tag; + DERSequence adSeq; + DERReturn drtn = DERDecodeSeqInit(extnValue, &tag, &adSeq); + require_noerr_quiet(drtn, badDER); + require_quiet(tag == ASN1_CONSTR_SEQUENCE, badDER); + DERDecodedInfo adContent; + while ((drtn = DERDecodeSeqNext(&adSeq, &adContent)) == DR_Success) { + require_quiet(adContent.tag == ASN1_CONSTR_SEQUENCE, badDER); + DERAccessDescription ad; + drtn = DERParseSequenceContent(&adContent.content, + DERNumAccessDescriptionItemSpecs, + DERAccessDescriptionItemSpecs, + &ad, sizeof(ad)); + require_noerr_quiet(drtn, badDER); + appendOIDProperty(properties, CFSTR("Access Method"), + &ad.accessMethod); + //CFSTR("Access Location"); + appendGeneralNameProperty(properties, &ad.accessLocation); + } + require_quiet(drtn == 
DR_EndOfSequence, badDER); + return; +badDER: + appendInvalidProperty(properties, CFSTR("Authority Information Access"), + extnValue); +} + +static void appendNetscapeCertType(CFMutableArrayRef properties, + const DERItem *extnValue) { + static const CFStringRef certTypes[] = { + CFSTR("SSL client"), + CFSTR("SSL server"), + CFSTR("S/MIME"), + CFSTR("Object Signing"), + CFSTR("Reserved"), + CFSTR("SSL CA"), + CFSTR("S/MIME CA"), + CFSTR("Object Signing CA") + }; + appendBitStringNames(properties, CFSTR("Usage"), extnValue, + certTypes, sizeof(certTypes) / sizeof(*certTypes)); +} + +#if 0 +static void appendEntrustVersInfo(CFMutableArrayRef properties, + const DERItem *extnValue) { +} + +/* + * The list of Qualified Cert Statement statementIds we understand, even though + * we don't actually do anything with them; if these are found in a Qualified + * Cert Statement that's critical, we can truthfully say "yes we understand this". + */ +static const CSSM_OID_PTR knownQualifiedCertStatements[] = +{ + /* id-qcs := { id-pkix 11 } */ + (const CSSM_OID_PTR)&CSSMOID_OID_QCS_SYNTAX_V1, /* id-qcs 1 */ + (const CSSM_OID_PTR)&CSSMOID_OID_QCS_SYNTAX_V2, /* id-qcs 2 */ + (const CSSM_OID_PTR)&CSSMOID_ETSI_QCS_QC_COMPLIANCE, + (const CSSM_OID_PTR)&CSSMOID_ETSI_QCS_QC_LIMIT_VALUE, + (const CSSM_OID_PTR)&CSSMOID_ETSI_QCS_QC_RETENTION, + (const CSSM_OID_PTR)&CSSMOID_ETSI_QCS_QC_SSCD +}; +#define NUM_KNOWN_QUAL_CERT_STATEMENTS (sizeof(knownQualifiedCertStatements) / sizeof(CSSM_OID_PTR)) +*/ +static void appendQCCertStatements(CFMutableArrayRef properties, + const DERItem *extnValue) { +} + +#endif + +static bool appendPrintableDERSequenceP(CFMutableArrayRef properties, + CFStringRef label, const DERItem *sequence) { + DERTag tag; + DERSequence derSeq; + DERReturn drtn = DERDecodeSeqInit(sequence, &tag, &derSeq); + require_noerr_quiet(drtn, badSequence); + require_quiet(tag == ASN1_CONSTR_SEQUENCE, badSequence); + DERDecodedInfo currDecoded; + bool appendedSomething = false; + while 
((drtn = DERDecodeSeqNext(&derSeq, &currDecoded)) == DR_Success) { + switch (currDecoded.tag) + { + case 0: // 0 + case ASN1_SEQUENCE: // 16 + case ASN1_SET: // 17 + // skip constructed object lengths + break; + + case ASN1_UTF8_STRING: // 12 + case ASN1_NUMERIC_STRING: // 18 + case ASN1_PRINTABLE_STRING: // 19 + case ASN1_T61_STRING: // 20, also ASN1_TELETEX_STRING + case ASN1_VIDEOTEX_STRING: // 21 + case ASN1_IA5_STRING: // 22 + case ASN1_GRAPHIC_STRING: // 25 + case ASN1_VISIBLE_STRING: // 26, also ASN1_ISO646_STRING + case ASN1_GENERAL_STRING: // 27 + case ASN1_UNIVERSAL_STRING: // 28 + { + CFStringRef string = + copyDERThingContentDescription(CFGetAllocator(properties), + currDecoded.tag, &currDecoded.content, false); + //CFStringRef cleanString = copyStringRemovingPercentEscapes(string); + + appendPropertyP(properties, kSecPropertyTypeString, label, + string); + CFRelease(string); + appendedSomething = true; + break; + } + default: + break; + } + } + require_quiet(drtn == DR_EndOfSequence, badSequence); + return appendedSomething; +badSequence: + return false; +} + +static void appendExtension(CFMutableArrayRef parent, + const SecCertificateExtension *extn) { + CFAllocatorRef allocator = CFGetAllocator(parent); + CFMutableArrayRef properties = CFArrayCreateMutable(allocator, 0, + &kCFTypeArrayCallBacks); + const DERItem + *extnID = &extn->extnID, + *extnValue = &extn->extnValue; + + appendBoolProperty(properties, CFSTR("Critical"), extn->critical); + +#if 1 + bool handled = true; + /* Extensions that we know how to handle ourselves... 
*/ + if (extnID->length == oidSubjectKeyIdentifier.length && + !memcmp(extnID->data, oidSubjectKeyIdentifier.data, extnID->length - 1)) + { + switch (extnID->data[extnID->length - 1]) { + case 14: /* SubjectKeyIdentifier id-ce 14 */ + appendSubjectKeyIdentifier(properties, extnValue); + break; + case 15: /* KeyUsage id-ce 15 */ + appendKeyUsage(properties, extnValue); + break; + case 16: /* PrivateKeyUsagePeriod id-ce 16 */ + appendPrivateKeyUsagePeriod(properties, extnValue); + break; + case 17: /* SubjectAltName id-ce 17 */ + case 18: /* IssuerAltName id-ce 18 */ + appendGeneralNames(properties, extnValue); + break; + case 19: /* BasicConstraints id-ce 19 */ + appendBasicConstraints(properties, extnValue); + break; + case 30: /* NameConstraints id-ce 30 */ + handled = false; + break; + case 31: /* CRLDistributionPoints id-ce 31 */ + appendCrlDistributionPoints(properties, extnValue); + break; + case 32: /* CertificatePolicies id-ce 32 */ + appendCertificatePolicies(properties, extnValue); + break; + case 33: /* PolicyMappings id-ce 33 */ + handled = false; + break; + case 35: /* AuthorityKeyIdentifier id-ce 35 */ + appendAuthorityKeyIdentifier(properties, extnValue); + break; + case 36: /* PolicyConstraints id-ce 36 */ + appendPolicyConstraints(properties, extnValue); + break; + case 37: /* ExtKeyUsage id-ce 37 */ + appendExtendedKeyUsage(properties, extnValue); + break; + case 46: /* FreshestCRL id-ce 46 */ + handled = false; + break; + case 54: /* InhibitAnyPolicy id-ce 54 */ + handled = false; + break; + default: + handled = false; + break; + } + } else if (extnID->length == oidAuthorityInfoAccess.length && + !memcmp(extnID->data, oidAuthorityInfoAccess.data, extnID->length - 1)) + { + switch (extnID->data[extnID->length - 1]) { + case 1: /* AuthorityInfoAccess id-pe 1 */ + appendInfoAccess(properties, extnValue); + break; + case 3: /* QCStatements id-pe 3 */ + handled = false; + break; + case 11: /* SubjectInfoAccess id-pe 11 */ + appendInfoAccess(properties, 
extnValue); + break; + default: + handled = false; + break; + } + } else if (DEROidCompare(extnID, &oidNetscapeCertType)) { + /* 2.16.840.1.113730.1.1 netscape 1 1 */ + appendNetscapeCertType(properties, extnValue); + } else { + handled = false; + } + + if (!handled) { + /* Try to parse and display printable string(s). */ + if (appendPrintableDERSequenceP(properties, CFSTR("Data"), extnValue)) { + /* Nothing to do here appendPrintableDERSequenceP did the work. */ + } else { + /* Couldn't parse extension; dump the raw unparsed data as hex. */ + appendUnparsedProperty(properties, CFSTR("Data"), extnValue); + } + } +#else + /* Extensions that we know how to handle ourselves... */ + if (DEROidCompare(extnID, &oidSubjectKeyIdentifier)) { + appendSubjectKeyIdentifier(properties, extnValue); + } else if (DEROidCompare(extnID, &oidKeyUsage)) { + appendKeyUsage(properties, extnValue); + } else if (DEROidCompare(extnID, &oidPrivateKeyUsagePeriod)) { + appendPrivateKeyUsagePeriod(properties, extnValue); + } else if (DEROidCompare(extnID, &oidSubjectAltName)) { + appendGeneralNames(properties, extnValue); + } else if (DEROidCompare(extnID, &oidIssuerAltName)) { + appendGeneralNames(properties, extnValue); + } else if (DEROidCompare(extnID, &oidBasicConstraints)) { + appendBasicConstraints(properties, extnValue); + } else if (DEROidCompare(extnID, &oidCrlDistributionPoints)) { + appendCrlDistributionPoints(properties, extnValue); + } else if (DEROidCompare(extnID, &oidCertificatePolicies)) { + appendCertificatePolicies(properties, extnValue); + } else if (DEROidCompare(extnID, &oidAuthorityKeyIdentifier)) { + appendAuthorityKeyIdentifier(properties, extnValue); + } else if (DEROidCompare(extnID, &oidPolicyConstraints)) { + appendPolicyConstraints(properties, extnValue); + } else if (DEROidCompare(extnID, &oidExtendedKeyUsage)) { + appendExtendedKeyUsage(properties, extnValue); + } else if (DEROidCompare(extnID, &oidAuthorityInfoAccess)) { + appendInfoAccess(properties, 
extnValue); + } else if (DEROidCompare(extnID, &oidSubjectInfoAccess)) { + appendInfoAccess(properties, extnValue); + } else if (DEROidCompare(extnID, &oidNetscapeCertType)) { + appendNetscapeCertType(properties, extnValue); +#if 0 + } else if (DEROidCompare(extnID, &oidEntrustVersInfo)) { + appendEntrustVersInfo(properties, extnValue); +#endif + } else + /* Try to parse and display printable string(s). */ + if (appendPrintableDERSequenceP(properties, CFSTR("Data"), extnValue)) { + /* Nothing to do here appendPrintableDERSequenceP did the work. */ + } else { + /* Couldn't parse extension; dump the raw unparsed data as hex. */ + appendUnparsedProperty(properties, CFSTR("Data"), extnValue); + } +#endif + CFStringRef oid_string = copyLocalizedOidDescription(allocator, extnID); + appendPropertyP(parent, kSecPropertyTypeSection, oid_string, properties); + CFRelease(oid_string); + CFRelease(properties); +} + +/* Different types of summary types from least desired to most desired. */ +enum SummaryType { + kSummaryTypeNone, + kSummaryTypePrintable, + kSummaryTypeOrganizationName, + kSummaryTypeOrganizationalUnitName, + kSummaryTypeCommonName, +}; + +struct Summary { + enum SummaryType type; + CFStringRef summary; + CFStringRef description; +}; + +static OSStatus obtainSummaryFromX501Name(void *context, + const DERItem *type, const DERItem *value, CFIndex rdnIX) { + struct Summary *summary = (struct Summary *)context; + enum SummaryType stype = kSummaryTypeNone; + CFStringRef string = NULL; + if (DEROidCompare(type, &oidCommonName)) { + /* We skip Common Names that have generic values. 
*/ + const char tfm[] = "Thawte Freemail Member"; + if ((value->length == sizeof(tfm) + 1) && + !memcmp(value->data + 2, tfm, sizeof(tfm) - 1)) { + return errSecSuccess; + } + stype = kSummaryTypeCommonName; + } else if (DEROidCompare(type, &oidOrganizationalUnitName)) { + stype = kSummaryTypeOrganizationalUnitName; + } else if (DEROidCompare(type, &oidOrganizationName)) { + stype = kSummaryTypeOrganizationName; + } else if (DEROidCompare(type, &oidDescription)) { + if (!summary->description) { + summary->description = string = copyDERThingDescription(kCFAllocatorDefault, value, true); + CFRetain(string); + } + stype = kSummaryTypePrintable; + } else { + stype = kSummaryTypePrintable; + } + + /* Use the first field we encounter of the highest priority type. */ + if (summary->type < stype) { + if (!string) { + string = copyDERThingDescription(kCFAllocatorDefault, value, true); + } + + if (string) { + CFReleaseSafe(summary->summary); + summary->summary = string; + summary->type = stype; + } + } else { + CFReleaseSafe(string); + } + + return errSecSuccess; +} + +CFStringRef SecCertificateCopySubjectSummaryP(SecCertificateRefP certificate) { + struct Summary summary = {}; + parseX501NameContent(&certificate->_subject, &summary, obtainSummaryFromX501Name); + /* If we found a description and a common name we change the summary to + CommonName (Description). */ + if (summary.description) { + if (summary.type == kSummaryTypeCommonName) { + CFStringRef newSummary = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, + CFSTR("%@ (%@)"), summary.summary, summary.description); + CFRelease(summary.summary); + summary.summary = newSummary; + } + CFRelease(summary.description); + } + + if (!summary.summary) { + /* If we didn't find a suitable printable string in the subject at all, we try + the first email address in the certificate instead. 
*/ + CFArrayRef names = SecCertificateCopyRFC822NamesP(certificate); + if (!names) { + /* If we didn't find any email addresses in the certificate, we try finding + a DNS name instead. */ + names = SecCertificateCopyDNSNamesP(certificate); + } + if (names) { + summary.summary = CFArrayGetValueAtIndex(names, 0); + CFRetain(summary.summary); + CFRelease(names); + } + } + + return summary.summary; +} + +CFStringRef SecCertificateCopyIssuerSummaryP(SecCertificateRefP certificate) { + struct Summary summary = {}; + parseX501NameContent(&certificate->_issuer, &summary, obtainSummaryFromX501Name); + /* If we found a description and a common name we change the summary to + CommonName (Description). */ + if (summary.description) { + if (summary.type == kSummaryTypeCommonName) { + CFStringRef newSummary = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, + CFSTR("%@ (%@)"), summary.summary, summary.description); + CFRelease(summary.summary); + summary.summary = newSummary; + } + CFRelease(summary.description); + } + + return summary.summary; +} + +/* Return the earliest date on which all certificates in this chain are still + valid. */ +static CFAbsoluteTime SecCertificateGetChainsLastValidity( + SecCertificateRefP certificate) { + CFAbsoluteTime earliest = certificate->_notAfter; +#if 0 + while (certificate->_parent) { + certificate = certificate->_parent; + if (earliest > certificate->_notAfter) + earliest = certificate->_notAfter; + } +#endif + + return earliest; +} + +/* Return the latest date on which all certificates in this chain will be + valid. 
*/ +static CFAbsoluteTime SecCertificateGetChainsFirstValidity( + SecCertificateRefP certificate) { + CFAbsoluteTime latest = certificate->_notBefore; +#if 0 + while (certificate->_parent) { + certificate = certificate->_parent; + if (latest < certificate->_notBefore) + latest = certificate->_notBefore; + } +#endif + + return latest; +} + +bool SecCertificateIsValidP(SecCertificateRefP certificate, + CFAbsoluteTime verifyTime) { + check(certificate); + return certificate->_notBefore <= verifyTime && + verifyTime <= certificate->_notAfter; +} + +CFIndex SecCertificateVersionP(SecCertificateRefP certificate) { + return certificate->_version + 1; +} + +CFAbsoluteTime SecCertificateNotValidBeforeP(SecCertificateRefP certificate) { + return certificate->_notBefore; +} + +CFAbsoluteTime SecCertificateNotValidAfterP(SecCertificateRefP certificate) { + return certificate->_notAfter; +} + +CFMutableArrayRef SecCertificateCopySummaryPropertiesP( + SecCertificateRefP certificate, CFAbsoluteTime verifyTime) { + CFAllocatorRef allocator = CFGetAllocator(certificate); + CFMutableArrayRef summary = CFArrayCreateMutable(allocator, 0, + &kCFTypeArrayCallBacks); + + /* First we put the subject summary name. */ + CFStringRef ssummary = SecCertificateCopySubjectSummaryP(certificate); + if (ssummary) { + appendPropertyP(summary, kSecPropertyTypeTitle, + NULL, ssummary); + CFRelease(ssummary); + } +#if 0 + CFStringRef isummary = CFSTR("Issuer Summary"); + appendPropertyP(summary, kSecPropertyTypeString, + CFSTR("Issued By"), isummary); + CFRelease(isummary); +#endif + + /* Let see if this certificate is currently valid. 
*/ + CFStringRef label; + CFAbsoluteTime when; + CFStringRef message; + CFStringRef ptype; + if (verifyTime > certificate->_notAfter) { + label = CFSTR("Expired"); + when = certificate->_notAfter; + ptype = kSecPropertyTypeError; + message = CFSTR("This certificate has expired"); + } else if (certificate->_notBefore > verifyTime) { + label = CFSTR("Valid from"); + when = certificate->_notBefore; + ptype = kSecPropertyTypeError; + message = CFSTR("This certificate is not yet valid"); + } else { + CFAbsoluteTime last = SecCertificateGetChainsLastValidity(certificate); + CFAbsoluteTime first = SecCertificateGetChainsFirstValidity(certificate); + if (verifyTime > last) { + label = CFSTR("Expired"); + when = last; + ptype = kSecPropertyTypeError; + message = CFSTR("This certificate has an issuer that has expired"); + } else if (verifyTime < first) { + label = CFSTR("Valid from"); + when = first; + ptype = kSecPropertyTypeError; + message = CFSTR("This certificate has an issuer that is not yet valid"); + } else { + label = CFSTR("Expires"); + when = certificate->_notAfter; + ptype = kSecPropertyTypeSuccess; + message = CFSTR("This certificate is valid"); + } + } + + appendDateProperty(summary, label, when); + appendPropertyP(summary, ptype, NULL, message); + + return summary; +} + +CFArrayRef SecCertificateCopyPropertiesP(SecCertificateRefP certificate) { + if (!certificate->_properties) { + CFAllocatorRef allocator = CFGetAllocator(certificate); + CFMutableArrayRef properties = CFArrayCreateMutable(allocator, 0, + &kCFTypeArrayCallBacks); + + /* First we put the Subject Name in the property list. */ + CFArrayRef subject_plist = createPropertiesForX501NameContent(allocator, + &certificate->_subject); + appendPropertyP(properties, kSecPropertyTypeSection, + CFSTR("Subject Name"), subject_plist); + CFRelease(subject_plist); + +#if 0 + /* Put Normalized subject in for testing. 
*/ + if (certificate->_normalizedSubject) { + DERItem nsubject = { + (DERByte *)CFDataGetBytePtr(certificate->_normalizedSubject), + CFDataGetLength(certificate->_normalizedSubject) + }; + CFArrayRef nsubject_plist = createPropertiesForX501NameContent(allocator, + &nsubject); + appendPropertyP(properties, kSecPropertyTypeSection, + CFSTR("Normalized Subject Name"), nsubject_plist); + CFRelease(nsubject_plist); + } +#endif + + /* Next we put the Issuer Name in the property list. */ + CFArrayRef issuer_plist = createPropertiesForX501NameContent(allocator, + &certificate->_issuer); + appendPropertyP(properties, kSecPropertyTypeSection, + CFSTR("Issuer Name"), issuer_plist); + CFRelease(issuer_plist); + +#if 0 + /* Certificate version/type. */ + bool isRoot = false; + CFStringRef typeString = CFStringCreateWithFormat(allocator, NULL, + CFSTR("X.509 version %d %scertificate"), + certificate->_version + 1, isRoot ? "root " : ""); + appendPropertyP(properties, kSecPropertyTypeString, + CFSTR("Certificate Type"), typeString); + CFRelease(typeString); +#endif + + /* Version */ + CFStringRef versionString = CFStringCreateWithFormat(allocator, + NULL, CFSTR("%d"), certificate->_version + 1); + appendPropertyP(properties, kSecPropertyTypeString, + CFSTR("Version"), versionString); + CFRelease(versionString); + + /* Serial Number */ + if (certificate->_serialNum.length) { + appendIntegerProperty(properties, CFSTR("Serial Number"), + &certificate->_serialNum); + } + + /* Signature algorithm. */ +#if 0 + appendAlgorithmProperty(properties, CFSTR("Signature Algorithm"), + &certificate->_sigAlg); +#endif + appendAlgorithmProperty(properties, CFSTR("Signature Algorithm"), + &certificate->_tbsSigAlg); + + + /* Validity dates. 
*/ + appendDateProperty(properties, CFSTR("Not Valid Before"), + certificate->_notBefore); + appendDateProperty(properties, CFSTR("Not Valid After"), + certificate->_notAfter); + + if (certificate->_subjectUniqueID.length) { + appendDataProperty(properties, CFSTR("Subject Unique ID"), + &certificate->_subjectUniqueID); + } + if (certificate->_issuerUniqueID.length) { + appendDataProperty(properties, CFSTR("Issuer Unique ID"), + &certificate->_issuerUniqueID); + } + + /* Public key algorithm. */ + appendAlgorithmProperty(properties, CFSTR("Public Key Algorithm"), + &certificate->_algId); + + /* Consider breaking down an RSA public key into modulus and + exponent? */ + appendDataProperty(properties, CFSTR("Public Key Data"), + &certificate->_pubKeyDER); + /* @@@ Key Size. */ + /* @@@ Key Usage. */ + + appendDataProperty(properties, CFSTR("Signature"), + &certificate->_signature); + + CFIndex ix; + for (ix = 0; ix < certificate->_extensionCount; ++ix) { + appendExtension(properties, &certificate->_extensions[ix]); + } + + /* @@@ Key Fingerprints. 
*/ + + certificate->_properties = properties; + } + + CFRetain(certificate->_properties); + return certificate->_properties; +} + +CFDataRef SecCertificateCopySerialNumberP( + SecCertificateRefP certificate) { + if (certificate->_serialNumber) { + CFRetain(certificate->_serialNumber); + } + return certificate->_serialNumber; +} + +/* + * Accessor for normalized issuer content + */ +CFDataRef SecCertificateGetNormalizedIssuerContentP( + SecCertificateRefP certificate) { + return certificate->_normalizedIssuer; +} + +/* + * Accessor for normalized subject content + */ +CFDataRef SecCertificateGetNormalizedSubjectContentP( + SecCertificateRefP certificate) { + return certificate->_normalizedSubject; +} + +/* + * Returns DER-encoded normalized issuer sequence + * for use with SecItemCopyMatching; caller must release + */ +CFDataRef SecCertificateCopyNormalizedIssuerSequenceP( + SecCertificateRefP certificate) { + DERItem tmpdi; + tmpdi.data = (DERByte *)CFDataGetBytePtr(certificate->_normalizedIssuer); + tmpdi.length = CFDataGetLength(certificate->_normalizedIssuer); + + return SecDERItemCopySequenceP(&tmpdi); +} + +/* + * Returns DER-encoded normalized subject sequence + * for use with SecItemCopyMatching; caller must release + */ +CFDataRef SecCertificateCopyNormalizedSubjectSequenceP( + SecCertificateRefP certificate) { + DERItem tmpdi; + tmpdi.data = (DERByte *)CFDataGetBytePtr(certificate->_normalizedSubject); + tmpdi.length = CFDataGetLength(certificate->_normalizedSubject); + + return SecDERItemCopySequenceP(&tmpdi); +} + +/* Verify that certificate was signed by issuerKey. */ +OSStatus SecCertificateIsSignedByP(SecCertificateRefP certificate, + SecKeyRefP issuerKey) { + /* Setup algId in SecAsn1AlgId format. 
*/ + SecAsn1AlgId algId; + algId.algorithm.Length = certificate->_tbsSigAlg.oid.length; + algId.algorithm.Data = certificate->_tbsSigAlg.oid.data; + algId.parameters.Length = certificate->_tbsSigAlg.params.length; + algId.parameters.Data = certificate->_tbsSigAlg.params.data; + +#warning implementation empty +#if 0 + OSStatus status = SecKeyDigestAndVerify(issuerKey, &algId, + certificate->_tbs.data, certificate->_tbs.length, + certificate->_signature.data, certificate->_signature.length); + if (status) { + secdebug("verify", "signature verify failed: %d", status); + return errSecNotSigner; + } +#endif + + return errSecSuccess; +} + +#if 0 +static OSStatus SecCertificateIsIssuedBy(SecCertificateRefP certificate, + SecCertificateRefP issuer, bool signatureCheckOnly) { + if (!signatureCheckOnly) { + /* It turns out we don't actually need to use normalized subject and + issuer according to rfc2459. */ + + /* If present we should check issuerID against the issuer subjectID. */ + + /* If we have an AuthorityKeyIdentifier extension that has a keyIdentifier + then we should look for a SubjectKeyIdentifier in the issuer + certificate. + If we have a authorityCertSerialNumber we can use that for chaining. + If we have a authorityCertIssuer we can use that? (or not) */ + + /* Verify that this cert was issued by issuer. Do so by chaining + either issuerID to subjectID or normalized issuer to normalized + subject. */ + CFDataRef normalizedIssuer = + SecCertificateGetNormalizedIssuerContentP(certificate); + CFDataRef normalizedIssuerSubject = + SecCertificateGetNormalizedSubjectContentP(issuer); + if (normalizedIssuer && normalizedIssuerSubject && + !CFEqual(normalizedIssuer, normalizedIssuerSubject)) + return errSecIssuerMismatch; + } + + /* Next verify that this cert was signed by issuer. 
*/
+ SecKeyRef issuerKey = SecCertificateGetPublicKey(issuer);
+
+ /* Get the encodedDigestInfo from the digest of the subject's TBSCert */
+ /* FIXME: We sould cache this (or at least the digest) until we find
+ a suitable issuer. */
+ uint8_t signedData[DER_SHA1_DIGEST_INFO_LEN];
+ CFIndex signedDataLength;
+ CertVerifyReturn crtn;
+ if (DEROidCompare(&certificate->_tbsSigAlg.oid, &oidSha1Rsa)) {
+ signedDataLength = DER_SHA1_DIGEST_INFO_LEN;
+ crtn = sha1DigestInfo(&certificate->_tbs, signedData);
+ } else if(DEROidCompare(&certificate->_tbsSigAlg.oid, &oidMd5Rsa)) {
+ signedDataLength = DER_MD_DIGEST_INFO_LEN;
+ crtn = mdDigestInfo(WD_MD5, &certificate->_tbs, signedData);
+ } else if(DEROidCompare(&certificate->_tbsSigAlg.oid, &oidMd2Rsa)) {
+ signedDataLength = DER_MD_DIGEST_INFO_LEN;
+ crtn = mdDigestInfo(WD_MD2, &certificate->_tbs, signedData);
+ } else {
+ secdebug("verify", "unsupported algorithm");
+ return errSecUnsupportedAlgorithm;
+ }
+ if (crtn) {
+ secdebug("verify", "*DigestInfo returned: %d", crtn);
+ /* FIXME: Do proper error code translation. */
+ return errSecUnsupportedAlgorithm;
+ }
+
+ OSStatus status = SecKeyRawVerify(issuerKey, kSecPaddingPKCS1,
+ signedData, signedDataLength,
+ certificate->_signature.data, certificate->_signature.length);
+ if (status) {
+ secdebug("verify", "signature verify failed: %d", status);
+ return errSecNotSigner;
+ }
+
+ return errSecSuccess;
+}
+
+static OSStatus _SecCertificateSetParent(SecCertificateRefP certificate,
+ SecCertificateRefP issuer, bool signatureCheckOnly) {
+ check(issuer);
+ if (certificate->_parent) {
+ /* Setting a certificates issuer twice is only allowed if the new
+ issuer is equal to the current one.
*/
+ return issuer && CFEqual(certificate->_parent, issuer);
+ }
+
+#if 0
+ OSStatus status = SecCertificateIsIssuedBy(certificate, issuer,
+ signatureCheckOnly);
+#else
+ OSStatus status = errSecSuccess;
+#endif
+ if (!status) {
+ if (CFEqual(certificate, issuer)) {
+ /* We don't retain ourselves cause that would be bad mojo,
+ however we do record that we are properly self signed. */
+ certificate->_isSelfSigned = kSecSelfSignedTrue;
+ secdebug("cert", "set self as parent");
+ return errSecSuccess;
+ }
+
+ CFRetain(issuer);
+ certificate->_parent = issuer;
+ certificate->_isSelfSigned = kSecSelfSignedFalse;
+ }
+
+ return status;
+}
+
+static bool SecCertificateIsSelfSignedP(SecCertificateRefP certificate) {
+ if (certificate->_isSelfSigned == kSecSelfSignedUnknown) {
+ certificate->_isSelfSigned =
+ (SecCertificateIsIssuedBy(certificate, certificate, false) ?
+ kSecSelfSignedTrue : kSecSelfSignedFalse);
+ }
+
+ return certificate->_isSelfSigned == kSecSelfSignedTrue;
+}
+
+/* Return true iff we were able to set our own parent from one of the
+ certificates in other_certificates, return false otherwise. If
+ signatureCheckOnly is true, we can skip the subject == issuer or
+ authorityKeyIdentifier tests. */
+static bool SecCertificateSetParentFrom(SecCertificateRefP certificate,
+ CFArrayRef other_certificates, bool signatureCheckOnly) {
+ CFIndex count = CFArrayGetCount(other_certificates);
+ CFIndex ix;
+ for (ix = 0; ix < count; ++ix) {
+ SecCertificateRefP candidate = (SecCertificateRefP)
+ CFArrayGetValueAtIndex(other_certificates, ix);
+ if (_SecCertificateSetParent(certificate, candidate,
+ signatureCheckOnly))
+ return true;
+ }
+ return false;
+}
+
+/* Lookup the parent of certificate in the keychain and set it. */
+static bool SecCertificateFindParent(SecCertificateRefP certificate) {
+ /* FIXME: Search for things other than just subject of our issuer if we
+ have a subjectID or authorityKeyIdentifier.
*/
+ CFDataRef normalizedIssuer =
+ SecCertificateGetNormalizedIssuerContentP(certificate);
+ const void *keys[] = {
+ kSecClass,
+ kSecReturnRef,
+ kSecMatchLimit,
+ kSecAttrSubject
+ },
+ *values[] = {
+ kSecClassCertificate,
+ kCFBooleanTrue,
+ kSecMatchLimitAll,
+ normalizedIssuer
+ };
+ CFDictionaryRef query = CFDictionaryCreate(NULL, keys, values, 4,
+ &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+ CFTypeRef results;
+ OSStatus status = SecItemCopyMatching(query, &results);
+ CFRelease(query);
+ if (status) {
+ secdebug("cert", "SecCertificateFindParent: SecItemCopyMatching: %d",
+ status);
+ return false;
+ }
+ CFArrayRef certs = (CFArrayRef)results;
+ /* Since we already know the certificates we are providing as candidates
+ have been checked for subject matching, we can ask
+ SecCertificateSetParentFrom to skip everything except the signature
+ checks. */
+ bool result = SecCertificateSetParentFrom(certificate, certs, true);
+ CFRelease(certs);
+ return result;
+}
+
+OSStatus SecCertificateCompleteChainP(SecCertificateRefP certificate,
+ CFArrayRef other_certificates) {
+ for (;;) {
+ if (certificate->_parent == NULL) {
+ if (SecCertificateIsSelfSignedP(certificate))
+ return errSecSuccess;
+ if (!other_certificates ||
+ !SecCertificateSetParentFrom(certificate, other_certificates,\
+ false)) {
+ if (!SecCertificateFindParent(certificate))
+ return errSecIssuerNotFound;
+ }
+ }
+ certificate = certificate->_parent;
+ }
+}
+#endif
+
+static OSStatus appendIPAddressesFromGeneralNames(void *context,
+ SecCEGeneralNameType gnType, const DERItem *generalName) {
+ CFMutableArrayRef ipAddresses = (CFMutableArrayRef)context;
+ if (gnType == GNT_IPAddress) {
+ CFStringRef string = copyIPAddressContentDescription(
+ kCFAllocatorDefault, generalName);
+ if (string) {
+ CFArrayAppendValue(ipAddresses, string);
+ CFRelease(string);
+ } else {
+ return errSecInvalidCertificate;
+ }
+ }
+ return errSecSuccess;
+}
+
+CFArrayRef
SecCertificateCopyIPAddressesP(SecCertificateRefP certificate) {
+ /* These can only exist in the subject alt name. */
+ if (!certificate->_subjectAltName)
+ return NULL;
+
+ CFMutableArrayRef ipAddresses = CFArrayCreateMutable(kCFAllocatorDefault,
+ 0, &kCFTypeArrayCallBacks);
+ OSStatus status = parseGeneralNames(&certificate->_subjectAltName->extnValue,
+ ipAddresses, appendIPAddressesFromGeneralNames);
+ if (status || CFArrayGetCount(ipAddresses) == 0) {
+ CFRelease(ipAddresses);
+ ipAddresses = NULL;
+ }
+ return ipAddresses;
+}
+
+static OSStatus appendDNSNamesFromGeneralNames(void *context, SecCEGeneralNameType gnType,
+ const DERItem *generalName) {
+ CFMutableArrayRef dnsNames = (CFMutableArrayRef)context;
+ if (gnType == GNT_DNSName) {
+ CFStringRef string = CFStringCreateWithBytes(kCFAllocatorDefault,
+ generalName->data, generalName->length,
+ kCFStringEncodingUTF8, FALSE);
+ if (string) {
+ CFArrayAppendValue(dnsNames, string);
+ CFRelease(string);
+ } else {
+ return errSecInvalidCertificate;
+ }
+ }
+ return errSecSuccess;
+}
+
+/* Return true if the passed in string matches the
+ Preferred name syntax from sections 2.3.1. in RFC 1035.
+ With the added check that we disallow empty dns names.
+ Also in order to support wildcard DNSNames we allow for the '*'
+ character anywhere in a dns component where we currently allow
+ a letter.
+
+ ::= | " "
+
+ ::=
